summaryrefslogtreecommitdiffhomepage
path: root/tests
diff options
context:
space:
mode:
authorJeff Forcier <jeff@bitprophet.org>2022-05-16 20:26:48 -0400
committerJeff Forcier <jeff@bitprophet.org>2022-05-16 20:38:48 -0400
commitdd1a32c428f1f5c9ea15fe97fde9358e695f4afc (patch)
treeeeb12baf334b8150b4665e12f59d3aab59ad343e /tests
parent943b733c4701b0b4fb56e4651727b97ab4ca7f0b (diff)
Fix OpenSSH<7.8 + RSA-CERT use re: SHA2
Closes #2017
Diffstat (limited to 'tests')
-rw-r--r--tests/test_client.py42
1 files changed, 37 insertions, 5 deletions
diff --git a/tests/test_client.py b/tests/test_client.py
index f14aac23..21694e28 100644
--- a/tests/test_client.py
+++ b/tests/test_client.py
@@ -152,7 +152,12 @@ class ClientTest(unittest.TestCase):
self.sockl.close()
def _run(
- self, allowed_keys=None, delay=0, public_blob=None, kill_event=None
+ self,
+ allowed_keys=None,
+ delay=0,
+ public_blob=None,
+ kill_event=None,
+ server_name=None,
):
if allowed_keys is None:
allowed_keys = FINGERPRINTS.keys()
@@ -164,6 +169,8 @@ class ClientTest(unittest.TestCase):
self.socks.close()
return
self.ts = paramiko.Transport(self.socks)
+ if server_name is not None:
+ self.ts.local_version = server_name
keypath = _support("test_rsa.key")
host_key = paramiko.RSAKey.from_private_key_file(keypath)
self.ts.add_server_key(host_key)
@@ -179,11 +186,11 @@ class ClientTest(unittest.TestCase):
"""
(Most) kwargs get passed directly into SSHClient.connect().
- The exception is ``allowed_keys`` which is stripped and handed to the
- ``NullServer`` used for testing.
+ The exceptions are ``allowed_keys``/``public_blob``/``server_name``
+ which are stripped and handed to the ``NullServer`` used for testing.
"""
run_kwargs = {"kill_event": self.kill_event}
- for key in ("allowed_keys", "public_blob"):
+ for key in ("allowed_keys", "public_blob", "server_name"):
run_kwargs[key] = kwargs.pop(key, None)
# Server setup
threading.Thread(target=self._run, kwargs=run_kwargs).start()
@@ -205,7 +212,9 @@ class ClientTest(unittest.TestCase):
self.event.wait(1.0)
self.assertTrue(self.event.is_set())
self.assertTrue(self.ts.is_active())
- self.assertEqual("slowdive", self.ts.get_username())
+ self.assertEqual(
+ self.connect_kwargs["username"], self.ts.get_username()
+ )
self.assertEqual(True, self.ts.is_authenticated())
self.assertEqual(False, self.tc.get_transport().gss_kex_used)
@@ -336,6 +345,29 @@ class SSHClientTest(ClientTest):
),
)
+ def _cert_algo_test(self, ver, alg):
+ # Issue #2017; see auth_handler.py
+ self.connect_kwargs["username"] = "somecertuser" # neuter pw auth
+ self._test_connection(
+ # NOTE: SSHClient is able to take either the key or the cert & will
+ # set up its internals as needed
+ key_filename=_support(
+ os.path.join("cert_support", "test_rsa.key-cert.pub")
+ ),
+ server_name="SSH-2.0-OpenSSH_{}".format(ver),
+ )
+ assert (
+ self.tc._transport._agreed_pubkey_algorithm
+ == "{}-cert-v01@openssh.com".format(alg)
+ )
+
+ def test_old_openssh_needs_ssh_rsa_for_certs_not_rsa_sha2(self):
+ self._cert_algo_test(ver="7.7", alg="ssh-rsa")
+
+ def test_newer_openssh_uses_rsa_sha2_for_certs_not_ssh_rsa(self):
+ # NOTE: 512 happens to be first in our list and is thus chosen
+ self._cert_algo_test(ver="7.8", alg="rsa-sha2-512")
+
def test_default_key_locations_trigger_cert_loads_if_found(self):
# TODO: what it says on the tin: ~/.ssh/id_rsa tries to load
# ~/.ssh/id_rsa-cert.pub. Right now no other tests actually test that