Fix: if the client knows CA key, it should send host key algo proposa…

…l for certificates (hierynomus#733) * Fix: if the client knows CA key, it should send host key algo proposal for certificates * Run specific SSH server in KeyWithCertificateSpec Required to verify the case with wrong host key algorithm proposals. See hierynomus#733 * Split KeyWithCertificateSpec into HostKeyWithCertificateSpec and PublicKeyAuthWithCertificateSpec Prevents from starting unnecessary SSHD containers, making the tests run a bit faster when they are launched separately.
vladimirlagunov · Nov 10, 2021 · 7c14098 · 7c14098
1 parent d5805a6
commit 7c14098
Show file tree

Hide file tree

Showing 5 changed files with 168 additions and 232 deletions.
diff --git a/src/itest/docker-image/test-container/sshd_config b/src/itest/docker-image/test-container/sshd_config
diff --git a/src/itest/groovy/com/hierynomus/sshj/SshdContainer.java b/src/itest/groovy/com/hierynomus/sshj/SshdContainer.java
@@ -32,11 +32,79 @@
  * A JUnit4 rule for launching a generic SSH server container.
  */
 public class SshdContainer extends GenericContainer<SshdContainer> {
+    public static class Builder {
+        public static final String DEFAULT_SSHD_CONFIG = "" +
+                "PermitRootLogin yes\n" +
+                "AuthorizedKeysFile .ssh/authorized_keys\n" +
+                "Subsystem sftp /usr/lib/ssh/sftp-server\n" +
+                "KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha1\n" +
+                "macs umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com\n" +
+                "TrustedUserCAKeys /etc/ssh/trusted_ca_keys\n" +
+                "Ciphers 3des-cbc,blowfish-cbc,aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com\n" +
+                "HostKey /etc/ssh/ssh_host_rsa_key\n" +
+                "HostKey /etc/ssh/ssh_host_dsa_key\n" +
+                "HostKey /etc/ssh/ssh_host_ecdsa_key\n" +
+                "HostKey /etc/ssh/ssh_host_ed25519_key\n" +
+                "HostKey /etc/ssh/ssh_host_ecdsa_256_key\n" +
+                "HostCertificate /etc/ssh/ssh_host_ecdsa_256_key-cert.pub\n" +
+                "HostKey /etc/ssh/ssh_host_ecdsa_384_key\n" +
+                "HostCertificate /etc/ssh/ssh_host_ecdsa_384_key-cert.pub\n" +
+                "HostKey /etc/ssh/ssh_host_ecdsa_521_key\n" +
+                "HostCertificate /etc/ssh/ssh_host_ecdsa_521_key-cert.pub\n" +
+                "HostKey /etc/ssh/ssh_host_ed25519_384_key\n" +
+                "HostCertificate /etc/ssh/ssh_host_ed25519_384_key-cert.pub\n" +
+                "HostKey /etc/ssh/ssh_host_rsa_2048_key\n" +
+                "HostCertificate /etc/ssh/ssh_host_rsa_2048_key-cert.pub\n" +
+                "LogLevel DEBUG2\n";
+
+        public static void defaultDockerfileBuilder(@NotNull DockerfileBuilder builder) {
+            builder.from("sickp/alpine-sshd:7.5-r2");
+
+            builder.add("authorized_keys", "/home/sshj/.ssh/authorized_keys");
+
+            builder.add("test-container/ssh_host_ecdsa_key", "/etc/ssh/ssh_host_ecdsa_key");
+            builder.add("test-container/ssh_host_ecdsa_key.pub", "/etc/ssh/ssh_host_ecdsa_key.pub");
+            builder.add("test-container/ssh_host_ed25519_key", "/etc/ssh/ssh_host_ed25519_key");
+            builder.add("test-container/ssh_host_ed25519_key.pub", "/etc/ssh/ssh_host_ed25519_key.pub");
+            builder.copy("test-container/trusted_ca_keys", "/etc/ssh/trusted_ca_keys");
+            builder.copy("test-container/host_keys/*", "/etc/ssh/");
+
+            builder.run("apk add --no-cache tini"
+                    + " && echo \"root:smile\" | chpasswd"
+                    + " && adduser -D -s /bin/ash sshj"
+                    + " && passwd -u sshj"
+                    + " && echo \"sshj:ultrapassword\" | chpasswd"
+                    + " && chmod 600 /home/sshj/.ssh/authorized_keys"
+                    + " && chmod 600 /etc/ssh/ssh_host_*_key"
+                    + " && chmod 644 /etc/ssh/*.pub"
+                    + " && chown -R sshj:sshj /home/sshj");
+            builder.entryPoint("/sbin/tini", "/entrypoint.sh", "-o", "LogLevel=DEBUG2");
+
+            builder.add("sshd_config", "/etc/ssh/sshd_config");
+        }
+
+        private @NotNull String sshdConfig = DEFAULT_SSHD_CONFIG;
+
+        public @NotNull Builder withSshdConfig(@NotNull String sshdConfig) {
+            this.sshdConfig = sshdConfig;
+            return this;
+        }
+
+        public @NotNull SshdContainer build() {
+            return new SshdContainer(buildInner());
+        }
+
+        private @NotNull Future<String> buildInner() {
+            return new ImageFromDockerfile()
+                    .withDockerfileFromBuilder(Builder::defaultDockerfileBuilder)
+                    .withFileFromPath(".", Paths.get("src/itest/docker-image"))
+                    .withFileFromString("sshd_config", sshdConfig);
+        }
+    }
+
     @SuppressWarnings("unused")  // Used dynamically by Spock
     public SshdContainer() {
-        this(new ImageFromDockerfile()
-                .withDockerfileFromBuilder(SshdContainer::defaultDockerfileBuilder)
-                .withFileFromPath(".", Paths.get("src/itest/docker-image")));
+        this(new SshdContainer.Builder().buildInner());
     }
 
     public SshdContainer(@NotNull Future<String> future) {
@@ -45,31 +113,6 @@ public SshdContainer(@NotNull Future<String> future) {
         setWaitStrategy(new SshServerWaitStrategy());
     }
 
-    public static void defaultDockerfileBuilder(@NotNull DockerfileBuilder builder) {
-        builder.from("sickp/alpine-sshd:7.5-r2");
-
-        builder.add("authorized_keys", "/home/sshj/.ssh/authorized_keys");
-
-        builder.add("test-container/ssh_host_ecdsa_key", "/etc/ssh/ssh_host_ecdsa_key");
-        builder.add("test-container/ssh_host_ecdsa_key.pub", "/etc/ssh/ssh_host_ecdsa_key.pub");
-        builder.add("test-container/ssh_host_ed25519_key", "/etc/ssh/ssh_host_ed25519_key");
-        builder.add("test-container/ssh_host_ed25519_key.pub", "/etc/ssh/ssh_host_ed25519_key.pub");
-        builder.add("test-container/sshd_config", "/etc/ssh/sshd_config");
-        builder.copy("test-container/trusted_ca_keys", "/etc/ssh/trusted_ca_keys");
-        builder.copy("test-container/host_keys/*", "/etc/ssh/");
-
-        builder.run("apk add --no-cache tini"
-                + " && echo \"root:smile\" | chpasswd"
-                + " && adduser -D -s /bin/ash sshj"
-                + " && passwd -u sshj"
-                + " && echo \"sshj:ultrapassword\" | chpasswd"
-                + " && chmod 600 /home/sshj/.ssh/authorized_keys"
-                + " && chmod 600 /etc/ssh/ssh_host_*_key"
-                + " && chmod 644 /etc/ssh/*.pub"
-                + " && chown -R sshj:sshj /home/sshj");
-        builder.entryPoint("/sbin/tini", "/entrypoint.sh", "-o", "LogLevel=DEBUG2");
-    }
-
     public SSHClient getConnectedClient(Config config) throws IOException {
         SSHClient sshClient = new SSHClient(config);
         sshClient.addHostKeyVerifier(new PromiscuousVerifier());

diff --git a/src/itest/groovy/com/hierynomus/sshj/signature/HostKeyWithCertificateSpec.groovy b/src/itest/groovy/com/hierynomus/sshj/signature/HostKeyWithCertificateSpec.groovy
@@ -0,0 +1,83 @@
+/*
+ * Copyright (C)2009 - SSHJ Contributors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.hierynomus.sshj.signature
+
+import com.hierynomus.sshj.SshdContainer
+import net.schmizz.sshj.DefaultConfig
+import net.schmizz.sshj.SSHClient
+import net.schmizz.sshj.transport.verification.OpenSSHKnownHosts
+import spock.lang.Specification
+import spock.lang.Unroll
+
+import java.nio.file.Files
+
+/**
+ * This is a brief test for verifying connection to a server using keys with certificates.
+ *
+ * Also, take a look at the unit test {@link net.schmizz.sshj.transport.verification.KeyWithCertificateUnitSpec}.
+ */
+class HostKeyWithCertificateSpec extends Specification {
+    @Unroll
+    def "accepting a signed host public key #hostKey"() {
+        given:
+        SshdContainer sshd = new SshdContainer.Builder()
+            .withSshdConfig("""
+                PasswordAuthentication yes
+                HostKey /etc/ssh/$hostKey
+                HostCertificate /etc/ssh/${hostKey}-cert.pub
+                """.stripMargin())
+            .build()
+        sshd.start()
+
+        and:
+        File knownHosts = Files.createTempFile("known_hosts", "").toFile()
+        knownHosts.deleteOnExit()
+
+        and:
+        File caPubKey = new File("src/itest/resources/keyfiles/certificates/CA_rsa.pem.pub")
+        def address = "127.0.0.1"
+        String knownHostsFileContents = "" +
+                "@cert-authority ${ address} ${caPubKey.text}" +
+                "\n@cert-authority [${address}]:${sshd.firstMappedPort} ${caPubKey.text}"
+        knownHosts.write(knownHostsFileContents)
+
+        and:
+        SSHClient sshClient = new SSHClient(new DefaultConfig())
+        sshClient.addHostKeyVerifier(new OpenSSHKnownHosts(knownHosts))
+        sshClient.connect(address, sshd.firstMappedPort)
+
+        when:
+        sshClient.authPassword("sshj", "ultrapassword")
+
+        then:
+        sshClient.authenticated
+
+        and:
+        knownHosts.getText() == knownHostsFileContents
+
+        cleanup:
+        sshd.stop()
+
+        where:
+        hostKey << [
+                "ssh_host_ecdsa_256_key",
+                "ssh_host_ecdsa_384_key",
+                "ssh_host_ecdsa_521_key",
+                "ssh_host_ed25519_384_key",
+                "ssh_host_rsa_2048_key",
+        ]
+    }
+}