2 #***************************************************************************
4 # Project ___| | | | _ \| |
6 # | (__| |_| | _ <| |___
7 # \___|\___/|_| \_\_____|
9 # Copyright (C) Daniel Stenberg, <daniel@haxx.se>, et al.
11 # This software is licensed as described in the file COPYING, which
12 # you should have received as part of this distribution. The terms
13 # are also available at https://curl.se/docs/copyright.html.
15 # You may opt to use, copy, modify, merge, publish, distribute and/or sell
16 # copies of the Software, and permit persons to whom the Software is
17 # furnished to do so, under the terms of the COPYING file.
19 # This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
20 # KIND, either express or implied.
22 # SPDX-License-Identifier: curl
24 #***************************************************************************
26 # Starts sshd for use in the SCP and SFTP curl test harness tests.
27 # Also creates the ssh configuration files needed for these tests.
34 use Digest::MD5 'md5_hex';
36 use Digest::SHA 'sha256_base64';
40 #***************************************************************************
41 # Variables and subs imported from sshhelp module
78 #***************************************************************************
79 # Subs imported from serverhelp module
90 #***************************************************************************
92 my $verbose = 0; # set to 1 for debugging
93 my $debugprotocol = 0; # set to 1 for protocol debugging
94 my $port = 8999; # our default SCP/SFTP server port
95 my $listenaddr = '127.0.0.1'; # default address on which to listen
96 my $ipvnum = 4; # default IP version of listener address
97 my $idnum = 1; # default ssh daemon instance number
98 my $proto = 'ssh'; # protocol the ssh daemon speaks
99 my $path = getcwd(); # current working directory
100 my $logdir = $path .'/log'; # directory for log files
101 my $piddir; # directory for server config files
102 my $username = $ENV{USER}; # default user
103 my $pidfile; # ssh daemon pid file
104 my $identity = 'curl_client_key'; # default identity file
109 #***************************************************************************
110 # Returns a path of the given file name in the log directory (PiddirPath)
114 return "$piddir/$file";
115 # TODO: do Windows path conversion here
118 #***************************************************************************
119 # Parse command line options
122 if($ARGV[0] eq '--verbose') {
125 elsif($ARGV[0] eq '--debugprotocol') {
129 elsif($ARGV[0] eq '--user') {
131 $username = $ARGV[1];
135 elsif($ARGV[0] eq '--id') {
137 if($ARGV[1] =~ /^(\d+)$/) {
138 $idnum = $1 if($1 > 0);
143 elsif($ARGV[0] eq '--ipv4') {
145 $listenaddr = '127.0.0.1' if($listenaddr eq '::1');
147 elsif($ARGV[0] eq '--ipv6') {
149 $listenaddr = '::1' if($listenaddr eq '127.0.0.1');
151 elsif($ARGV[0] eq '--addr') {
153 my $tmpstr = $ARGV[1];
154 if($tmpstr =~ /^(\d\d?\d?)\.(\d\d?\d?)\.(\d\d?\d?)\.(\d\d?\d?)$/) {
155 $listenaddr = "$1.$2.$3.$4" if($ipvnum == 4);
158 elsif($ipvnum == 6) {
159 $listenaddr = $tmpstr;
160 $listenaddr =~ s/^\[(.*)\]$/$1/;
165 elsif($ARGV[0] eq '--pidfile') {
167 $pidfile = "$path/". $ARGV[1];
171 elsif($ARGV[0] eq '--logdir') {
173 $logdir = "$path/". $ARGV[1];
177 elsif($ARGV[0] eq '--sshport') {
179 if($ARGV[1] =~ /^(\d+)$/) {
186 print STDERR "\nWarning: sshserver.pl unknown parameter: $ARGV[0]\n";
191 #***************************************************************************
192 # Initialize command line option dependent variables
195 #***************************************************************************
196 # Default ssh daemon pid file name & directory
199 # Use our pidfile directory to store server config files
200 $piddir = dirname($pidfile);
203 # Use the current directory to store server config files
205 $pidfile = server_pidfilename($piddir, $proto, $ipvnum, $idnum);
208 #***************************************************************************
209 # ssh and sftp server log file names
211 $sshdlog = server_logfilename($logdir, 'ssh', $ipvnum, $idnum);
212 $sftplog = server_logfilename($logdir, 'sftp', $ipvnum, $idnum);
213 $logfile = "$logdir/sshserver.log"; # used by logmsg
215 #***************************************************************************
216 # Logging level for ssh server and client
218 my $loglevel = $debugprotocol?'DEBUG3':'DEBUG2';
221 #***************************************************************************
225 $error = 'Will not run ssh server without a user name';
227 elsif($username eq 'root') {
228 $error = 'Will not run ssh server as root to mitigate security risks';
236 #***************************************************************************
237 # Find out ssh daemon canonical file name
239 my $sshd = find_sshd();
241 logmsg "cannot find $sshdexe\n";
246 #***************************************************************************
247 # Find out ssh daemon version info
249 my ($sshdid, $sshdvernum, $sshdverstr, $sshderror) = sshversioninfo($sshd);
251 # Not an OpenSSH or SunSSH ssh daemon
252 logmsg "$sshderror\n" if($verbose);
253 logmsg "SCP and SFTP tests require OpenSSH 2.9.9 or later\n";
256 logmsg "ssh server found $sshd is $sshdverstr\n" if($verbose);
259 #***************************************************************************
260 # ssh daemon command line options we might use and version support
262 # -e: log stderr : OpenSSH 2.9.0 and later
263 # -f: sshd config file : OpenSSH 1.2.1 and later
264 # -D: no daemon forking : OpenSSH 2.5.0 and later
265 # -o: command-line option : OpenSSH 3.1.0 and later
266 # -t: test config file : OpenSSH 2.9.9 and later
267 # -?: sshd version info : OpenSSH 1.2.1 and later
269 # -e: log stderr : SunSSH 1.0.0 and later
270 # -f: sshd config file : SunSSH 1.0.0 and later
271 # -D: no daemon forking : SunSSH 1.0.0 and later
272 # -o: command-line option : SunSSH 1.0.0 and later
273 # -t: test config file : SunSSH 1.0.0 and later
274 # -?: sshd version info : SunSSH 1.0.0 and later
277 #***************************************************************************
278 # Verify minimum ssh daemon version
280 if((($sshdid =~ /OpenSSH/) && ($sshdvernum < 299)) ||
281 (($sshdid =~ /SunSSH/) && ($sshdvernum < 100))) {
282 logmsg "SCP and SFTP tests require OpenSSH 2.9.9 or later\n";
287 #***************************************************************************
288 # Find out sftp server plugin canonical file name
290 my $sftpsrv = find_sftpsrv();
292 logmsg "cannot find $sftpsrvexe\n";
295 logmsg "sftp server plugin found $sftpsrv\n" if($verbose);
298 #***************************************************************************
299 # Find out sftp client canonical file name
301 my $sftp = find_sftp();
303 logmsg "cannot find $sftpexe\n";
306 logmsg "sftp client found $sftp\n" if($verbose);
309 #***************************************************************************
310 # Find out ssh keygen canonical file name
312 my $sshkeygen = find_sshkeygen();
314 logmsg "cannot find $sshkeygenexe\n";
317 logmsg "ssh keygen found $sshkeygen\n" if($verbose);
320 #***************************************************************************
321 # Find out ssh client canonical file name
323 my $ssh = find_ssh();
325 logmsg "cannot find $sshexe\n";
330 #***************************************************************************
331 # Find out ssh client version info
333 my ($sshid, $sshvernum, $sshverstr, $ssherror) = sshversioninfo($ssh);
335 # Not an OpenSSH or SunSSH ssh client
336 logmsg "$ssherror\n" if($verbose);
337 logmsg "SCP and SFTP tests require OpenSSH 2.9.9 or later\n";
340 logmsg "ssh client found $ssh is $sshverstr\n" if($verbose);
343 #***************************************************************************
344 # ssh client command line options we might use and version support
346 # -D: dynamic app port forwarding : OpenSSH 2.9.9 and later
347 # -F: ssh config file : OpenSSH 2.9.9 and later
348 # -N: no shell/command : OpenSSH 2.1.0 and later
349 # -p: connection port : OpenSSH 1.2.1 and later
350 # -v: verbose messages : OpenSSH 1.2.1 and later
351 # -vv: increase verbosity : OpenSSH 2.3.0 and later
352 # -V: ssh version info : OpenSSH 1.2.1 and later
354 # -D: dynamic app port forwarding : SunSSH 1.0.0 and later
355 # -F: ssh config file : SunSSH 1.0.0 and later
356 # -N: no shell/command : SunSSH 1.0.0 and later
357 # -p: connection port : SunSSH 1.0.0 and later
358 # -v: verbose messages : SunSSH 1.0.0 and later
359 # -vv: increase verbosity : SunSSH 1.0.0 and later
360 # -V: ssh version info : SunSSH 1.0.0 and later
363 #***************************************************************************
364 # Verify minimum ssh client version
366 if((($sshid =~ /OpenSSH/) && ($sshvernum < 299)) ||
367 (($sshid =~ /SunSSH/) && ($sshvernum < 100))) {
368 logmsg "SCP and SFTP tests require OpenSSH 2.9.9 or later\n";
373 #***************************************************************************
374 # ssh keygen command line options we actually use and version support
376 # -C: identity comment : OpenSSH 1.2.1 and later
377 # -f: key filename : OpenSSH 1.2.1 and later
378 # -N: new passphrase : OpenSSH 1.2.1 and later
379 # -q: quiet keygen : OpenSSH 1.2.1 and later
380 # -t: key type : OpenSSH 2.5.0 and later
382 # -C: identity comment : SunSSH 1.0.0 and later
383 # -f: key filename : SunSSH 1.0.0 and later
384 # -N: new passphrase : SunSSH 1.0.0 and later
385 # -q: quiet keygen : SunSSH 1.0.0 and later
386 # -t: key type : SunSSH 1.0.0 and later
389 #***************************************************************************
390 # Generate host and client key files for curl's tests
392 if((! -e pp($hstprvkeyf)) || (! -s pp($hstprvkeyf)) ||
393 (! -e pp($hstpubkeyf)) || (! -s pp($hstpubkeyf)) ||
394 (! -e pp($hstpubmd5f)) || (! -s pp($hstpubmd5f)) ||
395 (! -e pp($hstpubsha256f)) || (! -s pp($hstpubsha256f)) ||
396 (! -e pp($cliprvkeyf)) || (! -s pp($cliprvkeyf)) ||
397 (! -e pp($clipubkeyf)) || (! -s pp($clipubkeyf))) {
398 # Make sure all files are gone so ssh-keygen doesn't complain
399 unlink(pp($hstprvkeyf), pp($hstpubkeyf), pp($hstpubmd5f),
400 pp($hstpubsha256f), pp($cliprvkeyf), pp($clipubkeyf));
401 logmsg "generating host keys...\n" if($verbose);
402 if(system "\"$sshkeygen\" -q -t rsa -f " . pp($hstprvkeyf) . " -C 'curl test server' -N ''") {
403 logmsg "Could not generate host key\n";
406 logmsg "generating client keys...\n" if($verbose);
407 if(system "\"$sshkeygen\" -q -t rsa -f " . pp($cliprvkeyf) . " -C 'curl test client' -N ''") {
408 logmsg "Could not generate client key\n";
411 # Make sure that permissions are restricted so openssh doesn't complain
412 system "chmod 600 " . pp($hstprvkeyf);
413 system "chmod 600 " . pp($cliprvkeyf);
414 # Save md5 and sha256 hashes of public host key
415 open(my $rsakeyfile, "<", pp($hstpubkeyf));
416 my @rsahostkey = do { local $/ = ' '; <$rsakeyfile> };
418 if(!$rsahostkey[1]) {
419 logmsg "Failed parsing base64 encoded RSA host key\n";
422 open(my $pubmd5file, ">", pp($hstpubmd5f));
423 print $pubmd5file md5_hex(decode_base64($rsahostkey[1]));
425 if((! -e pp($hstpubmd5f)) || (! -s pp($hstpubmd5f))) {
426 logmsg "Failed writing md5 hash of RSA host key\n";
429 open(my $pubsha256file, ">", pp($hstpubsha256f));
430 print $pubsha256file sha256_base64(decode_base64($rsahostkey[1]));
431 close($pubsha256file);
432 if((! -e pp($hstpubsha256f)) || (! -s pp($hstpubsha256f))) {
433 logmsg "Failed writing sha256 hash of RSA host key\n";
439 #***************************************************************************
440 # Convert paths for curl's tests running on Windows with Cygwin/Msys OpenSSH
442 my $clipubkeyf_config;
443 my $hstprvkeyf_config;
446 if ($sshdid =~ /OpenSSH-Windows/) {
447 # Ensure to use native Windows paths with OpenSSH for Windows
448 $clipubkeyf_config = pathhelp::sys_native_abs_path(pp($clipubkeyf));
449 $hstprvkeyf_config = pathhelp::sys_native_abs_path(pp($hstprvkeyf));
450 $pidfile_config = pathhelp::sys_native_abs_path($pidfile);
451 $sftpsrv_config = pathhelp::sys_native_abs_path($sftpsrv);
453 elsif (pathhelp::os_is_win()) {
454 # Ensure to use MinGW/Cygwin paths
455 $clipubkeyf_config = pathhelp::build_sys_abs_path($clipubkeyf_config);
456 $hstprvkeyf_config = pathhelp::build_sys_abs_path($hstprvkeyf_config);
457 $pidfile_config = pathhelp::build_sys_abs_path($pidfile_config);
458 $sftpsrv_config = "internal-sftp";
461 $clipubkeyf_config = abs_path(pp($clipubkeyf));
462 $hstprvkeyf_config = abs_path(pp($hstprvkeyf));
463 $pidfile_config = $pidfile;
464 $sftpsrv_config = $sftpsrv;
466 my $sshdconfig_abs = pathhelp::sys_native_abs_path(pp($sshdconfig));
468 #***************************************************************************
469 # ssh daemon configuration file options we might use and version support
471 # AFSTokenPassing : OpenSSH 1.2.1 and later [1]
472 # AddressFamily : OpenSSH 4.0.0 and later
473 # AllowTcpForwarding : OpenSSH 2.3.0 and later
474 # AllowUsers : OpenSSH 1.2.1 and later
475 # AuthorizedKeysFile : OpenSSH 2.9.9 and later
476 # AuthorizedKeysFile2 : OpenSSH 2.9.9 and later
477 # Banner : OpenSSH 2.5.0 and later
478 # ChallengeResponseAuthentication : OpenSSH 2.5.0 and later
479 # Ciphers : OpenSSH 2.1.0 and later [3]
480 # ClientAliveCountMax : OpenSSH 2.9.0 and later
481 # ClientAliveInterval : OpenSSH 2.9.0 and later
482 # Compression : OpenSSH 3.3.0 and later
483 # DenyUsers : OpenSSH 1.2.1 and later
484 # ForceCommand : OpenSSH 4.4.0 and later [3]
485 # GatewayPorts : OpenSSH 2.1.0 and later
486 # GSSAPIAuthentication : OpenSSH 3.7.0 and later [1]
487 # GSSAPICleanupCredentials : OpenSSH 3.8.0 and later [1]
488 # GSSAPIKeyExchange : SunSSH 1.0.0 and later [1]
489 # GSSAPIStoreDelegatedCredentials : SunSSH 1.0.0 and later [1]
490 # GSSCleanupCreds : SunSSH 1.0.0 and later [1]
491 # GSSUseSessionCredCache : SunSSH 1.0.0 and later [1]
492 # HostbasedAuthentication : OpenSSH 2.9.0 and later
493 # HostbasedUsesNameFromPacketOnly : OpenSSH 2.9.0 and later
494 # HostKey : OpenSSH 1.2.1 and later
495 # IgnoreRhosts : OpenSSH 1.2.1 and later
496 # IgnoreUserKnownHosts : OpenSSH 1.2.1 and later
497 # KbdInteractiveAuthentication : OpenSSH 2.3.0 and later
498 # KeepAlive : OpenSSH 1.2.1 and later
499 # KerberosAuthentication : OpenSSH 1.2.1 and later [1]
500 # KerberosGetAFSToken : OpenSSH 3.8.0 and later [1]
501 # KerberosOrLocalPasswd : OpenSSH 1.2.1 and later [1]
502 # KerberosTgtPassing : OpenSSH 1.2.1 and later [1]
503 # KerberosTicketCleanup : OpenSSH 1.2.1 and later [1]
504 # KeyRegenerationInterval : OpenSSH 1.2.1 and later
505 # ListenAddress : OpenSSH 1.2.1 and later
506 # LoginGraceTime : OpenSSH 1.2.1 and later
507 # LogLevel : OpenSSH 1.2.1 and later
508 # LookupClientHostnames : SunSSH 1.0.0 and later
509 # MACs : OpenSSH 2.5.0 and later [3]
510 # Match : OpenSSH 4.4.0 and later [3]
511 # MaxAuthTries : OpenSSH 3.9.0 and later
512 # MaxStartups : OpenSSH 2.2.0 and later
513 # PAMAuthenticationViaKbdInt : OpenSSH 2.9.0 and later [2]
514 # PasswordAuthentication : OpenSSH 1.2.1 and later
515 # PermitEmptyPasswords : OpenSSH 1.2.1 and later
516 # PermitOpen : OpenSSH 4.4.0 and later [3]
517 # PermitRootLogin : OpenSSH 1.2.1 and later
518 # PermitTunnel : OpenSSH 4.3.0 and later
519 # PermitUserEnvironment : OpenSSH 3.5.0 and later
520 # PidFile : OpenSSH 2.1.0 and later
521 # Port : OpenSSH 1.2.1 and later
522 # PrintLastLog : OpenSSH 2.9.0 and later
523 # PrintMotd : OpenSSH 1.2.1 and later
524 # Protocol : OpenSSH 2.1.0 and later
525 # PubkeyAuthentication : OpenSSH 2.5.0 and later
526 # RhostsAuthentication : OpenSSH 1.2.1 and later
527 # RhostsRSAAuthentication : OpenSSH 1.2.1 and later
528 # RSAAuthentication : OpenSSH 1.2.1 and later
529 # ServerKeyBits : OpenSSH 1.2.1 and later
530 # SkeyAuthentication : OpenSSH 1.2.1 and later [1]
531 # StrictModes : OpenSSH 1.2.1 and later
532 # Subsystem : OpenSSH 2.2.0 and later
533 # SyslogFacility : OpenSSH 1.2.1 and later
534 # TCPKeepAlive : OpenSSH 3.8.0 and later
535 # UseDNS : OpenSSH 3.7.0 and later
536 # UseLogin : OpenSSH 1.2.1 and later
537 # UsePAM : OpenSSH 3.7.0 and later [1][2]
538 # UsePrivilegeSeparation : OpenSSH 3.2.2 and later
539 # VerifyReverseMapping : OpenSSH 3.1.0 and later
540 # X11DisplayOffset : OpenSSH 1.2.1 and later [3]
541 # X11Forwarding : OpenSSH 1.2.1 and later
542 # X11UseLocalhost : OpenSSH 3.1.0 and later
543 # XAuthLocation : OpenSSH 2.1.1 and later [3]
545 # [1] Option only available if activated at compile time
546 # [2] Option specific for portable versions
547 # [3] Option not used in our ssh server config file
550 #***************************************************************************
551 # Initialize sshd config with options actually supported in OpenSSH 2.9.9
553 logmsg "generating ssh server config file...\n" if($verbose);
555 push @cfgarr, '# This is a generated file. Do not edit.';
556 push @cfgarr, "# $sshdverstr sshd configuration file for curl testing";
559 # AllowUsers and DenyUsers options should use lowercase on Windows
560 # and do not support quotes around values for some unknown reason.
561 if ($sshdid =~ /OpenSSH-Windows/) {
562 my $username_lc = lc $username;
563 if (exists $ENV{USERDOMAIN}) {
564 my $userdomain_lc = lc $ENV{USERDOMAIN};
565 $username_lc = "$userdomain_lc\\$username_lc";
567 $username_lc =~ s/ /\?/g; # replace space with ?
568 push @cfgarr, "DenyUsers !$username_lc";
569 push @cfgarr, "AllowUsers $username_lc";
571 push @cfgarr, "DenyUsers !$username";
572 push @cfgarr, "AllowUsers $username";
575 push @cfgarr, "AuthorizedKeysFile $clipubkeyf_config";
576 push @cfgarr, "AuthorizedKeysFile2 $clipubkeyf_config";
577 push @cfgarr, "HostKey $hstprvkeyf_config";
578 if ($sshdid !~ /OpenSSH-Windows/) {
579 push @cfgarr, "PidFile $pidfile_config";
582 if(($sshdid =~ /OpenSSH/) && ($sshdvernum >= 880)) {
583 push @cfgarr, 'HostKeyAlgorithms +ssh-rsa';
584 push @cfgarr, 'PubkeyAcceptedKeyTypes +ssh-rsa';
587 push @cfgarr, "Port $port";
588 push @cfgarr, "ListenAddress $listenaddr";
589 push @cfgarr, 'Protocol 2';
591 push @cfgarr, 'AllowTcpForwarding yes';
592 push @cfgarr, 'Banner none';
593 push @cfgarr, 'ChallengeResponseAuthentication no';
594 push @cfgarr, 'ClientAliveCountMax 3';
595 push @cfgarr, 'ClientAliveInterval 0';
596 push @cfgarr, 'GatewayPorts no';
597 push @cfgarr, 'HostbasedAuthentication no';
598 push @cfgarr, 'HostbasedUsesNameFromPacketOnly no';
599 push @cfgarr, 'IgnoreRhosts yes';
600 push @cfgarr, 'IgnoreUserKnownHosts yes';
601 push @cfgarr, 'KeyRegenerationInterval 0';
602 push @cfgarr, 'LoginGraceTime 30';
603 push @cfgarr, "LogLevel $loglevel";
604 push @cfgarr, 'MaxStartups 5';
605 push @cfgarr, 'PasswordAuthentication no';
606 push @cfgarr, 'PermitEmptyPasswords no';
607 push @cfgarr, 'PermitRootLogin no';
608 push @cfgarr, 'PrintLastLog no';
609 push @cfgarr, 'PrintMotd no';
610 push @cfgarr, 'PubkeyAuthentication yes';
611 push @cfgarr, 'RhostsRSAAuthentication no';
612 push @cfgarr, 'RSAAuthentication no';
613 push @cfgarr, 'ServerKeyBits 768';
614 push @cfgarr, 'StrictModes no';
615 push @cfgarr, "Subsystem sftp \"$sftpsrv_config\"";
616 push @cfgarr, 'SyslogFacility AUTH';
617 push @cfgarr, 'UseLogin no';
618 push @cfgarr, 'X11Forwarding no';
622 #***************************************************************************
623 # Write out initial sshd configuration file for curl's tests
625 $error = dump_array(pp($sshdconfig), @cfgarr);
632 #***************************************************************************
633 # Verifies at run time if sshd supports a given configuration file option
635 sub sshd_supports_opt {
636 my ($option, $value) = @_;
639 if((($sshdid =~ /OpenSSH/) && ($sshdvernum >= 310)) ||
640 ($sshdid =~ /SunSSH/)) {
641 # ssh daemon supports command line options -t -f and -o
642 $err = grep /((Unsupported)|(Bad configuration)|(Deprecated)) option.*$option/,
643 `\"$sshd\" -t -f $sshdconfig_abs -o \"$option=$value\" 2>&1`;
646 if(($sshdid =~ /OpenSSH/) && ($sshdvernum >= 299)) {
647 # ssh daemon supports command line options -t and -f
648 $err = dump_array(pp($sshdconfig), (@cfgarr, "$option $value"));
653 $err = grep /((Unsupported)|(Bad configuration)|(Deprecated)) option.*$option/,
654 `\"$sshd\" -t -f $sshdconfig_abs 2>&1`;
655 unlink pp($sshdconfig);
662 #***************************************************************************
663 # Kerberos Authentication support may have not been built into sshd
665 if(sshd_supports_opt('KerberosAuthentication','no')) {
666 push @cfgarr, 'KerberosAuthentication no';
668 if(sshd_supports_opt('KerberosGetAFSToken','no')) {
669 push @cfgarr, 'KerberosGetAFSToken no';
671 if(sshd_supports_opt('KerberosOrLocalPasswd','no')) {
672 push @cfgarr, 'KerberosOrLocalPasswd no';
674 if(sshd_supports_opt('KerberosTgtPassing','no')) {
675 push @cfgarr, 'KerberosTgtPassing no';
677 if(sshd_supports_opt('KerberosTicketCleanup','yes')) {
678 push @cfgarr, 'KerberosTicketCleanup yes';
682 #***************************************************************************
683 # Andrew File System support may have not been built into sshd
685 if(sshd_supports_opt('AFSTokenPassing','no')) {
686 push @cfgarr, 'AFSTokenPassing no';
690 #***************************************************************************
691 # S/Key authentication support may have not been built into sshd
693 if(sshd_supports_opt('SkeyAuthentication','no')) {
694 push @cfgarr, 'SkeyAuthentication no';
698 #***************************************************************************
699 # GSSAPI Authentication support may have not been built into sshd
701 my $sshd_builtwith_GSSAPI;
702 if(sshd_supports_opt('GSSAPIAuthentication','no')) {
703 push @cfgarr, 'GSSAPIAuthentication no';
704 $sshd_builtwith_GSSAPI = 1;
706 if(sshd_supports_opt('GSSAPICleanupCredentials','yes')) {
707 push @cfgarr, 'GSSAPICleanupCredentials yes';
709 if(sshd_supports_opt('GSSAPIKeyExchange','no')) {
710 push @cfgarr, 'GSSAPIKeyExchange no';
712 if(sshd_supports_opt('GSSAPIStoreDelegatedCredentials','no')) {
713 push @cfgarr, 'GSSAPIStoreDelegatedCredentials no';
715 if(sshd_supports_opt('GSSCleanupCreds','yes')) {
716 push @cfgarr, 'GSSCleanupCreds yes';
718 if(sshd_supports_opt('GSSUseSessionCredCache','no')) {
719 push @cfgarr, 'GSSUseSessionCredCache no';
724 #***************************************************************************
725 # Options that might be supported or not in sshd OpenSSH 2.9.9 and later
727 if(sshd_supports_opt('AddressFamily','any')) {
728 # Address family must be specified before ListenAddress
729 splice @cfgarr, 11, 0, 'AddressFamily any';
731 if(sshd_supports_opt('Compression','no')) {
732 push @cfgarr, 'Compression no';
734 if(sshd_supports_opt('KbdInteractiveAuthentication','no')) {
735 push @cfgarr, 'KbdInteractiveAuthentication no';
737 if(sshd_supports_opt('KeepAlive','no')) {
738 push @cfgarr, 'KeepAlive no';
740 if(sshd_supports_opt('LookupClientHostnames','no')) {
741 push @cfgarr, 'LookupClientHostnames no';
743 if(sshd_supports_opt('MaxAuthTries','10')) {
744 push @cfgarr, 'MaxAuthTries 10';
746 if(sshd_supports_opt('PAMAuthenticationViaKbdInt','no')) {
747 push @cfgarr, 'PAMAuthenticationViaKbdInt no';
749 if(sshd_supports_opt('PermitTunnel','no')) {
750 push @cfgarr, 'PermitTunnel no';
752 if(sshd_supports_opt('PermitUserEnvironment','no')) {
753 push @cfgarr, 'PermitUserEnvironment no';
755 if(sshd_supports_opt('RhostsAuthentication','no')) {
756 push @cfgarr, 'RhostsAuthentication no';
758 if(sshd_supports_opt('TCPKeepAlive','no')) {
759 push @cfgarr, 'TCPKeepAlive no';
761 if(sshd_supports_opt('UseDNS','no')) {
762 push @cfgarr, 'UseDNS no';
764 if(sshd_supports_opt('UsePAM','no')) {
765 push @cfgarr, 'UsePAM no';
768 if($sshdid =~ /OpenSSH/) {
769 # http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6492415
770 if(sshd_supports_opt('UsePrivilegeSeparation','no')) {
771 push @cfgarr, 'UsePrivilegeSeparation no';
775 if(sshd_supports_opt('VerifyReverseMapping','no')) {
776 push @cfgarr, 'VerifyReverseMapping no';
778 if(sshd_supports_opt('X11UseLocalhost','yes')) {
779 push @cfgarr, 'X11UseLocalhost yes';
784 #***************************************************************************
785 # Write out resulting sshd configuration file for curl's tests
787 $error = dump_array(pp($sshdconfig), @cfgarr);
794 #***************************************************************************
795 # Verify that sshd actually supports our generated configuration file
797 if(system "\"$sshd\" -t -f $sshdconfig_abs > $sshdlog 2>&1") {
798 logmsg "sshd configuration file $sshdconfig failed verification\n";
800 display_sshdconfig();
805 #***************************************************************************
806 # Generate ssh client host key database file for curl's tests
808 if((! -e pp($knownhosts)) || (! -s pp($knownhosts))) {
809 logmsg "generating ssh client known hosts file...\n" if($verbose);
810 unlink(pp($knownhosts));
811 if(open(my $rsakeyfile, "<", pp($hstpubkeyf))) {
812 my @rsahostkey = do { local $/ = ' '; <$rsakeyfile> };
813 if(close($rsakeyfile)) {
814 if(open(my $knownhostsh, ">", pp($knownhosts))) {
815 print $knownhostsh "$listenaddr ssh-rsa $rsahostkey[1]\n";
816 if(!close($knownhostsh)) {
817 $error = "Error: cannot close file $knownhosts";
821 $error = "Error: cannot write file $knownhosts";
825 $error = "Error: cannot close file $hstpubkeyf";
829 $error = "Error: cannot read file $hstpubkeyf";
838 #***************************************************************************
839 # Convert paths for curl's tests running on Windows using Cygwin OpenSSH
842 my $knownhosts_config;
843 if ($sshdid =~ /OpenSSH-Windows/) {
844 # Ensure to use native Windows paths with OpenSSH for Windows
845 $identity_config = pathhelp::sys_native_abs_path(pp($identity));
846 $knownhosts_config = pathhelp::sys_native_abs_path(pp($knownhosts));
848 elsif (pathhelp::os_is_win()) {
849 # Ensure to use MinGW/Cygwin paths
850 $identity_config = pathhelp::build_sys_abs_path($identity_config);
851 $knownhosts_config = pathhelp::build_sys_abs_path($knownhosts_config);
854 $identity_config = abs_path(pp($identity));
855 $knownhosts_config = abs_path(pp($knownhosts));
859 #***************************************************************************
860 # ssh client configuration file options we might use and version support
862 # AddressFamily : OpenSSH 3.7.0 and later
863 # BatchMode : OpenSSH 1.2.1 and later
864 # BindAddress : OpenSSH 2.9.9 and later
865 # ChallengeResponseAuthentication : OpenSSH 2.5.0 and later
866 # CheckHostIP : OpenSSH 1.2.1 and later
867 # Cipher : OpenSSH 1.2.1 and later [3]
868 # Ciphers : OpenSSH 2.1.0 and later [3]
869 # ClearAllForwardings : OpenSSH 2.9.9 and later
870 # Compression : OpenSSH 1.2.1 and later
871 # CompressionLevel : OpenSSH 1.2.1 and later [3]
872 # ConnectionAttempts : OpenSSH 1.2.1 and later
873 # ConnectTimeout : OpenSSH 3.7.0 and later
874 # ControlMaster : OpenSSH 3.9.0 and later
875 # ControlPath : OpenSSH 3.9.0 and later
876 # DisableBanner : SunSSH 1.2.0 and later
877 # DynamicForward : OpenSSH 2.9.0 and later
878 # EnableSSHKeysign : OpenSSH 3.6.0 and later
879 # EscapeChar : OpenSSH 1.2.1 and later [3]
880 # ExitOnForwardFailure : OpenSSH 4.4.0 and later
881 # ForwardAgent : OpenSSH 1.2.1 and later
882 # ForwardX11 : OpenSSH 1.2.1 and later
883 # ForwardX11Trusted : OpenSSH 3.8.0 and later
884 # GatewayPorts : OpenSSH 1.2.1 and later
885 # GlobalKnownHostsFile : OpenSSH 1.2.1 and later
886 # GSSAPIAuthentication : OpenSSH 3.7.0 and later [1]
887 # GSSAPIDelegateCredentials : OpenSSH 3.7.0 and later [1]
888 # HashKnownHosts : OpenSSH 4.0.0 and later
889 # Host : OpenSSH 1.2.1 and later
890 # HostbasedAuthentication : OpenSSH 2.9.0 and later
891 # HostKeyAlgorithms : OpenSSH 2.9.0 and later [3]
892 # HostKeyAlias : OpenSSH 2.5.0 and later [3]
893 # HostName : OpenSSH 1.2.1 and later
894 # IdentitiesOnly : OpenSSH 3.9.0 and later
895 # IdentityFile : OpenSSH 1.2.1 and later
896 # IgnoreIfUnknown : SunSSH 1.2.0 and later
897 # KeepAlive : OpenSSH 1.2.1 and later
898 # KbdInteractiveAuthentication : OpenSSH 2.3.0 and later
899 # KbdInteractiveDevices : OpenSSH 2.3.0 and later [3]
900 # LocalCommand : OpenSSH 4.3.0 and later [3]
901 # LocalForward : OpenSSH 1.2.1 and later [3]
902 # LogLevel : OpenSSH 1.2.1 and later
903 # MACs : OpenSSH 2.5.0 and later [3]
904 # NoHostAuthenticationForLocalhost : OpenSSH 3.0.0 and later
905 # NumberOfPasswordPrompts : OpenSSH 1.2.1 and later
906 # PasswordAuthentication : OpenSSH 1.2.1 and later
907 # PermitLocalCommand : OpenSSH 4.3.0 and later
908 # Port : OpenSSH 1.2.1 and later
909 # PreferredAuthentications : OpenSSH 2.5.2 and later
910 # Protocol : OpenSSH 2.1.0 and later
911 # ProxyCommand : OpenSSH 1.2.1 and later [3]
912 # PubkeyAuthentication : OpenSSH 2.5.0 and later
913 # RekeyLimit : OpenSSH 3.7.0 and later
914 # RemoteForward : OpenSSH 1.2.1 and later [3]
915 # RhostsRSAAuthentication : OpenSSH 1.2.1 and later
916 # RSAAuthentication : OpenSSH 1.2.1 and later
917 # ServerAliveCountMax : OpenSSH 3.8.0 and later
918 # ServerAliveInterval : OpenSSH 3.8.0 and later
919 # SmartcardDevice : OpenSSH 2.9.9 and later [1][3]
920 # StrictHostKeyChecking : OpenSSH 1.2.1 and later
921 # TCPKeepAlive : OpenSSH 3.8.0 and later
922 # Tunnel : OpenSSH 4.3.0 and later
923 # TunnelDevice : OpenSSH 4.3.0 and later [3]
924 # UsePAM : OpenSSH 3.7.0 and later [1][2][3]
925 # UsePrivilegedPort : OpenSSH 1.2.1 and later
926 # User : OpenSSH 1.2.1 and later
927 # UserKnownHostsFile : OpenSSH 1.2.1 and later
928 # VerifyHostKeyDNS : OpenSSH 3.8.0 and later
929 # XAuthLocation : OpenSSH 2.1.1 and later [3]
931 # [1] Option only available if activated at compile time
932 # [2] Option specific for portable versions
933 # [3] Option not used in our ssh client config file
936 #***************************************************************************
937 # Initialize ssh config with options actually supported in OpenSSH 2.9.9
939 logmsg "generating ssh client config file...\n" if($verbose);
941 push @cfgarr, '# This is a generated file. Do not edit.';
942 push @cfgarr, "# $sshverstr ssh client configuration file for curl testing";
944 push @cfgarr, 'Host *';
946 push @cfgarr, "Port $port";
947 push @cfgarr, "HostName $listenaddr";
948 push @cfgarr, "User $username";
949 push @cfgarr, 'Protocol 2';
952 # BindAddress option is not supported by OpenSSH for Windows
953 if (!($sshdid =~ /OpenSSH-Windows/)) {
954 push @cfgarr, "BindAddress $listenaddr";
958 push @cfgarr, "IdentityFile $identity_config";
959 push @cfgarr, "UserKnownHostsFile $knownhosts_config";
961 push @cfgarr, 'BatchMode yes';
962 push @cfgarr, 'ChallengeResponseAuthentication no';
963 push @cfgarr, 'CheckHostIP no';
964 push @cfgarr, 'ClearAllForwardings no';
965 push @cfgarr, 'Compression no';
966 push @cfgarr, 'ConnectionAttempts 3';
967 push @cfgarr, 'ForwardAgent no';
968 push @cfgarr, 'ForwardX11 no';
969 push @cfgarr, 'GatewayPorts no';
970 push @cfgarr, 'GlobalKnownHostsFile /dev/null';
971 push @cfgarr, 'HostbasedAuthentication no';
972 push @cfgarr, 'KbdInteractiveAuthentication no';
973 push @cfgarr, "LogLevel $loglevel";
974 push @cfgarr, 'NumberOfPasswordPrompts 0';
975 push @cfgarr, 'PasswordAuthentication no';
976 push @cfgarr, 'PreferredAuthentications publickey';
977 push @cfgarr, 'PubkeyAuthentication yes';
979 # RSA authentication options are not supported by OpenSSH for Windows
980 if (!($sshdid =~ /OpenSSH-Windows/)) {
981 push @cfgarr, 'RhostsRSAAuthentication no';
982 push @cfgarr, 'RSAAuthentication no';
985 # Disabled StrictHostKeyChecking since it makes the tests fail on my
986 # OpenSSH_6.0p1 on Debian Linux / Daniel
987 push @cfgarr, 'StrictHostKeyChecking no';
988 push @cfgarr, 'UsePrivilegedPort no';
992 #***************************************************************************
993 # Options supported in ssh client newer than OpenSSH 2.9.9
996 if(($sshid =~ /OpenSSH/) && ($sshvernum >= 370)) {
997 push @cfgarr, 'AddressFamily any';
1000 if((($sshid =~ /OpenSSH/) && ($sshvernum >= 370)) ||
1001 (($sshid =~ /SunSSH/) && ($sshvernum >= 120))) {
1002 push @cfgarr, 'ConnectTimeout 30';
1005 if(($sshid =~ /OpenSSH/) && ($sshvernum >= 390)) {
1006 push @cfgarr, 'ControlMaster no';
1009 if(($sshid =~ /OpenSSH/) && ($sshvernum >= 420)) {
1010 push @cfgarr, 'ControlPath none';
1013 if(($sshid =~ /SunSSH/) && ($sshvernum >= 120)) {
1014 push @cfgarr, 'DisableBanner yes';
1017 if(($sshid =~ /OpenSSH/) && ($sshvernum >= 360)) {
1018 push @cfgarr, 'EnableSSHKeysign no';
1021 if(($sshid =~ /OpenSSH/) && ($sshvernum >= 440)) {
1022 push @cfgarr, 'ExitOnForwardFailure yes';
1025 if((($sshid =~ /OpenSSH/) && ($sshvernum >= 380)) ||
1026 (($sshid =~ /SunSSH/) && ($sshvernum >= 120))) {
1027 push @cfgarr, 'ForwardX11Trusted no';
1030 if(($sshd_builtwith_GSSAPI) && ($sshdid eq $sshid) &&
1031 ($sshdvernum == $sshvernum)) {
1032 push @cfgarr, 'GSSAPIAuthentication no';
1033 push @cfgarr, 'GSSAPIDelegateCredentials no';
1034 if($sshid =~ /SunSSH/) {
1035 push @cfgarr, 'GSSAPIKeyExchange no';
1039 if((($sshid =~ /OpenSSH/) && ($sshvernum >= 400)) ||
1040 (($sshid =~ /SunSSH/) && ($sshvernum >= 120))) {
1041 push @cfgarr, 'HashKnownHosts no';
1044 if(($sshid =~ /OpenSSH/) && ($sshvernum >= 390)) {
1045 push @cfgarr, 'IdentitiesOnly yes';
1048 if(($sshid =~ /SunSSH/) && ($sshvernum >= 120)) {
1049 push @cfgarr, 'IgnoreIfUnknown no';
1052 if((($sshid =~ /OpenSSH/) && ($sshvernum < 380)) ||
1053 ($sshid =~ /SunSSH/)) {
1054 push @cfgarr, 'KeepAlive no';
1057 if((($sshid =~ /OpenSSH/) && ($sshvernum >= 300)) ||
1058 ($sshid =~ /SunSSH/)) {
1059 push @cfgarr, 'NoHostAuthenticationForLocalhost no';
1062 if(($sshid =~ /OpenSSH/) && ($sshvernum >= 430)) {
1063 push @cfgarr, 'PermitLocalCommand no';
1066 if((($sshid =~ /OpenSSH/) && ($sshvernum >= 370)) ||
1067 (($sshid =~ /SunSSH/) && ($sshvernum >= 120))) {
1068 push @cfgarr, 'RekeyLimit 1G';
1071 if((($sshid =~ /OpenSSH/) && ($sshvernum >= 380)) ||
1072 (($sshid =~ /SunSSH/) && ($sshvernum >= 120))) {
1073 push @cfgarr, 'ServerAliveCountMax 3';
1074 push @cfgarr, 'ServerAliveInterval 0';
1077 if(($sshid =~ /OpenSSH/) && ($sshvernum >= 380)) {
1078 push @cfgarr, 'TCPKeepAlive no';
1081 if(($sshid =~ /OpenSSH/) && ($sshvernum >= 430)) {
1082 push @cfgarr, 'Tunnel no';
1085 if(($sshid =~ /OpenSSH/) && ($sshvernum >= 380)) {
1086 push @cfgarr, 'VerifyHostKeyDNS no';
1092 #***************************************************************************
1093 # Write out resulting ssh client configuration file for curl's tests
1095 $error = dump_array(pp($sshconfig), @cfgarr);
1102 #***************************************************************************
1103 # Initialize client sftp config with options actually supported.
1105 logmsg "generating sftp client config file...\n" if($verbose);
1106 splice @cfgarr, 1, 1, "# $sshverstr sftp client configuration file for curl testing";
1108 for(my $i = scalar(@cfgarr) - 1; $i > 0; $i--) {
1109 if($cfgarr[$i] =~ /^DynamicForward/) {
1110 splice @cfgarr, $i, 1;
1113 if($cfgarr[$i] =~ /^ClearAllForwardings/) {
1114 splice @cfgarr, $i, 1, "ClearAllForwardings yes";
1120 #***************************************************************************
1121 # Write out resulting sftp client configuration file for curl's tests
1123 $error = dump_array(pp($sftpconfig), @cfgarr);
1131 #***************************************************************************
1132 # Generate client sftp commands batch file for sftp server verification
1134 logmsg "generating sftp client commands file...\n" if($verbose);
1135 push @cfgarr, 'pwd';
1136 push @cfgarr, 'quit';
1137 $error = dump_array(pp($sftpcmds), @cfgarr);
1144 #***************************************************************************
1145 # Prepare command line of ssh server daemon
1147 my $cmd = "\"$sshd\" -e -D -f $sshdconfig_abs > $sshdlog 2>&1";
1148 logmsg "SCP/SFTP server listening on port $port\n" if($verbose);
1149 logmsg "RUN: $cmd\n" if($verbose);
1151 #***************************************************************************
1152 # Start the ssh server daemon on Windows without forking it
1154 if ($sshdid =~ /OpenSSH-Windows/) {
1155 # Fake pidfile for ssh server on Windows.
1156 if(open(my $out, ">", "$pidfile")) {
1157 print $out $$ . "\n";
1164 # Put an "exec" in front of the command so that the child process
1165 # keeps this child's process ID by being tied to the spawned shell.
1166 exec("exec $cmd") || die "Can't exec() $cmd: $!";
1167 # exec() will create a new process, but ties the existence of the
1168 # new process to the parent waiting perl.exe and sh.exe processes.
1170 # exec() should never return back here to this process. We protect
1171 # ourselves by calling die() just in case something goes really bad.
1172 die "error: exec() has returned";
1175 #***************************************************************************
1176 # Start the ssh server daemon without forking it
1178 # "exec" avoids the shell process sticking around
1179 my $rc = system("exec " . $cmd);
1181 logmsg "\"$sshd\" failed with: $!\n";
1184 logmsg sprintf("\"$sshd\" died with signal %d, and %s coredump\n",
1185 ($rc & 127), ($rc & 128)?'a':'no');
1187 elsif($verbose && ($rc >> 8)) {
1188 logmsg sprintf("\"$sshd\" exited with %d\n", $rc >> 8);
1192 #***************************************************************************
1193 # Clean up once the server has stopped
1195 unlink(pp($hstprvkeyf), pp($hstpubkeyf), pp($hstpubmd5f), pp($hstpubsha256f),
1196 pp($cliprvkeyf), pp($clipubkeyf), pp($knownhosts),
1197 pp($sshdconfig), pp($sshconfig), pp($sftpconfig));