From 7b2c781640a7a78a9455b86593a1f63c9e8cab92 Mon Sep 17 00:00:00 2001 From: Thomas Wolf Date: Tue, 2 Jan 2024 22:35:42 +0100 Subject: [PATCH] GH-445: strict KEX interoperability tests Run an Apache MINA sshd client against OpenSSH servers that do have or do not have strict KEX. --- .../StrictKexInteroperabilityTest.java | 192 ++++++++++++++++++ .../sshd/common/kex/extensions/client/bob_key | 27 +++ .../common/kex/extensions/client/bob_key.pub | 1 + .../kex/extensions/client/entrypoint.sh | 6 + sshd-mina/pom.xml | 1 + sshd-netty/pom.xml | 1 + 6 files changed, 228 insertions(+) create mode 100644 sshd-core/src/test/java/org/apache/sshd/common/kex/extension/StrictKexInteroperabilityTest.java create mode 100644 sshd-core/src/test/resources/org/apache/sshd/common/kex/extensions/client/bob_key create mode 100644 sshd-core/src/test/resources/org/apache/sshd/common/kex/extensions/client/bob_key.pub create mode 100644 sshd-core/src/test/resources/org/apache/sshd/common/kex/extensions/client/entrypoint.sh diff --git a/sshd-core/src/test/java/org/apache/sshd/common/kex/extension/StrictKexInteroperabilityTest.java b/sshd-core/src/test/java/org/apache/sshd/common/kex/extension/StrictKexInteroperabilityTest.java new file mode 100644 index 000000000..43e6d8a8e --- /dev/null +++ b/sshd-core/src/test/java/org/apache/sshd/common/kex/extension/StrictKexInteroperabilityTest.java @@ -0,0 +1,192 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.sshd.common.kex.extension; + +import java.io.PipedInputStream; +import java.io.PipedOutputStream; +import java.nio.charset.StandardCharsets; + +import org.apache.sshd.client.ClientFactoryManager; +import org.apache.sshd.client.SshClient; +import org.apache.sshd.client.channel.ChannelShell; +import org.apache.sshd.client.session.ClientSession; +import org.apache.sshd.client.session.ClientSessionImpl; +import org.apache.sshd.client.session.SessionFactory; +import org.apache.sshd.common.channel.StreamingChannel; +import org.apache.sshd.common.io.IoSession; +import org.apache.sshd.common.keyprovider.FileKeyPairProvider; +import org.apache.sshd.util.test.BaseTestSupport; +import org.apache.sshd.util.test.CommonTestSupportUtils; +import org.apache.sshd.util.test.ContainerTestCase; +import org.junit.After; +import org.junit.Before; +import org.junit.Test; +import org.junit.experimental.categories.Category; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; +import org.testcontainers.containers.GenericContainer; +import org.testcontainers.containers.output.Slf4jLogConsumer; +import org.testcontainers.containers.wait.strategy.Wait; +import org.testcontainers.images.builder.ImageFromDockerfile; +import org.testcontainers.images.builder.dockerfile.DockerfileBuilder; +import org.testcontainers.utility.MountableFile; + +/** + * Tests to ensure that an Apache MINA sshd client can talk to OpenSSH servers with or without "strict KEX". This + * implicitly tests the message sequence number handling; if sequence numbers get out of sync or are reset wrongly, + * subsequent messages cannot be decrypted correctly and there will be exceptions. + * + * @author Apache MINA SSHD Project + * @see Terrapin Mitigation: "strict-kex" + */ +@Category(ContainerTestCase.class) +public class StrictKexInteroperabilityTest extends BaseTestSupport { + + private static final Logger LOG = LoggerFactory.getLogger(StrictKexInteroperabilityTest.class); + + private static final String TEST_RESOURCES = "org/apache/sshd/common/kex/extensions/client"; + + private SshClient client; + + public StrictKexInteroperabilityTest() { + super(); + } + + @Before + public void setUp() throws Exception { + client = setupTestClient(); + SessionFactory factory = new TestSessionFactory(client); + client.setSessionFactory(factory); + } + + @After + public void tearDown() throws Exception { + if (client != null) { + client.stop(); + } + } + + private DockerfileBuilder strictKexImage(DockerfileBuilder builder, boolean withStrictKex) { + if (!withStrictKex) { + return builder + // CentOS 7 is EOL and thus unlikely to get the security update for strict KEX. + .from("centos:7.9.2009") // + .run("yum install -y openssh-server") // Installs OpenSSH 7.4 + .run("/usr/sbin/sshd-keygen") // Generate multiple host keys + .run("adduser bob"); // Add a user + } else { + return builder + .from("alpine:20231219") // + .run("apk --update add openssh-server") // Installs OpenSSH 9.6 + .run("ssh-keygen -A") // Generate multiple host keys + .run("adduser -D bob") // Add a user + .run("echo 'bob:passwordBob' | chpasswd"); // Give it a password to unlock the user + } + } + + @Test + public void testStrictKexOff() throws Exception { + testStrictKex(false); + } + + @Test + public void testStrictKexOn() throws Exception { + testStrictKex(true); + } + + private void testStrictKex(boolean withStrictKex) throws Exception { + // This tests that the message sequence numbers are handled correctly. Strict KEX resets them to zero on any + // KEX, without strict KEX, they're not reset. If sequence numbers get out of sync, received messages are + // decrypted wrongly and there will be exceptions. + @SuppressWarnings("resource") + GenericContainer sshdContainer = new GenericContainer<>(new ImageFromDockerfile() + .withDockerfileFromBuilder(builder -> strictKexImage(builder, withStrictKex) // + .run("mkdir -p /home/bob/.ssh") // Create the SSH config directory + .entryPoint("/entrypoint.sh") // + .build())) // + .withCopyFileToContainer(MountableFile.forClasspathResource(TEST_RESOURCES + "/bob_key.pub"), + "/home/bob/.ssh/authorized_keys") + // entrypoint must be executable. Spotbugs doesn't like 0777, so use hex + .withCopyFileToContainer( + MountableFile.forClasspathResource(TEST_RESOURCES + "/entrypoint.sh", 0x1ff), + "/entrypoint.sh") + .waitingFor(Wait.forLogMessage(".*Server listening on :: port 22.*\\n", 1)) // + .withExposedPorts(22) // + .withLogConsumer(new Slf4jLogConsumer(LOG)); + sshdContainer.start(); + try { + FileKeyPairProvider keyPairProvider = CommonTestSupportUtils.createTestKeyPairProvider(TEST_RESOURCES + "/bob_key"); + client.setKeyIdentityProvider(keyPairProvider); + client.start(); + try (ClientSession session = client.connect("bob", sshdContainer.getHost(), sshdContainer.getMappedPort(22)) + .verify(CONNECT_TIMEOUT).getSession()) { + session.auth().verify(AUTH_TIMEOUT); + assertTrue("Should authenticate", session.isAuthenticated()); + assertTrue("Unexpected session type " + session.getClass().getName(), session instanceof TestSession); + assertEquals("Unexpected strict KEX usage", withStrictKex, ((TestSession) session).usesStrictKex()); + try (ChannelShell channel = session.createShellChannel()) { + channel.setOut(System.out); + channel.setErr(System.err); + channel.setStreaming(StreamingChannel.Streaming.Sync); + PipedOutputStream pos = new PipedOutputStream(); + PipedInputStream pis = new PipedInputStream(pos); + channel.setIn(pis); + assertTrue("Could not open session", channel.open().await(DEFAULT_TIMEOUT)); + LOG.info("writing some data..."); + pos.write("\n\n".getBytes(StandardCharsets.UTF_8)); + assertTrue("Channel should be open", channel.isOpen()); + assertTrue(session.reExchangeKeys().verify(CONNECT_TIMEOUT).isDone()); + assertTrue("Channel should be open", channel.isOpen()); + LOG.info("writing some data..."); + pos.write("\n\n".getBytes(StandardCharsets.UTF_8)); + assertTrue("Channel should be open", channel.isOpen()); + channel.close(true); + } + } + } finally { + sshdContainer.stop(); + } + } + + // Subclass ClientSessionImpl to get access to the strictKex flag. + + private static class TestSessionFactory extends SessionFactory { + + TestSessionFactory(ClientFactoryManager client) { + super(client); + } + + @Override + protected ClientSessionImpl doCreateSession(IoSession ioSession) throws Exception { + return new TestSession(getClient(), ioSession); + } + } + + private static class TestSession extends ClientSessionImpl { + + TestSession(ClientFactoryManager client, IoSession ioSession) throws Exception { + super(client, ioSession); + } + + boolean usesStrictKex() { + return strictKex; + } + } +} diff --git a/sshd-core/src/test/resources/org/apache/sshd/common/kex/extensions/client/bob_key b/sshd-core/src/test/resources/org/apache/sshd/common/kex/extensions/client/bob_key new file mode 100644 index 000000000..b5b70aeaa --- /dev/null +++ b/sshd-core/src/test/resources/org/apache/sshd/common/kex/extensions/client/bob_key @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEAxY3Hr1SqpJIQ9SbFfGMGweVy8jg2TEH3GC1K0LudQHJwogRi ++debdCqUtuSITbpPhjkeZSk9rq198d6RhT6TQmY9J8wLL2/+VXZk/rMVEEjeXQS3 +ImRnL2vVmkAunv6LwfDGHIovkhwj3/lqGWphDAKnHyXusPDwQ3N4LFGgxwXvRGqc +lzmP8H+KDWaaPapk1AZCBIoD4JbL8faBtLNU01r+pB3sIKvfsPJ5DxPErThfrPuD +qIbA3axEqFlgX4aVl3yMnSWjfhLhO7xD3YwrtUhannHt8pZQo5FkwCGWDpkG3xs+ +qK3ZACrhMFMTvPuDS83jDtEzNd5KYb4KnkOPMQIDAQABAoIBAQCE5GktgrD/39pU +b25tzFehW25FjpbIGZ/UvbMUUwDnd5RZCMZj9yv1qyc7GOSwFOKmEgpmVqXNuZt9 +dxFBJuT8x7Xf7Zygnp/icbBivakvuTUMMb3X/t6CwfGAwCgcgHMXVZaPYE275f4k +Dq3Wxv7di3NMusGkeY/GcAipF4gmGKKe7Ck1ifRypF2cDJsgTtsoFUHNNKfnT3gf +OcJsVLRl0osbsxdqU+Tep46+jHrNt8J9n2VeRNRIqGHj0CkNdpLQOs+MjvIO3Hgq +9NUxwIExwaPnBpTLlWwfemCz3JQnlAineMbYBGa1tpAA3Iw56NWcNbiOPyUyffbI +wBC4r1uZAoGBAPESsergFD+ontChEI+h38oM/D9DKCObZR2kz6WArZ54i1dJWOgh +HCsuxgPjxmaddPKghfNhUORdZBynuS5G7n6BfItNilDiFm2KBk12d38OVovUFo1Q +r5akclKf0kFxHt5TzHIrNAv7B4OF0Uk3kuDHM7ITX3qDpTSBLlzPAUUHAoGBANHJ +QIPmuF2q+PXnnSgdEyiETfl/IqUTXQyxda8kRIPJKKHZKPHZePhgJKUq9VP32PrP +AxIBNrS3Netsp+EAApj09hmWUcgJRIU1/wjpVGqUmguYgh8nVFOPDudOJD5ltQ/A +enzQ19IkGroaQB8CBGZsPaBAvqRZ5PLbm+BZEPQHAoGAblaMMGCXY/udlQfjOJpy +f1wqKBpoyMNbKJJCqBGZZaruu+jKVJSy++DQqP8b0+PFnzdxl8+24o8MP0FVNKUq +i6RgiLHY2ORiN4ixEctjLjg1zJIqMEv50g06di7IYUORSVk5fhfgHourCLu66rQQ ++eiy9JKBZOXUO4/U1I26mwkCgYAhfuCuLsiBLCtUGAcfwISuk3FfxMzjTpQs0qjX +rhLCd/vk26eN9gs6nR88v/8ryQb8BNGYrljtwdL6I/8qDbZcdcBVlYq5RcGLA3QV +GCxCWDfAYjlkgAMW1GCsze07iUG/ohvskevjwaAC1u4mBUxujhnI3I2T8EZ+AFKD +H7V1QQKBgQDNt+zjSdLtA9AczxDwWmi5SbS+k+nGbi6AQO9i73wky/wxx7FonfWS +2skkOUIst3HBc0Oz+CJTfNFQK6GVqtzTdlZFhMYS0ua1Djd6q6S648+K0cieY4r5 +5irivHYVN8t7lBcvbA7E7yD6dHXSHsn6yOLTrV382qRfJTbxG7ZVWA== +-----END RSA PRIVATE KEY----- diff --git a/sshd-core/src/test/resources/org/apache/sshd/common/kex/extensions/client/bob_key.pub b/sshd-core/src/test/resources/org/apache/sshd/common/kex/extensions/client/bob_key.pub new file mode 100644 index 000000000..efecd1b08 --- /dev/null +++ b/sshd-core/src/test/resources/org/apache/sshd/common/kex/extensions/client/bob_key.pub @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFjcevVKqkkhD1JsV8YwbB5XLyODZMQfcYLUrQu51AcnCiBGL515t0KpS25IhNuk+GOR5lKT2urX3x3pGFPpNCZj0nzAsvb/5VdmT+sxUQSN5dBLciZGcva9WaQC6e/ovB8MYcii+SHCPf+WoZamEMAqcfJe6w8PBDc3gsUaDHBe9EapyXOY/wf4oNZpo9qmTUBkIEigPglsvx9oG0s1TTWv6kHewgq9+w8nkPE8StOF+s+4OohsDdrESoWWBfhpWXfIydJaN+EuE7vEPdjCu1SFqece3yllCjkWTAIZYOmQbfGz6ordkAKuEwUxO8+4NLzeMO0TM13kphvgqeQ48x user01 diff --git a/sshd-core/src/test/resources/org/apache/sshd/common/kex/extensions/client/entrypoint.sh b/sshd-core/src/test/resources/org/apache/sshd/common/kex/extensions/client/entrypoint.sh new file mode 100644 index 000000000..26489c5f0 --- /dev/null +++ b/sshd-core/src/test/resources/org/apache/sshd/common/kex/extensions/client/entrypoint.sh @@ -0,0 +1,6 @@ +#!/bin/sh + +chown -R bob /home/bob +chmod 0600 /home/bob/.ssh/* + +/usr/sbin/sshd -D -ddd diff --git a/sshd-mina/pom.xml b/sshd-mina/pom.xml index 967b12930..6d1c4ed6a 100644 --- a/sshd-mina/pom.xml +++ b/sshd-mina/pom.xml @@ -124,6 +124,7 @@ **/SessionReKeyHostKeyExchangeTest.java **/HostBoundPubKeyAuthTest.java **/PortForwardingWithOpenSshTest.java + **/StrictKexInteroperabilityTest.java **/OpenSSHCertificateTest.java diff --git a/sshd-netty/pom.xml b/sshd-netty/pom.xml index 5d774029f..ac34b5094 100644 --- a/sshd-netty/pom.xml +++ b/sshd-netty/pom.xml @@ -143,6 +143,7 @@ **/SessionReKeyHostKeyExchangeTest.java **/HostBoundPubKeyAuthTest.java **/PortForwardingWithOpenSshTest.java + **/StrictKexInteroperabilityTest.java **/OpenSSHCertificateTest.java