#!/bin/bash [ -z "$CRYPTSETUP_PATH" ] && { TOKEN_PATH="./fake_token_path.so" [ ! -f $TOKEN_PATH ] && { echo "Please compile $TOKEN_PATH."; exit 77; } export LD_PRELOAD=$TOKEN_PATH CRYPTSETUP_PATH=".." } CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup CRYPTSETUP_SSH=$CRYPTSETUP_PATH/cryptsetup-ssh IMG="ssh_test.img" MAP="sshtest" USER="sshtest" PASSWD="sshtest1" PASSWD2="sshtest2" SSH_OPTIONS="-o StrictHostKeyChecking=no" SSH_SERVER="localhost" SSH_PATH="/home/$USER/keyfile" SSH_KEY_PATH="$HOME/sshtest-key" FAST_PBKDF_OPT="--pbkdf pbkdf2 --pbkdf-force-iterations 1000" CRYPTSETUP_VALGRIND=../.libs/cryptsetup CRYPTSETUP_SSH_VALGRIND=../.libs/cryptsetup-ssh CRYPTSETUP_LIB_VALGRIND=../.libs [ -z "$srcdir" ] && srcdir="." function remove_mapping() { [ -b /dev/mapper/$MAP ] && dmsetup remove --retry $MAP rm -f $IMG >/dev/null 2>&1 } function remove_user() { id -u $USER >/dev/null 2>&1 && userdel -r -f $USER >/dev/null 2>&1 rm -f $SSH_KEY_PATH "$SSH_KEY_PATH.pub" >/dev/null 2>&1 } function create_user() { id -u $USER >/dev/null 2>&1 [ $? -eq 0 ] && skip "User account $USER exists, aborting." [ -f $SSH_KEY_PATH ] && skip "SSH key $SSH_KEY_PATH already exists, aborting." useradd -m $USER -p $(openssl passwd $PASSWD) || skip "Failed to add user for SSH plugin test." ssh-keygen -f $SSH_KEY_PATH -q -N "" >/dev/null 2>&1 [ $? -ne 0 ] && remove_user && skip "Failed to create SSH key." } function ssh_check() { # try to use netcat to check port 22 nc -zv $SSH_SERVER 22 >/dev/null 2>&1 || skip "SSH server does not seem to be running, skipping." } function bin_check() { command -v $1 >/dev/null || skip "WARNING: test require $1 binary, test skipped." } function ssh_setup() { # copy the ssh key [ -d "/home/$USER/.ssh" ] || mkdir /home/$USER/.ssh touch /home/$USER/.ssh/authorized_keys cat $SSH_KEY_PATH.pub >> /home/$USER/.ssh/authorized_keys [ $? -ne 0 ] && remove_user && fail "Failed to copy SSH key." # make sure /home/sshtest/.ssh and /home/sshtest/.ssh/authorized_keys have correct permissions chown -R $USER:$USER /home/$USER/.ssh chmod 700 /home/$USER/.ssh chmod 644 /home/$USER/.ssh/authorized_keys # try to ssh and also create keyfile ssh -i $SSH_KEY_PATH $SSH_OPTIONS -o BatchMode=yes -n $USER@$SSH_SERVER "echo -n $PASSWD > $SSH_PATH" >/dev/null 2>&1 [ $? -ne 0 ] && remove_user && fail "Failed to connect using SSH." } function fail() { echo "[FAILED]" [ -n "$1" ] && echo "$1" echo "FAILED backtrace:" while caller $frame; do ((frame++)); done remove_mapping remove_user exit 2 } function skip() { [ -n "$1" ] && echo "$1" remove_mapping exit 77 } function valgrind_setup() { command -v valgrind >/dev/null || fail "Cannot find valgrind." [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable." [ ! -f $CRYPTSETUP_SSH_VALGRIND ] && fail "Unable to get location of cryptsetup-ssh executable." export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH" } function valgrind_run() { INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@" } function valgrind_run_ssh() { INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_SSH_VALGRIND} "$@" } format() { dd if=/dev/zero of=$IMG bs=1M count=32 >/dev/null 2>&1 echo $PASSWD | $CRYPTSETUP luksFormat --type luks2 $FAST_PBKDF_OPT $IMG --force-password -q [ $? -ne 0 ] && fail "Format failed." echo -e "$PASSWD\n$PASSWD2" | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $IMG -q [ $? -ne 0 ] && fail "Add key failed." } check_dump() { dump=$1 keyslot=$2 token=$(echo "$dump" | grep Tokens -A 1 | tail -1 | cut -d: -f2 | tr -d "\t\n ") [ "$token" = "ssh" ] || fail " token check from dump failed." server=$(echo "$dump" | grep ssh_server | cut -d: -f2 | tr -d "\t\n ") [ "$server" = $SSH_SERVER ] || fail " server check from dump failed." user=$(echo "$dump" | grep ssh_user | cut -d: -f2 | tr -d "\t\n ") [ "$user" = "$USER" ] || fail " user check from dump failed." path=$(echo "$dump" | grep ssh_path | cut -d: -f2 | tr -d "\t\n ") [ "$path" = "$SSH_PATH" ] || fail " path check from dump failed." key_path=$(echo "$dump" | grep ssh_key_path | cut -d: -f2 | tr -d "\t\n ") [ "$key_path" = "$SSH_KEY_PATH" ] || fail " key_path check from dump failed." keyslot_dump=$(echo "$dump" | grep Keyslot: | cut -d: -f2 | tr -d "\t\n ") [ "$keyslot_dump" = "$keyslot" ] || fail " keyslot check from dump failed." } [ ! -x "$CRYPTSETUP" ] && skip "Cannot find $CRYPTSETUP, test skipped." [ -n "$VALG" ] && valgrind_setup && CRYPTSETUP=valgrind_run && CRYPTSETUP_SSH=valgrind_run_ssh [ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped." # Prevent running dangerous useradd operation by default [ -z "$RUN_SSH_PLUGIN_TEST" ] && skip "WARNING: Variable RUN_SSH_PLUGIN_TEST must be defined, test skipped." bin_check nc bin_check useradd bin_check ssh bin_check ssh-keygen bin_check sshpass bin_check openssl format echo -n "Adding SSH token: " ssh_check create_user ssh_setup $CRYPTSETUP_SSH add $IMG --ssh-server $SSH_SERVER --ssh-user $USER --ssh-path $SSH_PATH --ssh-keypath $SSH_KEY_PATH [ $? -ne 0 ] && fail "Failed to add SSH token to $IMG" out=$($CRYPTSETUP luksDump $IMG) check_dump "$out" 0 echo "[OK]" echo -n "Activating using SSH token: " $CRYPTSETUP luksOpen --token-only --disable-external-tokens -r $IMG $MAP && fail "Tokens should be disabled" $CRYPTSETUP luksOpen -r $IMG $MAP -q >/dev/null 2>&1 <&- [ $? -ne 0 ] && fail "Failed to open $IMG using SSH token" echo "[OK]" # Remove the newly added token and test adding with --key-slot $CRYPTSETUP token remove --token-id 0 $IMG || fail "Failed to remove token" echo -n "Adding SSH token with --key-slot: " $CRYPTSETUP_SSH add $IMG --ssh-server $SSH_SERVER --ssh-user $USER --ssh-path $SSH_PATH --ssh-keypath $SSH_KEY_PATH --key-slot 1 [ $? -ne 0 ] && fail "Failed to add SSH token to $IMG" out=$($CRYPTSETUP luksDump $IMG) check_dump "$out" 1 echo "[OK]" remove_mapping remove_user