summaryrefslogtreecommitdiffstats
path: root/tests/ssh-test-plugin
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-17 08:06:26 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-17 08:06:26 +0000
commit1660d4b7a65d9ad2ce0deaa19d35579ca4084ac5 (patch)
tree6cf8220b628ebd2ccfc1375dd6516c6996e9abcc /tests/ssh-test-plugin
parentInitial commit. (diff)
downloadcryptsetup-1660d4b7a65d9ad2ce0deaa19d35579ca4084ac5.tar.xz
cryptsetup-1660d4b7a65d9ad2ce0deaa19d35579ca4084ac5.zip
Adding upstream version 2:2.6.1.upstream/2%2.6.1upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'tests/ssh-test-plugin')
-rwxr-xr-xtests/ssh-test-plugin204
1 files changed, 204 insertions, 0 deletions
diff --git a/tests/ssh-test-plugin b/tests/ssh-test-plugin
new file mode 100755
index 0000000..5b3966e
--- /dev/null
+++ b/tests/ssh-test-plugin
@@ -0,0 +1,204 @@
+#!/bin/bash
+
+[ -z "$CRYPTSETUP_PATH" ] && {
+ TOKEN_PATH="./fake_token_path.so"
+ [ ! -f $TOKEN_PATH ] && { echo "Please compile $TOKEN_PATH."; exit 77; }
+ export LD_PRELOAD=$TOKEN_PATH
+ CRYPTSETUP_PATH=".."
+}
+CRYPTSETUP=$CRYPTSETUP_PATH/cryptsetup
+CRYPTSETUP_SSH=$CRYPTSETUP_PATH/cryptsetup-ssh
+IMG="ssh_test.img"
+MAP="sshtest"
+USER="sshtest"
+PASSWD="sshtest1"
+PASSWD2="sshtest2"
+SSH_OPTIONS="-o StrictHostKeyChecking=no"
+
+SSH_SERVER="localhost"
+SSH_PATH="/home/$USER/keyfile"
+SSH_KEY_PATH="$HOME/sshtest-key"
+
+FAST_PBKDF_OPT="--pbkdf pbkdf2 --pbkdf-force-iterations 1000"
+
+CRYPTSETUP_VALGRIND=../.libs/cryptsetup
+CRYPTSETUP_SSH_VALGRIND=../.libs/cryptsetup-ssh
+CRYPTSETUP_LIB_VALGRIND=../.libs
+
+[ -z "$srcdir" ] && srcdir="."
+
+function remove_mapping()
+{
+ [ -b /dev/mapper/$MAP ] && dmsetup remove --retry $MAP
+ rm -f $IMG >/dev/null 2>&1
+}
+
+function remove_user()
+{
+ id -u $USER >/dev/null 2>&1 && userdel -r -f $USER >/dev/null 2>&1
+ rm -f $SSH_KEY_PATH "$SSH_KEY_PATH.pub" >/dev/null 2>&1
+}
+
+function create_user()
+{
+ id -u $USER >/dev/null 2>&1
+ [ $? -eq 0 ] && skip "User account $USER exists, aborting."
+ [ -f $SSH_KEY_PATH ] && skip "SSH key $SSH_KEY_PATH already exists, aborting."
+
+ useradd -m $USER -p $(openssl passwd $PASSWD) || skip "Failed to add user for SSH plugin test."
+
+ ssh-keygen -f $SSH_KEY_PATH -q -N "" >/dev/null 2>&1
+ [ $? -ne 0 ] && remove_user && skip "Failed to create SSH key."
+}
+
+function ssh_check()
+{
+ # try to use netcat to check port 22
+ nc -zv $SSH_SERVER 22 >/dev/null 2>&1 || skip "SSH server does not seem to be running, skipping."
+}
+
+function bin_check()
+{
+ command -v $1 >/dev/null || skip "WARNING: test require $1 binary, test skipped."
+}
+
+function ssh_setup()
+{
+ # copy the ssh key
+ [ -d "/home/$USER/.ssh" ] || mkdir /home/$USER/.ssh
+ touch /home/$USER/.ssh/authorized_keys
+
+ cat $SSH_KEY_PATH.pub >> /home/$USER/.ssh/authorized_keys
+ [ $? -ne 0 ] && remove_user && fail "Failed to copy SSH key."
+
+ # make sure /home/sshtest/.ssh and /home/sshtest/.ssh/authorized_keys have correct permissions
+ chown -R $USER:$USER /home/$USER/.ssh
+ chmod 700 /home/$USER/.ssh
+ chmod 644 /home/$USER/.ssh/authorized_keys
+
+ # try to ssh and also create keyfile
+ ssh -i $SSH_KEY_PATH $SSH_OPTIONS -o BatchMode=yes -n $USER@$SSH_SERVER "echo -n $PASSWD > $SSH_PATH" >/dev/null 2>&1
+ [ $? -ne 0 ] && remove_user && fail "Failed to connect using SSH."
+}
+
+function fail()
+{
+ echo "[FAILED]"
+ [ -n "$1" ] && echo "$1"
+ echo "FAILED backtrace:"
+ while caller $frame; do ((frame++)); done
+ remove_mapping
+ remove_user
+ exit 2
+}
+
+function skip()
+{
+ [ -n "$1" ] && echo "$1"
+ remove_mapping
+ exit 77
+}
+
+function valgrind_setup()
+{
+ command -v valgrind >/dev/null || fail "Cannot find valgrind."
+ [ ! -f $CRYPTSETUP_VALGRIND ] && fail "Unable to get location of cryptsetup executable."
+ [ ! -f $CRYPTSETUP_SSH_VALGRIND ] && fail "Unable to get location of cryptsetup-ssh executable."
+ export LD_LIBRARY_PATH="$CRYPTSETUP_LIB_VALGRIND:$LD_LIBRARY_PATH"
+}
+
+function valgrind_run()
+{
+ INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_VALGRIND} "$@"
+}
+
+function valgrind_run_ssh()
+{
+ INFOSTRING="$(basename ${BASH_SOURCE[1]})-line-${BASH_LINENO[0]}" ./valg.sh ${CRYPTSETUP_SSH_VALGRIND} "$@"
+}
+
+format()
+{
+ dd if=/dev/zero of=$IMG bs=1M count=32 >/dev/null 2>&1
+
+ echo $PASSWD | $CRYPTSETUP luksFormat --type luks2 $FAST_PBKDF_OPT $IMG --force-password -q
+ [ $? -ne 0 ] && fail "Format failed."
+
+ echo -e "$PASSWD\n$PASSWD2" | $CRYPTSETUP luksAddKey $FAST_PBKDF_OPT $IMG -q
+ [ $? -ne 0 ] && fail "Add key failed."
+}
+
+check_dump()
+{
+ dump=$1
+ keyslot=$2
+
+ token=$(echo "$dump" | grep Tokens -A 1 | tail -1 | cut -d: -f2 | tr -d "\t\n ")
+ [ "$token" = "ssh" ] || fail " token check from dump failed."
+
+ server=$(echo "$dump" | grep ssh_server | cut -d: -f2 | tr -d "\t\n ")
+ [ "$server" = $SSH_SERVER ] || fail " server check from dump failed."
+
+ user=$(echo "$dump" | grep ssh_user | cut -d: -f2 | tr -d "\t\n ")
+ [ "$user" = "$USER" ] || fail " user check from dump failed."
+
+ path=$(echo "$dump" | grep ssh_path | cut -d: -f2 | tr -d "\t\n ")
+ [ "$path" = "$SSH_PATH" ] || fail " path check from dump failed."
+
+ key_path=$(echo "$dump" | grep ssh_key_path | cut -d: -f2 | tr -d "\t\n ")
+ [ "$key_path" = "$SSH_KEY_PATH" ] || fail " key_path check from dump failed."
+
+ keyslot_dump=$(echo "$dump" | grep Keyslot: | cut -d: -f2 | tr -d "\t\n ")
+ [ "$keyslot_dump" = "$keyslot" ] || fail " keyslot check from dump failed."
+}
+
+[ ! -x "$CRYPTSETUP" ] && skip "Cannot find $CRYPTSETUP, test skipped."
+[ -n "$VALG" ] && valgrind_setup && CRYPTSETUP=valgrind_run && CRYPTSETUP_SSH=valgrind_run_ssh
+[ $(id -u) != 0 ] && skip "WARNING: You must be root to run this test, test skipped."
+
+# Prevent running dangerous useradd operation by default
+[ -z "$RUN_SSH_PLUGIN_TEST" ] && skip "WARNING: Variable RUN_SSH_PLUGIN_TEST must be defined, test skipped."
+
+bin_check nc
+bin_check useradd
+bin_check ssh
+bin_check ssh-keygen
+bin_check sshpass
+bin_check openssl
+
+format
+
+echo -n "Adding SSH token: "
+
+ssh_check
+create_user
+ssh_setup
+
+$CRYPTSETUP_SSH add $IMG --ssh-server $SSH_SERVER --ssh-user $USER --ssh-path $SSH_PATH --ssh-keypath $SSH_KEY_PATH
+[ $? -ne 0 ] && fail "Failed to add SSH token to $IMG"
+
+out=$($CRYPTSETUP luksDump $IMG)
+check_dump "$out" 0
+echo "[OK]"
+
+echo -n "Activating using SSH token: "
+
+$CRYPTSETUP luksOpen --token-only --disable-external-tokens -r $IMG $MAP && fail "Tokens should be disabled"
+$CRYPTSETUP luksOpen -r $IMG $MAP -q >/dev/null 2>&1 <&-
+[ $? -ne 0 ] && fail "Failed to open $IMG using SSH token"
+echo "[OK]"
+
+# Remove the newly added token and test adding with --key-slot
+$CRYPTSETUP token remove --token-id 0 $IMG || fail "Failed to remove token"
+
+echo -n "Adding SSH token with --key-slot: "
+
+$CRYPTSETUP_SSH add $IMG --ssh-server $SSH_SERVER --ssh-user $USER --ssh-path $SSH_PATH --ssh-keypath $SSH_KEY_PATH --key-slot 1
+[ $? -ne 0 ] && fail "Failed to add SSH token to $IMG"
+
+out=$($CRYPTSETUP luksDump $IMG)
+check_dump "$out" 1
+echo "[OK]"
+
+remove_mapping
+remove_user