2 #***************************************************************************
4 # Project ___| | | | _ \| |
6 # | (__| |_| | _ <| |___
7 # \___|\___/|_| \_\_____|
9 # Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
11 # This software is licensed as described in the file COPYING, which
12 # you should have received as part of this distribution. The terms
13 # are also available at http://curl.haxx.se/docs/copyright.html.
15 # You may opt to use, copy, modify, merge, publish, distribute and/or sell
16 # copies of the Software, and permit persons to whom the Software is
17 # furnished to do so, under the terms of the COPYING file.
19 # This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
20 # KIND, either express or implied.
22 #***************************************************************************
24 # Starts sshd for use in the SCP, SFTP and SOCKS curl test harness tests.
25 # Also creates the ssh configuration files needed for these tests.
32 #***************************************************************************
33 # Variables and subs imported from sshhelp module
69 #***************************************************************************
70 # Subs imported from serverhelp module
78 #***************************************************************************
80 my $verbose = 0; # set to 1 for debugging
81 my $debugprotocol = 0; # set to 1 for protocol debugging
82 my $port = 8999; # our default SCP/SFTP server port
83 my $socksport = $port + 1; # our default SOCKS4/5 server port
84 my $listenaddr = '127.0.0.1'; # default address on which to listen
85 my $ipvnum = 4; # default IP version of listener address
86 my $idnum = 1; # dafault ssh daemon instance number
87 my $proto = 'ssh'; # protocol the ssh daemon speaks
88 my $path = getcwd(); # current working directory
89 my $logdir = $path .'/log'; # directory for log files
90 my $username = $ENV{USER}; # default user
91 my $pidfile; # ssh daemon pid file
92 my $identity = 'curl_client_key'; # default identity file
98 #***************************************************************************
99 # Parse command line options
102 if($ARGV[0] eq '--verbose') {
105 elsif($ARGV[0] eq '--debugprotocol') {
109 elsif($ARGV[0] eq '--user') {
111 $username = $ARGV[1];
115 elsif($ARGV[0] eq '--id') {
117 if($ARGV[1] =~ /^(\d+)$/) {
118 $idnum = $1 if($1 > 0);
123 elsif($ARGV[0] eq '--ipv4') {
125 $listenaddr = '127.0.0.1' if($listenaddr eq '::1');
127 elsif($ARGV[0] eq '--ipv6') {
129 $listenaddr = '::1' if($listenaddr eq '127.0.0.1');
131 elsif($ARGV[0] eq '--addr') {
133 my $tmpstr = $ARGV[1];
134 if($tmpstr =~ /^(\d\d?\d?)\.(\d\d?\d?)\.(\d\d?\d?)\.(\d\d?\d?)$/) {
135 $listenaddr = "$1.$2.$3.$4" if($ipvnum == 4);
138 elsif($ipvnum == 6) {
139 $listenaddr = $tmpstr;
140 $listenaddr =~ s/^\[(.*)\]$/$1/;
145 elsif($ARGV[0] eq '--pidfile') {
147 $pidfile = "$path/". $ARGV[1];
151 elsif($ARGV[0] eq '--sshport') {
153 if($ARGV[1] =~ /^(\d+)$/) {
159 elsif($ARGV[0] eq '--socksport') {
161 if($ARGV[1] =~ /^(\d+)$/) {
168 print STDERR "\nWarning: sshserver.pl unknown parameter: $ARGV[0]\n";
174 #***************************************************************************
175 # Default ssh daemon pid file name
178 $pidfile = "$path/". server_pidfilename($proto, $ipvnum, $idnum);
182 #***************************************************************************
183 # ssh, socks and sftp server log file names
185 $sshdlog = server_logfilename($logdir, 'ssh', $ipvnum, $idnum);
186 $sftplog = server_logfilename($logdir, 'sftp', $ipvnum, $idnum);
187 $sshlog = server_logfilename($logdir, 'socks', $ipvnum, $idnum);
190 #***************************************************************************
191 # Logging level for ssh server and client
193 my $loglevel = $debugprotocol?'DEBUG3':'DEBUG2';
196 #***************************************************************************
200 $error = 'Will not run ssh server without a user name';
202 elsif($username eq 'root') {
203 $error = 'Will not run ssh server as root to mitigate security risks';
211 #***************************************************************************
212 # Find out ssh daemon canonical file name
214 my $sshd = find_sshd();
216 logmsg "cannot find $sshdexe";
221 #***************************************************************************
222 # Find out ssh daemon version info
224 my ($sshdid, $sshdvernum, $sshdverstr, $sshderror) = sshversioninfo($sshd);
226 # Not an OpenSSH or SunSSH ssh daemon
227 logmsg $sshderror if($verbose);
228 logmsg 'SCP, SFTP and SOCKS tests require OpenSSH 2.9.9 or later';
231 logmsg "ssh server found $sshd is $sshdverstr" if($verbose);
234 #***************************************************************************
235 # ssh daemon command line options we might use and version support
237 # -e: log stderr : OpenSSH 2.9.0 and later
238 # -f: sshd config file : OpenSSH 1.2.1 and later
239 # -D: no daemon forking : OpenSSH 2.5.0 and later
240 # -o: command-line option : OpenSSH 3.1.0 and later
241 # -t: test config file : OpenSSH 2.9.9 and later
242 # -?: sshd version info : OpenSSH 1.2.1 and later
244 # -e: log stderr : SunSSH 1.0.0 and later
245 # -f: sshd config file : SunSSH 1.0.0 and later
246 # -D: no daemon forking : SunSSH 1.0.0 and later
247 # -o: command-line option : SunSSH 1.0.0 and later
248 # -t: test config file : SunSSH 1.0.0 and later
249 # -?: sshd version info : SunSSH 1.0.0 and later
252 #***************************************************************************
253 # Verify minimum ssh daemon version
255 if((($sshdid =~ /OpenSSH/) && ($sshdvernum < 299)) ||
256 (($sshdid =~ /SunSSH/) && ($sshdvernum < 100))) {
257 logmsg 'SCP, SFTP and SOCKS tests require OpenSSH 2.9.9 or later';
262 #***************************************************************************
263 # Find out sftp server plugin canonical file name
265 my $sftpsrv = find_sftpsrv();
267 logmsg "cannot find $sftpsrvexe";
270 logmsg "sftp server plugin found $sftpsrv" if($verbose);
273 #***************************************************************************
274 # Find out sftp client canonical file name
276 my $sftp = find_sftp();
278 logmsg "cannot find $sftpexe";
281 logmsg "sftp client found $sftp" if($verbose);
284 #***************************************************************************
285 # Find out ssh keygen canonical file name
287 my $sshkeygen = find_sshkeygen();
289 logmsg "cannot find $sshkeygenexe";
292 logmsg "ssh keygen found $sshkeygen" if($verbose);
295 #***************************************************************************
296 # Find out ssh client canonical file name
298 my $ssh = find_ssh();
300 logmsg "cannot find $sshexe";
305 #***************************************************************************
306 # Find out ssh client version info
308 my ($sshid, $sshvernum, $sshverstr, $ssherror) = sshversioninfo($ssh);
310 # Not an OpenSSH or SunSSH ssh client
311 logmsg $ssherror if($verbose);
312 logmsg 'SCP, SFTP and SOCKS tests require OpenSSH 2.9.9 or later';
315 logmsg "ssh client found $ssh is $sshverstr" if($verbose);
318 #***************************************************************************
319 # ssh client command line options we might use and version support
321 # -D: dynamic app port forwarding : OpenSSH 2.9.9 and later
322 # -F: ssh config file : OpenSSH 2.9.9 and later
323 # -N: no shell/command : OpenSSH 2.1.0 and later
324 # -p: connection port : OpenSSH 1.2.1 and later
325 # -v: verbose messages : OpenSSH 1.2.1 and later
326 # -vv: increase verbosity : OpenSSH 2.3.0 and later
327 # -V: ssh version info : OpenSSH 1.2.1 and later
329 # -D: dynamic app port forwarding : SunSSH 1.0.0 and later
330 # -F: ssh config file : SunSSH 1.0.0 and later
331 # -N: no shell/command : SunSSH 1.0.0 and later
332 # -p: connection port : SunSSH 1.0.0 and later
333 # -v: verbose messages : SunSSH 1.0.0 and later
334 # -vv: increase verbosity : SunSSH 1.0.0 and later
335 # -V: ssh version info : SunSSH 1.0.0 and later
338 #***************************************************************************
339 # Verify minimum ssh client version
341 if((($sshid =~ /OpenSSH/) && ($sshvernum < 299)) ||
342 (($sshid =~ /SunSSH/) && ($sshvernum < 100))) {
343 logmsg 'SCP, SFTP and SOCKS tests require OpenSSH 2.9.9 or later';
348 #***************************************************************************
349 # ssh keygen command line options we actually use and version support
351 # -C: identity comment : OpenSSH 1.2.1 and later
352 # -f: key filename : OpenSSH 1.2.1 and later
353 # -N: new passphrase : OpenSSH 1.2.1 and later
354 # -q: quiet keygen : OpenSSH 1.2.1 and later
355 # -t: key type : OpenSSH 2.5.0 and later
357 # -C: identity comment : SunSSH 1.0.0 and later
358 # -f: key filename : SunSSH 1.0.0 and later
359 # -N: new passphrase : SunSSH 1.0.0 and later
360 # -q: quiet keygen : SunSSH 1.0.0 and later
361 # -t: key type : SunSSH 1.0.0 and later
364 #***************************************************************************
365 # Generate host and client key files for curl's tests
367 if((! -e $hstprvkeyf) || (! -s $hstprvkeyf) ||
368 (! -e $hstpubkeyf) || (! -s $hstpubkeyf) ||
369 (! -e $cliprvkeyf) || (! -s $cliprvkeyf) ||
370 (! -e $clipubkeyf) || (! -s $clipubkeyf)) {
371 # Make sure all files are gone so ssh-keygen doesn't complain
372 unlink($hstprvkeyf, $hstpubkeyf, $cliprvkeyf, $clipubkeyf);
373 logmsg 'generating host keys...' if($verbose);
374 if(system "\"$sshkeygen\" -q -t dsa -f $hstprvkeyf -C 'curl test server' -N ''") {
375 logmsg 'Could not generate host key';
378 logmsg 'generating client keys...' if($verbose);
379 if(system "\"$sshkeygen\" -q -t dsa -f $cliprvkeyf -C 'curl test client' -N ''") {
380 logmsg 'Could not generate client key';
386 #***************************************************************************
387 # Convert paths for curl's tests running on Windows using Cygwin OpenSSH
389 my $clipubkeyf_config = abs_path("$path/$clipubkeyf");
390 my $hstprvkeyf_config = abs_path("$path/$hstprvkeyf");
391 my $pidfile_config = $pidfile;
392 my $sftpsrv_config = $sftpsrv;
394 if ($^O eq 'MSWin32' || $^O eq 'cygwin' || $^O eq 'msys') {
395 # convert MinGW drive paths to Cygwin drive paths
396 $clipubkeyf_config =~ s/^\/(\w)\//\/cygdrive\/$1\//;
397 $hstprvkeyf_config =~ s/^\/(\w)\//\/cygdrive\/$1\//;
398 $pidfile_config =~ s/^\/(\w)\//\/cygdrive\/$1\//;
399 $sftpsrv_config = "internal-sftp";
402 #***************************************************************************
403 # ssh daemon configuration file options we might use and version support
405 # AFSTokenPassing : OpenSSH 1.2.1 and later [1]
406 # AcceptEnv : OpenSSH 3.9.0 and later
407 # AddressFamily : OpenSSH 4.0.0 and later
408 # AllowGroups : OpenSSH 1.2.1 and later
409 # AllowTcpForwarding : OpenSSH 2.3.0 and later
410 # AllowUsers : OpenSSH 1.2.1 and later
411 # AuthorizedKeysFile : OpenSSH 2.9.9 and later
412 # AuthorizedKeysFile2 : OpenSSH 2.9.9 and later
413 # Banner : OpenSSH 2.5.0 and later
414 # ChallengeResponseAuthentication : OpenSSH 2.5.0 and later
415 # Ciphers : OpenSSH 2.1.0 and later [3]
416 # ClientAliveCountMax : OpenSSH 2.9.0 and later
417 # ClientAliveInterval : OpenSSH 2.9.0 and later
418 # Compression : OpenSSH 3.3.0 and later
419 # DenyGroups : OpenSSH 1.2.1 and later
420 # DenyUsers : OpenSSH 1.2.1 and later
421 # ForceCommand : OpenSSH 4.4.0 and later [3]
422 # GatewayPorts : OpenSSH 2.1.0 and later
423 # GSSAPIAuthentication : OpenSSH 3.7.0 and later [1]
424 # GSSAPICleanupCredentials : OpenSSH 3.8.0 and later [1]
425 # GSSAPIKeyExchange : SunSSH 1.0.0 and later [1]
426 # GSSAPIStoreDelegatedCredentials : SunSSH 1.0.0 and later [1]
427 # GSSCleanupCreds : SunSSH 1.0.0 and later [1]
428 # GSSUseSessionCredCache : SunSSH 1.0.0 and later [1]
429 # HostbasedAuthentication : OpenSSH 2.9.0 and later
430 # HostbasedUsesNameFromPacketOnly : OpenSSH 2.9.0 and later
431 # HostKey : OpenSSH 1.2.1 and later
432 # IgnoreRhosts : OpenSSH 1.2.1 and later
433 # IgnoreUserKnownHosts : OpenSSH 1.2.1 and later
434 # KbdInteractiveAuthentication : OpenSSH 2.3.0 and later
435 # KeepAlive : OpenSSH 1.2.1 and later
436 # KerberosAuthentication : OpenSSH 1.2.1 and later [1]
437 # KerberosGetAFSToken : OpenSSH 3.8.0 and later [1]
438 # KerberosOrLocalPasswd : OpenSSH 1.2.1 and later [1]
439 # KerberosTgtPassing : OpenSSH 1.2.1 and later [1]
440 # KerberosTicketCleanup : OpenSSH 1.2.1 and later [1]
441 # KeyRegenerationInterval : OpenSSH 1.2.1 and later
442 # ListenAddress : OpenSSH 1.2.1 and later
443 # LoginGraceTime : OpenSSH 1.2.1 and later
444 # LogLevel : OpenSSH 1.2.1 and later
445 # LookupClientHostnames : SunSSH 1.0.0 and later
446 # MACs : OpenSSH 2.5.0 and later [3]
447 # Match : OpenSSH 4.4.0 and later [3]
448 # MaxAuthTries : OpenSSH 3.9.0 and later
449 # MaxStartups : OpenSSH 2.2.0 and later
450 # PAMAuthenticationViaKbdInt : OpenSSH 2.9.0 and later [2]
451 # PasswordAuthentication : OpenSSH 1.2.1 and later
452 # PermitEmptyPasswords : OpenSSH 1.2.1 and later
453 # PermitOpen : OpenSSH 4.4.0 and later [3]
454 # PermitRootLogin : OpenSSH 1.2.1 and later
455 # PermitTunnel : OpenSSH 4.3.0 and later
456 # PermitUserEnvironment : OpenSSH 3.5.0 and later
457 # PidFile : OpenSSH 2.1.0 and later
458 # Port : OpenSSH 1.2.1 and later
459 # PrintLastLog : OpenSSH 2.9.0 and later
460 # PrintMotd : OpenSSH 1.2.1 and later
461 # Protocol : OpenSSH 2.1.0 and later
462 # PubkeyAuthentication : OpenSSH 2.5.0 and later
463 # RhostsAuthentication : OpenSSH 1.2.1 and later
464 # RhostsRSAAuthentication : OpenSSH 1.2.1 and later
465 # RSAAuthentication : OpenSSH 1.2.1 and later
466 # ServerKeyBits : OpenSSH 1.2.1 and later
467 # SkeyAuthentication : OpenSSH 1.2.1 and later [1]
468 # StrictModes : OpenSSH 1.2.1 and later
469 # Subsystem : OpenSSH 2.2.0 and later
470 # SyslogFacility : OpenSSH 1.2.1 and later
471 # TCPKeepAlive : OpenSSH 3.8.0 and later
472 # UseDNS : OpenSSH 3.7.0 and later
473 # UseLogin : OpenSSH 1.2.1 and later
474 # UsePAM : OpenSSH 3.7.0 and later [1][2]
475 # UsePrivilegeSeparation : OpenSSH 3.2.2 and later
476 # VerifyReverseMapping : OpenSSH 3.1.0 and later
477 # X11DisplayOffset : OpenSSH 1.2.1 and later [3]
478 # X11Forwarding : OpenSSH 1.2.1 and later
479 # X11UseLocalhost : OpenSSH 3.1.0 and later
480 # XAuthLocation : OpenSSH 2.1.1 and later [3]
482 # [1] Option only available if activated at compile time
483 # [2] Option specific for portable versions
484 # [3] Option not used in our ssh server config file
487 #***************************************************************************
488 # Initialize sshd config with options actually supported in OpenSSH 2.9.9
490 logmsg 'generating ssh server config file...' if($verbose);
492 push @cfgarr, '# This is a generated file. Do not edit.';
493 push @cfgarr, "# $sshdverstr sshd configuration file for curl testing";
495 push @cfgarr, "DenyUsers !$username";
496 push @cfgarr, "AllowUsers $username";
497 push @cfgarr, 'DenyGroups';
498 push @cfgarr, 'AllowGroups';
500 push @cfgarr, "AuthorizedKeysFile $clipubkeyf_config";
501 push @cfgarr, "AuthorizedKeysFile2 $clipubkeyf_config";
502 push @cfgarr, "HostKey $hstprvkeyf_config";
503 push @cfgarr, "PidFile $pidfile_config";
505 push @cfgarr, "Port $port";
506 push @cfgarr, "ListenAddress $listenaddr";
507 push @cfgarr, 'Protocol 2';
509 push @cfgarr, 'AllowTcpForwarding yes';
510 push @cfgarr, 'Banner none';
511 push @cfgarr, 'ChallengeResponseAuthentication no';
512 push @cfgarr, 'ClientAliveCountMax 3';
513 push @cfgarr, 'ClientAliveInterval 0';
514 push @cfgarr, 'GatewayPorts no';
515 push @cfgarr, 'HostbasedAuthentication no';
516 push @cfgarr, 'HostbasedUsesNameFromPacketOnly no';
517 push @cfgarr, 'IgnoreRhosts yes';
518 push @cfgarr, 'IgnoreUserKnownHosts yes';
519 push @cfgarr, 'KeyRegenerationInterval 0';
520 push @cfgarr, 'LoginGraceTime 30';
521 push @cfgarr, "LogLevel $loglevel";
522 push @cfgarr, 'MaxStartups 5';
523 push @cfgarr, 'PasswordAuthentication no';
524 push @cfgarr, 'PermitEmptyPasswords no';
525 push @cfgarr, 'PermitRootLogin no';
526 push @cfgarr, 'PrintLastLog no';
527 push @cfgarr, 'PrintMotd no';
528 push @cfgarr, 'PubkeyAuthentication yes';
529 push @cfgarr, 'RhostsRSAAuthentication no';
530 push @cfgarr, 'RSAAuthentication no';
531 push @cfgarr, 'ServerKeyBits 768';
532 push @cfgarr, 'StrictModes no';
533 push @cfgarr, "Subsystem sftp \"$sftpsrv_config\"";
534 push @cfgarr, 'SyslogFacility AUTH';
535 push @cfgarr, 'UseLogin no';
536 push @cfgarr, 'X11Forwarding no';
540 #***************************************************************************
541 # Write out initial sshd configuration file for curl's tests
543 $error = dump_array($sshdconfig, @cfgarr);
550 #***************************************************************************
551 # Verifies at run time if sshd supports a given configuration file option
553 sub sshd_supports_opt {
554 my ($option, $value) = @_;
557 if((($sshdid =~ /OpenSSH/) && ($sshdvernum >= 310)) ||
558 ($sshdid =~ /SunSSH/)) {
559 # ssh daemon supports command line options -t -f and -o
560 $err = grep /((Unsupported)|(Bad configuration)|(Deprecated)) option.*$option/,
561 qx("$sshd" -t -f $sshdconfig -o $option=$value 2>&1);
564 if(($sshdid =~ /OpenSSH/) && ($sshdvernum >= 299)) {
565 # ssh daemon supports command line options -t and -f
566 $err = dump_array($sshdconfig, (@cfgarr, "$option $value"));
571 $err = grep /((Unsupported)|(Bad configuration)|(Deprecated)) option.*$option/,
572 qx("$sshd" -t -f $sshdconfig 2>&1);
580 #***************************************************************************
581 # Kerberos Authentication support may have not been built into sshd
583 if(sshd_supports_opt('KerberosAuthentication','no')) {
584 push @cfgarr, 'KerberosAuthentication no';
586 if(sshd_supports_opt('KerberosGetAFSToken','no')) {
587 push @cfgarr, 'KerberosGetAFSToken no';
589 if(sshd_supports_opt('KerberosOrLocalPasswd','no')) {
590 push @cfgarr, 'KerberosOrLocalPasswd no';
592 if(sshd_supports_opt('KerberosTgtPassing','no')) {
593 push @cfgarr, 'KerberosTgtPassing no';
595 if(sshd_supports_opt('KerberosTicketCleanup','yes')) {
596 push @cfgarr, 'KerberosTicketCleanup yes';
600 #***************************************************************************
601 # Andrew File System support may have not been built into sshd
603 if(sshd_supports_opt('AFSTokenPassing','no')) {
604 push @cfgarr, 'AFSTokenPassing no';
608 #***************************************************************************
609 # S/Key authentication support may have not been built into sshd
611 if(sshd_supports_opt('SkeyAuthentication','no')) {
612 push @cfgarr, 'SkeyAuthentication no';
616 #***************************************************************************
617 # GSSAPI Authentication support may have not been built into sshd
619 my $sshd_builtwith_GSSAPI;
620 if(sshd_supports_opt('GSSAPIAuthentication','no')) {
621 push @cfgarr, 'GSSAPIAuthentication no';
622 $sshd_builtwith_GSSAPI = 1;
624 if(sshd_supports_opt('GSSAPICleanupCredentials','yes')) {
625 push @cfgarr, 'GSSAPICleanupCredentials yes';
627 if(sshd_supports_opt('GSSAPIKeyExchange','no')) {
628 push @cfgarr, 'GSSAPIKeyExchange no';
630 if(sshd_supports_opt('GSSAPIStoreDelegatedCredentials','no')) {
631 push @cfgarr, 'GSSAPIStoreDelegatedCredentials no';
633 if(sshd_supports_opt('GSSCleanupCreds','yes')) {
634 push @cfgarr, 'GSSCleanupCreds yes';
636 if(sshd_supports_opt('GSSUseSessionCredCache','no')) {
637 push @cfgarr, 'GSSUseSessionCredCache no';
642 #***************************************************************************
643 # Options that might be supported or not in sshd OpenSSH 2.9.9 and later
645 if(sshd_supports_opt('AcceptEnv','')) {
646 push @cfgarr, 'AcceptEnv';
648 if(sshd_supports_opt('AddressFamily','any')) {
649 # Address family must be specified before ListenAddress
650 splice @cfgarr, 14, 0, 'AddressFamily any';
652 if(sshd_supports_opt('Compression','no')) {
653 push @cfgarr, 'Compression no';
655 if(sshd_supports_opt('KbdInteractiveAuthentication','no')) {
656 push @cfgarr, 'KbdInteractiveAuthentication no';
658 if(sshd_supports_opt('KeepAlive','no')) {
659 push @cfgarr, 'KeepAlive no';
661 if(sshd_supports_opt('LookupClientHostnames','no')) {
662 push @cfgarr, 'LookupClientHostnames no';
664 if(sshd_supports_opt('MaxAuthTries','10')) {
665 push @cfgarr, 'MaxAuthTries 10';
667 if(sshd_supports_opt('PAMAuthenticationViaKbdInt','no')) {
668 push @cfgarr, 'PAMAuthenticationViaKbdInt no';
670 if(sshd_supports_opt('PermitTunnel','no')) {
671 push @cfgarr, 'PermitTunnel no';
673 if(sshd_supports_opt('PermitUserEnvironment','no')) {
674 push @cfgarr, 'PermitUserEnvironment no';
676 if(sshd_supports_opt('RhostsAuthentication','no')) {
677 push @cfgarr, 'RhostsAuthentication no';
679 if(sshd_supports_opt('TCPKeepAlive','no')) {
680 push @cfgarr, 'TCPKeepAlive no';
682 if(sshd_supports_opt('UseDNS','no')) {
683 push @cfgarr, 'UseDNS no';
685 if(sshd_supports_opt('UsePAM','no')) {
686 push @cfgarr, 'UsePAM no';
689 if($sshdid =~ /OpenSSH/) {
690 # http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6492415
691 if(sshd_supports_opt('UsePrivilegeSeparation','no')) {
692 push @cfgarr, 'UsePrivilegeSeparation no';
696 if(sshd_supports_opt('VerifyReverseMapping','no')) {
697 push @cfgarr, 'VerifyReverseMapping no';
699 if(sshd_supports_opt('X11UseLocalhost','yes')) {
700 push @cfgarr, 'X11UseLocalhost yes';
705 #***************************************************************************
706 # Write out resulting sshd configuration file for curl's tests
708 $error = dump_array($sshdconfig, @cfgarr);
715 #***************************************************************************
716 # Verify that sshd actually supports our generated configuration file
718 if(system "\"$sshd\" -t -f $sshdconfig > $sshdlog 2>&1") {
719 logmsg "sshd configuration file $sshdconfig failed verification";
721 display_sshdconfig();
726 #***************************************************************************
727 # Generate ssh client host key database file for curl's tests
729 if((! -e $knownhosts) || (! -s $knownhosts)) {
730 logmsg 'generating ssh client known hosts file...' if($verbose);
732 if(open(DSAKEYFILE, "<$hstpubkeyf")) {
733 my @dsahostkey = do { local $/ = ' '; <DSAKEYFILE> };
734 if(close(DSAKEYFILE)) {
735 if(open(KNOWNHOSTS, ">$knownhosts")) {
736 print KNOWNHOSTS "$listenaddr ssh-dss $dsahostkey[1]\n";
737 if(!close(KNOWNHOSTS)) {
738 $error = "Error: cannot close file $knownhosts";
742 $error = "Error: cannot write file $knownhosts";
746 $error = "Error: cannot close file $hstpubkeyf";
750 $error = "Error: cannot read file $hstpubkeyf";
759 #***************************************************************************
760 # Convert paths for curl's tests running on Windows using Cygwin OpenSSH
762 my $identity_config = abs_path("$path/$identity");
763 my $knownhosts_config = abs_path("$path/$knownhosts");
765 if ($^O eq 'MSWin32' || $^O eq 'cygwin' || $^O eq 'msys') {
766 # convert MinGW drive paths to Cygwin drive paths
767 $identity_config =~ s/^\/(\w)\//\/cygdrive\/$1\//;
768 $knownhosts_config =~ s/^\/(\w)\//\/cygdrive\/$1\//;
772 #***************************************************************************
773 # ssh client configuration file options we might use and version support
775 # AddressFamily : OpenSSH 3.7.0 and later
776 # BatchMode : OpenSSH 1.2.1 and later
777 # BindAddress : OpenSSH 2.9.9 and later
778 # ChallengeResponseAuthentication : OpenSSH 2.5.0 and later
779 # CheckHostIP : OpenSSH 1.2.1 and later
780 # Cipher : OpenSSH 1.2.1 and later [3]
781 # Ciphers : OpenSSH 2.1.0 and later [3]
782 # ClearAllForwardings : OpenSSH 2.9.9 and later
783 # Compression : OpenSSH 1.2.1 and later
784 # CompressionLevel : OpenSSH 1.2.1 and later [3]
785 # ConnectionAttempts : OpenSSH 1.2.1 and later
786 # ConnectTimeout : OpenSSH 3.7.0 and later
787 # ControlMaster : OpenSSH 3.9.0 and later
788 # ControlPath : OpenSSH 3.9.0 and later
789 # DisableBanner : SunSSH 1.2.0 and later
790 # DynamicForward : OpenSSH 2.9.0 and later
791 # EnableSSHKeysign : OpenSSH 3.6.0 and later
792 # EscapeChar : OpenSSH 1.2.1 and later [3]
793 # ExitOnForwardFailure : OpenSSH 4.4.0 and later
794 # ForwardAgent : OpenSSH 1.2.1 and later
795 # ForwardX11 : OpenSSH 1.2.1 and later
796 # ForwardX11Trusted : OpenSSH 3.8.0 and later
797 # GatewayPorts : OpenSSH 1.2.1 and later
798 # GlobalKnownHostsFile : OpenSSH 1.2.1 and later
799 # GSSAPIAuthentication : OpenSSH 3.7.0 and later [1]
800 # GSSAPIDelegateCredentials : OpenSSH 3.7.0 and later [1]
801 # HashKnownHosts : OpenSSH 4.0.0 and later
802 # Host : OpenSSH 1.2.1 and later
803 # HostbasedAuthentication : OpenSSH 2.9.0 and later
804 # HostKeyAlgorithms : OpenSSH 2.9.0 and later [3]
805 # HostKeyAlias : OpenSSH 2.5.0 and later [3]
806 # HostName : OpenSSH 1.2.1 and later
807 # IdentitiesOnly : OpenSSH 3.9.0 and later
808 # IdentityFile : OpenSSH 1.2.1 and later
809 # IgnoreIfUnknown : SunSSH 1.2.0 and later
810 # KeepAlive : OpenSSH 1.2.1 and later
811 # KbdInteractiveAuthentication : OpenSSH 2.3.0 and later
812 # KbdInteractiveDevices : OpenSSH 2.3.0 and later [3]
813 # LocalCommand : OpenSSH 4.3.0 and later [3]
814 # LocalForward : OpenSSH 1.2.1 and later [3]
815 # LogLevel : OpenSSH 1.2.1 and later
816 # MACs : OpenSSH 2.5.0 and later [3]
817 # NoHostAuthenticationForLocalhost : OpenSSH 3.0.0 and later
818 # NumberOfPasswordPrompts : OpenSSH 1.2.1 and later
819 # PasswordAuthentication : OpenSSH 1.2.1 and later
820 # PermitLocalCommand : OpenSSH 4.3.0 and later
821 # Port : OpenSSH 1.2.1 and later
822 # PreferredAuthentications : OpenSSH 2.5.2 and later
823 # Protocol : OpenSSH 2.1.0 and later
824 # ProxyCommand : OpenSSH 1.2.1 and later [3]
825 # PubkeyAuthentication : OpenSSH 2.5.0 and later
826 # RekeyLimit : OpenSSH 3.7.0 and later
827 # RemoteForward : OpenSSH 1.2.1 and later [3]
828 # RhostsRSAAuthentication : OpenSSH 1.2.1 and later
829 # RSAAuthentication : OpenSSH 1.2.1 and later
830 # SendEnv : OpenSSH 3.9.0 and later
831 # ServerAliveCountMax : OpenSSH 3.8.0 and later
832 # ServerAliveInterval : OpenSSH 3.8.0 and later
833 # SmartcardDevice : OpenSSH 2.9.9 and later [1][3]
834 # StrictHostKeyChecking : OpenSSH 1.2.1 and later
835 # TCPKeepAlive : OpenSSH 3.8.0 and later
836 # Tunnel : OpenSSH 4.3.0 and later
837 # TunnelDevice : OpenSSH 4.3.0 and later [3]
838 # UsePAM : OpenSSH 3.7.0 and later [1][2][3]
839 # UsePrivilegedPort : OpenSSH 1.2.1 and later
840 # User : OpenSSH 1.2.1 and later
841 # UserKnownHostsFile : OpenSSH 1.2.1 and later
842 # VerifyHostKeyDNS : OpenSSH 3.8.0 and later
843 # XAuthLocation : OpenSSH 2.1.1 and later [3]
845 # [1] Option only available if activated at compile time
846 # [2] Option specific for portable versions
847 # [3] Option not used in our ssh client config file
850 #***************************************************************************
851 # Initialize ssh config with options actually supported in OpenSSH 2.9.9
853 logmsg 'generating ssh client config file...' if($verbose);
855 push @cfgarr, '# This is a generated file. Do not edit.';
856 push @cfgarr, "# $sshverstr ssh client configuration file for curl testing";
858 push @cfgarr, 'Host *';
860 push @cfgarr, "Port $port";
861 push @cfgarr, "HostName $listenaddr";
862 push @cfgarr, "User $username";
863 push @cfgarr, 'Protocol 2';
865 push @cfgarr, "BindAddress $listenaddr";
866 push @cfgarr, "DynamicForward $socksport";
868 push @cfgarr, "IdentityFile $identity_config";
869 push @cfgarr, "UserKnownHostsFile $knownhosts_config";
871 push @cfgarr, 'BatchMode yes';
872 push @cfgarr, 'ChallengeResponseAuthentication no';
873 push @cfgarr, 'CheckHostIP no';
874 push @cfgarr, 'ClearAllForwardings no';
875 push @cfgarr, 'Compression no';
876 push @cfgarr, 'ConnectionAttempts 3';
877 push @cfgarr, 'ForwardAgent no';
878 push @cfgarr, 'ForwardX11 no';
879 push @cfgarr, 'GatewayPorts no';
880 push @cfgarr, 'GlobalKnownHostsFile /dev/null';
881 push @cfgarr, 'HostbasedAuthentication no';
882 push @cfgarr, 'KbdInteractiveAuthentication no';
883 push @cfgarr, "LogLevel $loglevel";
884 push @cfgarr, 'NumberOfPasswordPrompts 0';
885 push @cfgarr, 'PasswordAuthentication no';
886 push @cfgarr, 'PreferredAuthentications publickey';
887 push @cfgarr, 'PubkeyAuthentication yes';
888 push @cfgarr, 'RhostsRSAAuthentication no';
889 push @cfgarr, 'RSAAuthentication no';
891 # Disabled StrictHostKeyChecking since it makes the tests fail on my
892 # OpenSSH_6.0p1 on Debian Linux / Daniel
893 push @cfgarr, 'StrictHostKeyChecking no';
894 push @cfgarr, 'UsePrivilegedPort no';
898 #***************************************************************************
899 # Options supported in ssh client newer than OpenSSH 2.9.9
902 if(($sshid =~ /OpenSSH/) && ($sshvernum >= 370)) {
903 push @cfgarr, 'AddressFamily any';
906 if((($sshid =~ /OpenSSH/) && ($sshvernum >= 370)) ||
907 (($sshid =~ /SunSSH/) && ($sshvernum >= 120))) {
908 push @cfgarr, 'ConnectTimeout 30';
911 if(($sshid =~ /OpenSSH/) && ($sshvernum >= 390)) {
912 push @cfgarr, 'ControlMaster no';
915 if(($sshid =~ /OpenSSH/) && ($sshvernum >= 420)) {
916 push @cfgarr, 'ControlPath none';
919 if(($sshid =~ /SunSSH/) && ($sshvernum >= 120)) {
920 push @cfgarr, 'DisableBanner yes';
923 if(($sshid =~ /OpenSSH/) && ($sshvernum >= 360)) {
924 push @cfgarr, 'EnableSSHKeysign no';
927 if(($sshid =~ /OpenSSH/) && ($sshvernum >= 440)) {
928 push @cfgarr, 'ExitOnForwardFailure yes';
931 if((($sshid =~ /OpenSSH/) && ($sshvernum >= 380)) ||
932 (($sshid =~ /SunSSH/) && ($sshvernum >= 120))) {
933 push @cfgarr, 'ForwardX11Trusted no';
936 if(($sshd_builtwith_GSSAPI) && ($sshdid eq $sshid) &&
937 ($sshdvernum == $sshvernum)) {
938 push @cfgarr, 'GSSAPIAuthentication no';
939 push @cfgarr, 'GSSAPIDelegateCredentials no';
940 if($sshid =~ /SunSSH/) {
941 push @cfgarr, 'GSSAPIKeyExchange no';
945 if((($sshid =~ /OpenSSH/) && ($sshvernum >= 400)) ||
946 (($sshid =~ /SunSSH/) && ($sshvernum >= 120))) {
947 push @cfgarr, 'HashKnownHosts no';
950 if(($sshid =~ /OpenSSH/) && ($sshvernum >= 390)) {
951 push @cfgarr, 'IdentitiesOnly yes';
954 if(($sshid =~ /SunSSH/) && ($sshvernum >= 120)) {
955 push @cfgarr, 'IgnoreIfUnknown no';
958 if((($sshid =~ /OpenSSH/) && ($sshvernum < 380)) ||
959 ($sshid =~ /SunSSH/)) {
960 push @cfgarr, 'KeepAlive no';
963 if((($sshid =~ /OpenSSH/) && ($sshvernum >= 300)) ||
964 ($sshid =~ /SunSSH/)) {
965 push @cfgarr, 'NoHostAuthenticationForLocalhost no';
968 if(($sshid =~ /OpenSSH/) && ($sshvernum >= 430)) {
969 push @cfgarr, 'PermitLocalCommand no';
972 if((($sshid =~ /OpenSSH/) && ($sshvernum >= 370)) ||
973 (($sshid =~ /SunSSH/) && ($sshvernum >= 120))) {
974 push @cfgarr, 'RekeyLimit 1G';
977 if(($sshid =~ /OpenSSH/) && ($sshvernum >= 390)) {
978 push @cfgarr, 'SendEnv';
981 if((($sshid =~ /OpenSSH/) && ($sshvernum >= 380)) ||
982 (($sshid =~ /SunSSH/) && ($sshvernum >= 120))) {
983 push @cfgarr, 'ServerAliveCountMax 3';
984 push @cfgarr, 'ServerAliveInterval 0';
987 if(($sshid =~ /OpenSSH/) && ($sshvernum >= 380)) {
988 push @cfgarr, 'TCPKeepAlive no';
991 if(($sshid =~ /OpenSSH/) && ($sshvernum >= 430)) {
992 push @cfgarr, 'Tunnel no';
995 if(($sshid =~ /OpenSSH/) && ($sshvernum >= 380)) {
996 push @cfgarr, 'VerifyHostKeyDNS no';
1002 #***************************************************************************
1003 # Write out resulting ssh client configuration file for curl's tests
1005 $error = dump_array($sshconfig, @cfgarr);
1012 #***************************************************************************
1013 # Initialize client sftp config with options actually supported.
1015 logmsg 'generating sftp client config file...' if($verbose);
1016 splice @cfgarr, 1, 1, "# $sshverstr sftp client configuration file for curl testing";
1018 for(my $i = scalar(@cfgarr) - 1; $i > 0; $i--) {
1019 if($cfgarr[$i] =~ /^DynamicForward/) {
1020 splice @cfgarr, $i, 1;
1023 if($cfgarr[$i] =~ /^ClearAllForwardings/) {
1024 splice @cfgarr, $i, 1, "ClearAllForwardings yes";
1030 #***************************************************************************
1031 # Write out resulting sftp client configuration file for curl's tests
1033 $error = dump_array($sftpconfig, @cfgarr);
1041 #***************************************************************************
1042 # Generate client sftp commands batch file for sftp server verification
1044 logmsg 'generating sftp client commands file...' if($verbose);
1045 push @cfgarr, 'pwd';
1046 push @cfgarr, 'quit';
1047 $error = dump_array($sftpcmds, @cfgarr);
1055 #***************************************************************************
1056 # Start the ssh server daemon without forking it
1058 logmsg "SCP/SFTP server listening on port $port" if($verbose);
1059 my $rc = system "\"$sshd\" -e -D -f $sshdconfig > $sshdlog 2>&1";
1061 logmsg "\"$sshd\" failed with: $!";
1064 logmsg sprintf("\"$sshd\" died with signal %d, and %s coredump",
1065 ($rc & 127), ($rc & 128)?'a':'no');
1067 elsif($verbose && ($rc >> 8)) {
1068 logmsg sprintf("\"$sshd\" exited with %d", $rc >> 8);
1072 #***************************************************************************
1073 # Clean up once the server has stopped
1075 unlink($hstprvkeyf, $hstpubkeyf, $cliprvkeyf, $clipubkeyf, $knownhosts);
1076 unlink($sshdconfig, $sshconfig, $sftpconfig);