Commit d0da5db6 authored by anonym's avatar anonym

Merge remote-tracking branch 'origin/test/9087-lan-ssh-tests' into testing

Fix-committed: #9087
parents 8a01831b 61f2928b
......@@ -16,6 +16,13 @@ Feature: Logging in via SSH
And I verify the SSH fingerprint for the SSH server
Then I have sucessfully logged into the SSH server
@check_tor_leaks
Scenario: Connecting to an SSH server on the LAN
Given I have the SSH key pair for an SSH server
And an SSH server is running on the LAN
When I connect to an SSH server on the LAN
Then I am prompted to verify the SSH fingerprint for the SSH server
@check_tor_leaks
Scenario: Connecting to an SFTP server on the Internet using the GNOME "Connect to Server" feature
Given I have the SSH key pair for an SFTP server
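Review bot: The LAN scenario's first step, `Given I have the SSH key pair for an SSH server`, carries no ` on the LAN` suffix, so the optional `( on the LAN)?` group in the step definition stays nil. The step therefore still calls `read_and_validate_ssh_config` and reads the Internet server's `private_key` and `public_key` from `$config`. Assuming these scenario lines are the added ones (the +/- markers are lost on this page), the LAN test depends on the Internet SSH configuration and handles a private key it never uses. I would write the step as `Given I have the SSH key pair for an SSH server on the LAN`, so that the new `lan` branch is actually exercised.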
......
require 'socket'
def assert_not_ipaddr(s)
err_msg = "'#{s}' looks like a LAN IP address."
assert_raise(IPAddr::InvalidAddressError, err_msg) do
IPAddr.new(s)
end
end
def read_and_validate_ssh_config srv_type
conf = $config[srv_type]
begin
......@@ -20,23 +29,19 @@ EOF
@ssh_host = conf["hostname"]
@ssh_port = conf["port"].to_i if conf["port"]
@ssh_username = conf["username"]
assert(!@ssh_host.match(/^(10|192\.168|172\.(1[6-9]|2[0-9]|3[01]))/), "#{@ssh_host} " +
"looks like a LAN IP address.")
assert_not_ipaddr(@ssh_host)
when 'SFTP'
@sftp_host = conf["hostname"]
@sftp_port = conf["port"].to_i if conf["port"]
@sftp_username = conf["username"]
assert(!@sftp_host.match(/^(10|192\.168|172\.(1[6-9]|2[0-9]|3[01]))/), "#{@sftp_host} " +
"looks like a LAN IP address.")
assert_not_ipaddr(@sftp_host)
end
end
Given /^I have the SSH key pair for an? (Git|SSH|SFTP) (?:repository|server)$/ do |server_type|
Given /^I have the SSH key pair for an? (Git|SSH|SFTP) (?:repository|server)( on the LAN)?$/ do |server_type, lan|
$vm.execute_successfully("install -m 0700 -d '/home/#{LIVE_USER}/.ssh/'",
:user => LIVE_USER)
unless server_type == 'Git'
unless server_type == 'Git' || lan
read_and_validate_ssh_config server_type
secret_key = $config[server_type]["private_key"]
public_key = $config[server_type]["public_key"]
......@@ -53,14 +58,36 @@ Given /^I have the SSH key pair for an? (Git|SSH|SFTP) (?:repository|server)$/ d
:user => LIVE_USER)
end
Given /^I verify the SSH fingerprint for the (?:Git|SSH) (?:repository|server)$/ do
Given /^I (?:am prompted to )?verify the SSH fingerprint for the (?:Git|SSH) (?:repository|server)$/ do
@screen.wait("SSHFingerprint.png", 60)
@screen.type('yes' + Sikuli::Key.ENTER)
end
When /^I connect to an SSH server on the Internet$/ do
def get_free_tcp_port
server = TCPServer.new('127.0.0.1', 0)
return server.addr[1]
ensure
server.close
end
Given /^an SSH server is running on the LAN$/ do
@sshd_server_port = get_free_tcp_port
@sshd_server_host = $vmnet.bridge_ip_addr
sshd = SSHServer.new(@sshd_server_host, @sshd_server_port)
sshd.start
add_after_scenario_hook { sshd.stop }
end
read_and_validate_ssh_config "SSH"
When /^I connect to an SSH server on the (Internet|LAN)$/ do |location|
case location
when 'Internet'
read_and_validate_ssh_config "SSH"
when 'LAN'
@ssh_port = @sshd_server_port
@ssh_username = 'user'
@ssh_host = @sshd_server_host
end
ssh_port_suffix = "-p #{@ssh_port}" if @ssh_port
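Review bot: `get_free_tcp_port` probes on `127.0.0.1`, but the sshd it serves listens on `$vmnet.bridge_ip_addr`, so a port that is free on loopback can already be taken on the bridge address, and it is released again before sshd binds it. Passing the bridge address in as a `host` parameter and probing there narrows that gap. The `ensure` clause should read `server.close if server`, otherwise a failed `TCPServer.new` surfaces as a NoMethodError on nil instead of the real bind error. Separately, `assert_not_ipaddr` now rejects every IP literal rather than only private ranges, so its message `looks like a LAN IP address.` would be more accurate as `looks like an IP address; a hostname is expected.`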
......
......@@ -11,21 +11,12 @@ class IPAddr
]
PrivateIPv6Ranges = [
IPAddr.new("fc00::/7"), # private
IPAddr.new("fc00::/7")
]
def private?
if self.ipv4?
PrivateIPv4Ranges.each do |ipr|
return true if ipr.include?(self)
end
return false
else
PrivateIPv6Ranges.each do |ipr|
return true if ipr.include?(self)
end
return false
end
private_ranges = self.ipv4? ? PrivateIPv4Ranges : PrivateIPv6Ranges
private_ranges.any? { |range| range.include?(self) }
end
def public?
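Review bot: `private?` selects the range list with `self.ipv4?`, which is false for IPv4-mapped IPv6 addresses such as `::ffff:192.168.0.1`, so those are compared only against `fc00::/7` and reported as not private. The refactor preserves the earlier behaviour here, but if callers use `private?` or `public?` to classify captured traffic the gap is worth closing, for example with `addr = self.native` before choosing the ranges and testing `range.include?(addr)`. The contents of `PrivateIPv4Ranges` and the body of `public?` lie outside the hunk, so whether link-local ranges are covered cannot be confirmed from here.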
......
require 'tempfile'
class SSHServer
def initialize(sshd_host, sshd_port, authorized_keys = nil)
@sshd_host = sshd_host
@sshd_port = sshd_port
@authorized_keys = authorized_keys
@pid = nil
end
def start
@sshd_key_file = Tempfile.new("ssh_host_rsa_key", $config["TMPDIR"])
# 'hack' to prevent ssh-keygen from prompting to overwrite the file
File.delete(@sshd_key_file.path)
cmd_helper(['ssh-keygen', '-t', 'rsa', '-N', "", '-f', "#{@sshd_key_file.path}"])
@sshd_key_file.close
sshd_config =<<EOF
Port #{@sshd_port}
ListenAddress #{@sshd_host}
UsePrivilegeSeparation no
HostKey #{@sshd_key_file.path}
Pidfile #{$config['TMPDIR']}/ssh.pid
EOF
@sshd_config_file = Tempfile.new("sshd_config", $config["TMPDIR"])
@sshd_config_file.write(sshd_config)
if @authorized_keys
@authorized_keys_file = Tempfile.new("authorized_keys", $config['TMPDIR'])
@authorized_keys_file.write(@authorized_keys)
@authorized_keys_file.close
@sshd_config_file.write("AuthorizedKeysFile #{@authorized_keys_file.path}")
end
@sshd_config_file.close
cmd = ["/usr/sbin/sshd", "-4", "-f", @sshd_config_file.path, "-D"]
job = IO.popen(cmd)
@pid = job.pid
end
def stop
File.delete("#{@sshd_key_file.path}.pub")
File.delete("#{$config['TMPDIR']}/ssh.pid")
begin
Process.kill("TERM", @pid)
rescue
# noop
end
end
def active?
begin
ret = Process.kill(0, @pid)
rescue Errno::ESRCH => e
if e.message == "No such process"
return false
else
raise e
end
end
assert_equal(1, ret, "This shouldn't happen")
return true
end
end
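Review bot: The `sshd_config` heredoc in `start` sets only the port, listen address, privilege separation, host key and pid file, so every authentication setting stays at the sshd default. With stock defaults, the daemon on the bridge address would offer password login for accounts on the machine running the test suite. The LAN scenario only needs the host-key prompt, so I would add `PasswordAuthentication no`, `ChallengeResponseAuthentication no` and `PermitRootLogin no` to the heredoc. In `stop`, both `File.delete` calls run before `Process.kill`, so a missing pid file raises and leaves sshd listening; kill first, remove the files in an `ensure`, and use `rescue Errno::ESRCH` instead of the bare `rescue`. The delete-then-`ssh-keygen` step reuses a Tempfile path after unlinking it, which is only safe if `$config["TMPDIR"]` is not writable by other users, and a comment stating that assumption would help.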
......@@ -46,7 +46,7 @@ class VMNet
def bridge_ip_addr
net_xml = REXML::Document.new(@net.xml_desc)
net_xml.elements['network/ip'].attributes['address']
IPAddr.new(net_xml.elements['network/ip'].attributes['address']).to_s
end
def guest_real_mac
......@@ -57,7 +57,6 @@ class VMNet
def bridge_mac
File.open("/sys/class/net/#{bridge_name}/address", "rb").read.chomp
end
end
......
......@@ -21,6 +21,7 @@ libvirt-daemon-system
libvirt-dev
libvirt0
openjdk-7-jre
openssh-server
ovmf
python-jabberbot
python-potr
......
......@@ -170,10 +170,6 @@ Make sure that I2P is up-to-date, at least if the
[changelogs](https://geti2p.net/en/blog/) mention that
security critical bugs were fixed.
# SSH
* Connecting (by IP) over SSH to a server on the LAN should work. (automate: [[!tails_ticket 9087 desc="#9087"]])
# APT (automate: [[!tails_ticket 8164 desc="#8164"]])
grep -r deb.tails.boum.org /etc/apt/sources.list*
......
......@@ -28,7 +28,7 @@ The following packages are necessary on Debian Jessie:
qemu-kvm qemu-system-x86 ruby-guestfs ruby-json ruby-libvirt \
ruby-net-irc ruby-packetfu ruby-rb-inotify ruby-rjb ruby-rspec \
ruby-test-unit seabios tcpdump unclutter virt-viewer x11vnc \
xtightvncviewer xvfb && \
xtightvncviewer xvfb openssh-server && \
service libvirtd restart
Other requirements
......