2 #***************************************************************************
4 # Project ___| | | | _ \| |
6 # | (__| |_| | _ <| |___
7 # \___|\___/|_| \_\_____|
9 # Copyright (C) 1998 - 2011, 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
11 # This software is licensed as described in the file COPYING, which
12 # you should have received as part of this distribution. The terms
13 # are also available at http://curl.haxx.se/docs/copyright.html.
15 # You may opt to use, copy, modify, merge, publish, distribute and/or sell
16 # copies of the Software, and permit persons to whom the Software is
17 # furnished to do so, under the terms of the COPYING file.
19 # This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
20 # KIND, either express or implied.
22 #***************************************************************************
24 # Starts sshd for use in the SCP, SFTP and SOCKS curl test harness tests.
25 # Also creates the ssh configuration files needed for these tests.
31 #***************************************************************************
32 # Variables and subs imported from sshhelp module
68 #***************************************************************************
69 # Subs imported from serverhelp module
77 #***************************************************************************
79 my $verbose = 0; # set to 1 for debugging
80 my $debugprotocol = 0; # set to 1 for protocol debugging
81 my $port = 8999; # our default SCP/SFTP server port
82 my $socksport = $port + 1; # our default SOCKS4/5 server port
83 my $listenaddr = '127.0.0.1'; # default address on which to listen
84 my $ipvnum = 4; # default IP version of listener address
85 my $idnum = 1; # dafault ssh daemon instance number
86 my $proto = 'ssh'; # protocol the ssh daemon speaks
87 my $path = getcwd(); # current working directory
88 my $logdir = $path .'/log'; # directory for log files
89 my $username = $ENV{USER}; # default user
90 my $pidfile; # ssh daemon pid file
96 #***************************************************************************
97 # Parse command line options
100 if($ARGV[0] eq '--verbose') {
103 elsif($ARGV[0] eq '--debugprotocol') {
107 elsif($ARGV[0] eq '--user') {
109 $username = $ARGV[1];
113 elsif($ARGV[0] eq '--id') {
115 if($ARGV[1] =~ /^(\d+)$/) {
116 $idnum = $1 if($1 > 0);
121 elsif($ARGV[0] eq '--ipv4') {
123 $listenaddr = '127.0.0.1' if($listenaddr eq '::1');
125 elsif($ARGV[0] eq '--ipv6') {
127 $listenaddr = '::1' if($listenaddr eq '127.0.0.1');
129 elsif($ARGV[0] eq '--addr') {
131 my $tmpstr = $ARGV[1];
132 if($tmpstr =~ /^(\d\d?\d?)\.(\d\d?\d?)\.(\d\d?\d?)\.(\d\d?\d?)$/) {
133 $listenaddr = "$1.$2.$3.$4" if($ipvnum == 4);
136 elsif($ipvnum == 6) {
137 $listenaddr = $tmpstr;
138 $listenaddr =~ s/^\[(.*)\]$/$1/;
143 elsif($ARGV[0] eq '--pidfile') {
145 $pidfile = "$path/". $ARGV[1];
149 elsif($ARGV[0] eq '--sshport') {
151 if($ARGV[1] =~ /^(\d+)$/) {
157 elsif($ARGV[0] eq '--socksport') {
159 if($ARGV[1] =~ /^(\d+)$/) {
166 print STDERR "\nWarning: sshserver.pl unknown parameter: $ARGV[0]\n";
172 #***************************************************************************
173 # Default ssh daemon pid file name
176 $pidfile = "$path/". server_pidfilename($proto, $ipvnum, $idnum);
180 #***************************************************************************
181 # ssh, socks and sftp server log file names
183 $sshdlog = server_logfilename($logdir, 'ssh', $ipvnum, $idnum);
184 $sftplog = server_logfilename($logdir, 'sftp', $ipvnum, $idnum);
185 $sshlog = server_logfilename($logdir, 'socks', $ipvnum, $idnum);
188 #***************************************************************************
189 # Logging level for ssh server and client
191 my $loglevel = $debugprotocol?'DEBUG3':'DEBUG2';
194 #***************************************************************************
198 $error = 'Will not run ssh server without a user name';
200 elsif($username eq 'root') {
201 $error = 'Will not run ssh server as root to mitigate security risks';
209 #***************************************************************************
210 # Find out ssh daemon canonical file name
212 my $sshd = find_sshd();
214 logmsg "cannot find $sshdexe";
219 #***************************************************************************
220 # Find out ssh daemon version info
222 my ($sshdid, $sshdvernum, $sshdverstr, $sshderror) = sshversioninfo($sshd);
224 # Not an OpenSSH or SunSSH ssh daemon
225 logmsg $sshderror if($verbose);
226 logmsg 'SCP, SFTP and SOCKS tests require OpenSSH 2.9.9 or later';
229 logmsg "ssh server found $sshd is $sshdverstr" if($verbose);
232 #***************************************************************************
233 # ssh daemon command line options we might use and version support
235 # -e: log stderr : OpenSSH 2.9.0 and later
236 # -f: sshd config file : OpenSSH 1.2.1 and later
237 # -D: no daemon forking : OpenSSH 2.5.0 and later
238 # -o: command-line option : OpenSSH 3.1.0 and later
239 # -t: test config file : OpenSSH 2.9.9 and later
240 # -?: sshd version info : OpenSSH 1.2.1 and later
242 # -e: log stderr : SunSSH 1.0.0 and later
243 # -f: sshd config file : SunSSH 1.0.0 and later
244 # -D: no daemon forking : SunSSH 1.0.0 and later
245 # -o: command-line option : SunSSH 1.0.0 and later
246 # -t: test config file : SunSSH 1.0.0 and later
247 # -?: sshd version info : SunSSH 1.0.0 and later
250 #***************************************************************************
251 # Verify minimum ssh daemon version
253 if((($sshdid =~ /OpenSSH/) && ($sshdvernum < 299)) ||
254 (($sshdid =~ /SunSSH/) && ($sshdvernum < 100))) {
255 logmsg 'SCP, SFTP and SOCKS tests require OpenSSH 2.9.9 or later';
260 #***************************************************************************
261 # Find out sftp server plugin canonical file name
263 my $sftpsrv = find_sftpsrv();
265 logmsg "cannot find $sftpsrvexe";
268 logmsg "sftp server plugin found $sftpsrv" if($verbose);
271 #***************************************************************************
272 # Find out sftp client canonical file name
274 my $sftp = find_sftp();
276 logmsg "cannot find $sftpexe";
279 logmsg "sftp client found $sftp" if($verbose);
282 #***************************************************************************
283 # Find out ssh keygen canonical file name
285 my $sshkeygen = find_sshkeygen();
287 logmsg "cannot find $sshkeygenexe";
290 logmsg "ssh keygen found $sshkeygen" if($verbose);
293 #***************************************************************************
294 # Find out ssh client canonical file name
296 my $ssh = find_ssh();
298 logmsg "cannot find $sshexe";
303 #***************************************************************************
304 # Find out ssh client version info
306 my ($sshid, $sshvernum, $sshverstr, $ssherror) = sshversioninfo($ssh);
308 # Not an OpenSSH or SunSSH ssh client
309 logmsg $ssherror if($verbose);
310 logmsg 'SCP, SFTP and SOCKS tests require OpenSSH 2.9.9 or later';
313 logmsg "ssh client found $ssh is $sshverstr" if($verbose);
316 #***************************************************************************
317 # ssh client command line options we might use and version support
319 # -D: dynamic app port forwarding : OpenSSH 2.9.9 and later
320 # -F: ssh config file : OpenSSH 2.9.9 and later
321 # -N: no shell/command : OpenSSH 2.1.0 and later
322 # -p: connection port : OpenSSH 1.2.1 and later
323 # -v: verbose messages : OpenSSH 1.2.1 and later
324 # -vv: increase verbosity : OpenSSH 2.3.0 and later
325 # -V: ssh version info : OpenSSH 1.2.1 and later
327 # -D: dynamic app port forwarding : SunSSH 1.0.0 and later
328 # -F: ssh config file : SunSSH 1.0.0 and later
329 # -N: no shell/command : SunSSH 1.0.0 and later
330 # -p: connection port : SunSSH 1.0.0 and later
331 # -v: verbose messages : SunSSH 1.0.0 and later
332 # -vv: increase verbosity : SunSSH 1.0.0 and later
333 # -V: ssh version info : SunSSH 1.0.0 and later
336 #***************************************************************************
337 # Verify minimum ssh client version
339 if((($sshid =~ /OpenSSH/) && ($sshvernum < 299)) ||
340 (($sshid =~ /SunSSH/) && ($sshvernum < 100))) {
341 logmsg 'SCP, SFTP and SOCKS tests require OpenSSH 2.9.9 or later';
346 #***************************************************************************
347 # ssh keygen command line options we actually use and version support
349 # -C: identity comment : OpenSSH 1.2.1 and later
350 # -f: key filename : OpenSSH 1.2.1 and later
351 # -N: new passphrase : OpenSSH 1.2.1 and later
352 # -q: quiet keygen : OpenSSH 1.2.1 and later
353 # -t: key type : OpenSSH 2.5.0 and later
355 # -C: identity comment : SunSSH 1.0.0 and later
356 # -f: key filename : SunSSH 1.0.0 and later
357 # -N: new passphrase : SunSSH 1.0.0 and later
358 # -q: quiet keygen : SunSSH 1.0.0 and later
359 # -t: key type : SunSSH 1.0.0 and later
362 #***************************************************************************
363 # Generate host and client key files for curl's tests
365 if((! -e $hstprvkeyf) || (! -s $hstprvkeyf) ||
366 (! -e $hstpubkeyf) || (! -s $hstpubkeyf) ||
367 (! -e $cliprvkeyf) || (! -s $cliprvkeyf) ||
368 (! -e $clipubkeyf) || (! -s $clipubkeyf)) {
369 # Make sure all files are gone so ssh-keygen doesn't complain
370 unlink($hstprvkeyf, $hstpubkeyf, $cliprvkeyf, $clipubkeyf);
371 logmsg 'generating host keys...' if($verbose);
372 if(system "$sshkeygen -q -t dsa -f $hstprvkeyf -C 'curl test server' -N ''") {
373 logmsg 'Could not generate host key';
376 logmsg 'generating client keys...' if($verbose);
377 if(system "$sshkeygen -q -t dsa -f $cliprvkeyf -C 'curl test client' -N ''") {
378 logmsg 'Could not generate client key';
384 #***************************************************************************
385 # ssh daemon configuration file options we might use and version support
387 # AFSTokenPassing : OpenSSH 1.2.1 and later [1]
388 # AcceptEnv : OpenSSH 3.9.0 and later
389 # AddressFamily : OpenSSH 4.0.0 and later
390 # AllowGroups : OpenSSH 1.2.1 and later
391 # AllowTcpForwarding : OpenSSH 2.3.0 and later
392 # AllowUsers : OpenSSH 1.2.1 and later
393 # AuthorizedKeysFile : OpenSSH 2.9.9 and later
394 # AuthorizedKeysFile2 : OpenSSH 2.9.9 and later
395 # Banner : OpenSSH 2.5.0 and later
396 # ChallengeResponseAuthentication : OpenSSH 2.5.0 and later
397 # Ciphers : OpenSSH 2.1.0 and later [3]
398 # ClientAliveCountMax : OpenSSH 2.9.0 and later
399 # ClientAliveInterval : OpenSSH 2.9.0 and later
400 # Compression : OpenSSH 3.3.0 and later
401 # DenyGroups : OpenSSH 1.2.1 and later
402 # DenyUsers : OpenSSH 1.2.1 and later
403 # ForceCommand : OpenSSH 4.4.0 and later [3]
404 # GatewayPorts : OpenSSH 2.1.0 and later
405 # GSSAPIAuthentication : OpenSSH 3.7.0 and later [1]
406 # GSSAPICleanupCredentials : OpenSSH 3.8.0 and later [1]
407 # GSSAPIKeyExchange : SunSSH 1.0.0 and later [1]
408 # GSSAPIStoreDelegatedCredentials : SunSSH 1.0.0 and later [1]
409 # GSSCleanupCreds : SunSSH 1.0.0 and later [1]
410 # GSSUseSessionCredCache : SunSSH 1.0.0 and later [1]
411 # HostbasedAuthentication : OpenSSH 2.9.0 and later
412 # HostbasedUsesNameFromPacketOnly : OpenSSH 2.9.0 and later
413 # HostKey : OpenSSH 1.2.1 and later
414 # IgnoreRhosts : OpenSSH 1.2.1 and later
415 # IgnoreUserKnownHosts : OpenSSH 1.2.1 and later
416 # KbdInteractiveAuthentication : OpenSSH 2.3.0 and later
417 # KeepAlive : OpenSSH 1.2.1 and later
418 # KerberosAuthentication : OpenSSH 1.2.1 and later [1]
419 # KerberosGetAFSToken : OpenSSH 3.8.0 and later [1]
420 # KerberosOrLocalPasswd : OpenSSH 1.2.1 and later [1]
421 # KerberosTgtPassing : OpenSSH 1.2.1 and later [1]
422 # KerberosTicketCleanup : OpenSSH 1.2.1 and later [1]
423 # KeyRegenerationInterval : OpenSSH 1.2.1 and later
424 # ListenAddress : OpenSSH 1.2.1 and later
425 # LoginGraceTime : OpenSSH 1.2.1 and later
426 # LogLevel : OpenSSH 1.2.1 and later
427 # LookupClientHostnames : SunSSH 1.0.0 and later
428 # MACs : OpenSSH 2.5.0 and later [3]
429 # Match : OpenSSH 4.4.0 and later [3]
430 # MaxAuthTries : OpenSSH 3.9.0 and later
431 # MaxStartups : OpenSSH 2.2.0 and later
432 # PAMAuthenticationViaKbdInt : OpenSSH 2.9.0 and later [2]
433 # PasswordAuthentication : OpenSSH 1.2.1 and later
434 # PermitEmptyPasswords : OpenSSH 1.2.1 and later
435 # PermitOpen : OpenSSH 4.4.0 and later [3]
436 # PermitRootLogin : OpenSSH 1.2.1 and later
437 # PermitTunnel : OpenSSH 4.3.0 and later
438 # PermitUserEnvironment : OpenSSH 3.5.0 and later
439 # PidFile : OpenSSH 2.1.0 and later
440 # Port : OpenSSH 1.2.1 and later
441 # PrintLastLog : OpenSSH 2.9.0 and later
442 # PrintMotd : OpenSSH 1.2.1 and later
443 # Protocol : OpenSSH 2.1.0 and later
444 # PubkeyAuthentication : OpenSSH 2.5.0 and later
445 # RhostsAuthentication : OpenSSH 1.2.1 and later
446 # RhostsRSAAuthentication : OpenSSH 1.2.1 and later
447 # RSAAuthentication : OpenSSH 1.2.1 and later
448 # ServerKeyBits : OpenSSH 1.2.1 and later
449 # SkeyAuthentication : OpenSSH 1.2.1 and later [1]
450 # StrictModes : OpenSSH 1.2.1 and later
451 # Subsystem : OpenSSH 2.2.0 and later
452 # SyslogFacility : OpenSSH 1.2.1 and later
453 # TCPKeepAlive : OpenSSH 3.8.0 and later
454 # UseDNS : OpenSSH 3.7.0 and later
455 # UseLogin : OpenSSH 1.2.1 and later
456 # UsePAM : OpenSSH 3.7.0 and later [1][2]
457 # UsePrivilegeSeparation : OpenSSH 3.2.2 and later
458 # VerifyReverseMapping : OpenSSH 3.1.0 and later
459 # X11DisplayOffset : OpenSSH 1.2.1 and later [3]
460 # X11Forwarding : OpenSSH 1.2.1 and later
461 # X11UseLocalhost : OpenSSH 3.1.0 and later
462 # XAuthLocation : OpenSSH 2.1.1 and later [3]
464 # [1] Option only available if activated at compile time
465 # [2] Option specific for portable versions
466 # [3] Option not used in our ssh server config file
469 #***************************************************************************
470 # Initialize sshd config with options actually supported in OpenSSH 2.9.9
472 logmsg 'generating ssh server config file...' if($verbose);
474 push @cfgarr, '# This is a generated file. Do not edit.';
475 push @cfgarr, "# $sshdverstr sshd configuration file for curl testing";
477 push @cfgarr, "DenyUsers !$username";
478 push @cfgarr, "AllowUsers $username";
479 push @cfgarr, 'DenyGroups';
480 push @cfgarr, 'AllowGroups';
482 push @cfgarr, "AuthorizedKeysFile $path/$clipubkeyf";
483 push @cfgarr, "AuthorizedKeysFile2 $path/$clipubkeyf";
484 push @cfgarr, "HostKey $path/$hstprvkeyf";
485 push @cfgarr, "PidFile $pidfile";
487 push @cfgarr, "Port $port";
488 push @cfgarr, "ListenAddress $listenaddr";
489 push @cfgarr, 'Protocol 2';
491 push @cfgarr, 'AllowTcpForwarding yes';
492 push @cfgarr, 'Banner none';
493 push @cfgarr, 'ChallengeResponseAuthentication no';
494 push @cfgarr, 'ClientAliveCountMax 3';
495 push @cfgarr, 'ClientAliveInterval 0';
496 push @cfgarr, 'GatewayPorts no';
497 push @cfgarr, 'HostbasedAuthentication no';
498 push @cfgarr, 'HostbasedUsesNameFromPacketOnly no';
499 push @cfgarr, 'IgnoreRhosts yes';
500 push @cfgarr, 'IgnoreUserKnownHosts yes';
501 push @cfgarr, 'KeyRegenerationInterval 0';
502 push @cfgarr, 'LoginGraceTime 30';
503 push @cfgarr, "LogLevel $loglevel";
504 push @cfgarr, 'MaxStartups 5';
505 push @cfgarr, 'PasswordAuthentication no';
506 push @cfgarr, 'PermitEmptyPasswords no';
507 push @cfgarr, 'PermitRootLogin no';
508 push @cfgarr, 'PrintLastLog no';
509 push @cfgarr, 'PrintMotd no';
510 push @cfgarr, 'PubkeyAuthentication yes';
511 push @cfgarr, 'RhostsRSAAuthentication no';
512 push @cfgarr, 'RSAAuthentication no';
513 push @cfgarr, 'ServerKeyBits 768';
514 push @cfgarr, 'StrictModes no';
515 push @cfgarr, "Subsystem sftp $sftpsrv";
516 push @cfgarr, 'SyslogFacility AUTH';
517 push @cfgarr, 'UseLogin no';
518 push @cfgarr, 'X11Forwarding no';
522 #***************************************************************************
523 # Write out initial sshd configuration file for curl's tests
525 $error = dump_array($sshdconfig, @cfgarr);
532 #***************************************************************************
533 # Verifies at run time if sshd supports a given configuration file option
535 sub sshd_supports_opt {
536 my ($option, $value) = @_;
539 if((($sshdid =~ /OpenSSH/) && ($sshdvernum >= 310)) ||
540 ($sshdid =~ /SunSSH/)) {
541 # ssh daemon supports command line options -t -f and -o
542 $err = grep /((Unsupported)|(Bad configuration)|(Deprecated)) option.*$option/,
543 qx($sshd -t -f $sshdconfig -o $option=$value 2>&1);
546 if(($sshdid =~ /OpenSSH/) && ($sshdvernum >= 299)) {
547 # ssh daemon supports command line options -t and -f
548 $err = dump_array($sshdconfig, (@cfgarr, "$option $value"));
553 $err = grep /((Unsupported)|(Bad configuration)|(Deprecated)) option.*$option/,
554 qx($sshd -t -f $sshdconfig 2>&1);
562 #***************************************************************************
563 # Kerberos Authentication support may have not been built into sshd
565 if(sshd_supports_opt('KerberosAuthentication','no')) {
566 push @cfgarr, 'KerberosAuthentication no';
568 if(sshd_supports_opt('KerberosGetAFSToken','no')) {
569 push @cfgarr, 'KerberosGetAFSToken no';
571 if(sshd_supports_opt('KerberosOrLocalPasswd','no')) {
572 push @cfgarr, 'KerberosOrLocalPasswd no';
574 if(sshd_supports_opt('KerberosTgtPassing','no')) {
575 push @cfgarr, 'KerberosTgtPassing no';
577 if(sshd_supports_opt('KerberosTicketCleanup','yes')) {
578 push @cfgarr, 'KerberosTicketCleanup yes';
582 #***************************************************************************
583 # Andrew File System support may have not been built into sshd
585 if(sshd_supports_opt('AFSTokenPassing','no')) {
586 push @cfgarr, 'AFSTokenPassing no';
590 #***************************************************************************
591 # S/Key authentication support may have not been built into sshd
593 if(sshd_supports_opt('SkeyAuthentication','no')) {
594 push @cfgarr, 'SkeyAuthentication no';
598 #***************************************************************************
599 # GSSAPI Authentication support may have not been built into sshd
601 my $sshd_builtwith_GSSAPI;
602 if(sshd_supports_opt('GSSAPIAuthentication','no')) {
603 push @cfgarr, 'GSSAPIAuthentication no';
604 $sshd_builtwith_GSSAPI = 1;
606 if(sshd_supports_opt('GSSAPICleanupCredentials','yes')) {
607 push @cfgarr, 'GSSAPICleanupCredentials yes';
609 if(sshd_supports_opt('GSSAPIKeyExchange','no')) {
610 push @cfgarr, 'GSSAPIKeyExchange no';
612 if(sshd_supports_opt('GSSAPIStoreDelegatedCredentials','no')) {
613 push @cfgarr, 'GSSAPIStoreDelegatedCredentials no';
615 if(sshd_supports_opt('GSSCleanupCreds','yes')) {
616 push @cfgarr, 'GSSCleanupCreds yes';
618 if(sshd_supports_opt('GSSUseSessionCredCache','no')) {
619 push @cfgarr, 'GSSUseSessionCredCache no';
624 #***************************************************************************
625 # Options that might be supported or not in sshd OpenSSH 2.9.9 and later
627 if(sshd_supports_opt('AcceptEnv','')) {
628 push @cfgarr, 'AcceptEnv';
630 if(sshd_supports_opt('AddressFamily','any')) {
631 # Address family must be specified before ListenAddress
632 splice @cfgarr, 14, 0, 'AddressFamily any';
634 if(sshd_supports_opt('Compression','no')) {
635 push @cfgarr, 'Compression no';
637 if(sshd_supports_opt('KbdInteractiveAuthentication','no')) {
638 push @cfgarr, 'KbdInteractiveAuthentication no';
640 if(sshd_supports_opt('KeepAlive','no')) {
641 push @cfgarr, 'KeepAlive no';
643 if(sshd_supports_opt('LookupClientHostnames','no')) {
644 push @cfgarr, 'LookupClientHostnames no';
646 if(sshd_supports_opt('MaxAuthTries','10')) {
647 push @cfgarr, 'MaxAuthTries 10';
649 if(sshd_supports_opt('PAMAuthenticationViaKbdInt','no')) {
650 push @cfgarr, 'PAMAuthenticationViaKbdInt no';
652 if(sshd_supports_opt('PermitTunnel','no')) {
653 push @cfgarr, 'PermitTunnel no';
655 if(sshd_supports_opt('PermitUserEnvironment','no')) {
656 push @cfgarr, 'PermitUserEnvironment no';
658 if(sshd_supports_opt('RhostsAuthentication','no')) {
659 push @cfgarr, 'RhostsAuthentication no';
661 if(sshd_supports_opt('TCPKeepAlive','no')) {
662 push @cfgarr, 'TCPKeepAlive no';
664 if(sshd_supports_opt('UseDNS','no')) {
665 push @cfgarr, 'UseDNS no';
667 if(sshd_supports_opt('UsePAM','no')) {
668 push @cfgarr, 'UsePAM no';
671 if($sshdid =~ /OpenSSH/) {
672 # http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6492415
673 if(sshd_supports_opt('UsePrivilegeSeparation','no')) {
674 push @cfgarr, 'UsePrivilegeSeparation no';
678 if(sshd_supports_opt('VerifyReverseMapping','no')) {
679 push @cfgarr, 'VerifyReverseMapping no';
681 if(sshd_supports_opt('X11UseLocalhost','yes')) {
682 push @cfgarr, 'X11UseLocalhost yes';
687 #***************************************************************************
688 # Write out resulting sshd configuration file for curl's tests
690 $error = dump_array($sshdconfig, @cfgarr);
697 #***************************************************************************
698 # Verify that sshd actually supports our generated configuration file
700 if(system "$sshd -t -f $sshdconfig > $sshdlog 2>&1") {
701 logmsg "sshd configuration file $sshdconfig failed verification";
703 display_sshdconfig();
708 #***************************************************************************
709 # Generate ssh client host key database file for curl's tests
711 if((! -e $knownhosts) || (! -s $knownhosts)) {
712 logmsg 'generating ssh client known hosts file...' if($verbose);
714 if(open(DSAKEYFILE, "<$hstpubkeyf")) {
715 my @dsahostkey = do { local $/ = ' '; <DSAKEYFILE> };
716 if(close(DSAKEYFILE)) {
717 if(open(KNOWNHOSTS, ">$knownhosts")) {
718 print KNOWNHOSTS "$listenaddr ssh-dss $dsahostkey[1]\n";
719 if(!close(KNOWNHOSTS)) {
720 $error = "Error: cannot close file $knownhosts";
724 $error = "Error: cannot write file $knownhosts";
728 $error = "Error: cannot close file $hstpubkeyf";
732 $error = "Error: cannot read file $hstpubkeyf";
741 #***************************************************************************
742 # ssh client configuration file options we might use and version support
744 # AddressFamily : OpenSSH 3.7.0 and later
745 # BatchMode : OpenSSH 1.2.1 and later
746 # BindAddress : OpenSSH 2.9.9 and later
747 # ChallengeResponseAuthentication : OpenSSH 2.5.0 and later
748 # CheckHostIP : OpenSSH 1.2.1 and later
749 # Cipher : OpenSSH 1.2.1 and later [3]
750 # Ciphers : OpenSSH 2.1.0 and later [3]
751 # ClearAllForwardings : OpenSSH 2.9.9 and later
752 # Compression : OpenSSH 1.2.1 and later
753 # CompressionLevel : OpenSSH 1.2.1 and later [3]
754 # ConnectionAttempts : OpenSSH 1.2.1 and later
755 # ConnectTimeout : OpenSSH 3.7.0 and later
756 # ControlMaster : OpenSSH 3.9.0 and later
757 # ControlPath : OpenSSH 3.9.0 and later
758 # DisableBanner : SunSSH 1.2.0 and later
759 # DynamicForward : OpenSSH 2.9.0 and later
760 # EnableSSHKeysign : OpenSSH 3.6.0 and later
761 # EscapeChar : OpenSSH 1.2.1 and later [3]
762 # ExitOnForwardFailure : OpenSSH 4.4.0 and later
763 # ForwardAgent : OpenSSH 1.2.1 and later
764 # ForwardX11 : OpenSSH 1.2.1 and later
765 # ForwardX11Trusted : OpenSSH 3.8.0 and later
766 # GatewayPorts : OpenSSH 1.2.1 and later
767 # GlobalKnownHostsFile : OpenSSH 1.2.1 and later
768 # GSSAPIAuthentication : OpenSSH 3.7.0 and later [1]
769 # GSSAPIDelegateCredentials : OpenSSH 3.7.0 and later [1]
770 # HashKnownHosts : OpenSSH 4.0.0 and later
771 # Host : OpenSSH 1.2.1 and later
772 # HostbasedAuthentication : OpenSSH 2.9.0 and later
773 # HostKeyAlgorithms : OpenSSH 2.9.0 and later [3]
774 # HostKeyAlias : OpenSSH 2.5.0 and later [3]
775 # HostName : OpenSSH 1.2.1 and later
776 # IdentitiesOnly : OpenSSH 3.9.0 and later
777 # IdentityFile : OpenSSH 1.2.1 and later
778 # IgnoreIfUnknown : SunSSH 1.2.0 and later
779 # KeepAlive : OpenSSH 1.2.1 and later
780 # KbdInteractiveAuthentication : OpenSSH 2.3.0 and later
781 # KbdInteractiveDevices : OpenSSH 2.3.0 and later [3]
782 # LocalCommand : OpenSSH 4.3.0 and later [3]
783 # LocalForward : OpenSSH 1.2.1 and later [3]
784 # LogLevel : OpenSSH 1.2.1 and later
785 # MACs : OpenSSH 2.5.0 and later [3]
786 # NoHostAuthenticationForLocalhost : OpenSSH 3.0.0 and later
787 # NumberOfPasswordPrompts : OpenSSH 1.2.1 and later
788 # PasswordAuthentication : OpenSSH 1.2.1 and later
789 # PermitLocalCommand : OpenSSH 4.3.0 and later
790 # Port : OpenSSH 1.2.1 and later
791 # PreferredAuthentications : OpenSSH 2.5.2 and later
792 # Protocol : OpenSSH 2.1.0 and later
793 # ProxyCommand : OpenSSH 1.2.1 and later [3]
794 # PubkeyAuthentication : OpenSSH 2.5.0 and later
795 # RekeyLimit : OpenSSH 3.7.0 and later
796 # RemoteForward : OpenSSH 1.2.1 and later [3]
797 # RhostsRSAAuthentication : OpenSSH 1.2.1 and later
798 # RSAAuthentication : OpenSSH 1.2.1 and later
799 # SendEnv : OpenSSH 3.9.0 and later
800 # ServerAliveCountMax : OpenSSH 3.8.0 and later
801 # ServerAliveInterval : OpenSSH 3.8.0 and later
802 # SmartcardDevice : OpenSSH 2.9.9 and later [1][3]
803 # StrictHostKeyChecking : OpenSSH 1.2.1 and later
804 # TCPKeepAlive : OpenSSH 3.8.0 and later
805 # Tunnel : OpenSSH 4.3.0 and later
806 # TunnelDevice : OpenSSH 4.3.0 and later [3]
807 # UsePAM : OpenSSH 3.7.0 and later [1][2][3]
808 # UsePrivilegedPort : OpenSSH 1.2.1 and later
809 # User : OpenSSH 1.2.1 and later
810 # UserKnownHostsFile : OpenSSH 1.2.1 and later
811 # VerifyHostKeyDNS : OpenSSH 3.8.0 and later
812 # XAuthLocation : OpenSSH 2.1.1 and later [3]
814 # [1] Option only available if activated at compile time
815 # [2] Option specific for portable versions
816 # [3] Option not used in our ssh client config file
819 #***************************************************************************
820 # Initialize ssh config with options actually supported in OpenSSH 2.9.9
822 logmsg 'generating ssh client config file...' if($verbose);
824 push @cfgarr, '# This is a generated file. Do not edit.';
825 push @cfgarr, "# $sshverstr ssh client configuration file for curl testing";
827 push @cfgarr, 'Host *';
829 push @cfgarr, "Port $port";
830 push @cfgarr, "HostName $listenaddr";
831 push @cfgarr, "User $username";
832 push @cfgarr, 'Protocol 2';
834 push @cfgarr, "BindAddress $listenaddr";
835 push @cfgarr, "DynamicForward $socksport";
837 push @cfgarr, "IdentityFile $path/curl_client_key";
838 push @cfgarr, "UserKnownHostsFile $path/$knownhosts";
840 push @cfgarr, 'BatchMode yes';
841 push @cfgarr, 'ChallengeResponseAuthentication no';
842 push @cfgarr, 'CheckHostIP no';
843 push @cfgarr, 'ClearAllForwardings no';
844 push @cfgarr, 'Compression no';
845 push @cfgarr, 'ConnectionAttempts 3';
846 push @cfgarr, 'ForwardAgent no';
847 push @cfgarr, 'ForwardX11 no';
848 push @cfgarr, 'GatewayPorts no';
849 push @cfgarr, 'GlobalKnownHostsFile /dev/null';
850 push @cfgarr, 'HostbasedAuthentication no';
851 push @cfgarr, 'KbdInteractiveAuthentication no';
852 push @cfgarr, "LogLevel $loglevel";
853 push @cfgarr, 'NumberOfPasswordPrompts 0';
854 push @cfgarr, 'PasswordAuthentication no';
855 push @cfgarr, 'PreferredAuthentications publickey';
856 push @cfgarr, 'PubkeyAuthentication yes';
857 push @cfgarr, 'RhostsRSAAuthentication no';
858 push @cfgarr, 'RSAAuthentication no';
860 # Disabled StrictHostKeyChecking since it makes the tests fail on my
861 # OpenSSH_6.0p1 on Debian Linux / Daniel
862 push @cfgarr, 'StrictHostKeyChecking no';
863 push @cfgarr, 'UsePrivilegedPort no';
867 #***************************************************************************
868 # Options supported in ssh client newer than OpenSSH 2.9.9
871 if(($sshid =~ /OpenSSH/) && ($sshvernum >= 370)) {
872 push @cfgarr, 'AddressFamily any';
875 if((($sshid =~ /OpenSSH/) && ($sshvernum >= 370)) ||
876 (($sshid =~ /SunSSH/) && ($sshvernum >= 120))) {
877 push @cfgarr, 'ConnectTimeout 30';
880 if(($sshid =~ /OpenSSH/) && ($sshvernum >= 390)) {
881 push @cfgarr, 'ControlMaster no';
884 if(($sshid =~ /OpenSSH/) && ($sshvernum >= 420)) {
885 push @cfgarr, 'ControlPath none';
888 if(($sshid =~ /SunSSH/) && ($sshvernum >= 120)) {
889 push @cfgarr, 'DisableBanner yes';
892 if(($sshid =~ /OpenSSH/) && ($sshvernum >= 360)) {
893 push @cfgarr, 'EnableSSHKeysign no';
896 if(($sshid =~ /OpenSSH/) && ($sshvernum >= 440)) {
897 push @cfgarr, 'ExitOnForwardFailure yes';
900 if((($sshid =~ /OpenSSH/) && ($sshvernum >= 380)) ||
901 (($sshid =~ /SunSSH/) && ($sshvernum >= 120))) {
902 push @cfgarr, 'ForwardX11Trusted no';
905 if(($sshd_builtwith_GSSAPI) && ($sshdid eq $sshid) &&
906 ($sshdvernum == $sshvernum)) {
907 push @cfgarr, 'GSSAPIAuthentication no';
908 push @cfgarr, 'GSSAPIDelegateCredentials no';
909 if($sshid =~ /SunSSH/) {
910 push @cfgarr, 'GSSAPIKeyExchange no';
914 if((($sshid =~ /OpenSSH/) && ($sshvernum >= 400)) ||
915 (($sshid =~ /SunSSH/) && ($sshvernum >= 120))) {
916 push @cfgarr, 'HashKnownHosts no';
919 if(($sshid =~ /OpenSSH/) && ($sshvernum >= 390)) {
920 push @cfgarr, 'IdentitiesOnly yes';
923 if(($sshid =~ /SunSSH/) && ($sshvernum >= 120)) {
924 push @cfgarr, 'IgnoreIfUnknown no';
927 if((($sshid =~ /OpenSSH/) && ($sshvernum < 380)) ||
928 ($sshid =~ /SunSSH/)) {
929 push @cfgarr, 'KeepAlive no';
932 if((($sshid =~ /OpenSSH/) && ($sshvernum >= 300)) ||
933 ($sshid =~ /SunSSH/)) {
934 push @cfgarr, 'NoHostAuthenticationForLocalhost no';
937 if(($sshid =~ /OpenSSH/) && ($sshvernum >= 430)) {
938 push @cfgarr, 'PermitLocalCommand no';
941 if((($sshid =~ /OpenSSH/) && ($sshvernum >= 370)) ||
942 (($sshid =~ /SunSSH/) && ($sshvernum >= 120))) {
943 push @cfgarr, 'RekeyLimit 1G';
946 if(($sshid =~ /OpenSSH/) && ($sshvernum >= 390)) {
947 push @cfgarr, 'SendEnv';
950 if((($sshid =~ /OpenSSH/) && ($sshvernum >= 380)) ||
951 (($sshid =~ /SunSSH/) && ($sshvernum >= 120))) {
952 push @cfgarr, 'ServerAliveCountMax 3';
953 push @cfgarr, 'ServerAliveInterval 0';
956 if(($sshid =~ /OpenSSH/) && ($sshvernum >= 380)) {
957 push @cfgarr, 'TCPKeepAlive no';
960 if(($sshid =~ /OpenSSH/) && ($sshvernum >= 430)) {
961 push @cfgarr, 'Tunnel no';
964 if(($sshid =~ /OpenSSH/) && ($sshvernum >= 380)) {
965 push @cfgarr, 'VerifyHostKeyDNS no';
971 #***************************************************************************
972 # Write out resulting ssh client configuration file for curl's tests
974 $error = dump_array($sshconfig, @cfgarr);
981 #***************************************************************************
982 # Initialize client sftp config with options actually supported.
984 logmsg 'generating sftp client config file...' if($verbose);
985 splice @cfgarr, 1, 1, "# $sshverstr sftp client configuration file for curl testing";
987 for(my $i = scalar(@cfgarr) - 1; $i > 0; $i--) {
988 if($cfgarr[$i] =~ /^DynamicForward/) {
989 splice @cfgarr, $i, 1;
992 if($cfgarr[$i] =~ /^ClearAllForwardings/) {
993 splice @cfgarr, $i, 1, "ClearAllForwardings yes";
999 #***************************************************************************
1000 # Write out resulting sftp client configuration file for curl's tests
1002 $error = dump_array($sftpconfig, @cfgarr);
1010 #***************************************************************************
1011 # Generate client sftp commands batch file for sftp server verification
1013 logmsg 'generating sftp client commands file...' if($verbose);
1014 push @cfgarr, 'pwd';
1015 push @cfgarr, 'quit';
1016 $error = dump_array($sftpcmds, @cfgarr);
1024 #***************************************************************************
1025 # Start the ssh server daemon without forking it
1027 logmsg "SCP/SFTP server listening on port $port" if($verbose);
1028 my $rc = system "$sshd -e -D -f $sshdconfig > $sshdlog 2>&1";
1030 logmsg "$sshd failed with: $!";
1033 logmsg sprintf("$sshd died with signal %d, and %s coredump",
1034 ($rc & 127), ($rc & 128)?'a':'no');
1036 elsif($verbose && ($rc >> 8)) {
1037 logmsg sprintf("$sshd exited with %d", $rc >> 8);
1041 #***************************************************************************
1042 # Clean up once the server has stopped
1044 unlink($hstprvkeyf, $hstpubkeyf, $cliprvkeyf, $clipubkeyf, $knownhosts);
1045 unlink($sshdconfig, $sshconfig, $sftpconfig);