From 330cb7b513575a3d7e1956276b52ecd2cda25d95 Mon Sep 17 00:00:00 2001 From: Jameson Graef Rollins Date: Mon, 27 Oct 2008 14:57:27 -0400 Subject: extend test suite to check for authentication denial when authorized_user_ids has been removed. --- tests/basic | 52 +++++++++++++++++++++++++++++++++-------- tests/home/testuser/.ssh/config | 1 + 2 files changed, 43 insertions(+), 10 deletions(-) (limited to 'tests') diff --git a/tests/basic b/tests/basic index 2befac2..46ba63c 100755 --- a/tests/basic +++ b/tests/basic @@ -19,15 +19,28 @@ gpgadmin() { GNUPGHOME="$TEMPDIR"/admin/.gnupg gpg "$@" } +launch_sshd() { + socat EXEC:"/usr/sbin/sshd -f ${SSHD_CONFIG} -i -D -e" "UNIX-LISTEN:${SOCKET}" 2> "$TEMPDIR"/sshd.log & + export SSHD_PID=$! + + while [ ! -S "$SOCKET" ] ; do + sleep 1 + done +} + +ssh_test() { + ssh-agent bash -c \ + "monkeysphere subkey-to-ssh-agent && ssh -F $TEMPDIR/testuser/.ssh/config testhost true" +} + failed_cleanup() { -# FIXME: can we be more verbose here? - echo 'FAILED!' - read -p "press enter to cleanup and remove tmp:" + # FIXME: can we be more verbose here? + echo 'FAILED!' + read -p "press enter to cleanup and remove tmp:" - cleanup + cleanup } -# cleanup: cleanup() { if ( ps "$SSHD_PID" >/dev/null ) ; then echo "### stopping still-running sshd..." @@ -66,7 +79,7 @@ export MONKEYSPHERE_SYSSHAREDIR="$TESTDIR"/../src export MONKEYSPHERE_MONKEYSPHERE_USER="$USER" export MONKEYSPHERE_CHECK_KEYSERVER=false -SSHD_CONFIG="$TEMPDIR"/sshd_config +export SSHD_CONFIG="$TEMPDIR"/sshd_config export SOCKET="$TEMPDIR"/ssh-socket # copy in admin and testuser home to tmp @@ -132,8 +145,7 @@ EOF # launch test sshd with the new host key. echo "### starting sshd..." -socat EXEC:"/usr/sbin/sshd -f ${SSHD_CONFIG} -i -D -e" "UNIX-LISTEN:${SOCKET}" 2> "$TEMPDIR"/sshd.log & -export SSHD_PID=$! +launch_sshd ### TESTUSER TESTS @@ -158,9 +170,29 @@ monkeysphere-server update-users "$USER" # connect to test sshd, using monkeysphere-ssh-proxycommand to verify # the identity before connection. This should work in both directions! echo "### testuser connecting to sshd socket..." +ssh_test -ssh-agent bash -c \ - "monkeysphere subkey-to-ssh-agent && ssh -F $TEMPDIR/testuser/.ssh/config testhost true" +# kill the previous sshd process if it's still running +kill "$SSHD_PID" + +# now remove the testuser's authorized_user_ids file and reupdate +# authorized_keys file... +echo "### removing testuser authorized_user_ids and reupdating authorized_keys..." +rm -f "$TEMPDIR"/testuser/.monkeysphere/authorized_user_ids +monkeysphere-server update-users "$USER" + +# restart the sshd +echo "### restarting sshd..." +launch_sshd + +# and make sure the user can no longer connect +echo "### testuser attempting to connect to sshd socket..." +# FIXME: this prompts for the passphrase for the default identity +# file. how can this be avoided? +ssh_test || SSH_RETURN="$?" +if [ "$SSH_RETURN" != '255' ] ; then + exit +fi trap - EXIT diff --git a/tests/home/testuser/.ssh/config b/tests/home/testuser/.ssh/config index 1da2344..ab1efa6 100644 --- a/tests/home/testuser/.ssh/config +++ b/tests/home/testuser/.ssh/config @@ -1,5 +1,6 @@ # ssh config file for testuser for monkeysphere test suite. Host * +ChallengeResponseAuthentication no PasswordAuthentication no KbdInteractiveAuthentication no RSAAuthentication no -- cgit v1.2.3