1 #!/usr/bin/env perl 2 #*************************************************************************** 3 # _ _ ____ _ 4 # Project ___| | | | _ \| | 5 # / __| | | | |_) | | 6 # | (__| |_| | _ <| |___ 7 # \___|\___/|_| \_\_____| 8 # 9 # Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel (at] haxx.se>, et al. 10 # 11 # This software is licensed as described in the file COPYING, which 12 # you should have received as part of this distribution. The terms 13 # are also available at https://curl.haxx.se/docs/copyright.html. 14 # 15 # You may opt to use, copy, modify, merge, publish, distribute and/or sell 16 # copies of the Software, and permit persons to whom the Software is 17 # furnished to do so, under the terms of the COPYING file. 18 # 19 # This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY 20 # KIND, either express or implied. 21 # 22 #*************************************************************************** 23 24 # Starts sshd for use in the SCP, SFTP and SOCKS curl test harness tests. 25 # Also creates the ssh configuration files needed for these tests. 26 27 use strict; 28 use warnings; 29 use Cwd; 30 use Cwd 'abs_path'; 31 32 #*************************************************************************** 33 # Variables and subs imported from sshhelp module 34 # 35 use sshhelp qw( 36 $sshdexe 37 $sshexe 38 $sftpsrvexe 39 $sftpexe 40 $sshkeygenexe 41 $sshdconfig 42 $sshconfig 43 $sftpconfig 44 $knownhosts 45 $sshdlog 46 $sshlog 47 $sftplog 48 $sftpcmds 49 $hstprvkeyf 50 $hstpubkeyf 51 $cliprvkeyf 52 $clipubkeyf 53 display_sshdconfig 54 display_sshconfig 55 display_sftpconfig 56 display_sshdlog 57 display_sshlog 58 display_sftplog 59 dump_array 60 find_sshd 61 find_ssh 62 find_sftpsrv 63 find_sftp 64 find_sshkeygen 65 logmsg 66 sshversioninfo 67 ); 68 69 #*************************************************************************** 70 # Subs imported from serverhelp module 71 # 72 use serverhelp qw( 73 server_pidfilename 74 server_logfilename 75 ); 76 77 use pathhelp; 78 79 #*************************************************************************** 80 81 my $verbose = 0; # set to 1 for debugging 82 my $debugprotocol = 0; # set to 1 for protocol debugging 83 my $port = 8999; # our default SCP/SFTP server port 84 my $socksport = $port + 1; # our default SOCKS4/5 server port 85 my $listenaddr = '127.0.0.1'; # default address on which to listen 86 my $ipvnum = 4; # default IP version of listener address 87 my $idnum = 1; # dafault ssh daemon instance number 88 my $proto = 'ssh'; # protocol the ssh daemon speaks 89 my $path = getcwd(); # current working directory 90 my $logdir = $path .'/log'; # directory for log files 91 my $username = $ENV{USER}; # default user 92 my $pidfile; # ssh daemon pid file 93 my $identity = 'curl_client_key'; # default identity file 94 95 my $error; 96 my @cfgarr; 97 98 99 #*************************************************************************** 100 # Parse command line options 101 # 102 while(@ARGV) { 103 if($ARGV[0] eq '--verbose') { 104 $verbose = 1; 105 } 106 elsif($ARGV[0] eq '--debugprotocol') { 107 $verbose = 1; 108 $debugprotocol = 1; 109 } 110 elsif($ARGV[0] eq '--user') { 111 if($ARGV[1]) { 112 $username = $ARGV[1]; 113 shift @ARGV; 114 } 115 } 116 elsif($ARGV[0] eq '--id') { 117 if($ARGV[1]) { 118 if($ARGV[1] =~ /^(\d+)$/) { 119 $idnum = $1 if($1 > 0); 120 shift @ARGV; 121 } 122 } 123 } 124 elsif($ARGV[0] eq '--ipv4') { 125 $ipvnum = 4; 126 $listenaddr = '127.0.0.1' if($listenaddr eq '::1'); 127 } 128 elsif($ARGV[0] eq '--ipv6') { 129 $ipvnum = 6; 130 $listenaddr = '::1' if($listenaddr eq '127.0.0.1'); 131 } 132 elsif($ARGV[0] eq '--addr') { 133 if($ARGV[1]) { 134 my $tmpstr = $ARGV[1]; 135 if($tmpstr =~ /^(\d\d?\d?)\.(\d\d?\d?)\.(\d\d?\d?)\.(\d\d?\d?)$/) { 136 $listenaddr = "$1.$2.$3.$4" if($ipvnum == 4); 137 shift @ARGV; 138 } 139 elsif($ipvnum == 6) { 140 $listenaddr = $tmpstr; 141 $listenaddr =~ s/^\[(.*)\]$/$1/; 142 shift @ARGV; 143 } 144 } 145 } 146 elsif($ARGV[0] eq '--pidfile') { 147 if($ARGV[1]) { 148 $pidfile = "$path/". $ARGV[1]; 149 shift @ARGV; 150 } 151 } 152 elsif($ARGV[0] eq '--sshport') { 153 if($ARGV[1]) { 154 if($ARGV[1] =~ /^(\d+)$/) { 155 $port = $1; 156 shift @ARGV; 157 } 158 } 159 } 160 elsif($ARGV[0] eq '--socksport') { 161 if($ARGV[1]) { 162 if($ARGV[1] =~ /^(\d+)$/) { 163 $socksport = $1; 164 shift @ARGV; 165 } 166 } 167 } 168 else { 169 print STDERR "\nWarning: sshserver.pl unknown parameter: $ARGV[0]\n"; 170 } 171 shift @ARGV; 172 } 173 174 175 #*************************************************************************** 176 # Default ssh daemon pid file name 177 # 178 if(!$pidfile) { 179 $pidfile = "$path/". server_pidfilename($proto, $ipvnum, $idnum); 180 } 181 182 183 #*************************************************************************** 184 # ssh, socks and sftp server log file names 185 # 186 $sshdlog = server_logfilename($logdir, 'ssh', $ipvnum, $idnum); 187 $sftplog = server_logfilename($logdir, 'sftp', $ipvnum, $idnum); 188 $sshlog = server_logfilename($logdir, 'socks', $ipvnum, $idnum); 189 190 191 #*************************************************************************** 192 # Logging level for ssh server and client 193 # 194 my $loglevel = $debugprotocol?'DEBUG3':'DEBUG2'; 195 196 197 #*************************************************************************** 198 # Validate username 199 # 200 if(!$username) { 201 $error = 'Will not run ssh server without a user name'; 202 } 203 elsif($username eq 'root') { 204 $error = 'Will not run ssh server as root to mitigate security risks'; 205 } 206 if($error) { 207 logmsg $error; 208 exit 1; 209 } 210 211 212 #*************************************************************************** 213 # Find out ssh daemon canonical file name 214 # 215 my $sshd = find_sshd(); 216 if(!$sshd) { 217 logmsg "cannot find $sshdexe"; 218 exit 1; 219 } 220 221 222 #*************************************************************************** 223 # Find out ssh daemon version info 224 # 225 my ($sshdid, $sshdvernum, $sshdverstr, $sshderror) = sshversioninfo($sshd); 226 if(!$sshdid) { 227 # Not an OpenSSH or SunSSH ssh daemon 228 logmsg $sshderror if($verbose); 229 logmsg 'SCP, SFTP and SOCKS tests require OpenSSH 2.9.9 or later'; 230 exit 1; 231 } 232 logmsg "ssh server found $sshd is $sshdverstr" if($verbose); 233 234 235 #*************************************************************************** 236 # ssh daemon command line options we might use and version support 237 # 238 # -e: log stderr : OpenSSH 2.9.0 and later 239 # -f: sshd config file : OpenSSH 1.2.1 and later 240 # -D: no daemon forking : OpenSSH 2.5.0 and later 241 # -o: command-line option : OpenSSH 3.1.0 and later 242 # -t: test config file : OpenSSH 2.9.9 and later 243 # -?: sshd version info : OpenSSH 1.2.1 and later 244 # 245 # -e: log stderr : SunSSH 1.0.0 and later 246 # -f: sshd config file : SunSSH 1.0.0 and later 247 # -D: no daemon forking : SunSSH 1.0.0 and later 248 # -o: command-line option : SunSSH 1.0.0 and later 249 # -t: test config file : SunSSH 1.0.0 and later 250 # -?: sshd version info : SunSSH 1.0.0 and later 251 252 253 #*************************************************************************** 254 # Verify minimum ssh daemon version 255 # 256 if((($sshdid =~ /OpenSSH/) && ($sshdvernum < 299)) || 257 (($sshdid =~ /SunSSH/) && ($sshdvernum < 100))) { 258 logmsg 'SCP, SFTP and SOCKS tests require OpenSSH 2.9.9 or later'; 259 exit 1; 260 } 261 262 263 #*************************************************************************** 264 # Find out sftp server plugin canonical file name 265 # 266 my $sftpsrv = find_sftpsrv(); 267 if(!$sftpsrv) { 268 logmsg "cannot find $sftpsrvexe"; 269 exit 1; 270 } 271 logmsg "sftp server plugin found $sftpsrv" if($verbose); 272 273 274 #*************************************************************************** 275 # Find out sftp client canonical file name 276 # 277 my $sftp = find_sftp(); 278 if(!$sftp) { 279 logmsg "cannot find $sftpexe"; 280 exit 1; 281 } 282 logmsg "sftp client found $sftp" if($verbose); 283 284 285 #*************************************************************************** 286 # Find out ssh keygen canonical file name 287 # 288 my $sshkeygen = find_sshkeygen(); 289 if(!$sshkeygen) { 290 logmsg "cannot find $sshkeygenexe"; 291 exit 1; 292 } 293 logmsg "ssh keygen found $sshkeygen" if($verbose); 294 295 296 #*************************************************************************** 297 # Find out ssh client canonical file name 298 # 299 my $ssh = find_ssh(); 300 if(!$ssh) { 301 logmsg "cannot find $sshexe"; 302 exit 1; 303 } 304 305 306 #*************************************************************************** 307 # Find out ssh client version info 308 # 309 my ($sshid, $sshvernum, $sshverstr, $ssherror) = sshversioninfo($ssh); 310 if(!$sshid) { 311 # Not an OpenSSH or SunSSH ssh client 312 logmsg $ssherror if($verbose); 313 logmsg 'SCP, SFTP and SOCKS tests require OpenSSH 2.9.9 or later'; 314 exit 1; 315 } 316 logmsg "ssh client found $ssh is $sshverstr" if($verbose); 317 318 319 #*************************************************************************** 320 # ssh client command line options we might use and version support 321 # 322 # -D: dynamic app port forwarding : OpenSSH 2.9.9 and later 323 # -F: ssh config file : OpenSSH 2.9.9 and later 324 # -N: no shell/command : OpenSSH 2.1.0 and later 325 # -p: connection port : OpenSSH 1.2.1 and later 326 # -v: verbose messages : OpenSSH 1.2.1 and later 327 # -vv: increase verbosity : OpenSSH 2.3.0 and later 328 # -V: ssh version info : OpenSSH 1.2.1 and later 329 # 330 # -D: dynamic app port forwarding : SunSSH 1.0.0 and later 331 # -F: ssh config file : SunSSH 1.0.0 and later 332 # -N: no shell/command : SunSSH 1.0.0 and later 333 # -p: connection port : SunSSH 1.0.0 and later 334 # -v: verbose messages : SunSSH 1.0.0 and later 335 # -vv: increase verbosity : SunSSH 1.0.0 and later 336 # -V: ssh version info : SunSSH 1.0.0 and later 337 338 339 #*************************************************************************** 340 # Verify minimum ssh client version 341 # 342 if((($sshid =~ /OpenSSH/) && ($sshvernum < 299)) || 343 (($sshid =~ /SunSSH/) && ($sshvernum < 100))) { 344 logmsg 'SCP, SFTP and SOCKS tests require OpenSSH 2.9.9 or later'; 345 exit 1; 346 } 347 348 349 #*************************************************************************** 350 # ssh keygen command line options we actually use and version support 351 # 352 # -C: identity comment : OpenSSH 1.2.1 and later 353 # -f: key filename : OpenSSH 1.2.1 and later 354 # -N: new passphrase : OpenSSH 1.2.1 and later 355 # -q: quiet keygen : OpenSSH 1.2.1 and later 356 # -t: key type : OpenSSH 2.5.0 and later 357 # 358 # -C: identity comment : SunSSH 1.0.0 and later 359 # -f: key filename : SunSSH 1.0.0 and later 360 # -N: new passphrase : SunSSH 1.0.0 and later 361 # -q: quiet keygen : SunSSH 1.0.0 and later 362 # -t: key type : SunSSH 1.0.0 and later 363 364 365 #*************************************************************************** 366 # Generate host and client key files for curl's tests 367 # 368 if((! -e $hstprvkeyf) || (! -s $hstprvkeyf) || 369 (! -e $hstpubkeyf) || (! -s $hstpubkeyf) || 370 (! -e $cliprvkeyf) || (! -s $cliprvkeyf) || 371 (! -e $clipubkeyf) || (! -s $clipubkeyf)) { 372 # Make sure all files are gone so ssh-keygen doesn't complain 373 unlink($hstprvkeyf, $hstpubkeyf, $cliprvkeyf, $clipubkeyf); 374 logmsg 'generating host keys...' if($verbose); 375 if(system "\"$sshkeygen\" -q -t rsa -f $hstprvkeyf -C 'curl test server' -N ''") { 376 logmsg 'Could not generate host key'; 377 exit 1; 378 } 379 logmsg 'generating client keys...' if($verbose); 380 if(system "\"$sshkeygen\" -q -t rsa -f $cliprvkeyf -C 'curl test client' -N ''") { 381 logmsg 'Could not generate client key'; 382 exit 1; 383 } 384 } 385 386 387 #*************************************************************************** 388 # Convert paths for curl's tests running on Windows with Cygwin/Msys OpenSSH 389 # 390 my $clipubkeyf_config = abs_path("$path/$clipubkeyf"); 391 my $hstprvkeyf_config = abs_path("$path/$hstprvkeyf"); 392 my $pidfile_config = $pidfile; 393 my $sftpsrv_config = $sftpsrv; 394 395 if ($^O eq 'MSWin32' || $^O eq 'cygwin' || $^O eq 'msys') { 396 # Ensure to use MinGW/Cygwin paths 397 $clipubkeyf_config = pathhelp::build_sys_abs_path($clipubkeyf_config); 398 $hstprvkeyf_config = pathhelp::build_sys_abs_path($hstprvkeyf_config); 399 $pidfile_config = pathhelp::build_sys_abs_path($pidfile_config); 400 $sftpsrv_config = "internal-sftp"; 401 } 402 403 #*************************************************************************** 404 # ssh daemon configuration file options we might use and version support 405 # 406 # AFSTokenPassing : OpenSSH 1.2.1 and later [1] 407 # AcceptEnv : OpenSSH 3.9.0 and later 408 # AddressFamily : OpenSSH 4.0.0 and later 409 # AllowGroups : OpenSSH 1.2.1 and later 410 # AllowTcpForwarding : OpenSSH 2.3.0 and later 411 # AllowUsers : OpenSSH 1.2.1 and later 412 # AuthorizedKeysFile : OpenSSH 2.9.9 and later 413 # AuthorizedKeysFile2 : OpenSSH 2.9.9 and later 414 # Banner : OpenSSH 2.5.0 and later 415 # ChallengeResponseAuthentication : OpenSSH 2.5.0 and later 416 # Ciphers : OpenSSH 2.1.0 and later [3] 417 # ClientAliveCountMax : OpenSSH 2.9.0 and later 418 # ClientAliveInterval : OpenSSH 2.9.0 and later 419 # Compression : OpenSSH 3.3.0 and later 420 # DenyGroups : OpenSSH 1.2.1 and later 421 # DenyUsers : OpenSSH 1.2.1 and later 422 # ForceCommand : OpenSSH 4.4.0 and later [3] 423 # GatewayPorts : OpenSSH 2.1.0 and later 424 # GSSAPIAuthentication : OpenSSH 3.7.0 and later [1] 425 # GSSAPICleanupCredentials : OpenSSH 3.8.0 and later [1] 426 # GSSAPIKeyExchange : SunSSH 1.0.0 and later [1] 427 # GSSAPIStoreDelegatedCredentials : SunSSH 1.0.0 and later [1] 428 # GSSCleanupCreds : SunSSH 1.0.0 and later [1] 429 # GSSUseSessionCredCache : SunSSH 1.0.0 and later [1] 430 # HostbasedAuthentication : OpenSSH 2.9.0 and later 431 # HostbasedUsesNameFromPacketOnly : OpenSSH 2.9.0 and later 432 # HostKey : OpenSSH 1.2.1 and later 433 # IgnoreRhosts : OpenSSH 1.2.1 and later 434 # IgnoreUserKnownHosts : OpenSSH 1.2.1 and later 435 # KbdInteractiveAuthentication : OpenSSH 2.3.0 and later 436 # KeepAlive : OpenSSH 1.2.1 and later 437 # KerberosAuthentication : OpenSSH 1.2.1 and later [1] 438 # KerberosGetAFSToken : OpenSSH 3.8.0 and later [1] 439 # KerberosOrLocalPasswd : OpenSSH 1.2.1 and later [1] 440 # KerberosTgtPassing : OpenSSH 1.2.1 and later [1] 441 # KerberosTicketCleanup : OpenSSH 1.2.1 and later [1] 442 # KeyRegenerationInterval : OpenSSH 1.2.1 and later 443 # ListenAddress : OpenSSH 1.2.1 and later 444 # LoginGraceTime : OpenSSH 1.2.1 and later 445 # LogLevel : OpenSSH 1.2.1 and later 446 # LookupClientHostnames : SunSSH 1.0.0 and later 447 # MACs : OpenSSH 2.5.0 and later [3] 448 # Match : OpenSSH 4.4.0 and later [3] 449 # MaxAuthTries : OpenSSH 3.9.0 and later 450 # MaxStartups : OpenSSH 2.2.0 and later 451 # PAMAuthenticationViaKbdInt : OpenSSH 2.9.0 and later [2] 452 # PasswordAuthentication : OpenSSH 1.2.1 and later 453 # PermitEmptyPasswords : OpenSSH 1.2.1 and later 454 # PermitOpen : OpenSSH 4.4.0 and later [3] 455 # PermitRootLogin : OpenSSH 1.2.1 and later 456 # PermitTunnel : OpenSSH 4.3.0 and later 457 # PermitUserEnvironment : OpenSSH 3.5.0 and later 458 # PidFile : OpenSSH 2.1.0 and later 459 # Port : OpenSSH 1.2.1 and later 460 # PrintLastLog : OpenSSH 2.9.0 and later 461 # PrintMotd : OpenSSH 1.2.1 and later 462 # Protocol : OpenSSH 2.1.0 and later 463 # PubkeyAuthentication : OpenSSH 2.5.0 and later 464 # RhostsAuthentication : OpenSSH 1.2.1 and later 465 # RhostsRSAAuthentication : OpenSSH 1.2.1 and later 466 # RSAAuthentication : OpenSSH 1.2.1 and later 467 # ServerKeyBits : OpenSSH 1.2.1 and later 468 # SkeyAuthentication : OpenSSH 1.2.1 and later [1] 469 # StrictModes : OpenSSH 1.2.1 and later 470 # Subsystem : OpenSSH 2.2.0 and later 471 # SyslogFacility : OpenSSH 1.2.1 and later 472 # TCPKeepAlive : OpenSSH 3.8.0 and later 473 # UseDNS : OpenSSH 3.7.0 and later 474 # UseLogin : OpenSSH 1.2.1 and later 475 # UsePAM : OpenSSH 3.7.0 and later [1][2] 476 # UsePrivilegeSeparation : OpenSSH 3.2.2 and later 477 # VerifyReverseMapping : OpenSSH 3.1.0 and later 478 # X11DisplayOffset : OpenSSH 1.2.1 and later [3] 479 # X11Forwarding : OpenSSH 1.2.1 and later 480 # X11UseLocalhost : OpenSSH 3.1.0 and later 481 # XAuthLocation : OpenSSH 2.1.1 and later [3] 482 # 483 # [1] Option only available if activated at compile time 484 # [2] Option specific for portable versions 485 # [3] Option not used in our ssh server config file 486 487 488 #*************************************************************************** 489 # Initialize sshd config with options actually supported in OpenSSH 2.9.9 490 # 491 logmsg 'generating ssh server config file...' if($verbose); 492 @cfgarr = (); 493 push @cfgarr, '# This is a generated file. Do not edit.'; 494 push @cfgarr, "# $sshdverstr sshd configuration file for curl testing"; 495 push @cfgarr, '#'; 496 push @cfgarr, "DenyUsers !$username"; 497 push @cfgarr, "AllowUsers $username"; 498 push @cfgarr, 'DenyGroups'; 499 push @cfgarr, 'AllowGroups'; 500 push @cfgarr, '#'; 501 push @cfgarr, "AuthorizedKeysFile $clipubkeyf_config"; 502 push @cfgarr, "AuthorizedKeysFile2 $clipubkeyf_config"; 503 push @cfgarr, "HostKey $hstprvkeyf_config"; 504 push @cfgarr, "PidFile $pidfile_config"; 505 push @cfgarr, '#'; 506 push @cfgarr, "Port $port"; 507 push @cfgarr, "ListenAddress $listenaddr"; 508 push @cfgarr, 'Protocol 2'; 509 push @cfgarr, '#'; 510 push @cfgarr, 'AllowTcpForwarding yes'; 511 push @cfgarr, 'Banner none'; 512 push @cfgarr, 'ChallengeResponseAuthentication no'; 513 push @cfgarr, 'ClientAliveCountMax 3'; 514 push @cfgarr, 'ClientAliveInterval 0'; 515 push @cfgarr, 'GatewayPorts no'; 516 push @cfgarr, 'HostbasedAuthentication no'; 517 push @cfgarr, 'HostbasedUsesNameFromPacketOnly no'; 518 push @cfgarr, 'IgnoreRhosts yes'; 519 push @cfgarr, 'IgnoreUserKnownHosts yes'; 520 push @cfgarr, 'KeyRegenerationInterval 0'; 521 push @cfgarr, 'LoginGraceTime 30'; 522 push @cfgarr, "LogLevel $loglevel"; 523 push @cfgarr, 'MaxStartups 5'; 524 push @cfgarr, 'PasswordAuthentication no'; 525 push @cfgarr, 'PermitEmptyPasswords no'; 526 push @cfgarr, 'PermitRootLogin no'; 527 push @cfgarr, 'PrintLastLog no'; 528 push @cfgarr, 'PrintMotd no'; 529 push @cfgarr, 'PubkeyAuthentication yes'; 530 push @cfgarr, 'RhostsRSAAuthentication no'; 531 push @cfgarr, 'RSAAuthentication no'; 532 push @cfgarr, 'ServerKeyBits 768'; 533 push @cfgarr, 'StrictModes no'; 534 push @cfgarr, "Subsystem sftp \"$sftpsrv_config\""; 535 push @cfgarr, 'SyslogFacility AUTH'; 536 push @cfgarr, 'UseLogin no'; 537 push @cfgarr, 'X11Forwarding no'; 538 push @cfgarr, '#'; 539 540 541 #*************************************************************************** 542 # Write out initial sshd configuration file for curl's tests 543 # 544 $error = dump_array($sshdconfig, @cfgarr); 545 if($error) { 546 logmsg $error; 547 exit 1; 548 } 549 550 551 #*************************************************************************** 552 # Verifies at run time if sshd supports a given configuration file option 553 # 554 sub sshd_supports_opt { 555 my ($option, $value) = @_; 556 my $err; 557 # 558 if((($sshdid =~ /OpenSSH/) && ($sshdvernum >= 310)) || 559 ($sshdid =~ /SunSSH/)) { 560 # ssh daemon supports command line options -t -f and -o 561 $err = grep /((Unsupported)|(Bad configuration)|(Deprecated)) option.*$option/, 562 qx("$sshd" -t -f $sshdconfig -o "$option=$value" 2>&1); 563 return !$err; 564 } 565 if(($sshdid =~ /OpenSSH/) && ($sshdvernum >= 299)) { 566 # ssh daemon supports command line options -t and -f 567 $err = dump_array($sshdconfig, (@cfgarr, "$option $value")); 568 if($err) { 569 logmsg $err; 570 return 0; 571 } 572 $err = grep /((Unsupported)|(Bad configuration)|(Deprecated)) option.*$option/, 573 qx("$sshd" -t -f $sshdconfig 2>&1); 574 unlink $sshdconfig; 575 return !$err; 576 } 577 return 0; 578 } 579 580 581 #*************************************************************************** 582 # Kerberos Authentication support may have not been built into sshd 583 # 584 if(sshd_supports_opt('KerberosAuthentication','no')) { 585 push @cfgarr, 'KerberosAuthentication no'; 586 } 587 if(sshd_supports_opt('KerberosGetAFSToken','no')) { 588 push @cfgarr, 'KerberosGetAFSToken no'; 589 } 590 if(sshd_supports_opt('KerberosOrLocalPasswd','no')) { 591 push @cfgarr, 'KerberosOrLocalPasswd no'; 592 } 593 if(sshd_supports_opt('KerberosTgtPassing','no')) { 594 push @cfgarr, 'KerberosTgtPassing no'; 595 } 596 if(sshd_supports_opt('KerberosTicketCleanup','yes')) { 597 push @cfgarr, 'KerberosTicketCleanup yes'; 598 } 599 600 601 #*************************************************************************** 602 # Andrew File System support may have not been built into sshd 603 # 604 if(sshd_supports_opt('AFSTokenPassing','no')) { 605 push @cfgarr, 'AFSTokenPassing no'; 606 } 607 608 609 #*************************************************************************** 610 # S/Key authentication support may have not been built into sshd 611 # 612 if(sshd_supports_opt('SkeyAuthentication','no')) { 613 push @cfgarr, 'SkeyAuthentication no'; 614 } 615 616 617 #*************************************************************************** 618 # GSSAPI Authentication support may have not been built into sshd 619 # 620 my $sshd_builtwith_GSSAPI; 621 if(sshd_supports_opt('GSSAPIAuthentication','no')) { 622 push @cfgarr, 'GSSAPIAuthentication no'; 623 $sshd_builtwith_GSSAPI = 1; 624 } 625 if(sshd_supports_opt('GSSAPICleanupCredentials','yes')) { 626 push @cfgarr, 'GSSAPICleanupCredentials yes'; 627 } 628 if(sshd_supports_opt('GSSAPIKeyExchange','no')) { 629 push @cfgarr, 'GSSAPIKeyExchange no'; 630 } 631 if(sshd_supports_opt('GSSAPIStoreDelegatedCredentials','no')) { 632 push @cfgarr, 'GSSAPIStoreDelegatedCredentials no'; 633 } 634 if(sshd_supports_opt('GSSCleanupCreds','yes')) { 635 push @cfgarr, 'GSSCleanupCreds yes'; 636 } 637 if(sshd_supports_opt('GSSUseSessionCredCache','no')) { 638 push @cfgarr, 'GSSUseSessionCredCache no'; 639 } 640 push @cfgarr, '#'; 641 642 643 #*************************************************************************** 644 # Options that might be supported or not in sshd OpenSSH 2.9.9 and later 645 # 646 if(sshd_supports_opt('AcceptEnv','')) { 647 push @cfgarr, 'AcceptEnv'; 648 } 649 if(sshd_supports_opt('AddressFamily','any')) { 650 # Address family must be specified before ListenAddress 651 splice @cfgarr, 14, 0, 'AddressFamily any'; 652 } 653 if(sshd_supports_opt('Compression','no')) { 654 push @cfgarr, 'Compression no'; 655 } 656 if(sshd_supports_opt('KbdInteractiveAuthentication','no')) { 657 push @cfgarr, 'KbdInteractiveAuthentication no'; 658 } 659 if(sshd_supports_opt('KeepAlive','no')) { 660 push @cfgarr, 'KeepAlive no'; 661 } 662 if(sshd_supports_opt('LookupClientHostnames','no')) { 663 push @cfgarr, 'LookupClientHostnames no'; 664 } 665 if(sshd_supports_opt('MaxAuthTries','10')) { 666 push @cfgarr, 'MaxAuthTries 10'; 667 } 668 if(sshd_supports_opt('PAMAuthenticationViaKbdInt','no')) { 669 push @cfgarr, 'PAMAuthenticationViaKbdInt no'; 670 } 671 if(sshd_supports_opt('PermitTunnel','no')) { 672 push @cfgarr, 'PermitTunnel no'; 673 } 674 if(sshd_supports_opt('PermitUserEnvironment','no')) { 675 push @cfgarr, 'PermitUserEnvironment no'; 676 } 677 if(sshd_supports_opt('RhostsAuthentication','no')) { 678 push @cfgarr, 'RhostsAuthentication no'; 679 } 680 if(sshd_supports_opt('TCPKeepAlive','no')) { 681 push @cfgarr, 'TCPKeepAlive no'; 682 } 683 if(sshd_supports_opt('UseDNS','no')) { 684 push @cfgarr, 'UseDNS no'; 685 } 686 if(sshd_supports_opt('UsePAM','no')) { 687 push @cfgarr, 'UsePAM no'; 688 } 689 690 if($sshdid =~ /OpenSSH/) { 691 # http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6492415 692 if(sshd_supports_opt('UsePrivilegeSeparation','no')) { 693 push @cfgarr, 'UsePrivilegeSeparation no'; 694 } 695 } 696 697 if(sshd_supports_opt('VerifyReverseMapping','no')) { 698 push @cfgarr, 'VerifyReverseMapping no'; 699 } 700 if(sshd_supports_opt('X11UseLocalhost','yes')) { 701 push @cfgarr, 'X11UseLocalhost yes'; 702 } 703 push @cfgarr, '#'; 704 705 706 #*************************************************************************** 707 # Write out resulting sshd configuration file for curl's tests 708 # 709 $error = dump_array($sshdconfig, @cfgarr); 710 if($error) { 711 logmsg $error; 712 exit 1; 713 } 714 715 716 #*************************************************************************** 717 # Verify that sshd actually supports our generated configuration file 718 # 719 if(system "\"$sshd\" -t -f $sshdconfig > $sshdlog 2>&1") { 720 logmsg "sshd configuration file $sshdconfig failed verification"; 721 display_sshdlog(); 722 display_sshdconfig(); 723 exit 1; 724 } 725 726 727 #*************************************************************************** 728 # Generate ssh client host key database file for curl's tests 729 # 730 if((! -e $knownhosts) || (! -s $knownhosts)) { 731 logmsg 'generating ssh client known hosts file...' if($verbose); 732 unlink($knownhosts); 733 if(open(RSAKEYFILE, "<$hstpubkeyf")) { 734 my @rsahostkey = do { local $/ = ' '; <RSAKEYFILE> }; 735 if(close(RSAKEYFILE)) { 736 if(open(KNOWNHOSTS, ">$knownhosts")) { 737 print KNOWNHOSTS "$listenaddr ssh-rsa $rsahostkey[1]\n"; 738 if(!close(KNOWNHOSTS)) { 739 $error = "Error: cannot close file $knownhosts"; 740 } 741 } 742 else { 743 $error = "Error: cannot write file $knownhosts"; 744 } 745 } 746 else { 747 $error = "Error: cannot close file $hstpubkeyf"; 748 } 749 } 750 else { 751 $error = "Error: cannot read file $hstpubkeyf"; 752 } 753 if($error) { 754 logmsg $error; 755 exit 1; 756 } 757 } 758 759 760 #*************************************************************************** 761 # Convert paths for curl's tests running on Windows using Cygwin OpenSSH 762 # 763 my $identity_config = abs_path("$path/$identity"); 764 my $knownhosts_config = abs_path("$path/$knownhosts"); 765 766 if ($^O eq 'MSWin32' || $^O eq 'cygwin' || $^O eq 'msys') { 767 # Ensure to use MinGW/Cygwin paths 768 $identity_config = pathhelp::build_sys_abs_path($identity_config); 769 $knownhosts_config = pathhelp::build_sys_abs_path($knownhosts_config); 770 } 771 772 773 #*************************************************************************** 774 # ssh client configuration file options we might use and version support 775 # 776 # AddressFamily : OpenSSH 3.7.0 and later 777 # BatchMode : OpenSSH 1.2.1 and later 778 # BindAddress : OpenSSH 2.9.9 and later 779 # ChallengeResponseAuthentication : OpenSSH 2.5.0 and later 780 # CheckHostIP : OpenSSH 1.2.1 and later 781 # Cipher : OpenSSH 1.2.1 and later [3] 782 # Ciphers : OpenSSH 2.1.0 and later [3] 783 # ClearAllForwardings : OpenSSH 2.9.9 and later 784 # Compression : OpenSSH 1.2.1 and later 785 # CompressionLevel : OpenSSH 1.2.1 and later [3] 786 # ConnectionAttempts : OpenSSH 1.2.1 and later 787 # ConnectTimeout : OpenSSH 3.7.0 and later 788 # ControlMaster : OpenSSH 3.9.0 and later 789 # ControlPath : OpenSSH 3.9.0 and later 790 # DisableBanner : SunSSH 1.2.0 and later 791 # DynamicForward : OpenSSH 2.9.0 and later 792 # EnableSSHKeysign : OpenSSH 3.6.0 and later 793 # EscapeChar : OpenSSH 1.2.1 and later [3] 794 # ExitOnForwardFailure : OpenSSH 4.4.0 and later 795 # ForwardAgent : OpenSSH 1.2.1 and later 796 # ForwardX11 : OpenSSH 1.2.1 and later 797 # ForwardX11Trusted : OpenSSH 3.8.0 and later 798 # GatewayPorts : OpenSSH 1.2.1 and later 799 # GlobalKnownHostsFile : OpenSSH 1.2.1 and later 800 # GSSAPIAuthentication : OpenSSH 3.7.0 and later [1] 801 # GSSAPIDelegateCredentials : OpenSSH 3.7.0 and later [1] 802 # HashKnownHosts : OpenSSH 4.0.0 and later 803 # Host : OpenSSH 1.2.1 and later 804 # HostbasedAuthentication : OpenSSH 2.9.0 and later 805 # HostKeyAlgorithms : OpenSSH 2.9.0 and later [3] 806 # HostKeyAlias : OpenSSH 2.5.0 and later [3] 807 # HostName : OpenSSH 1.2.1 and later 808 # IdentitiesOnly : OpenSSH 3.9.0 and later 809 # IdentityFile : OpenSSH 1.2.1 and later 810 # IgnoreIfUnknown : SunSSH 1.2.0 and later 811 # KeepAlive : OpenSSH 1.2.1 and later 812 # KbdInteractiveAuthentication : OpenSSH 2.3.0 and later 813 # KbdInteractiveDevices : OpenSSH 2.3.0 and later [3] 814 # LocalCommand : OpenSSH 4.3.0 and later [3] 815 # LocalForward : OpenSSH 1.2.1 and later [3] 816 # LogLevel : OpenSSH 1.2.1 and later 817 # MACs : OpenSSH 2.5.0 and later [3] 818 # NoHostAuthenticationForLocalhost : OpenSSH 3.0.0 and later 819 # NumberOfPasswordPrompts : OpenSSH 1.2.1 and later 820 # PasswordAuthentication : OpenSSH 1.2.1 and later 821 # PermitLocalCommand : OpenSSH 4.3.0 and later 822 # Port : OpenSSH 1.2.1 and later 823 # PreferredAuthentications : OpenSSH 2.5.2 and later 824 # Protocol : OpenSSH 2.1.0 and later 825 # ProxyCommand : OpenSSH 1.2.1 and later [3] 826 # PubkeyAuthentication : OpenSSH 2.5.0 and later 827 # RekeyLimit : OpenSSH 3.7.0 and later 828 # RemoteForward : OpenSSH 1.2.1 and later [3] 829 # RhostsRSAAuthentication : OpenSSH 1.2.1 and later 830 # RSAAuthentication : OpenSSH 1.2.1 and later 831 # SendEnv : OpenSSH 3.9.0 and later 832 # ServerAliveCountMax : OpenSSH 3.8.0 and later 833 # ServerAliveInterval : OpenSSH 3.8.0 and later 834 # SmartcardDevice : OpenSSH 2.9.9 and later [1][3] 835 # StrictHostKeyChecking : OpenSSH 1.2.1 and later 836 # TCPKeepAlive : OpenSSH 3.8.0 and later 837 # Tunnel : OpenSSH 4.3.0 and later 838 # TunnelDevice : OpenSSH 4.3.0 and later [3] 839 # UsePAM : OpenSSH 3.7.0 and later [1][2][3] 840 # UsePrivilegedPort : OpenSSH 1.2.1 and later 841 # User : OpenSSH 1.2.1 and later 842 # UserKnownHostsFile : OpenSSH 1.2.1 and later 843 # VerifyHostKeyDNS : OpenSSH 3.8.0 and later 844 # XAuthLocation : OpenSSH 2.1.1 and later [3] 845 # 846 # [1] Option only available if activated at compile time 847 # [2] Option specific for portable versions 848 # [3] Option not used in our ssh client config file 849 850 851 #*************************************************************************** 852 # Initialize ssh config with options actually supported in OpenSSH 2.9.9 853 # 854 logmsg 'generating ssh client config file...' if($verbose); 855 @cfgarr = (); 856 push @cfgarr, '# This is a generated file. Do not edit.'; 857 push @cfgarr, "# $sshverstr ssh client configuration file for curl testing"; 858 push @cfgarr, '#'; 859 push @cfgarr, 'Host *'; 860 push @cfgarr, '#'; 861 push @cfgarr, "Port $port"; 862 push @cfgarr, "HostName $listenaddr"; 863 push @cfgarr, "User $username"; 864 push @cfgarr, 'Protocol 2'; 865 push @cfgarr, '#'; 866 push @cfgarr, "BindAddress $listenaddr"; 867 push @cfgarr, "DynamicForward $socksport"; 868 push @cfgarr, '#'; 869 push @cfgarr, "IdentityFile $identity_config"; 870 push @cfgarr, "UserKnownHostsFile $knownhosts_config"; 871 push @cfgarr, '#'; 872 push @cfgarr, 'BatchMode yes'; 873 push @cfgarr, 'ChallengeResponseAuthentication no'; 874 push @cfgarr, 'CheckHostIP no'; 875 push @cfgarr, 'ClearAllForwardings no'; 876 push @cfgarr, 'Compression no'; 877 push @cfgarr, 'ConnectionAttempts 3'; 878 push @cfgarr, 'ForwardAgent no'; 879 push @cfgarr, 'ForwardX11 no'; 880 push @cfgarr, 'GatewayPorts no'; 881 push @cfgarr, 'GlobalKnownHostsFile /dev/null'; 882 push @cfgarr, 'HostbasedAuthentication no'; 883 push @cfgarr, 'KbdInteractiveAuthentication no'; 884 push @cfgarr, "LogLevel $loglevel"; 885 push @cfgarr, 'NumberOfPasswordPrompts 0'; 886 push @cfgarr, 'PasswordAuthentication no'; 887 push @cfgarr, 'PreferredAuthentications publickey'; 888 push @cfgarr, 'PubkeyAuthentication yes'; 889 push @cfgarr, 'RhostsRSAAuthentication no'; 890 push @cfgarr, 'RSAAuthentication no'; 891 892 # Disabled StrictHostKeyChecking since it makes the tests fail on my 893 # OpenSSH_6.0p1 on Debian Linux / Daniel 894 push @cfgarr, 'StrictHostKeyChecking no'; 895 push @cfgarr, 'UsePrivilegedPort no'; 896 push @cfgarr, '#'; 897 898 899 #*************************************************************************** 900 # Options supported in ssh client newer than OpenSSH 2.9.9 901 # 902 903 if(($sshid =~ /OpenSSH/) && ($sshvernum >= 370)) { 904 push @cfgarr, 'AddressFamily any'; 905 } 906 907 if((($sshid =~ /OpenSSH/) && ($sshvernum >= 370)) || 908 (($sshid =~ /SunSSH/) && ($sshvernum >= 120))) { 909 push @cfgarr, 'ConnectTimeout 30'; 910 } 911 912 if(($sshid =~ /OpenSSH/) && ($sshvernum >= 390)) { 913 push @cfgarr, 'ControlMaster no'; 914 } 915 916 if(($sshid =~ /OpenSSH/) && ($sshvernum >= 420)) { 917 push @cfgarr, 'ControlPath none'; 918 } 919 920 if(($sshid =~ /SunSSH/) && ($sshvernum >= 120)) { 921 push @cfgarr, 'DisableBanner yes'; 922 } 923 924 if(($sshid =~ /OpenSSH/) && ($sshvernum >= 360)) { 925 push @cfgarr, 'EnableSSHKeysign no'; 926 } 927 928 if(($sshid =~ /OpenSSH/) && ($sshvernum >= 440)) { 929 push @cfgarr, 'ExitOnForwardFailure yes'; 930 } 931 932 if((($sshid =~ /OpenSSH/) && ($sshvernum >= 380)) || 933 (($sshid =~ /SunSSH/) && ($sshvernum >= 120))) { 934 push @cfgarr, 'ForwardX11Trusted no'; 935 } 936 937 if(($sshd_builtwith_GSSAPI) && ($sshdid eq $sshid) && 938 ($sshdvernum == $sshvernum)) { 939 push @cfgarr, 'GSSAPIAuthentication no'; 940 push @cfgarr, 'GSSAPIDelegateCredentials no'; 941 if($sshid =~ /SunSSH/) { 942 push @cfgarr, 'GSSAPIKeyExchange no'; 943 } 944 } 945 946 if((($sshid =~ /OpenSSH/) && ($sshvernum >= 400)) || 947 (($sshid =~ /SunSSH/) && ($sshvernum >= 120))) { 948 push @cfgarr, 'HashKnownHosts no'; 949 } 950 951 if(($sshid =~ /OpenSSH/) && ($sshvernum >= 390)) { 952 push @cfgarr, 'IdentitiesOnly yes'; 953 } 954 955 if(($sshid =~ /SunSSH/) && ($sshvernum >= 120)) { 956 push @cfgarr, 'IgnoreIfUnknown no'; 957 } 958 959 if((($sshid =~ /OpenSSH/) && ($sshvernum < 380)) || 960 ($sshid =~ /SunSSH/)) { 961 push @cfgarr, 'KeepAlive no'; 962 } 963 964 if((($sshid =~ /OpenSSH/) && ($sshvernum >= 300)) || 965 ($sshid =~ /SunSSH/)) { 966 push @cfgarr, 'NoHostAuthenticationForLocalhost no'; 967 } 968 969 if(($sshid =~ /OpenSSH/) && ($sshvernum >= 430)) { 970 push @cfgarr, 'PermitLocalCommand no'; 971 } 972 973 if((($sshid =~ /OpenSSH/) && ($sshvernum >= 370)) || 974 (($sshid =~ /SunSSH/) && ($sshvernum >= 120))) { 975 push @cfgarr, 'RekeyLimit 1G'; 976 } 977 978 if(($sshid =~ /OpenSSH/) && ($sshvernum >= 390)) { 979 push @cfgarr, 'SendEnv'; 980 } 981 982 if((($sshid =~ /OpenSSH/) && ($sshvernum >= 380)) || 983 (($sshid =~ /SunSSH/) && ($sshvernum >= 120))) { 984 push @cfgarr, 'ServerAliveCountMax 3'; 985 push @cfgarr, 'ServerAliveInterval 0'; 986 } 987 988 if(($sshid =~ /OpenSSH/) && ($sshvernum >= 380)) { 989 push @cfgarr, 'TCPKeepAlive no'; 990 } 991 992 if(($sshid =~ /OpenSSH/) && ($sshvernum >= 430)) { 993 push @cfgarr, 'Tunnel no'; 994 } 995 996 if(($sshid =~ /OpenSSH/) && ($sshvernum >= 380)) { 997 push @cfgarr, 'VerifyHostKeyDNS no'; 998 } 999 1000 push @cfgarr, '#'; 1001 1002 1003 #*************************************************************************** 1004 # Write out resulting ssh client configuration file for curl's tests 1005 # 1006 $error = dump_array($sshconfig, @cfgarr); 1007 if($error) { 1008 logmsg $error; 1009 exit 1; 1010 } 1011 1012 1013 #*************************************************************************** 1014 # Initialize client sftp config with options actually supported. 1015 # 1016 logmsg 'generating sftp client config file...' if($verbose); 1017 splice @cfgarr, 1, 1, "# $sshverstr sftp client configuration file for curl testing"; 1018 # 1019 for(my $i = scalar(@cfgarr) - 1; $i > 0; $i--) { 1020 if($cfgarr[$i] =~ /^DynamicForward/) { 1021 splice @cfgarr, $i, 1; 1022 next; 1023 } 1024 if($cfgarr[$i] =~ /^ClearAllForwardings/) { 1025 splice @cfgarr, $i, 1, "ClearAllForwardings yes"; 1026 next; 1027 } 1028 } 1029 1030 1031 #*************************************************************************** 1032 # Write out resulting sftp client configuration file for curl's tests 1033 # 1034 $error = dump_array($sftpconfig, @cfgarr); 1035 if($error) { 1036 logmsg $error; 1037 exit 1; 1038 } 1039 @cfgarr = (); 1040 1041 1042 #*************************************************************************** 1043 # Generate client sftp commands batch file for sftp server verification 1044 # 1045 logmsg 'generating sftp client commands file...' if($verbose); 1046 push @cfgarr, 'pwd'; 1047 push @cfgarr, 'quit'; 1048 $error = dump_array($sftpcmds, @cfgarr); 1049 if($error) { 1050 logmsg $error; 1051 exit 1; 1052 } 1053 @cfgarr = (); 1054 1055 1056 #*************************************************************************** 1057 # Start the ssh server daemon without forking it 1058 # 1059 logmsg "SCP/SFTP server listening on port $port" if($verbose); 1060 my $rc = system "\"$sshd\" -e -D -f $sshdconfig > $sshdlog 2>&1"; 1061 if($rc == -1) { 1062 logmsg "\"$sshd\" failed with: $!"; 1063 } 1064 elsif($rc & 127) { 1065 logmsg sprintf("\"$sshd\" died with signal %d, and %s coredump", 1066 ($rc & 127), ($rc & 128)?'a':'no'); 1067 } 1068 elsif($verbose && ($rc >> 8)) { 1069 logmsg sprintf("\"$sshd\" exited with %d", $rc >> 8); 1070 } 1071 1072 1073 #*************************************************************************** 1074 # Clean up once the server has stopped 1075 # 1076 unlink($hstprvkeyf, $hstpubkeyf, $cliprvkeyf, $clipubkeyf, $knownhosts); 1077 unlink($sshdconfig, $sshconfig, $sftpconfig); 1078 1079 1080 exit 0; 1081
