author | Miklós Fazekas <mfazekas@szemafor.com> | 2021-08-05 16:13:54 +0200 |
---|---|---|
committer | Miklós Fazekas <mfazekas@szemafor.com> | 2021-08-05 16:14:25 +0200 |
commit | 932f0268a2903e35f7bf9f8d1bb96dd38dd77e1f (patch) | |
tree | 249c735da427ac20079223b41b6926fef16cb141 /test | |
parent | f4f37d340dfbb405e8ad77a0ccf56ce66d4fb144 (diff) | |
download | net-ssh-932f0268a2903e35f7bf9f8d1bb96dd38dd77e1f.tar.gz |
Improve integration test
Diffstat (limited to 'test')
-rw-r--r-- | test/integration/common.rb | 2 | ||||
-rw-r--r-- | test/integration/test_cert_host_auth.rb | 48 |
2 files changed, 20 insertions, 30 deletions
diff --git a/test/integration/common.rb b/test/integration/common.rb
index 0f79c68..b897ece 100644
--- a/test/integration/common.rb
+++ b/test/integration/common.rb
@@ -97,7 +97,7 @@ module IntegrationTestHelpers
 end
 f.write("\nLogLevel DEBUG3\n") if debug
 f.close
- puts "CONFIG: #{f.path} PID: #{pidpath}"
+ puts "CONFIG: #{f.path} PID: #{pidpath}" if debug
 yield(f.path, pidpath)
 end
 end
diff --git a/test/integration/test_cert_host_auth.rb b/test/integration/test_cert_host_auth.rb
index 312be85..aeda37e 100644
--- a/test/integration/test_cert_host_auth.rb
+++ b/test/integration/test_cert_host_auth.rb
@@ -13,10 +13,7 @@ class TestCertHostAuth < NetSSHTest
 def setup_ssh_env(&block)
 tmpdir do |dir|
- @badcert = "#{dir}/badca"
- sh "rm -rf #{@badcert} #{@badcert}.pub"
- sh "ssh-keygen -t rsa -N '' -C 'ca@hosts.netssh' -f #{@badcert}"
-
+ # create a cert, and sign the host key
 @cert = "#{dir}/ca"
 sh "rm -rf #{@cert} #{@cert}.pub"
 sh "ssh-keygen -t rsa -N '' -C 'ca@hosts.netssh' -f #{@cert}"
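Review bot: The comment added above `@cert` in the test_cert_host_auth.rb hunk does not describe the code under it: `ssh-keygen -t rsa -N '' ... -f #{@cert}` generates a passphrase-less CA key pair, and the actual signing of the host key happens further down in setup_ssh_env, outside this hunk. Since `@cert` is also the path of the CA *private* key rather than a certificate, the naming plus the comment invite confusion between the CA key and the host certificate it later produces. I would write `# generate the CA key pair (no passphrase, lives only in the tmpdir); the host key is signed with it below` and, if renaming is acceptable, call it `@ca_key`. The method body continues past the end of the hunk.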
@@ -25,29 +22,29 @@ class TestCertHostAuth < NetSSHTest
 sh "ssh-keygen -s #{@cert} -h -I one.hosts.netssh -n one.hosts.netssh #{dir}/one.hosts.netssh.pub"
 sh "ssh-keygen -L -f one.hosts.netssh-cert.pub"
 end
- # FileUtils.cp "#{dir}/cloud.jameshfisher.com-cert.pub", "/etc/ssh/ssh_host_ecdsa_key-cert.pub"
- sh "sudo cp -f #{dir}/one.hosts.netssh-cert.pub /etc/ssh/ssh_host_ecdsa_key-cert.pub"
- yield(cert_pub: "#{@cert}.pub", badcert_pub: "#{@badcert}.pub")
+ signed_host_key = "/etc/ssh/ssh_host_ecdsa_key-cert.pub"
+ sh "sudo cp -f #{dir}/one.hosts.netssh-cert.pub #{signed_host_key}"
+
+ # we don't use this for signing the cert
+ @badcert = "#{dir}/badca"
+ sh "rm -rf #{@badcert} #{@badcert}.pub"
+ sh "ssh-keygen -t rsa -N '' -C 'ca@hosts.netssh' -f #{@badcert}"
+
+ yield(cert_pub: "#{@cert}.pub", badcert_pub: "#{@badcert}.pub", signed_host_key: signed_host_key)
 end
 end
- def test_smoke
- config_lines = []
- config_lines.push("HostCertificate /etc/ssh/ssh_host_ecdsa_key-cert.pub")
-
+ def test_host_should_match_when_host_key_was_signed_by_key
 Tempfile.open('cert_kh') do |f|
 setup_ssh_env do |params|
 data = File.read(params[:cert_pub])
- puts "Data: #{data}"
 f.write("@cert-authority *.hosts.netssh #{data}")
 f.close
- start_sshd_7_or_later(config: config_lines, debug: true) do |_pid, port|
- Timeout.timeout(400) do
- # We have our own sshd, give it a chance to come up before
- # listening.
+ config_lines = ["HostCertificate #{params[:signed_host_key]}"]
+ start_sshd_7_or_later(config: config_lines) do |_pid, port|
+ Timeout.timeout(100) do
 ret = Net::SSH.start("one.hosts.netssh", "net_ssh_1", password: 'foopwd', port: port, verify_host_key: :always, user_known_hosts_file: [f.path], verbose: :debug) do |ssh|
- # assert_equal ssh.transport.algorithms.kex, "curve25519-sha256"
 ssh.exec! "echo 'foo'"
 end
 assert_equal "foo\n", ret
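Review bot: The host certificate is still installed with `sudo cp -f` into `/etc/ssh/ssh_host_ecdsa_key-cert.pub` and nothing in setup_ssh_env removes it afterwards, so every run leaves a certificate for `one.hosts.netssh`, signed by a throwaway test CA, next to the machine's real host key. sshd only presents it when a `HostCertificate` line names it, but stale test material in /etc/ssh is exactly the kind of residue a practitioner does not want on a shared CI box. Since sshd matches a `HostCertificate` to its `HostKey` by public key rather than by path, `signed_host_key` could most likely point at `#{dir}/one.hosts.netssh-cert.pub` and skip the copy entirely, provided the test sshd runs as a user that can read the tmpdir (that helper is not visible here); failing that, wrap the yield as `begin` / `yield(...)` / `ensure sh "sudo rm -f #{signed_host_key}" end`. Separately, `debug: true` was dropped from `start_sshd_7_or_later` while `verbose: :debug` stays on `Net::SSH.start`, so the client still dumps the full handshake on every run.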
@@ -60,26 +57,19 @@ class TestCertHostAuth < NetSSHTest
 end
 end
- def test_failure
- config_lines = []
- config_lines.push("HostCertificate /etc/ssh/ssh_host_ecdsa_key-cert.pub")
-
- Tempfile.open('empty_kh') do |f|
+ def test_with_other_pub_key_host_key_should_not_match
+ Tempfile.open('cert_kh') do |f|
 setup_ssh_env do |params|
 data = File.read(params[:badcert_pub])
-
- puts "Data: #{data}"
 f.write("@cert-authority *.hosts.netssh #{data}")
 f.close
- start_sshd_7_or_later(config: config_lines, debug: true) do |_pid, port|
- Timeout.timeout(400) do
- # sh "ssh net_ssh_1@one.hosts.netssh -p #{port} -o UserKnownHostsFile=#{f.path}"
-
+ config_lines = ["HostCertificate #{params[:signed_host_key]}"]
+ start_sshd_7_or_later(config: config_lines) do |_pid, port|
+ Timeout.timeout(100) do
 sleep 0.2
 assert_raises(Net::SSH::HostKeyMismatch) do
 Net::SSH.start("one.hosts.netssh", "net_ssh_1", password: 'foopwd', port: port, verify_host_key: :always, user_known_hosts_file: [f.path], verbose: :debug) do |ssh|
- # assert_equal ssh.transport.algorithms.kex, "curve25519-sha256"
 ssh.exec! "echo 'foo'"
 end
 end
|
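Review bot: The `sleep 0.2` kept before the connect is a fixed delay that the positive test in the previous hunk manages without, so either both tests need to wait for sshd to start accepting connections or neither does; a fixed sleep is the classic source of a flaky negative test on slow CI. If sshd is not listening yet, `Net::SSH.start` raises `Errno::ECONNREFUSED` rather than `Net::SSH::HostKeyMismatch`, and the `assert_raises` fails for a reason unrelated to host-key verification. I would drop the sleep if `start_sshd_7_or_later` already waits for the port (its body is not visible here), and otherwise give both tests the same bounded retry on `Errno::ECONNREFUSED` inside the `Timeout.timeout(100)` block. The test method starts in this hunk but its closing `end` is outside it.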