| author | Nicola Murino <nicola.murino@gmail.com> | 2023-07-18 19:01:21 +0200 |
|---|---|---|
| committer | Gopher Robot <gobot@golang.org> | 2023-11-08 19:10:19 +0000 |
| commit | eb61739cd99fb244c7cd188d3c5bae54824e781d (patch) | |
| tree | 0e6aa46d6604aba25c8a7e0953423cae584502ea /ssh/server_test.go | |
| parent | 42c83fffffc70640068263e765db9c9b09cd2ba2 (diff) | |
| download | go-x-crypto-eb61739cd99fb244c7cd188d3c5bae54824e781d.tar.xz | |
ssh: allow to configure public key auth algorithms on the server side v0.15.0
Fixes golang/go#61244
Change-Id: I29b43e379cf0cdb07b0d6935666491b997157e73
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/510775
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Bryan Mills <bcmills@google.com>
Commit-Queue: Nicola Murino <nicola.murino@gmail.com>
Run-TryBot: Nicola Murino <nicola.murino@gmail.com>
Auto-Submit: Nicola Murino <nicola.murino@gmail.com>
Reviewed-by: Han-Wen Nienhuys <hanwen@google.com>
Diffstat (limited to 'ssh/server_test.go')
| -rw-r--r-- | ssh/server_test.go | 85 |
1 files changed, 85 insertions, 0 deletions
diff --git a/ssh/server_test.go b/ssh/server_test.go
new file mode 100644
index 0000000..2145dce
--- /dev/null
+++ b/ssh/server_test.go
@@ -0,0 +1,85 @@
+// Copyright 2023 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package ssh
+
+import (
+ "testing"
+)
+
+func TestClientAuthRestrictedPublicKeyAlgos(t *testing.T) {
+ for _, tt := range []struct {
+ name string
+ key Signer
+ wantError bool
+ }{
+ {"rsa", testSigners["rsa"], false},
+ {"dsa", testSigners["dsa"], true},
+ {"ed25519", testSigners["ed25519"], true},
+ } {
+ c1, c2, err := netPipe()
+ if err != nil {
+ t.Fatalf("netPipe: %v", err)
+ }
+ defer c1.Close()
+ defer c2.Close()
+ serverConf := &ServerConfig{
+ PublicKeyAuthAlgorithms: []string{KeyAlgoRSASHA256, KeyAlgoRSASHA512},
+ PublicKeyCallback: func(conn ConnMetadata, key PublicKey) (*Permissions, error) {
+ return nil, nil
+ },
+ }
+ serverConf.AddHostKey(testSigners["ecdsap256"])
+
+ done := make(chan struct{})
+ go func() {
+ defer close(done)
+ NewServerConn(c1, serverConf)
+ }()
+
+ clientConf := ClientConfig{
+ User: "user",
+ Auth: []AuthMethod{
+ PublicKeys(tt.key),
+ },
+ HostKeyCallback: InsecureIgnoreHostKey(),
+ }
+
+ _, _, _, err = NewClientConn(c2, "", &clientConf)
+ if err != nil {
+ if !tt.wantError {
+ t.Errorf("%s: got unexpected error %q", tt.name, err.Error())
+ }
+ } else if tt.wantError {
+ t.Errorf("%s: succeeded, but want error", tt.name)
+ }
+ <-done
+ }
+}
+
+func TestNewServerConnValidationErrors(t *testing.T) {
+ c1, c2, err := netPipe()
+ if err != nil {
+ t.Fatalf("netPipe: %v", err)
+ }
+ defer c1.Close()
+ defer c2.Close()
+
+ serverConf := &ServerConfig{
+ PublicKeyAuthAlgorithms: []string{CertAlgoRSAv01},
+ }
+ _, _, _, err = NewServerConn(c1, serverConf)
+ if err == nil {
+ t.Fatal("NewServerConn with invalid public key auth algorithms succeeded")
+ }
+ serverConf = &ServerConfig{
+ Config: Config{
+ KeyExchanges: []string{kexAlgoDHGEXSHA256},
+ },
+ }
+ _, _, _, err = NewServerConn(c1, serverConf)
+ if err == nil {
+ t.Fatal("NewServerConn with unsupported key exchange succeeded")
+ }
+}
|
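Review bot: The `wantError` rows in TestClientAuthRestrictedPublicKeyAlgos pass on any client-side failure, so they do not show that the rejection came from `PublicKeyAuthAlgorithms`: the callback accepts every key, the result of `NewServerConn` in the goroutine is discarded, and only `err != nil` from `NewClientConn` is checked. Capturing the server-side error and asserting on it for those rows, as sketched below, would at least tie the outcome to the server's decision; matching on the error's content would pin the cause, but its wording is not visible in this hunk. The table also has no row for an RSA key that signs with `ssh-rsa` (SHA-1) against this SHA-2-only list, which is presumably the downgrade the option exists to block; that row would need a signer pinned to that algorithm. Separately, `defer c1.Close()` and `defer c2.Close()` sit inside the loop, so every pipe stays open until the test function returns; running each row in `t.Run(tt.name, ...)` would scope them per case.

```go
serverErrCh := make(chan error, 1)
go func() {
	_, _, _, err := NewServerConn(c1, serverConf)
	serverErrCh <- err
}()

// … unchanged: clientConf, NewClientConn call and client-side checks …

serverErr := <-serverErrCh
if tt.wantError && serverErr == nil {
	t.Errorf("%s: server completed the handshake, but want error", tt.name)
}
if !tt.wantError && serverErr != nil {
	t.Errorf("%s: unexpected server error %q", tt.name, serverErr.Error())
}
```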
