path: root/test/authentication/methods/test_publickey.rb
blob: 5e76ca011b4929f7c3822d425196c95f655996ba (plain)
require 'common'
require 'net/ssh/authentication/methods/publickey'
require 'authentication/methods/common'

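module Authentication
  module Methods
    # Exercises Net::SSH::Authentication::Methods::Publickey against a scripted
    # transport. Every USERAUTH_REQUEST the client emits is checked field by
    # field (user, service, method, signature flag, algorithm, key blob) and the
    # server side of the exchange is replayed from the nested `transport.expect`
    # blocks. `transport`, `session` and `stub` are provided by Common /
    # NetSSHTest and are not visible in this file.
    class TestPublickey < NetSSHTest
      include Common

      class << self
        # Test identities, memoized at class level (a class-level instance
        # variable rather than a @@class variable, which would be shared across
        # the whole inheritance tree). The sizes are deliberately tiny: these
        # keys only ever exist inside this test process.
        def keys
          @keys ||= [OpenSSL::PKey::RSA.new(512), OpenSSL::PKey::DSA.new(512)]
        end
      end

      def test_authenticate_should_return_false_when_no_key_manager_has_been_set
        assert_equal false, subject(key_manager: nil).authenticate("ssh-connection", "jamis")
      end

      def test_authenticate_should_return_false_when_key_manager_has_no_keys
        assert_equal false, subject(keys: []).authenticate("ssh-connection", "jamis")
      end

      # Each identity is probed without a signature and the server rejects both,
      # so no signing happens at all.
      def test_authenticate_should_return_false_if_no_keys_can_authenticate
        transport.expect do |t, packet|
          assert_userauth_request(packet, keys.first, false)
          t.return(USERAUTH_FAILURE, :string, "hostbased,password")

          t.expect do |t2, packet2|
            assert_userauth_request(packet2, keys.last, false)
            t2.return(USERAUTH_FAILURE, :string, "hostbased,password")
          end
        end

        assert_equal false, subject.authenticate("ssh-connection", "jamis")
      end

      # The server accepts the probe (PK_OK) but answers the signed request with
      # a FAILURE whose continue-list no longer names "publickey"; the client
      # must surface that as DisallowedMethod rather than trying further keys.
      def test_authenticate_should_raise_if_publickey_disallowed
        key_manager.expects(:sign).with(&signature_parameters(keys.first)).returns("sig-one")

        transport.expect do |t, packet|
          assert_userauth_request(packet, keys.first, false)
          return_pk_ok(t, keys.first)

          t.expect do |t2, packet2|
            assert_userauth_request(packet2, keys.first, true)
            assert_equal "sig-one", packet2.read_string
            t2.return(USERAUTH_FAILURE, :string, "hostbased,password")
          end
        end

        assert_raises Net::SSH::Authentication::DisallowedMethod do
          subject.authenticate("ssh-connection", "jamis")
        end
      end

      # Both keys pass the probe but their signatures are rejected while
      # "publickey" stays in the continue-list, so the client moves on to the
      # next key and finally reports false.
      def test_authenticate_should_return_false_if_signature_exchange_fails
        key_manager.expects(:sign).with(&signature_parameters(keys.first)).returns("sig-one")
        key_manager.expects(:sign).with(&signature_parameters(keys.last)).returns("sig-two")

        transport.expect do |t, packet|
          assert_userauth_request(packet, keys.first, false)
          return_pk_ok(t, keys.first)

          t.expect do |t2, packet2|
            assert_userauth_request(packet2, keys.first, true)
            assert_equal "sig-one", packet2.read_string
            t2.return(USERAUTH_FAILURE, :string, "publickey")

            t2.expect do |t3, packet3|
              assert_userauth_request(packet3, keys.last, false)
              return_pk_ok(t3, keys.last)

              t3.expect do |t4, packet4|
                assert_userauth_request(packet4, keys.last, true)
                assert_equal "sig-two", packet4.read_string
                t4.return(USERAUTH_FAILURE, :string, "publickey")
              end
            end
          end
        end

        # Same assertion style as the other false-returning cases above.
        assert_equal false, subject.authenticate("ssh-connection", "jamis")
      end

      def test_authenticate_should_return_true_if_any_key_can_authenticate
        key_manager.expects(:sign).with(&signature_parameters(keys.first)).returns("sig-one")

        transport.expect do |t, packet|
          assert_userauth_request(packet, keys.first, false)
          return_pk_ok(t, keys.first)

          t.expect do |t2, packet2|
            assert_userauth_request(packet2, keys.first, true)
            assert_equal "sig-one", packet2.read_string
            t2.return(USERAUTH_SUCCESS)
          end
        end

        assert subject.authenticate("ssh-connection", "jamis")
      end

      # With only rsa-sha2-256 allowed, both the probe and the signed request
      # carry the algorithm name "rsa-sha2-256" rather than the key's own
      # ssh_type, and sign must be invoked with that algorithm.
      def test_authenticate_rsa_sha2
        key_manager.expects(:sign).with(&signature_parameters_with_alg(keys.first, "rsa-sha2-256")).returns("sig-one")

        transport.expect do |t, packet|
          assert_userauth_request(packet, keys.first, false, "rsa-sha2-256")
          return_pk_ok(t, keys.first, "rsa-sha2-256")

          t.expect do |t2, packet2|
            assert_userauth_request(packet2, keys.first, true, "rsa-sha2-256")
            assert_equal "sig-one", packet2.read_string
            t2.return(USERAUTH_SUCCESS)
          end
        end

        assert subject(pubkey_algorithms: %w[rsa-sha2-256]).authenticate("ssh-connection", "jamis")
      end

      # The rsa-sha2-256 probe is refused, so the client retries the same key
      # under its plain ssh_type and succeeds there.
      def test_authenticate_rsa_sha2_fallback
        key_manager.expects(:sign).with(&signature_parameters(keys.first)).returns("sig-one")

        transport.expect do |t, packet|
          assert_userauth_request(packet, keys.first, false, "rsa-sha2-256")
          t.return(USERAUTH_FAILURE, :string, "publickey")

          t.expect do |t2, packet2|
            assert_userauth_request(packet2, keys.first, false)
            return_pk_ok(t2, keys.first)

            t2.expect do |t3, packet3|
              assert_userauth_request(packet3, keys.first, true)
              assert_equal "sig-one", packet3.read_string
              t3.return(USERAUTH_SUCCESS)
            end
          end
        end

        assert subject(pubkey_algorithms: %w[rsa-sha2-256 ssh-rsa]).authenticate("ssh-connection", "jamis")
      end

      private

      # Asserts that +packet+ is a USERAUTH_REQUEST for +key+ with the expected
      # signature flag (and algorithm name, when given). Consumes the packet up
      # to the key blob, so a caller expecting a signature reads it next.
      def assert_userauth_request(packet, key, has_sig, alg = nil)
        assert_equal USERAUTH_REQUEST, packet.type
        assert verify_userauth_request_packet(packet, key, has_sig, alg)
      end

      # Scripts the server's USERAUTH_PK_OK reply: the algorithm name and the
      # key blob are echoed back. The tests expect the next client request to
      # be the signed one.
      def return_pk_ok(t, key, alg = key.ssh_type)
        t.return(USERAUTH_PK_OK, :string, alg, :string, Net::SSH::Buffer.from(:key, key))
      end

      # Mocha argument matcher for key_manager.sign(key, data[, alg]): true only
      # when the key is the expected identity and +data+ is the session id
      # followed by the exact signed USERAUTH_REQUEST. Deliberately a Proc, not
      # a lambda, so a third argument (see signature_parameters_with_alg) is
      # tolerated instead of raising an arity error.
      # "abcxyz123" is assumed to be the session id Common's session() sets up;
      # confirm against authentication/methods/common.
      def signature_parameters(key)
        proc do |given_key, data|
          next false unless given_key.to_blob == key.to_blob

          buffer = Net::SSH::Buffer.new(data)
          buffer.read_string == "abcxyz123"      && # session-id
            buffer.read_byte == USERAUTH_REQUEST && # type
            verify_userauth_request_packet(buffer, key, true)
        end
      end

      # As signature_parameters, but also requires sign to have been handed the
      # expected algorithm name and checks that name in the signed request.
      def signature_parameters_with_alg(key, alg)
        proc do |given_key, data, given_alg|
          next false unless given_key.to_blob == key.to_blob
          next false unless given_alg == alg

          buffer = Net::SSH::Buffer.new(data)
          buffer.read_string == "abcxyz123"      && # session-id
            buffer.read_byte == USERAUTH_REQUEST && # type
            verify_userauth_request_packet(buffer, key, true, alg)
        end
      end

      # Field-by-field check of a publickey USERAUTH_REQUEST body, read in wire
      # order. The key is compared by full blob, and the algorithm field must be
      # +alg+ when given, otherwise the key's own ssh_type. Short-circuits on the
      # first mismatch, so later fields are left unread in that case.
      def verify_userauth_request_packet(packet, key, has_sig, alg = nil)
        packet.read_string == "jamis" && # user-name
          packet.read_string == "ssh-connection" && # next service
          packet.read_string == "publickey"      && # auth-method
          packet.read_bool   == has_sig          && # whether a signature is appended
          packet.read_string == (alg || key.ssh_type) && # ssh key type
          packet.read_buffer.read_key.to_blob == key.to_blob # key
      end

      # Instance-side accessor for the class-level test identities.
      def keys
        self.class.keys
      end

      # Stubbed key manager whose each_identity yields options[:keys] (or the
      # default pair). Memoized per test instance, so only the first call's
      # options take effect.
      def key_manager(options = {})
        @key_manager ||= begin
          manager = stub("key_manager")
          manager.stubs(:each_identity).multiple_yields(*(options[:keys] || keys))
          manager
        end
      end

      # Builds the Publickey method under test. A stubbed key manager is
      # supplied unless :key_manager is present (even as nil), and ssh-rsa is
      # the default pubkey algorithm list. The caller's hash is left untouched.
      def subject(options = {})
        options = options.dup
        options[:key_manager] = key_manager(options) unless options.key?(:key_manager)
        options[:pubkey_algorithms] = %w[ssh-rsa] unless options.key?(:pubkey_algorithms)
        @subject ||= Net::SSH::Authentication::Methods::Publickey.new(session(options), options)
      end
    end
  end
end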