tests: Test server pubkey authentication

The default pubkey authentication callback is not checking anything. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-01-09 14:29:57 +01:00 · 2019-01-09 14:29:57 +01:00 · db1a999852
--- a/tests/server/test_server/default_cb.c
+++ b/tests/server/test_server/default_cb.c
@ -51,6 +51,45 @@
 #include <util.h>
 #endif

+int auth_pubkey_cb(UNUSED_PARAM(ssh_session session),
+                   const char *user,
+                   UNUSED_PARAM(struct ssh_key_struct *pubkey),
+                   char signature_state,
+                   void *userdata)
+{
+    struct session_data_st *sdata;
+
+    sdata = (struct session_data_st *)userdata;
+    if (sdata == NULL) {
+        fprintf(stderr, "Error: NULL userdata\n");
+        goto null_userdata;
+    }
+
+    printf("Public key authentication of user %s\n", user);
+
+    switch(signature_state) {
+    case SSH_PUBLICKEY_STATE_NONE:
+    case SSH_PUBLICKEY_STATE_VALID:
+        break;
+    default:
+        goto denied;
+    }
+
+    /* TODO */
+    /* Check wheter the user and public key are in authorized keys list */
+
+    /* Authenticated */
+    printf("Authenticated\n");
+    sdata->authenticated = 1;
+    sdata->auth_attempts = 0;
+    return SSH_AUTH_SUCCESS;
+
+denied:
+    sdata->auth_attempts++;
+null_userdata:
+    return SSH_AUTH_DENIED;
+}
+
 /* TODO implement proper pam authentication cb */
 int auth_password_cb(UNUSED_PARAM(ssh_session session),
                     const char *user,
@ -79,7 +118,7 @@ int auth_password_cb(UNUSED_PARAM(ssh_session session),
        goto denied;
    }

-    printf("Password authentication\n");
+    printf("Password authentication of user %s\n", user);

    known_user = !(strcmp(user, sdata->username));
    valid_password = !(strcmp(password, sdata->password));
@ -705,6 +744,7 @@ struct ssh_server_callbacks_struct *get_default_server_cb(void)
    }

    cb->auth_password_function = auth_password_cb;
+    cb->auth_pubkey_function = auth_pubkey_cb;
    cb->channel_open_request_session_function = channel_new_session_cb;
 #if WITH_GSSAPI
    cb->auth_gssapi_mic_function = auth_gssapi_mic_cb;
@ -834,7 +874,9 @@ void default_handle_session_cb(ssh_event event,
    if (state->auth_methods) {
        ssh_set_auth_methods(session, state->auth_methods);
    } else {
-        ssh_set_auth_methods(session, SSH_AUTH_METHOD_PASSWORD);
+        ssh_set_auth_methods(session,
+                SSH_AUTH_METHOD_PASSWORD |
+                SSH_AUTH_METHOD_PUBLICKEY);
    }

    ssh_event_add_session(event, session);
--- a/tests/server/test_server/main.c
+++ b/tests/server/test_server/main.c
@ -268,7 +268,8 @@ static int init_server_state(struct server_state_st *state,
    if (arguments->auth_methods) {
        state->auth_methods = atoi(arguments->auth_methods);
    } else {
-        state->auth_methods = 0;
+        state->auth_methods = SSH_AUTH_METHOD_PASSWORD |
+                              SSH_AUTH_METHOD_PUBLICKEY;
    }

    state->with_pcap = arguments->with_pcap;
--- a/tests/server/torture_server.c
+++ b/tests/server/torture_server.c
@ -175,7 +175,7 @@ static int setup_default_server(void **state)

    ss->verbosity = torture_libssh_verbosity();

-    ss->auth_methods = SSH_AUTH_METHOD_PASSWORD;
+    ss->auth_methods = SSH_AUTH_METHOD_PASSWORD | SSH_AUTH_METHOD_PUBLICKEY;

 #ifdef WITH_PCAP
    ss->with_pcap = 1;
@ -331,7 +331,7 @@ static void torture_server_auth_password(void **state)
    session = s->ssh.session;
    assert_non_null(session);

-    /* TODO: implement proper pam authentication function */
+    /* TODO: implement proper pam authentication in callback */
    /* Using the default user for the server */
    rc = ssh_options_set(session, SSH_OPTIONS_USER, SSHD_DEFAULT_USER);
    assert_int_equal(rc, SSH_OK);
@ -347,12 +347,46 @@ static void torture_server_auth_password(void **state)
    rc = ssh_userauth_list(session, NULL);
    assert_true(rc & SSH_AUTH_METHOD_PASSWORD);

-    /* TODO: implement proper pam authentication function */
+    /* TODO: implement proper pam authentication in callback */
    /* Using the default password for the server */
    rc = ssh_userauth_password(session, NULL, SSHD_DEFAULT_PASSWORD);
    assert_int_equal(rc, SSH_AUTH_SUCCESS);
 }

+static void torture_server_auth_pubkey(void **state)
+{
+    struct test_server_st *tss = *state;
+    struct torture_state *s;
+    ssh_session session;
+    int rc;
+
+    assert_non_null(tss);
+
+    s = tss->state;
+    assert_non_null(s);
+
+    session = s->ssh.session;
+    assert_non_null(session);
+
+    /* Authenticate as alice with bob his pubkey */
+    rc = ssh_options_set(session, SSH_OPTIONS_USER, TORTURE_SSH_USER_ALICE);
+    assert_int_equal(rc, SSH_OK);
+
+    rc = ssh_connect(session);
+    assert_int_equal(rc, SSH_OK);
+
+    rc = ssh_userauth_none(session,NULL);
+    /* This request should return a SSH_REQUEST_DENIED error */
+    if (rc == SSH_ERROR) {
+        assert_int_equal(ssh_get_error_code(session), SSH_REQUEST_DENIED);
+    }
+    rc = ssh_userauth_list(session, NULL);
+    assert_true(rc & SSH_AUTH_METHOD_PUBLICKEY);
+
+    rc = ssh_userauth_publickey_auto(session, NULL, NULL);
+    assert_int_equal(rc, SSH_AUTH_SUCCESS);
+}
+
 static void torture_server_hostkey_mismatch(void **state)
 {
    struct test_server_st *tss = *state;
@ -409,6 +443,9 @@ int torture_run_tests(void) {
        cmocka_unit_test_setup_teardown(torture_server_auth_password,
                                        session_setup,
                                        session_teardown),
+        cmocka_unit_test_setup_teardown(torture_server_auth_pubkey,
+                                        session_setup,
+                                        session_teardown),
        cmocka_unit_test_setup_teardown(torture_server_hostkey_mismatch,
                                        session_setup,
                                        session_teardown),