1#!/usr/bin/env perl
2#***************************************************************************
3#                                  _   _ ____  _
4#  Project                     ___| | | |  _ \| |
5#                             / __| | | | |_) | |
6#                            | (__| |_| |  _ <| |___
7#                             \___|\___/|_| \_\_____|
8#
9# Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
10#
11# This software is licensed as described in the file COPYING, which
12# you should have received as part of this distribution. The terms
13# are also available at https://curl.haxx.se/docs/copyright.html.
14#
15# You may opt to use, copy, modify, merge, publish, distribute and/or sell
16# copies of the Software, and permit persons to whom the Software is
17# furnished to do so, under the terms of the COPYING file.
18#
19# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
20# KIND, either express or implied.
21#
22#***************************************************************************
23
24# Starts sshd for use in the SCP, SFTP and SOCKS curl test harness tests.
25# Also creates the ssh configuration files needed for these tests.
26
27use strict;
28use warnings;
29use Cwd;
30use Cwd 'abs_path';
31
32#***************************************************************************
33# Variables and subs imported from sshhelp module
34#
35use sshhelp qw(
36    $sshdexe
37    $sshexe
38    $sftpsrvexe
39    $sftpexe
40    $sshkeygenexe
41    $sshdconfig
42    $sshconfig
43    $sftpconfig
44    $knownhosts
45    $sshdlog
46    $sshlog
47    $sftplog
48    $sftpcmds
49    $hstprvkeyf
50    $hstpubkeyf
51    $cliprvkeyf
52    $clipubkeyf
53    display_sshdconfig
54    display_sshconfig
55    display_sftpconfig
56    display_sshdlog
57    display_sshlog
58    display_sftplog
59    dump_array
60    find_sshd
61    find_ssh
62    find_sftpsrv
63    find_sftp
64    find_sshkeygen
65    logmsg
66    sshversioninfo
67    );
68
69#***************************************************************************
70# Subs imported from serverhelp module
71#
72use serverhelp qw(
73    server_pidfilename
74    server_logfilename
75    );
76
77use pathhelp;
78
79#***************************************************************************
80
81my $verbose = 0;              # set to 1 for debugging
82my $debugprotocol = 0;        # set to 1 for protocol debugging
83my $port = 8999;              # our default SCP/SFTP server port
84my $socksport = $port + 1;    # our default SOCKS4/5 server port
85my $listenaddr = '127.0.0.1'; # default address on which to listen
86my $ipvnum = 4;               # default IP version of listener address
87my $idnum = 1;                # default ssh daemon instance number
88my $proto = 'ssh';            # protocol the ssh daemon speaks
89my $path = getcwd();          # current working directory
90my $logdir = $path .'/log';   # directory for log files
91my $username = $ENV{USER};    # default user
92my $pidfile;                  # ssh daemon pid file
93my $identity = 'curl_client_key'; # default identity file
94
95my $error;
96my @cfgarr;
97
98
99#***************************************************************************
100# Parse command line options
101#
102while(@ARGV) {
103    if($ARGV[0] eq '--verbose') {
104        $verbose = 1;
105    }
106    elsif($ARGV[0] eq '--debugprotocol') {
107        $verbose = 1;
108        $debugprotocol = 1;
109    }
110    elsif($ARGV[0] eq '--user') {
111        if($ARGV[1]) {
112            $username = $ARGV[1];
113            shift @ARGV;
114        }
115    }
116    elsif($ARGV[0] eq '--id') {
117        if($ARGV[1]) {
118            if($ARGV[1] =~ /^(\d+)$/) {
119                $idnum = $1 if($1 > 0);
120                shift @ARGV;
121            }
122        }
123    }
124    elsif($ARGV[0] eq '--ipv4') {
125        $ipvnum = 4;
126        $listenaddr = '127.0.0.1' if($listenaddr eq '::1');
127    }
128    elsif($ARGV[0] eq '--ipv6') {
129        $ipvnum = 6;
130        $listenaddr = '::1' if($listenaddr eq '127.0.0.1');
131    }
132    elsif($ARGV[0] eq '--addr') {
133        if($ARGV[1]) {
134            my $tmpstr = $ARGV[1];
135            if($tmpstr =~ /^(\d\d?\d?)\.(\d\d?\d?)\.(\d\d?\d?)\.(\d\d?\d?)$/) {
136                $listenaddr = "$1.$2.$3.$4" if($ipvnum == 4);
137                shift @ARGV;
138            }
139            elsif($ipvnum == 6) {
140                $listenaddr = $tmpstr;
141                $listenaddr =~ s/^\[(.*)\]$/$1/;
142                shift @ARGV;
143            }
144        }
145    }
146    elsif($ARGV[0] eq '--pidfile') {
147        if($ARGV[1]) {
148            $pidfile = "$path/". $ARGV[1];
149            shift @ARGV;
150        }
151    }
152    elsif($ARGV[0] eq '--sshport') {
153        if($ARGV[1]) {
154            if($ARGV[1] =~ /^(\d+)$/) {
155                $port = $1;
156                shift @ARGV;
157            }
158        }
159    }
160    elsif($ARGV[0] eq '--socksport') {
161        if($ARGV[1]) {
162            if($ARGV[1] =~ /^(\d+)$/) {
163                $socksport = $1;
164                shift @ARGV;
165            }
166        }
167    }
168    else {
169        print STDERR "\nWarning: sshserver.pl unknown parameter: $ARGV[0]\n";
170    }
171    shift @ARGV;
172}
173
174
175#***************************************************************************
176# Default ssh daemon pid file name
177#
178if(!$pidfile) {
179    $pidfile = "$path/". server_pidfilename($proto, $ipvnum, $idnum);
180}
181
182
183#***************************************************************************
184# ssh, socks and sftp server log file names
185#
186$sshdlog = server_logfilename($logdir, 'ssh', $ipvnum, $idnum);
187$sftplog = server_logfilename($logdir, 'sftp', $ipvnum, $idnum);
188$sshlog  = server_logfilename($logdir, 'socks', $ipvnum, $idnum);
189
190
191#***************************************************************************
192# Logging level for ssh server and client
193#
194my $loglevel = $debugprotocol?'DEBUG3':'DEBUG2';
195
196
197#***************************************************************************
198# Validate username
199#
200if(!$username) {
201    $error = 'Will not run ssh server without a user name';
202}
203elsif($username eq 'root') {
204    $error = 'Will not run ssh server as root to mitigate security risks';
205}
206if($error) {
207    logmsg $error;
208    exit 1;
209}
210
211
212#***************************************************************************
213# Find out ssh daemon canonical file name
214#
215my $sshd = find_sshd();
216if(!$sshd) {
217    logmsg "cannot find $sshdexe";
218    exit 1;
219}
220
221
222#***************************************************************************
223# Find out ssh daemon version info
224#
225my ($sshdid, $sshdvernum, $sshdverstr, $sshderror) = sshversioninfo($sshd);
226if(!$sshdid) {
227    # Not an OpenSSH or SunSSH ssh daemon
228    logmsg $sshderror if($verbose);
229    logmsg 'SCP, SFTP and SOCKS tests require OpenSSH 2.9.9 or later';
230    exit 1;
231}
232logmsg "ssh server found $sshd is $sshdverstr" if($verbose);
233
234
235#***************************************************************************
236#  ssh daemon command line options we might use and version support
237#
238#  -e:  log stderr           : OpenSSH 2.9.0 and later
239#  -f:  sshd config file     : OpenSSH 1.2.1 and later
240#  -D:  no daemon forking    : OpenSSH 2.5.0 and later
241#  -o:  command-line option  : OpenSSH 3.1.0 and later
242#  -t:  test config file     : OpenSSH 2.9.9 and later
243#  -?:  sshd version info    : OpenSSH 1.2.1 and later
244#
245#  -e:  log stderr           : SunSSH 1.0.0 and later
246#  -f:  sshd config file     : SunSSH 1.0.0 and later
247#  -D:  no daemon forking    : SunSSH 1.0.0 and later
248#  -o:  command-line option  : SunSSH 1.0.0 and later
249#  -t:  test config file     : SunSSH 1.0.0 and later
250#  -?:  sshd version info    : SunSSH 1.0.0 and later
251
252
253#***************************************************************************
254# Verify minimum ssh daemon version
255#
256if((($sshdid =~ /OpenSSH/) && ($sshdvernum < 299)) ||
257   (($sshdid =~ /SunSSH/)  && ($sshdvernum < 100))) {
258    logmsg 'SCP, SFTP and SOCKS tests require OpenSSH 2.9.9 or later';
259    exit 1;
260}
261
262
263#***************************************************************************
264# Find out sftp server plugin canonical file name
265#
266my $sftpsrv = find_sftpsrv();
267if(!$sftpsrv) {
268    logmsg "cannot find $sftpsrvexe";
269    exit 1;
270}
271logmsg "sftp server plugin found $sftpsrv" if($verbose);
272
273
274#***************************************************************************
275# Find out sftp client canonical file name
276#
277my $sftp = find_sftp();
278if(!$sftp) {
279    logmsg "cannot find $sftpexe";
280    exit 1;
281}
282logmsg "sftp client found $sftp" if($verbose);
283
284
285#***************************************************************************
286# Find out ssh keygen canonical file name
287#
288my $sshkeygen = find_sshkeygen();
289if(!$sshkeygen) {
290    logmsg "cannot find $sshkeygenexe";
291    exit 1;
292}
293logmsg "ssh keygen found $sshkeygen" if($verbose);
294
295
296#***************************************************************************
297# Find out ssh client canonical file name
298#
299my $ssh = find_ssh();
300if(!$ssh) {
301    logmsg "cannot find $sshexe";
302    exit 1;
303}
304
305
306#***************************************************************************
307# Find out ssh client version info
308#
309my ($sshid, $sshvernum, $sshverstr, $ssherror) = sshversioninfo($ssh);
310if(!$sshid) {
311    # Not an OpenSSH or SunSSH ssh client
312    logmsg $ssherror if($verbose);
313    logmsg 'SCP, SFTP and SOCKS tests require OpenSSH 2.9.9 or later';
314    exit 1;
315}
316logmsg "ssh client found $ssh is $sshverstr" if($verbose);
317
318
319#***************************************************************************
320#  ssh client command line options we might use and version support
321#
322#  -D:  dynamic app port forwarding  : OpenSSH 2.9.9 and later
323#  -F:  ssh config file              : OpenSSH 2.9.9 and later
324#  -N:  no shell/command             : OpenSSH 2.1.0 and later
325#  -p:  connection port              : OpenSSH 1.2.1 and later
326#  -v:  verbose messages             : OpenSSH 1.2.1 and later
327# -vv:  increase verbosity           : OpenSSH 2.3.0 and later
328#  -V:  ssh version info             : OpenSSH 1.2.1 and later
329#
330#  -D:  dynamic app port forwarding  : SunSSH 1.0.0 and later
331#  -F:  ssh config file              : SunSSH 1.0.0 and later
332#  -N:  no shell/command             : SunSSH 1.0.0 and later
333#  -p:  connection port              : SunSSH 1.0.0 and later
334#  -v:  verbose messages             : SunSSH 1.0.0 and later
335# -vv:  increase verbosity           : SunSSH 1.0.0 and later
336#  -V:  ssh version info             : SunSSH 1.0.0 and later
337
338
339#***************************************************************************
340# Verify minimum ssh client version
341#
342if((($sshid =~ /OpenSSH/) && ($sshvernum < 299)) ||
343   (($sshid =~ /SunSSH/)  && ($sshvernum < 100))) {
344    logmsg 'SCP, SFTP and SOCKS tests require OpenSSH 2.9.9 or later';
345    exit 1;
346}
347
348
349#***************************************************************************
350#  ssh keygen command line options we actually use and version support
351#
352#  -C:  identity comment : OpenSSH 1.2.1 and later
353#  -f:  key filename     : OpenSSH 1.2.1 and later
354#  -N:  new passphrase   : OpenSSH 1.2.1 and later
355#  -q:  quiet keygen     : OpenSSH 1.2.1 and later
356#  -t:  key type         : OpenSSH 2.5.0 and later
357#
358#  -C:  identity comment : SunSSH 1.0.0 and later
359#  -f:  key filename     : SunSSH 1.0.0 and later
360#  -N:  new passphrase   : SunSSH 1.0.0 and later
361#  -q:  quiet keygen     : SunSSH 1.0.0 and later
362#  -t:  key type         : SunSSH 1.0.0 and later
363
364
365#***************************************************************************
366# Generate host and client key files for curl's tests
367#
368if((! -e $hstprvkeyf) || (! -s $hstprvkeyf) ||
369   (! -e $hstpubkeyf) || (! -s $hstpubkeyf) ||
370   (! -e $cliprvkeyf) || (! -s $cliprvkeyf) ||
371   (! -e $clipubkeyf) || (! -s $clipubkeyf)) {
372    # Make sure all files are gone so ssh-keygen doesn't complain
373    unlink($hstprvkeyf, $hstpubkeyf, $cliprvkeyf, $clipubkeyf);
374    logmsg 'generating host keys...' if($verbose);
375    if(system "\"$sshkeygen\" -q -t rsa -f $hstprvkeyf -C 'curl test server' -N ''") {
376        logmsg 'Could not generate host key';
377        exit 1;
378    }
379    logmsg 'generating client keys...' if($verbose);
380    if(system "\"$sshkeygen\" -q -t rsa -f $cliprvkeyf -C 'curl test client' -N ''") {
381        logmsg 'Could not generate client key';
382        exit 1;
383    }
384}
385
386
387#***************************************************************************
388# Convert paths for curl's tests running on Windows with Cygwin/Msys OpenSSH
389#
390my $clipubkeyf_config = abs_path("$path/$clipubkeyf");
391my $hstprvkeyf_config = abs_path("$path/$hstprvkeyf");
392my $pidfile_config = $pidfile;
393my $sftpsrv_config = $sftpsrv;
394
395if ($^O eq 'MSWin32' || $^O eq 'cygwin' || $^O eq 'msys') {
396    # Ensure to use MinGW/Cygwin paths
397    $clipubkeyf_config = pathhelp::build_sys_abs_path($clipubkeyf_config);
398    $hstprvkeyf_config = pathhelp::build_sys_abs_path($hstprvkeyf_config);
399    $pidfile_config = pathhelp::build_sys_abs_path($pidfile_config);
400    $sftpsrv_config = "internal-sftp";
401}
402
403#***************************************************************************
404#  ssh daemon configuration file options we might use and version support
405#
406#  AFSTokenPassing                  : OpenSSH 1.2.1 and later [1]
407#  AcceptEnv                        : OpenSSH 3.9.0 and later
408#  AddressFamily                    : OpenSSH 4.0.0 and later
409#  AllowGroups                      : OpenSSH 1.2.1 and later
410#  AllowTcpForwarding               : OpenSSH 2.3.0 and later
411#  AllowUsers                       : OpenSSH 1.2.1 and later
412#  AuthorizedKeysFile               : OpenSSH 2.9.9 and later
413#  AuthorizedKeysFile2              : OpenSSH 2.9.9 and later
414#  Banner                           : OpenSSH 2.5.0 and later
415#  ChallengeResponseAuthentication  : OpenSSH 2.5.0 and later
416#  Ciphers                          : OpenSSH 2.1.0 and later [3]
417#  ClientAliveCountMax              : OpenSSH 2.9.0 and later
418#  ClientAliveInterval              : OpenSSH 2.9.0 and later
419#  Compression                      : OpenSSH 3.3.0 and later
420#  DenyGroups                       : OpenSSH 1.2.1 and later
421#  DenyUsers                        : OpenSSH 1.2.1 and later
422#  ForceCommand                     : OpenSSH 4.4.0 and later [3]
423#  GatewayPorts                     : OpenSSH 2.1.0 and later
424#  GSSAPIAuthentication             : OpenSSH 3.7.0 and later [1]
425#  GSSAPICleanupCredentials         : OpenSSH 3.8.0 and later [1]
426#  GSSAPIKeyExchange                :  SunSSH 1.0.0 and later [1]
427#  GSSAPIStoreDelegatedCredentials  :  SunSSH 1.0.0 and later [1]
428#  GSSCleanupCreds                  :  SunSSH 1.0.0 and later [1]
429#  GSSUseSessionCredCache           :  SunSSH 1.0.0 and later [1]
430#  HostbasedAuthentication          : OpenSSH 2.9.0 and later
431#  HostbasedUsesNameFromPacketOnly  : OpenSSH 2.9.0 and later
432#  HostKey                          : OpenSSH 1.2.1 and later
433#  IgnoreRhosts                     : OpenSSH 1.2.1 and later
434#  IgnoreUserKnownHosts             : OpenSSH 1.2.1 and later
435#  KbdInteractiveAuthentication     : OpenSSH 2.3.0 and later
436#  KeepAlive                        : OpenSSH 1.2.1 and later
437#  KerberosAuthentication           : OpenSSH 1.2.1 and later [1]
438#  KerberosGetAFSToken              : OpenSSH 3.8.0 and later [1]
439#  KerberosOrLocalPasswd            : OpenSSH 1.2.1 and later [1]
440#  KerberosTgtPassing               : OpenSSH 1.2.1 and later [1]
441#  KerberosTicketCleanup            : OpenSSH 1.2.1 and later [1]
442#  KeyRegenerationInterval          : OpenSSH 1.2.1 and later
443#  ListenAddress                    : OpenSSH 1.2.1 and later
444#  LoginGraceTime                   : OpenSSH 1.2.1 and later
445#  LogLevel                         : OpenSSH 1.2.1 and later
446#  LookupClientHostnames            :  SunSSH 1.0.0 and later
447#  MACs                             : OpenSSH 2.5.0 and later [3]
448#  Match                            : OpenSSH 4.4.0 and later [3]
449#  MaxAuthTries                     : OpenSSH 3.9.0 and later
450#  MaxStartups                      : OpenSSH 2.2.0 and later
451#  PAMAuthenticationViaKbdInt       : OpenSSH 2.9.0 and later [2]
452#  PasswordAuthentication           : OpenSSH 1.2.1 and later
453#  PermitEmptyPasswords             : OpenSSH 1.2.1 and later
454#  PermitOpen                       : OpenSSH 4.4.0 and later [3]
455#  PermitRootLogin                  : OpenSSH 1.2.1 and later
456#  PermitTunnel                     : OpenSSH 4.3.0 and later
457#  PermitUserEnvironment            : OpenSSH 3.5.0 and later
458#  PidFile                          : OpenSSH 2.1.0 and later
459#  Port                             : OpenSSH 1.2.1 and later
460#  PrintLastLog                     : OpenSSH 2.9.0 and later
461#  PrintMotd                        : OpenSSH 1.2.1 and later
462#  Protocol                         : OpenSSH 2.1.0 and later
463#  PubkeyAuthentication             : OpenSSH 2.5.0 and later
464#  RhostsAuthentication             : OpenSSH 1.2.1 and later
465#  RhostsRSAAuthentication          : OpenSSH 1.2.1 and later
466#  RSAAuthentication                : OpenSSH 1.2.1 and later
467#  ServerKeyBits                    : OpenSSH 1.2.1 and later
468#  SkeyAuthentication               : OpenSSH 1.2.1 and later [1]
469#  StrictModes                      : OpenSSH 1.2.1 and later
470#  Subsystem                        : OpenSSH 2.2.0 and later
471#  SyslogFacility                   : OpenSSH 1.2.1 and later
472#  TCPKeepAlive                     : OpenSSH 3.8.0 and later
473#  UseDNS                           : OpenSSH 3.7.0 and later
474#  UseLogin                         : OpenSSH 1.2.1 and later
475#  UsePAM                           : OpenSSH 3.7.0 and later [1][2]
476#  UsePrivilegeSeparation           : OpenSSH 3.2.2 and later
477#  VerifyReverseMapping             : OpenSSH 3.1.0 and later
478#  X11DisplayOffset                 : OpenSSH 1.2.1 and later [3]
479#  X11Forwarding                    : OpenSSH 1.2.1 and later
480#  X11UseLocalhost                  : OpenSSH 3.1.0 and later
481#  XAuthLocation                    : OpenSSH 2.1.1 and later [3]
482#
483#  [1] Option only available if activated at compile time
484#  [2] Option specific for portable versions
485#  [3] Option not used in our ssh server config file
486
487
488#***************************************************************************
489# Initialize sshd config with options actually supported in OpenSSH 2.9.9
490#
491logmsg 'generating ssh server config file...' if($verbose);
492@cfgarr = ();
493push @cfgarr, '# This is a generated file.  Do not edit.';
494push @cfgarr, "# $sshdverstr sshd configuration file for curl testing";
495push @cfgarr, '#';
496push @cfgarr, "DenyUsers !$username";
497push @cfgarr, "AllowUsers $username";
498push @cfgarr, 'DenyGroups';
499push @cfgarr, 'AllowGroups';
500push @cfgarr, '#';
501push @cfgarr, "AuthorizedKeysFile $clipubkeyf_config";
502push @cfgarr, "AuthorizedKeysFile2 $clipubkeyf_config";
503push @cfgarr, "HostKey $hstprvkeyf_config";
504push @cfgarr, "PidFile $pidfile_config";
505push @cfgarr, '#';
506push @cfgarr, "Port $port";
507push @cfgarr, "ListenAddress $listenaddr";
508push @cfgarr, 'Protocol 2';
509push @cfgarr, '#';
510push @cfgarr, 'AllowTcpForwarding yes';
511push @cfgarr, 'Banner none';
512push @cfgarr, 'ChallengeResponseAuthentication no';
513push @cfgarr, 'ClientAliveCountMax 3';
514push @cfgarr, 'ClientAliveInterval 0';
515push @cfgarr, 'GatewayPorts no';
516push @cfgarr, 'HostbasedAuthentication no';
517push @cfgarr, 'HostbasedUsesNameFromPacketOnly no';
518push @cfgarr, 'IgnoreRhosts yes';
519push @cfgarr, 'IgnoreUserKnownHosts yes';
520push @cfgarr, 'KeyRegenerationInterval 0';
521push @cfgarr, 'LoginGraceTime 30';
522push @cfgarr, "LogLevel $loglevel";
523push @cfgarr, 'MaxStartups 5';
524push @cfgarr, 'PasswordAuthentication no';
525push @cfgarr, 'PermitEmptyPasswords no';
526push @cfgarr, 'PermitRootLogin no';
527push @cfgarr, 'PrintLastLog no';
528push @cfgarr, 'PrintMotd no';
529push @cfgarr, 'PubkeyAuthentication yes';
530push @cfgarr, 'RhostsRSAAuthentication no';
531push @cfgarr, 'RSAAuthentication no';
532push @cfgarr, 'ServerKeyBits 768';
533push @cfgarr, 'StrictModes no';
534push @cfgarr, "Subsystem sftp \"$sftpsrv_config\"";
535push @cfgarr, 'SyslogFacility AUTH';
536push @cfgarr, 'UseLogin no';
537push @cfgarr, 'X11Forwarding no';
538push @cfgarr, '#';
539
540
541#***************************************************************************
542# Write out initial sshd configuration file for curl's tests
543#
544$error = dump_array($sshdconfig, @cfgarr);
545if($error) {
546    logmsg $error;
547    exit 1;
548}
549
550
551#***************************************************************************
552# Verifies at run time if sshd supports a given configuration file option
553#
554sub sshd_supports_opt {
555    my ($option, $value) = @_;
556    my $err;
557    #
558    if((($sshdid =~ /OpenSSH/) && ($sshdvernum >= 310)) ||
559        ($sshdid =~ /SunSSH/)) {
560        # ssh daemon supports command line options -t -f and -o
561        $err = grep /((Unsupported)|(Bad configuration)|(Deprecated)) option.*$option/,
562                    qx("$sshd" -t -f $sshdconfig -o "$option=$value" 2>&1);
563        return !$err;
564    }
565    if(($sshdid =~ /OpenSSH/) && ($sshdvernum >= 299)) {
566        # ssh daemon supports command line options -t and -f
567        $err = dump_array($sshdconfig, (@cfgarr, "$option $value"));
568        if($err) {
569            logmsg $err;
570            return 0;
571        }
572        $err = grep /((Unsupported)|(Bad configuration)|(Deprecated)) option.*$option/,
573                    qx("$sshd" -t -f $sshdconfig 2>&1);
574        unlink $sshdconfig;
575        return !$err;
576    }
577    return 0;
578}
579
580
581#***************************************************************************
582# Kerberos Authentication support may have not been built into sshd
583#
584if(sshd_supports_opt('KerberosAuthentication','no')) {
585    push @cfgarr, 'KerberosAuthentication no';
586}
587if(sshd_supports_opt('KerberosGetAFSToken','no')) {
588    push @cfgarr, 'KerberosGetAFSToken no';
589}
590if(sshd_supports_opt('KerberosOrLocalPasswd','no')) {
591    push @cfgarr, 'KerberosOrLocalPasswd no';
592}
593if(sshd_supports_opt('KerberosTgtPassing','no')) {
594    push @cfgarr, 'KerberosTgtPassing no';
595}
596if(sshd_supports_opt('KerberosTicketCleanup','yes')) {
597    push @cfgarr, 'KerberosTicketCleanup yes';
598}
599
600
601#***************************************************************************
602# Andrew File System support may have not been built into sshd
603#
604if(sshd_supports_opt('AFSTokenPassing','no')) {
605    push @cfgarr, 'AFSTokenPassing no';
606}
607
608
609#***************************************************************************
610# S/Key authentication support may have not been built into sshd
611#
612if(sshd_supports_opt('SkeyAuthentication','no')) {
613    push @cfgarr, 'SkeyAuthentication no';
614}
615
616
617#***************************************************************************
618# GSSAPI Authentication support may have not been built into sshd
619#
620my $sshd_builtwith_GSSAPI;
621if(sshd_supports_opt('GSSAPIAuthentication','no')) {
622    push @cfgarr, 'GSSAPIAuthentication no';
623    $sshd_builtwith_GSSAPI = 1;
624}
625if(sshd_supports_opt('GSSAPICleanupCredentials','yes')) {
626    push @cfgarr, 'GSSAPICleanupCredentials yes';
627}
628if(sshd_supports_opt('GSSAPIKeyExchange','no')) {
629    push @cfgarr, 'GSSAPIKeyExchange no';
630}
631if(sshd_supports_opt('GSSAPIStoreDelegatedCredentials','no')) {
632    push @cfgarr, 'GSSAPIStoreDelegatedCredentials no';
633}
634if(sshd_supports_opt('GSSCleanupCreds','yes')) {
635    push @cfgarr, 'GSSCleanupCreds yes';
636}
637if(sshd_supports_opt('GSSUseSessionCredCache','no')) {
638    push @cfgarr, 'GSSUseSessionCredCache no';
639}
640push @cfgarr, '#';
641
642
643#***************************************************************************
644# Options that might be supported or not in sshd OpenSSH 2.9.9 and later
645#
646if(sshd_supports_opt('AcceptEnv','')) {
647    push @cfgarr, 'AcceptEnv';
648}
649if(sshd_supports_opt('AddressFamily','any')) {
650    # Address family must be specified before ListenAddress
651    splice @cfgarr, 14, 0, 'AddressFamily any';
652}
653if(sshd_supports_opt('Compression','no')) {
654    push @cfgarr, 'Compression no';
655}
656if(sshd_supports_opt('KbdInteractiveAuthentication','no')) {
657    push @cfgarr, 'KbdInteractiveAuthentication no';
658}
659if(sshd_supports_opt('KeepAlive','no')) {
660    push @cfgarr, 'KeepAlive no';
661}
662if(sshd_supports_opt('LookupClientHostnames','no')) {
663    push @cfgarr, 'LookupClientHostnames no';
664}
665if(sshd_supports_opt('MaxAuthTries','10')) {
666    push @cfgarr, 'MaxAuthTries 10';
667}
668if(sshd_supports_opt('PAMAuthenticationViaKbdInt','no')) {
669    push @cfgarr, 'PAMAuthenticationViaKbdInt no';
670}
671if(sshd_supports_opt('PermitTunnel','no')) {
672    push @cfgarr, 'PermitTunnel no';
673}
674if(sshd_supports_opt('PermitUserEnvironment','no')) {
675    push @cfgarr, 'PermitUserEnvironment no';
676}
677if(sshd_supports_opt('RhostsAuthentication','no')) {
678    push @cfgarr, 'RhostsAuthentication no';
679}
680if(sshd_supports_opt('TCPKeepAlive','no')) {
681    push @cfgarr, 'TCPKeepAlive no';
682}
683if(sshd_supports_opt('UseDNS','no')) {
684    push @cfgarr, 'UseDNS no';
685}
686if(sshd_supports_opt('UsePAM','no')) {
687    push @cfgarr, 'UsePAM no';
688}
689
690if($sshdid =~ /OpenSSH/) {
691    # http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=6492415
692    if(sshd_supports_opt('UsePrivilegeSeparation','no')) {
693        push @cfgarr, 'UsePrivilegeSeparation no';
694    }
695}
696
697if(sshd_supports_opt('VerifyReverseMapping','no')) {
698    push @cfgarr, 'VerifyReverseMapping no';
699}
700if(sshd_supports_opt('X11UseLocalhost','yes')) {
701    push @cfgarr, 'X11UseLocalhost yes';
702}
703push @cfgarr, '#';
704
705
706#***************************************************************************
707# Write out resulting sshd configuration file for curl's tests
708#
709$error = dump_array($sshdconfig, @cfgarr);
710if($error) {
711    logmsg $error;
712    exit 1;
713}
714
715
716#***************************************************************************
717# Verify that sshd actually supports our generated configuration file
718#
719if(system "\"$sshd\" -t -f $sshdconfig > $sshdlog 2>&1") {
720    logmsg "sshd configuration file $sshdconfig failed verification";
721    display_sshdlog();
722    display_sshdconfig();
723    exit 1;
724}
725
726
727#***************************************************************************
728# Generate ssh client host key database file for curl's tests
729#
730if((! -e $knownhosts) || (! -s $knownhosts)) {
731    logmsg 'generating ssh client known hosts file...' if($verbose);
732    unlink($knownhosts);
733    if(open(RSAKEYFILE, "<$hstpubkeyf")) {
734        my @rsahostkey = do { local $/ = ' '; <RSAKEYFILE> };
735        if(close(RSAKEYFILE)) {
736            if(open(KNOWNHOSTS, ">$knownhosts")) {
737                print KNOWNHOSTS "$listenaddr ssh-rsa $rsahostkey[1]\n";
738                if(!close(KNOWNHOSTS)) {
739                    $error = "Error: cannot close file $knownhosts";
740                }
741            }
742            else {
743                $error = "Error: cannot write file $knownhosts";
744            }
745        }
746        else {
747            $error = "Error: cannot close file $hstpubkeyf";
748        }
749    }
750    else {
751        $error = "Error: cannot read file $hstpubkeyf";
752    }
753    if($error) {
754        logmsg $error;
755        exit 1;
756    }
757}
758
759
760#***************************************************************************
761# Convert paths for curl's tests running on Windows using Cygwin OpenSSH
762#
763my $identity_config = abs_path("$path/$identity");
764my $knownhosts_config = abs_path("$path/$knownhosts");
765
766if ($^O eq 'MSWin32' || $^O eq 'cygwin' || $^O eq 'msys') {
767    # Ensure to use MinGW/Cygwin paths
768    $identity_config = pathhelp::build_sys_abs_path($identity_config);
769    $knownhosts_config = pathhelp::build_sys_abs_path($knownhosts_config);
770}
771
772
773#***************************************************************************
774#  ssh client configuration file options we might use and version support
775#
776#  AddressFamily                     : OpenSSH 3.7.0 and later
777#  BatchMode                         : OpenSSH 1.2.1 and later
778#  BindAddress                       : OpenSSH 2.9.9 and later
779#  ChallengeResponseAuthentication   : OpenSSH 2.5.0 and later
780#  CheckHostIP                       : OpenSSH 1.2.1 and later
781#  Cipher                            : OpenSSH 1.2.1 and later [3]
782#  Ciphers                           : OpenSSH 2.1.0 and later [3]
783#  ClearAllForwardings               : OpenSSH 2.9.9 and later
784#  Compression                       : OpenSSH 1.2.1 and later
785#  CompressionLevel                  : OpenSSH 1.2.1 and later [3]
786#  ConnectionAttempts                : OpenSSH 1.2.1 and later
787#  ConnectTimeout                    : OpenSSH 3.7.0 and later
788#  ControlMaster                     : OpenSSH 3.9.0 and later
789#  ControlPath                       : OpenSSH 3.9.0 and later
790#  DisableBanner                     :  SunSSH 1.2.0 and later
791#  DynamicForward                    : OpenSSH 2.9.0 and later
792#  EnableSSHKeysign                  : OpenSSH 3.6.0 and later
793#  EscapeChar                        : OpenSSH 1.2.1 and later [3]
794#  ExitOnForwardFailure              : OpenSSH 4.4.0 and later
795#  ForwardAgent                      : OpenSSH 1.2.1 and later
796#  ForwardX11                        : OpenSSH 1.2.1 and later
797#  ForwardX11Trusted                 : OpenSSH 3.8.0 and later
798#  GatewayPorts                      : OpenSSH 1.2.1 and later
799#  GlobalKnownHostsFile              : OpenSSH 1.2.1 and later
800#  GSSAPIAuthentication              : OpenSSH 3.7.0 and later [1]
801#  GSSAPIDelegateCredentials         : OpenSSH 3.7.0 and later [1]
802#  HashKnownHosts                    : OpenSSH 4.0.0 and later
803#  Host                              : OpenSSH 1.2.1 and later
804#  HostbasedAuthentication           : OpenSSH 2.9.0 and later
805#  HostKeyAlgorithms                 : OpenSSH 2.9.0 and later [3]
806#  HostKeyAlias                      : OpenSSH 2.5.0 and later [3]
807#  HostName                          : OpenSSH 1.2.1 and later
808#  IdentitiesOnly                    : OpenSSH 3.9.0 and later
809#  IdentityFile                      : OpenSSH 1.2.1 and later
810#  IgnoreIfUnknown                   :  SunSSH 1.2.0 and later
811#  KeepAlive                         : OpenSSH 1.2.1 and later
812#  KbdInteractiveAuthentication      : OpenSSH 2.3.0 and later
813#  KbdInteractiveDevices             : OpenSSH 2.3.0 and later [3]
814#  LocalCommand                      : OpenSSH 4.3.0 and later [3]
815#  LocalForward                      : OpenSSH 1.2.1 and later [3]
816#  LogLevel                          : OpenSSH 1.2.1 and later
817#  MACs                              : OpenSSH 2.5.0 and later [3]
818#  NoHostAuthenticationForLocalhost  : OpenSSH 3.0.0 and later
819#  NumberOfPasswordPrompts           : OpenSSH 1.2.1 and later
820#  PasswordAuthentication            : OpenSSH 1.2.1 and later
821#  PermitLocalCommand                : OpenSSH 4.3.0 and later
822#  Port                              : OpenSSH 1.2.1 and later
823#  PreferredAuthentications          : OpenSSH 2.5.2 and later
824#  Protocol                          : OpenSSH 2.1.0 and later
825#  ProxyCommand                      : OpenSSH 1.2.1 and later [3]
826#  PubkeyAuthentication              : OpenSSH 2.5.0 and later
827#  RekeyLimit                        : OpenSSH 3.7.0 and later
828#  RemoteForward                     : OpenSSH 1.2.1 and later [3]
829#  RhostsRSAAuthentication           : OpenSSH 1.2.1 and later
830#  RSAAuthentication                 : OpenSSH 1.2.1 and later
831#  SendEnv                           : OpenSSH 3.9.0 and later
832#  ServerAliveCountMax               : OpenSSH 3.8.0 and later
833#  ServerAliveInterval               : OpenSSH 3.8.0 and later
834#  SmartcardDevice                   : OpenSSH 2.9.9 and later [1][3]
835#  StrictHostKeyChecking             : OpenSSH 1.2.1 and later
836#  TCPKeepAlive                      : OpenSSH 3.8.0 and later
837#  Tunnel                            : OpenSSH 4.3.0 and later
838#  TunnelDevice                      : OpenSSH 4.3.0 and later [3]
839#  UsePAM                            : OpenSSH 3.7.0 and later [1][2][3]
840#  UsePrivilegedPort                 : OpenSSH 1.2.1 and later
841#  User                              : OpenSSH 1.2.1 and later
842#  UserKnownHostsFile                : OpenSSH 1.2.1 and later
843#  VerifyHostKeyDNS                  : OpenSSH 3.8.0 and later
844#  XAuthLocation                     : OpenSSH 2.1.1 and later [3]
845#
846#  [1] Option only available if activated at compile time
847#  [2] Option specific for portable versions
848#  [3] Option not used in our ssh client config file
849
850
851#***************************************************************************
852# Initialize ssh config with options actually supported in OpenSSH 2.9.9
853#
854logmsg 'generating ssh client config file...' if($verbose);
855@cfgarr = ();
856push @cfgarr, '# This is a generated file.  Do not edit.';
857push @cfgarr, "# $sshverstr ssh client configuration file for curl testing";
858push @cfgarr, '#';
859push @cfgarr, 'Host *';
860push @cfgarr, '#';
861push @cfgarr, "Port $port";
862push @cfgarr, "HostName $listenaddr";
863push @cfgarr, "User $username";
864push @cfgarr, 'Protocol 2';
865push @cfgarr, '#';
866push @cfgarr, "BindAddress $listenaddr";
867push @cfgarr, "DynamicForward $socksport";
868push @cfgarr, '#';
869push @cfgarr, "IdentityFile $identity_config";
870push @cfgarr, "UserKnownHostsFile $knownhosts_config";
871push @cfgarr, '#';
872push @cfgarr, 'BatchMode yes';
873push @cfgarr, 'ChallengeResponseAuthentication no';
874push @cfgarr, 'CheckHostIP no';
875push @cfgarr, 'ClearAllForwardings no';
876push @cfgarr, 'Compression no';
877push @cfgarr, 'ConnectionAttempts 3';
878push @cfgarr, 'ForwardAgent no';
879push @cfgarr, 'ForwardX11 no';
880push @cfgarr, 'GatewayPorts no';
881push @cfgarr, 'GlobalKnownHostsFile /dev/null';
882push @cfgarr, 'HostbasedAuthentication no';
883push @cfgarr, 'KbdInteractiveAuthentication no';
884push @cfgarr, "LogLevel $loglevel";
885push @cfgarr, 'NumberOfPasswordPrompts 0';
886push @cfgarr, 'PasswordAuthentication no';
887push @cfgarr, 'PreferredAuthentications publickey';
888push @cfgarr, 'PubkeyAuthentication yes';
889push @cfgarr, 'RhostsRSAAuthentication no';
890push @cfgarr, 'RSAAuthentication no';
891
892# Disabled StrictHostKeyChecking since it makes the tests fail on my
893# OpenSSH_6.0p1 on Debian Linux / Daniel
894push @cfgarr, 'StrictHostKeyChecking no';
895push @cfgarr, 'UsePrivilegedPort no';
896push @cfgarr, '#';
897
898
899#***************************************************************************
900# Options supported in ssh client newer than OpenSSH 2.9.9
901#
902
903if(($sshid =~ /OpenSSH/) && ($sshvernum >= 370)) {
904    push @cfgarr, 'AddressFamily any';
905}
906
907if((($sshid =~ /OpenSSH/) && ($sshvernum >= 370)) ||
908   (($sshid =~ /SunSSH/) && ($sshvernum >= 120))) {
909    push @cfgarr, 'ConnectTimeout 30';
910}
911
912if(($sshid =~ /OpenSSH/) && ($sshvernum >= 390)) {
913    push @cfgarr, 'ControlMaster no';
914}
915
916if(($sshid =~ /OpenSSH/) && ($sshvernum >= 420)) {
917    push @cfgarr, 'ControlPath none';
918}
919
920if(($sshid =~ /SunSSH/) && ($sshvernum >= 120)) {
921    push @cfgarr, 'DisableBanner yes';
922}
923
924if(($sshid =~ /OpenSSH/) && ($sshvernum >= 360)) {
925    push @cfgarr, 'EnableSSHKeysign no';
926}
927
928if(($sshid =~ /OpenSSH/) && ($sshvernum >= 440)) {
929    push @cfgarr, 'ExitOnForwardFailure yes';
930}
931
932if((($sshid =~ /OpenSSH/) && ($sshvernum >= 380)) ||
933   (($sshid =~ /SunSSH/) && ($sshvernum >= 120))) {
934    push @cfgarr, 'ForwardX11Trusted no';
935}
936
937if(($sshd_builtwith_GSSAPI) && ($sshdid eq $sshid) &&
938   ($sshdvernum == $sshvernum)) {
939    push @cfgarr, 'GSSAPIAuthentication no';
940    push @cfgarr, 'GSSAPIDelegateCredentials no';
941    if($sshid =~ /SunSSH/) {
942        push @cfgarr, 'GSSAPIKeyExchange no';
943    }
944}
945
946if((($sshid =~ /OpenSSH/) && ($sshvernum >= 400)) ||
947   (($sshid =~ /SunSSH/) && ($sshvernum >= 120))) {
948    push @cfgarr, 'HashKnownHosts no';
949}
950
951if(($sshid =~ /OpenSSH/) && ($sshvernum >= 390)) {
952    push @cfgarr, 'IdentitiesOnly yes';
953}
954
955if(($sshid =~ /SunSSH/) && ($sshvernum >= 120)) {
956    push @cfgarr, 'IgnoreIfUnknown no';
957}
958
959if((($sshid =~ /OpenSSH/) && ($sshvernum < 380)) ||
960    ($sshid =~ /SunSSH/)) {
961    push @cfgarr, 'KeepAlive no';
962}
963
964if((($sshid =~ /OpenSSH/) && ($sshvernum >= 300)) ||
965    ($sshid =~ /SunSSH/)) {
966    push @cfgarr, 'NoHostAuthenticationForLocalhost no';
967}
968
969if(($sshid =~ /OpenSSH/) && ($sshvernum >= 430)) {
970    push @cfgarr, 'PermitLocalCommand no';
971}
972
973if((($sshid =~ /OpenSSH/) && ($sshvernum >= 370)) ||
974   (($sshid =~ /SunSSH/) && ($sshvernum >= 120))) {
975    push @cfgarr, 'RekeyLimit 1G';
976}
977
978if(($sshid =~ /OpenSSH/) && ($sshvernum >= 390)) {
979    push @cfgarr, 'SendEnv';
980}
981
982if((($sshid =~ /OpenSSH/) && ($sshvernum >= 380)) ||
983   (($sshid =~ /SunSSH/) && ($sshvernum >= 120))) {
984    push @cfgarr, 'ServerAliveCountMax 3';
985    push @cfgarr, 'ServerAliveInterval 0';
986}
987
988if(($sshid =~ /OpenSSH/) && ($sshvernum >= 380)) {
989    push @cfgarr, 'TCPKeepAlive no';
990}
991
992if(($sshid =~ /OpenSSH/) && ($sshvernum >= 430)) {
993    push @cfgarr, 'Tunnel no';
994}
995
996if(($sshid =~ /OpenSSH/) && ($sshvernum >= 380)) {
997    push @cfgarr, 'VerifyHostKeyDNS no';
998}
999
1000push @cfgarr, '#';
1001
1002
1003#***************************************************************************
1004# Write out resulting ssh client configuration file for curl's tests
1005#
1006$error = dump_array($sshconfig, @cfgarr);
1007if($error) {
1008    logmsg $error;
1009    exit 1;
1010}
1011
1012
1013#***************************************************************************
1014# Initialize client sftp config with options actually supported.
1015#
1016logmsg 'generating sftp client config file...' if($verbose);
1017splice @cfgarr, 1, 1, "# $sshverstr sftp client configuration file for curl testing";
1018#
1019for(my $i = scalar(@cfgarr) - 1; $i > 0; $i--) {
1020    if($cfgarr[$i] =~ /^DynamicForward/) {
1021        splice @cfgarr, $i, 1;
1022        next;
1023    }
1024    if($cfgarr[$i] =~ /^ClearAllForwardings/) {
1025        splice @cfgarr, $i, 1, "ClearAllForwardings yes";
1026        next;
1027    }
1028}
1029
1030
1031#***************************************************************************
1032# Write out resulting sftp client configuration file for curl's tests
1033#
1034$error = dump_array($sftpconfig, @cfgarr);
1035if($error) {
1036    logmsg $error;
1037    exit 1;
1038}
1039@cfgarr = ();
1040
1041
1042#***************************************************************************
1043# Generate client sftp commands batch file for sftp server verification
1044#
1045logmsg 'generating sftp client commands file...' if($verbose);
1046push @cfgarr, 'pwd';
1047push @cfgarr, 'quit';
1048$error = dump_array($sftpcmds, @cfgarr);
1049if($error) {
1050    logmsg $error;
1051    exit 1;
1052}
1053@cfgarr = ();
1054
1055
1056#***************************************************************************
1057# Start the ssh server daemon without forking it
1058#
1059logmsg "SCP/SFTP server listening on port $port" if($verbose);
1060my $rc = system "\"$sshd\" -e -D -f $sshdconfig > $sshdlog 2>&1";
1061if($rc == -1) {
1062    logmsg "\"$sshd\" failed with: $!";
1063}
1064elsif($rc & 127) {
1065    logmsg sprintf("\"$sshd\" died with signal %d, and %s coredump",
1066                   ($rc & 127), ($rc & 128)?'a':'no');
1067}
1068elsif($verbose && ($rc >> 8)) {
1069    logmsg sprintf("\"$sshd\" exited with %d", $rc >> 8);
1070}
1071
1072
1073#***************************************************************************
1074# Clean up once the server has stopped
1075#
1076unlink($hstprvkeyf, $hstpubkeyf, $cliprvkeyf, $clipubkeyf, $knownhosts);
1077unlink($sshdconfig, $sshconfig, $sftpconfig);
1078
1079
1080exit 0;
1081