From aaf23b9c0a88fa042d66306a44d800ce1c592743 Mon Sep 17 00:00:00 2001 From: Vivian Thiebaut Date: Fri, 21 May 2021 14:40:45 -0400 Subject: [PATCH 01/37] initial commit --- monitor.c | 6 ++++++ monitor.h | 1 + sshd.c | 14 ++++++++++++-- 3 files changed, 19 insertions(+), 2 deletions(-) diff --git a/monitor.c b/monitor.c index e7f64981a8ea..8e004cf03721 100644 --- a/monitor.c +++ b/monitor.c @@ -1911,6 +1911,12 @@ monitor_reinit(struct monitor *mon) monitor_openfds(mon, 0); } +void +monitor_reinit_withlogs(struct monitor* mon) +{ + monitor_openfds(mon, 1); +} + #ifdef GSSAPI int mm_answer_gss_setup_ctx(struct ssh *ssh, int sock, struct sshbuf *m) diff --git a/monitor.h b/monitor.h index 683e5e07163e..ef479b87bea6 100644 --- a/monitor.h +++ b/monitor.h @@ -78,6 +78,7 @@ struct monitor { struct monitor *monitor_init(void); void monitor_reinit(struct monitor *); +void monitor_reinit_withlogs(struct monitor*); struct Authctxt; void monitor_child_preauth(struct ssh *, struct monitor *); diff --git a/sshd.c b/sshd.c index 8f0ee04b9ed9..6184cd6ed671 100644 --- a/sshd.c +++ b/sshd.c @@ -878,7 +878,7 @@ privsep_postauth(struct ssh *ssh, Authctxt *authctxt) } /* New socket pair */ - monitor_reinit(pmonitor); + monitor_reinit_withlogs(pmonitor); #ifdef FORK_NOT_SUPPORTED if (!privsep_auth_child) { /* parent */ @@ -887,7 +887,8 @@ privsep_postauth(struct ssh *ssh, Authctxt *authctxt) if (posix_spawn_file_actions_init(&actions) != 0 || posix_spawn_file_actions_adddup2(&actions, io_sock_in, STDIN_FILENO) != 0 || posix_spawn_file_actions_adddup2(&actions, io_sock_out, STDOUT_FILENO) != 0 || - posix_spawn_file_actions_adddup2(&actions, pmonitor->m_recvfd, PRIVSEP_MONITOR_FD) != 0) + posix_spawn_file_actions_adddup2(&actions, pmonitor->m_recvfd, PRIVSEP_MONITOR_FD) != 0 || + posix_spawn_file_actions_adddup2(&actions, pmonitor->m_log_sendfd, PRIVSEP_LOG_FD) != 0) fatal("posix_spawn initialization failed"); { 
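Review bot: The `monitor_reinit_withlogs` added in the monitor.c hunk carries no comment saying why a second entry point exists beside `monitor_reinit`, and its parameter is written `struct monitor* mon` while the hunk's own context (`monitor_reinit(struct monitor *mon)`) binds the `*` to the name; the monitor.h declaration repeats the same spacing. I would write `struct monitor *mon` in both places and put `/* As monitor_reinit(), but also create the log socketpair so the post-auth child can route its log messages through the monitor. */` above the definition. The only difference from `monitor_reinit` is the `do_logfds` argument to `monitor_openfds`, so that one line is enough.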
@@ -909,12 +910,21 @@ privsep_postauth(struct ssh *ssh, Authctxt *authctxt) /* NEVERREACHED */ exit(0); } + /* child */ close(pmonitor->m_sendfd); close(pmonitor->m_recvfd); + close(pmonitor->m_log_recvfd); + close(pmonitor->m_log_sendfd); pmonitor->m_recvfd = PRIVSEP_MONITOR_FD; + pmonitor->m_log_sendfd = PRIVSEP_LOG_FD; fcntl(pmonitor->m_recvfd, F_SETFD, FD_CLOEXEC); + fcntl(pmonitor->m_log_sendfd, F_SETFD, FD_CLOEXEC); + + /* Arrange for logging to be sent to the monitor */ + set_log_handler(mm_log_handler, pmonitor); + monitor_recv_keystate(pmonitor); do_setusercontext(authctxt->pw); From 4faee49f27ddfaa36fc854288451199ca1f84d53 Mon Sep 17 00:00:00 2001 From: Vivian Thiebaut Date: Mon, 24 May 2021 15:23:22 -0400 Subject: [PATCH 02/37] logs work for sshd --- monitor.c | 12 +++++++++++- monitor_wrap.c | 3 +++ sshd.c | 2 +- 3 files changed, 15 insertions(+), 2 deletions(-) diff --git a/monitor.c b/monitor.c index 8e004cf03721..7719dec778b6 100644 --- a/monitor.c +++ b/monitor.c @@ -422,6 +422,8 @@ monitor_read_log(struct monitor *pmonitor) u_char *p; int r; + printf("Entered Monitor Read Log\n"); + if ((logmsg = sshbuf_new()) == NULL) fatal_f("sshbuf_new"); @@ -449,12 +451,14 @@ monitor_read_log(struct monitor *pmonitor) fatal_fr(r, "reserve msg"); if (atomicio(read, pmonitor->m_log_recvfd, p, len) != len) fatal_f("log fd read: %s", strerror(errno)); + printf("Monitor Logging Message\n"); if ((r = sshbuf_get_u32(logmsg, &level)) != 0 || (r = sshbuf_get_u32(logmsg, &forced)) != 0 || (r = sshbuf_get_cstring(logmsg, &msg, NULL)) != 0) fatal_fr(r, "parse"); /* Log it */ + if (log_level_name(level) == NULL) fatal_f("invalid log level %u (corrupted message?)", level); sshlogdirect(level, forced, "%s [preauth]", msg); @@ -462,6 +466,8 @@ monitor_read_log(struct monitor *pmonitor) sshbuf_free(logmsg); free(msg); + printf("Exited Monitor Read Log\n"); + return 0; } 
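Review bot: In the child branch of the sshd.c `@@ -909` hunk the child adopts `PRIVSEP_LOG_FD` as `m_log_sendfd` and installs `mm_log_handler`, but the parent side of the spawn is outside the hunk and nothing shown closes the parent's own copy of `m_log_sendfd`; if it stays open, the monitor can never observe EOF on `m_log_recvfd` after the child exits, so any drain loop of the kind `monitor_child_preauth` uses for the pre-auth channel would hang. Please confirm the parent branch closes `m_log_sendfd` and sets it to -1 after `posix_spawn`, as it does for the request socketpair. A comment at the new assignment, `/* in the spawned child the monitor log channel arrives as PRIVSEP_LOG_FD */`, would make the renumbering obvious. `privsep_postauth` continues past the end of the hunk.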
@@ -1888,8 +1894,12 @@ monitor_openfds(struct monitor *mon, int do_logfds) FD_CLOSEONEXEC(pair[1]); mon->m_log_recvfd = pair[0]; mon->m_log_sendfd = pair[1]; - } else + printf("Created Log FDs\n"); + } + else { mon->m_log_recvfd = mon->m_log_sendfd = -1; + printf("Not creating Log FDs\n"); + } } #define MM_MEMSIZE 65536 diff --git a/monitor_wrap.c b/monitor_wrap.c index 748333c75e59..5be7ef3be437 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c @@ -89,6 +89,7 @@ mm_log_handler(LogLevel level, int forced, const char *msg, void *ctx) int r; size_t len; + printf("Entered Log Handler\n"); if (mon->m_log_sendfd == -1) fatal_f("no log channel"); @@ -107,6 +108,8 @@ mm_log_handler(LogLevel level, int forced, const char *msg, void *ctx) sshbuf_mutable_ptr(log_msg), len) != len) fatal_f("write: %s", strerror(errno)); sshbuf_free(log_msg); + + printf("Exited Log Handler\n"); } int diff --git a/sshd.c b/sshd.c index 6184cd6ed671..05cea4817d51 100644 --- a/sshd.c +++ b/sshd.c @@ -136,7 +136,7 @@ #define PRIVSEP_MONITOR_FD (STDERR_FILENO + 1) #define PRIVSEP_LOG_FD (STDERR_FILENO + 2) #define PRIVSEP_UNAUTH_MIN_FREE_FD (PRIVSEP_LOG_FD + 1) -#define PRIVSEP_AUTH_MIN_FREE_FD (PRIVSEP_MONITOR_FD + 1) +#define PRIVSEP_AUTH_MIN_FREE_FD (PRIVSEP_LOG_FD + 1) extern char *__progname; From 56ffb6c04431f3afd7de698f05a4b27b72e07d4f Mon Sep 17 00:00:00 2001 From: Vivian Thiebaut Date: Tue, 25 May 2021 14:25:19 -0400 Subject: [PATCH 03/37] sftp on non admin accounts do logs (error on exit) --- contrib/win32/win32compat/inc/unistd.h | 2 ++ contrib/win32/win32compat/w32-doexec.c | 3 +- contrib/win32/win32compat/w32fd.c | 3 +- sftp-server.c | 39 ++++++++++++++++++++++++++ 4 files changed, 45 insertions(+), 2 deletions(-) diff --git a/contrib/win32/win32compat/inc/unistd.h b/contrib/win32/win32compat/inc/unistd.h index edcad7239dba..85d9a6c24358 100644 --- a/contrib/win32/win32compat/inc/unistd.h +++ b/contrib/win32/win32compat/inc/unistd.h 
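Review bot: The `printf("Entered Log Handler\n")` added to `mm_log_handler` in the monitor_wrap.c `@@ -89` hunk writes to stdout, and in the spawned privsep child stdout is the client connection (patch 01 dup2's `io_sock_out` onto `STDOUT_FILENO`), so this debug text is injected into the SSH transport stream and corrupts the session. The same defect is in the `@@ -107` hunk, in the `printf` calls added to `monitor_read_log` and `monitor_openfds` in this patch, and in the ones patch 03 adds to `fd_table_initialize` (w32fd.c) and `log_handler` (sftp-server.c), where stdout carries the SFTP protocol. Debug output in these processes has to go through the normal `debug*` logging or to stderr, never to stdout.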
@@ -13,6 +13,8 @@ #define STDOUT_FILENO 1 #define STDERR_FILENO 2 +#define SFTP_SERVER_LOG_FD STDERR_FILENO+1 + int w32_ftruncate(int, off_t); #define ftruncate(a, b) w32_ftruncate((a), (b)) diff --git a/contrib/win32/win32compat/w32-doexec.c b/contrib/win32/win32compat/w32-doexec.c index 25bf2a2a0235..2129fe5a8459 100644 --- a/contrib/win32/win32compat/w32-doexec.c +++ b/contrib/win32/win32compat/w32-doexec.c @@ -396,7 +396,8 @@ int do_exec_windows(struct ssh *ssh, Session *s, const char *command, int pty) { if (posix_spawn_file_actions_init(&actions) != 0 || posix_spawn_file_actions_adddup2(&actions, pipein[0], STDIN_FILENO) != 0 || posix_spawn_file_actions_adddup2(&actions, pipeout[1], STDOUT_FILENO) != 0 || - posix_spawn_file_actions_adddup2(&actions, pipeerr[1], STDERR_FILENO) != 0) { + posix_spawn_file_actions_adddup2(&actions, pipeerr[1], STDERR_FILENO) != 0 || + posix_spawn_file_actions_adddup2(&actions, STDERR_FILENO + 2, SFTP_SERVER_LOG_FD) != 0) { errno = EOTHER; error("posix_spawn initialization failed"); goto cleanup; diff --git a/contrib/win32/win32compat/w32fd.c b/contrib/win32/win32compat/w32fd.c index 01f590169319..9ec182c2d973 100644 --- a/contrib/win32/win32compat/w32fd.c +++ b/contrib/win32/win32compat/w32fd.c @@ -91,7 +91,7 @@ fd_table_initialize() /* table entries representing std in, out and error*/ DWORD wh_index[] = { STD_INPUT_HANDLE , STD_OUTPUT_HANDLE , STD_ERROR_HANDLE }; int fd_num = 0; - + printf("Entering: %s\n", __func__); memset(&fd_table, 0, sizeof(fd_table)); /* prepare std io fds */ @@ -107,6 +107,7 @@ fd_table_initialize() pio->type = NONSOCK_SYNC_FD; pio->handle = wh; fd_table_set(pio, fd_num); + printf("FD:%d is allocated\n", fd_num); } } diff --git a/sftp-server.c b/sftp-server.c index 9727950acac2..a98b115ad3dc 100644 --- a/sftp-server.c +++ b/sftp-server.c 
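Review bot: `#define SFTP_SERVER_LOG_FD STDERR_FILENO+1` in the unistd.h hunk is an unparenthesised expression macro, unlike `PRIVSEP_LOG_FD (STDERR_FILENO + 2)` in sshd.c; a use such as `x - SFTP_SERVER_LOG_FD` or `SFTP_SERVER_LOG_FD * 2` silently mis-evaluates. Write `#define SFTP_SERVER_LOG_FD (STDERR_FILENO + 1)` and add `/* must match the target fd of the adddup2 in do_exec_windows */` so the two sides of the handover stay in step.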
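Review bot: The new `adddup2(&actions, STDERR_FILENO + 2, SFTP_SERVER_LOG_FD)` in the w32-doexec.c `@@ -396` hunk runs for every process `do_exec_windows` spawns, not only sftp-server, so a user's shell or exec command inherits sshd's fd 4, which after patch 01 is the write end of the privsep log socketpair whose other end is read and parsed by the privileged monitor in `monitor_read_log`. That hands any authenticated user a channel into the monitor's parser and lets them place arbitrary text into the sshd log; the dup should be limited to the sftp subsystem and every other spawn should leave that fd closed. `STDERR_FILENO + 2` is also a bare number here; referring to the `PRIVSEP_LOG_FD` definition, or the fd recorded in `pmonitor`, would keep the two sides from drifting.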
@@ -52,6 +52,8 @@ #include "sftp.h" #include "sftp-common.h" +#include "atomicio.h" + char *sftp_realpath(const char *, char *); /* sftp-realpath.c */ /* Maximum data read that we are willing to accept */ @@ -89,6 +91,10 @@ struct Stat { Attrib attrib; }; + +static int log_send_fd = SFTP_SERVER_LOG_FD; + + /* Packet handlers */ static void process_open(u_int32_t id); static void process_close(u_int32_t id); @@ -1641,6 +1647,37 @@ sftp_server_cleanup_exit(int i) _exit(i); } +void +log_handler(LogLevel level, int forced, const char* msg, void* ctx) +{ + struct sshbuf* log_msg; + int* log_fd = (int*)ctx; + int r; + size_t len; + + printf("Entered Log Handler\n"); + if (*log_fd == -1) + fatal_f("no log channel"); + + if ((log_msg = sshbuf_new()) == NULL) + fatal_f("sshbuf_new failed"); + + if ((r = sshbuf_put_u32(log_msg, 0)) != 0 || /* length; filled below */ + (r = sshbuf_put_u32(log_msg, level)) != 0 || + (r = sshbuf_put_u32(log_msg, forced)) != 0 || + (r = sshbuf_put_cstring(log_msg, msg)) != 0) + fatal_fr(r, "assemble"); + if ((len = sshbuf_len(log_msg)) < 4 || len > 0xffffffff) + fatal_f("bad length %zu", len); + POKE_U32(sshbuf_mutable_ptr(log_msg), len - 4); + if (atomicio(vwrite, *log_fd, + sshbuf_mutable_ptr(log_msg), len) != len) + fatal_f("write: %s", strerror(errno)); + sshbuf_free(log_msg); + + printf("Exited Log Handler\n"); +} + static void sftp_server_usage(void) { @@ -1743,6 +1780,8 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw) } log_init(__progname, log_level, log_facility, log_stderr); + + set_log_handler(log_handler, (void*)&log_send_fd); /* * On platforms where we can, avoid making /proc/self/{mem,maps} From 0c11ddfd1916a76a6cf5e19c07c153bdf872e911 Mon Sep 17 00:00:00 2001 From: Vivian Thiebaut Date: Tue, 25 May 2021 15:53:01 -0400 Subject: [PATCH 04/37] no [preauth] tag on post auth logs --- monitor.c | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) 
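Review bot: `log_handler` in the sftp-server.c `@@ -1641` hunk has external linkage under a very generic name, while the helpers around it are `static` (`sftp_server_usage` right after it, the `process_*` prototypes in the `@@ -89` context), and it is a line-for-line copy of `mm_log_handler` from monitor_wrap.c with `mon->m_log_sendfd` replaced by `*log_fd`. Make it `static`, and consider one shared implementation that takes the fd through its context pointer so the two senders cannot diverge in frame format. The `@@ -89` and `@@ -1743` hunks then install it unconditionally with fd 3 baked in via `static int log_send_fd = SFTP_SERVER_LOG_FD;`: when sftp-server is started by anything other than sshd's `do_exec_windows`, log frames are written to whatever is open on fd 3, and when nothing is, the first log call aborts in `atomicio` with `fatal_f("write: ...")`. The handler should be installed only when the parent has actually handed the channel over. `SFTP_SERVER_LOG_FD` also exists only in the Windows compat unistd.h, so as written this file no longer compiles on other platforms.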
diff --git a/monitor.c b/monitor.c index 7719dec778b6..44ddfa05ee3d 100644 --- a/monitor.c +++ b/monitor.c @@ -185,8 +185,8 @@ struct mon_table { #define MON_PERMIT 0x1000 /* Request is permitted */ static int monitor_read(struct ssh *, struct monitor *, struct mon_table *, - struct mon_table **); -static int monitor_read_log(struct monitor *); + struct mon_table **, int); +static int monitor_read_log(struct monitor *, int); struct mon_table mon_dispatch_proto20[] = { #ifdef WITH_OPENSSL @@ -301,7 +301,7 @@ monitor_child_preauth(struct ssh *ssh, struct monitor *pmonitor) auth2_authctxt_reset_info(authctxt); authenticated = (monitor_read(ssh, pmonitor, - mon_dispatch, &ent) == 1); + mon_dispatch, &ent, 1) == 1); /* Special handling for multiple required authentications */ if (options.num_auth_methods != 0) { @@ -361,7 +361,7 @@ monitor_child_preauth(struct ssh *ssh, struct monitor *pmonitor) mm_get_keystate(ssh, pmonitor); /* Drain any buffered messages from the child */ - while (pmonitor->m_log_recvfd != -1 && monitor_read_log(pmonitor) == 0) + while (pmonitor->m_log_recvfd != -1 && monitor_read_log(pmonitor, 1) == 0) ; if (pmonitor->m_recvfd >= 0) @@ -410,11 +410,11 @@ monitor_child_postauth(struct ssh *ssh, struct monitor *pmonitor) } for (;;) - monitor_read(ssh, pmonitor, mon_dispatch, NULL); + monitor_read(ssh, pmonitor, mon_dispatch, NULL, 0); } static int -monitor_read_log(struct monitor *pmonitor) +monitor_read_log(struct monitor *pmonitor, int preauth) { struct sshbuf *logmsg; u_int len, level, forced; @@ -461,8 +461,12 @@ monitor_read_log(struct monitor *pmonitor) if (log_level_name(level) == NULL) fatal_f("invalid log level %u (corrupted message?)", level); - sshlogdirect(level, forced, "%s [preauth]", msg); - + + if (preauth) + sshlogdirect(level, forced, "%s [preauth]", msg); + else + sshlogdirect(level, forced, "%s", msg); + sshbuf_free(logmsg); free(msg); 
@@ -473,7 +477,7 @@ monitor_read_log(struct monitor *pmonitor) static int monitor_read(struct ssh *ssh, struct monitor *pmonitor, struct mon_table *ent, - struct mon_table **pent) + struct mon_table **pent, int preauth) { struct sshbuf *m; int r, ret; @@ -496,7 +500,7 @@ monitor_read(struct ssh *ssh, struct monitor *pmonitor, struct mon_table *ent, * Drain all log messages before processing next * monitor request. */ - monitor_read_log(pmonitor); + monitor_read_log(pmonitor, preauth); continue; } if (pfd[0].revents) From 97856dee28bb58dcd70fd906357eaea202349ea6 Mon Sep 17 00:00:00 2001 From: Vivian Thiebaut Date: Wed, 26 May 2021 12:23:36 -0400 Subject: [PATCH 05/37] removed print statements --- monitor_wrap.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/monitor_wrap.c b/monitor_wrap.c index 5be7ef3be437..c30e2a2c069d 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c @@ -89,7 +89,6 @@ mm_log_handler(LogLevel level, int forced, const char *msg, void *ctx) int r; size_t len; - printf("Entered Log Handler\n"); if (mon->m_log_sendfd == -1) fatal_f("no log channel"); @@ -109,7 +108,6 @@ mm_log_handler(LogLevel level, int forced, const char *msg, void *ctx) fatal_f("write: %s", strerror(errno)); sshbuf_free(log_msg); - printf("Exited Log Handler\n"); } int From 06c5a17b01d09756a2c1bc008d4f2f561f8a4321 Mon Sep 17 00:00:00 2001 From: Vivian Thiebaut Date: Wed, 26 May 2021 12:36:19 -0400 Subject: [PATCH 06/37] Removed all debug print statements --- contrib/win32/win32compat/w32fd.c | 2 -- monitor.c | 7 ------- monitor_wrap.c | 1 - 3 files changed, 10 deletions(-) diff --git a/contrib/win32/win32compat/w32fd.c b/contrib/win32/win32compat/w32fd.c index 9ec182c2d973..de2274364c0e 100644 --- a/contrib/win32/win32compat/w32fd.c +++ b/contrib/win32/win32compat/w32fd.c 
@@ -91,7 +91,6 @@ fd_table_initialize() /* table entries representing std in, out and error*/ DWORD wh_index[] = { STD_INPUT_HANDLE , STD_OUTPUT_HANDLE , STD_ERROR_HANDLE }; int fd_num = 0; - printf("Entering: %s\n", __func__); memset(&fd_table, 0, sizeof(fd_table)); /* prepare std io fds */ @@ -107,7 +106,6 @@ fd_table_initialize() pio->type = NONSOCK_SYNC_FD; pio->handle = wh; fd_table_set(pio, fd_num); - printf("FD:%d is allocated\n", fd_num); } } diff --git a/monitor.c b/monitor.c index 44ddfa05ee3d..4891650d92f4 100644 --- a/monitor.c +++ b/monitor.c @@ -422,8 +422,6 @@ monitor_read_log(struct monitor *pmonitor, int preauth) u_char *p; int r; - printf("Entered Monitor Read Log\n"); - if ((logmsg = sshbuf_new()) == NULL) fatal_f("sshbuf_new"); @@ -451,7 +449,6 @@ monitor_read_log(struct monitor *pmonitor, int preauth) fatal_fr(r, "reserve msg"); if (atomicio(read, pmonitor->m_log_recvfd, p, len) != len) fatal_f("log fd read: %s", strerror(errno)); - printf("Monitor Logging Message\n"); if ((r = sshbuf_get_u32(logmsg, &level)) != 0 || (r = sshbuf_get_u32(logmsg, &forced)) != 0 || (r = sshbuf_get_cstring(logmsg, &msg, NULL)) != 0) @@ -470,8 +467,6 @@ monitor_read_log(struct monitor *pmonitor, int preauth) sshbuf_free(logmsg); free(msg); - printf("Exited Monitor Read Log\n"); - return 0; } @@ -1898,11 +1893,9 @@ monitor_openfds(struct monitor *mon, int do_logfds) FD_CLOSEONEXEC(pair[1]); mon->m_log_recvfd = pair[0]; mon->m_log_sendfd = pair[1]; - printf("Created Log FDs\n"); } else { mon->m_log_recvfd = mon->m_log_sendfd = -1; - printf("Not creating Log FDs\n"); } } diff --git a/monitor_wrap.c b/monitor_wrap.c index c30e2a2c069d..748333c75e59 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c @@ -107,7 +107,6 @@ mm_log_handler(LogLevel level, int forced, const char *msg, void *ctx) sshbuf_mutable_ptr(log_msg), len) != len) fatal_f("write: %s", strerror(errno)); sshbuf_free(log_msg); - } int From 407b56327d2c865011c626819198d52f81e3e4ad Mon Sep 17 00:00:00 2001 
From: Vivian Thiebaut Date: Wed, 26 May 2021 12:38:47 -0400 Subject: [PATCH 07/37] Another lost print statement --- sftp-server.c | 2 -- 1 file changed, 2 deletions(-) diff --git a/sftp-server.c b/sftp-server.c index a98b115ad3dc..fa801473f471 100644 --- a/sftp-server.c +++ b/sftp-server.c @@ -1655,7 +1655,6 @@ log_handler(LogLevel level, int forced, const char* msg, void* ctx) int r; size_t len; - printf("Entered Log Handler\n"); if (*log_fd == -1) fatal_f("no log channel"); @@ -1675,7 +1674,6 @@ log_handler(LogLevel level, int forced, const char* msg, void* ctx) fatal_f("write: %s", strerror(errno)); sshbuf_free(log_msg); - printf("Exited Log Handler\n"); } static void From 292756c98643252f1faad83380abb2c3198482e6 Mon Sep 17 00:00:00 2001 From: Vivian Thiebaut Date: Thu, 27 May 2021 14:57:51 -0400 Subject: [PATCH 08/37] Changes based on review. Pre-auth tag still printed for all logs that go through monitor --- contrib/win32/win32compat/w32-doexec.c | 11 ++++++++-- monitor.c | 29 ++++++++++++-------------- sftp-server.c | 4 ++-- sshd.c | 2 ++ 4 files changed, 26 insertions(+), 20 deletions(-) diff --git a/contrib/win32/win32compat/w32-doexec.c b/contrib/win32/win32compat/w32-doexec.c index 2129fe5a8459..0700d0246356 100644 --- a/contrib/win32/win32compat/w32-doexec.c +++ b/contrib/win32/win32compat/w32-doexec.c 
@@ -396,12 +396,19 @@ int do_exec_windows(struct ssh *ssh, Session *s, const char *command, int pty) { if (posix_spawn_file_actions_init(&actions) != 0 || posix_spawn_file_actions_adddup2(&actions, pipein[0], STDIN_FILENO) != 0 || posix_spawn_file_actions_adddup2(&actions, pipeout[1], STDOUT_FILENO) != 0 || - posix_spawn_file_actions_adddup2(&actions, pipeerr[1], STDERR_FILENO) != 0 || - posix_spawn_file_actions_adddup2(&actions, STDERR_FILENO + 2, SFTP_SERVER_LOG_FD) != 0) { + posix_spawn_file_actions_adddup2(&actions, pipeerr[1], STDERR_FILENO) != 0) { errno = EOTHER; error("posix_spawn initialization failed"); goto cleanup; } + + if(strcmp(s->subsys, "sftp") == 0) + if (posix_spawn_file_actions_adddup2(&actions, STDERR_FILENO + 2, SFTP_SERVER_LOG_FD) != 0) { + errno = EOTHER; + error("posix_spawn initialization failed"); + goto cleanup; + } + if (posix_spawn(&pid, spawn_argv[0], &actions, NULL, spawn_argv, NULL) != 0) { errno = EOTHER; error("posix_spawn: %s", strerror(errno)); diff --git a/monitor.c b/monitor.c index 4891650d92f4..fb5ab79a2783 100644 --- a/monitor.c +++ b/monitor.c @@ -185,8 +185,8 @@ struct mon_table { #define MON_PERMIT 0x1000 /* Request is permitted */ static int monitor_read(struct ssh *, struct monitor *, struct mon_table *, - struct mon_table **, int); -static int monitor_read_log(struct monitor *, int); + struct mon_table **); +static int monitor_read_log(struct monitor *); struct mon_table mon_dispatch_proto20[] = { #ifdef WITH_OPENSSL @@ -301,7 +301,7 @@ monitor_child_preauth(struct ssh *ssh, struct monitor *pmonitor) auth2_authctxt_reset_info(authctxt); authenticated = (monitor_read(ssh, pmonitor, - mon_dispatch, &ent, 1) == 1); + mon_dispatch, &ent) == 1); /* Special handling for multiple required authentications */ if (options.num_auth_methods != 0) { 
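Review bot: `strcmp(s->subsys, "sftp")` in the w32-doexec.c hunk dereferences `s->subsys` with no NULL check; for shell and exec sessions the subsystem name is normally left unset, so unless the Session initialisation guarantees otherwise (not visible here) this is a NULL dereference on every non-subsystem login. Guard it as `if (s->subsys != NULL && strcmp(s->subsys, "sftp") == 0) {` and brace the nested `if` so the error path cannot be misread as belonging to the outer condition. Restricting the log-fd handover to the sftp subsystem is the right move, since it stops arbitrary user commands from inheriting the monitor's log channel.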
@@ -361,7 +361,7 @@ monitor_child_preauth(struct ssh *ssh, struct monitor *pmonitor) mm_get_keystate(ssh, pmonitor); /* Drain any buffered messages from the child */ - while (pmonitor->m_log_recvfd != -1 && monitor_read_log(pmonitor, 1) == 0) + while (pmonitor->m_log_recvfd != -1 && monitor_read_log(pmonitor) == 0) ; if (pmonitor->m_recvfd >= 0) @@ -410,11 +410,11 @@ monitor_child_postauth(struct ssh *ssh, struct monitor *pmonitor) } for (;;) - monitor_read(ssh, pmonitor, mon_dispatch, NULL, 0); + monitor_read(ssh, pmonitor, mon_dispatch, NULL); } static int -monitor_read_log(struct monitor *pmonitor, int preauth) +monitor_read_log(struct monitor *pmonitor) { struct sshbuf *logmsg; u_int len, level, forced; @@ -458,12 +458,8 @@ monitor_read_log(struct monitor *pmonitor, int preauth) if (log_level_name(level) == NULL) fatal_f("invalid log level %u (corrupted message?)", level); - - if (preauth) - sshlogdirect(level, forced, "%s [preauth]", msg); - else - sshlogdirect(level, forced, "%s", msg); - + + sshlogdirect(level, forced, "%s [preauth]", msg); sshbuf_free(logmsg); free(msg); @@ -472,7 +468,7 @@ monitor_read_log(struct monitor *pmonitor, int preauth) static int monitor_read(struct ssh *ssh, struct monitor *pmonitor, struct mon_table *ent, - struct mon_table **pent, int preauth) + struct mon_table **pent) { struct sshbuf *m; int r, ret; @@ -495,7 +491,7 @@ monitor_read(struct ssh *ssh, struct monitor *pmonitor, struct mon_table *ent, * Drain all log messages before processing next * monitor request. */ - monitor_read_log(pmonitor, preauth); + monitor_read_log(pmonitor); continue; } if (pfd[0].revents) @@ -1893,8 +1889,7 @@ monitor_openfds(struct monitor *mon, int do_logfds) FD_CLOSEONEXEC(pair[1]); mon->m_log_recvfd = pair[0]; mon->m_log_sendfd = pair[1]; - } - else { + } else { mon->m_log_recvfd = mon->m_log_sendfd = -1; } } 
@@ -1918,11 +1913,13 @@ monitor_reinit(struct monitor *mon) monitor_openfds(mon, 0); } +#ifdef WINDOWS void monitor_reinit_withlogs(struct monitor* mon) { monitor_openfds(mon, 1); } +#endif #ifdef GSSAPI int diff --git a/sftp-server.c b/sftp-server.c index fa801473f471..f64256feb038 100644 --- a/sftp-server.c +++ b/sftp-server.c @@ -1778,9 +1778,9 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw) } log_init(__progname, log_level, log_facility, log_stderr); - +#ifdef WINDOWS set_log_handler(log_handler, (void*)&log_send_fd); - +#endif /* * On platforms where we can, avoid making /proc/self/{mem,maps} * available to the user so that sftp access doesn't automatically diff --git a/sshd.c b/sshd.c index 05cea4817d51..83aef113e63a 100644 --- a/sshd.c +++ b/sshd.c @@ -198,6 +198,8 @@ int privsep_auth_child = 0; int io_sock_in = 0; int io_sock_out = 0; +int auth_child_spwaned = 0; + /* * Any really sensitive data in the application is contained in this * structure. The idea is that this structure could be locked into memory so From 6a9b29d23b2168ea47a82b705378b1b4c3f16fba Mon Sep 17 00:00:00 2001 From: Vivian Thiebaut Date: Thu, 27 May 2021 15:02:14 -0400 Subject: [PATCH 09/37] Few mistakes left behind --- monitor.h | 3 ++- sshd.c | 2 -- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/monitor.h b/monitor.h index ef479b87bea6..a9562c5f3951 100644 --- a/monitor.h +++ b/monitor.h @@ -78,8 +78,9 @@ struct monitor { struct monitor *monitor_init(void); void monitor_reinit(struct monitor *); +#ifdef WINDOWS void monitor_reinit_withlogs(struct monitor*); - +#endif struct Authctxt; void monitor_child_preauth(struct ssh *, struct monitor *); void monitor_child_postauth(struct ssh *, struct monitor *); diff --git a/sshd.c b/sshd.c index 83aef113e63a..05cea4817d51 100644 --- a/sshd.c +++ b/sshd.c 
@@ -198,8 +198,6 @@ int privsep_auth_child = 0; int io_sock_in = 0; int io_sock_out = 0; -int auth_child_spwaned = 0; - /* * Any really sensitive data in the application is contained in this * structure. The idea is that this structure could be locked into memory so From 848ff9b93ec42702b44fed1f211508824bd9901b Mon Sep 17 00:00:00 2001 From: Vivian Thiebaut Date: Thu, 27 May 2021 15:16:35 -0400 Subject: [PATCH 10/37] Added some ifed windows blocks in sshd.c --- sshd.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/sshd.c b/sshd.c index 05cea4817d51..3daa22d1d1a8 100644 --- a/sshd.c +++ b/sshd.c @@ -136,7 +136,12 @@ #define PRIVSEP_MONITOR_FD (STDERR_FILENO + 1) #define PRIVSEP_LOG_FD (STDERR_FILENO + 2) #define PRIVSEP_UNAUTH_MIN_FREE_FD (PRIVSEP_LOG_FD + 1) + +#ifdef WINDOWS #define PRIVSEP_AUTH_MIN_FREE_FD (PRIVSEP_LOG_FD + 1) +#else +#define PRIVSEP_AUTH_MIN_FREE_FD (PRIVSEP_MONITOR_FD + 1) +#endif extern char *__progname; @@ -878,7 +883,11 @@ privsep_postauth(struct ssh *ssh, Authctxt *authctxt) } /* New socket pair */ +#ifdef WINDOWS monitor_reinit_withlogs(pmonitor); +#else + monitor_reinit(pmonitor); +#endif #ifdef FORK_NOT_SUPPORTED if (!privsep_auth_child) { /* parent */ From 4a94b4daee71846ec9f631af4d4871ca1f817705 Mon Sep 17 00:00:00 2001 From: Vivian Thiebaut Date: Thu, 27 May 2021 15:26:03 -0400 Subject: [PATCH 11/37] simple fix --- monitor.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/monitor.c b/monitor.c index fb5ab79a2783..87e62237e50b 100644 --- a/monitor.c +++ b/monitor.c @@ -1889,9 +1889,8 @@ monitor_openfds(struct monitor *mon, int do_logfds) FD_CLOSEONEXEC(pair[1]); mon->m_log_recvfd = pair[0]; mon->m_log_sendfd = pair[1]; - } else { + } else mon->m_log_recvfd = mon->m_log_sendfd = -1; - } } #define MM_MEMSIZE 65536 From 60a0e806528a45caf00c805c7e670a81a73689d1 Mon Sep 17 00:00:00 2001 
From: Vivian Thiebaut Date: Thu, 27 May 2021 18:54:13 -0400 Subject: [PATCH 12/37] Fix bash error and other changes --- contrib/win32/openssh/config.h.vs | 1 + contrib/win32/win32compat/w32-doexec.c | 3 ++- sftp-server.c | 11 +++++------ 3 files changed, 8 insertions(+), 7 deletions(-) diff --git a/contrib/win32/openssh/config.h.vs b/contrib/win32/openssh/config.h.vs index 42c1301b0019..3fa418fe3946 100644 --- a/contrib/win32/openssh/config.h.vs +++ b/contrib/win32/openssh/config.h.vs @@ -1710,6 +1710,7 @@ #define _PATH_LS "dir" #define _PATH_DEVNULL "NUL" #define FORK_NOT_SUPPORTED +#define PRIVSEP_AUTH_CHILD_LOG_NOT_SUPPORTED #define HAVE_FREEZERO #define FILESYSTEM_NO_BACKSLASH #define HAVE_LOCALTIME_R diff --git a/contrib/win32/win32compat/w32-doexec.c b/contrib/win32/win32compat/w32-doexec.c index 0700d0246356..e3a94de744a2 100644 --- a/contrib/win32/win32compat/w32-doexec.c +++ b/contrib/win32/win32compat/w32-doexec.c @@ -402,7 +402,8 @@ int do_exec_windows(struct ssh *ssh, Session *s, const char *command, int pty) { goto cleanup; } - if(strcmp(s->subsys, "sftp") == 0) + //Passing the PRIVSEP_LOG_FD (STDERR_FILENO + 2) to sftp-server for logging + if(strstr(exec_command, "sftp-server.exe")) if (posix_spawn_file_actions_adddup2(&actions, STDERR_FILENO + 2, SFTP_SERVER_LOG_FD) != 0) { errno = EOTHER; error("posix_spawn initialization failed"); diff --git a/sftp-server.c b/sftp-server.c index f64256feb038..9075db97232b 100644 --- a/sftp-server.c +++ b/sftp-server.c @@ -51,9 +51,9 @@ #include "sftp.h" #include "sftp-common.h" - +#ifdef WINDOWS #include "atomicio.h" - +#endif char *sftp_realpath(const char *, char *); /* sftp-realpath.c */ /* Maximum data read that we are willing to accept */ @@ -92,9 +92,6 @@ struct Stat { }; -static int log_send_fd = SFTP_SERVER_LOG_FD; - - /* Packet handlers */ static void process_open(u_int32_t id); static void process_close(u_int32_t id); 
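Review bot: `PRIVSEP_AUTH_CHILD_LOG_NOT_SUPPORTED` in the config.h.vs hunk is defined on the platform that gains the post-auth log channel, so every `#ifdef` on it in the following patches (the `monitor_reinit_withlogs` definition, the extra `adddup2`, the sftp-server handler) enables code under a name that says the feature is unsupported. Readers will invert it; if the intended meaning is "the post-auth child cannot log directly, so route through the monitor", say so at the definition, e.g. `/* post-auth privsep child cannot log on its own; hand it a log fd to the monitor */`, or choose a name describing what the define enables.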
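Review bot: `strstr(exec_command, "sftp-server.exe")` in the w32-doexec.c hunk is a substring match on the command line, so if `exec_command` can carry a user-supplied command for exec requests (this function appears to handle those too, given the `pty` parameter and the `s->subsys` check it replaces), any command whose text merely contains `sftp-server.exe` inherits fd 4, the write end of the privileged monitor's log channel. That re-opens what patch 08 closed: an untrusted process feeding `monitor_read_log` and spoofing sshd log lines. Match the configured subsystem exactly (compare the resolved subsystem path, or keep a `s->subsys != NULL && strcmp(...)` check) rather than a substring, and use `/* ... */` for the comment to match the file. The enclosing function continues outside the hunk.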
@@ -1779,7 +1776,9 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw) log_init(__progname, log_level, log_facility, log_stderr); #ifdef WINDOWS - set_log_handler(log_handler, (void*)&log_send_fd); + int log_send_fd = SFTP_SERVER_LOG_FD; + if (fcntl(log_send_fd, F_SETFD, FD_CLOEXEC) != -1) + set_log_handler(log_handler, (void*)&log_send_fd); #endif /* * On platforms where we can, avoid making /proc/self/{mem,maps} From b3d3e219a18b5aa74d930e9f7575f340f33162ab Mon Sep 17 00:00:00 2001 From: Vivian Thiebaut Date: Fri, 28 May 2021 11:12:18 -0400 Subject: [PATCH 13/37] isolated my changes with ifdef blocks --- contrib/win32/win32compat/w32fd.c | 1 + monitor.c | 4 ++-- monitor.h | 2 +- sftp-server.c | 4 ++-- sshd.c | 20 +++++++++++++------- 5 files changed, 19 insertions(+), 12 deletions(-) diff --git a/contrib/win32/win32compat/w32fd.c b/contrib/win32/win32compat/w32fd.c index de2274364c0e..85465c703be3 100644 --- a/contrib/win32/win32compat/w32fd.c +++ b/contrib/win32/win32compat/w32fd.c @@ -91,6 +91,7 @@ fd_table_initialize() /* table entries representing std in, out and error*/ DWORD wh_index[] = { STD_INPUT_HANDLE , STD_OUTPUT_HANDLE , STD_ERROR_HANDLE }; int fd_num = 0; + memset(&fd_table, 0, sizeof(fd_table)); /* prepare std io fds */ diff --git a/monitor.c b/monitor.c index 87e62237e50b..d6319ae5e918 100644 --- a/monitor.c +++ b/monitor.c @@ -458,8 +458,8 @@ monitor_read_log(struct monitor *pmonitor) if (log_level_name(level) == NULL) fatal_f("invalid log level %u (corrupted message?)", level); - sshlogdirect(level, forced, "%s [preauth]", msg); + sshbuf_free(logmsg); free(msg); @@ -1912,7 +1912,7 @@ monitor_reinit(struct monitor *mon) monitor_openfds(mon, 0); } -#ifdef WINDOWS +#ifdef PRIVSEP_AUTH_CHILD_LOG_NOT_SUPPORTED void monitor_reinit_withlogs(struct monitor* mon) { diff --git a/monitor.h b/monitor.h index a9562c5f3951..ab8f0ca0db30 100644 --- a/monitor.h +++ b/monitor.h 
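Review bot: In the sftp-server.c hunk the `fcntl(log_send_fd, F_SETFD, FD_CLOEXEC) != -1` test only proves that fd 3 is open, not that it is the log pipe handed over by sshd; when sftp-server is started by another parent with an inherited fd 3, every log message is written as a length-prefixed frame into that unrelated descriptor. A comment stating the contract, `/* fd 3 is the monitor log channel dup'd in by do_exec_windows; install the handler only if it is open */`, would at least record the assumption, and an explicit signal from the parent (argv or environment) would make the check sound. `log_send_fd` is now a local whose address is kept by `set_log_handler`; that is only valid because `sftp_server_main` does not return while logging can still happen, which lies outside the hunk and deserves a note next to the declaration.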
@@ -78,7 +78,7 @@ struct monitor { struct monitor *monitor_init(void); void monitor_reinit(struct monitor *); -#ifdef WINDOWS +#ifdef PRIVSEP_AUTH_CHILD_LOG_NOT_SUPPORTED void monitor_reinit_withlogs(struct monitor*); #endif struct Authctxt; diff --git a/sftp-server.c b/sftp-server.c index 9075db97232b..31ca53886ba6 100644 --- a/sftp-server.c +++ b/sftp-server.c @@ -51,7 +51,7 @@ #include "sftp.h" #include "sftp-common.h" -#ifdef WINDOWS +#ifdef PRIVSEP_AUTH_CHILD_LOG_NOT_SUPPORTED #include "atomicio.h" #endif char *sftp_realpath(const char *, char *); /* sftp-realpath.c */ @@ -1775,7 +1775,7 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw) } log_init(__progname, log_level, log_facility, log_stderr); -#ifdef WINDOWS +#ifdef PRIVSEP_AUTH_CHILD_LOG_NOT_SUPPORTED int log_send_fd = SFTP_SERVER_LOG_FD; if (fcntl(log_send_fd, F_SETFD, FD_CLOEXEC) != -1) set_log_handler(log_handler, (void*)&log_send_fd); diff --git a/sshd.c b/sshd.c index 3daa22d1d1a8..0c47d58e7b20 100644 --- a/sshd.c +++ b/sshd.c @@ -137,7 +137,7 @@ #define PRIVSEP_LOG_FD (STDERR_FILENO + 2) #define PRIVSEP_UNAUTH_MIN_FREE_FD (PRIVSEP_LOG_FD + 1) -#ifdef WINDOWS +#ifdef PRIVSEP_AUTH_CHILD_LOG_NOT_SUPPORTED #define PRIVSEP_AUTH_MIN_FREE_FD (PRIVSEP_LOG_FD + 1) #else #define PRIVSEP_AUTH_MIN_FREE_FD (PRIVSEP_MONITOR_FD + 1) @@ -883,7 +883,7 @@ privsep_postauth(struct ssh *ssh, Authctxt *authctxt) } /* New socket pair */ -#ifdef WINDOWS +#ifdef PRIVSEP_AUTH_CHILD_LOG_NOT_SUPPORTED monitor_reinit_withlogs(pmonitor); #else monitor_reinit(pmonitor); 
@@ -896,10 +896,14 @@ privsep_postauth(struct ssh *ssh, Authctxt *authctxt) if (posix_spawn_file_actions_init(&actions) != 0 || posix_spawn_file_actions_adddup2(&actions, io_sock_in, STDIN_FILENO) != 0 || posix_spawn_file_actions_adddup2(&actions, io_sock_out, STDOUT_FILENO) != 0 || - posix_spawn_file_actions_adddup2(&actions, pmonitor->m_recvfd, PRIVSEP_MONITOR_FD) != 0 || - posix_spawn_file_actions_adddup2(&actions, pmonitor->m_log_sendfd, PRIVSEP_LOG_FD) != 0) + posix_spawn_file_actions_adddup2(&actions, pmonitor->m_recvfd, PRIVSEP_MONITOR_FD) != 0) fatal("posix_spawn initialization failed"); +#ifdef PRIVSEP_AUTH_CHILD_LOG_NOT_SUPPORTED + if (posix_spawn_file_actions_adddup2(&actions, pmonitor->m_log_sendfd, PRIVSEP_LOG_FD) != 0) + fatal("posix_spawn initialization failed"); +#endif + { char** argv = privsep_child_cmdline(1); if (__posix_spawn_asuser(&pmonitor->m_pid, argv[0], &actions, NULL, argv, NULL, authctxt->pw->pw_name) != 0) @@ -923,16 +927,18 @@ privsep_postauth(struct ssh *ssh, Authctxt *authctxt) /* child */ close(pmonitor->m_sendfd); close(pmonitor->m_recvfd); + pmonitor->m_recvfd = PRIVSEP_MONITOR_FD; + fcntl(pmonitor->m_recvfd, F_SETFD, FD_CLOEXEC); + +#ifdef PRIVSEP_AUTH_CHILD_LOG_NOT_SUPPORTED close(pmonitor->m_log_recvfd); close(pmonitor->m_log_sendfd); - - pmonitor->m_recvfd = PRIVSEP_MONITOR_FD; pmonitor->m_log_sendfd = PRIVSEP_LOG_FD; - fcntl(pmonitor->m_recvfd, F_SETFD, FD_CLOEXEC); fcntl(pmonitor->m_log_sendfd, F_SETFD, FD_CLOEXEC); /* Arrange for logging to be sent to the monitor */ set_log_handler(mm_log_handler, pmonitor); +#endif monitor_recv_keystate(pmonitor); From 7dfd466fe51470dd86c5f1c1f714229ff4d6d324 Mon Sep 17 00:00:00 2001 From: Vivian Thiebaut Date: Fri, 28 May 2021 11:22:29 -0400 Subject: [PATCH 14/37] Erasing unnecessary changes --- contrib/win32/win32compat/w32fd.c | 2 +- sftp-server.c | 1 - sshd.c | 1 - 3 files changed, 1 insertion(+), 3 deletions(-) 
diff --git a/contrib/win32/win32compat/w32fd.c b/contrib/win32/win32compat/w32fd.c index 85465c703be3..01f590169319 100644 --- a/contrib/win32/win32compat/w32fd.c +++ b/contrib/win32/win32compat/w32fd.c @@ -91,7 +91,7 @@ fd_table_initialize() /* table entries representing std in, out and error*/ DWORD wh_index[] = { STD_INPUT_HANDLE , STD_OUTPUT_HANDLE , STD_ERROR_HANDLE }; int fd_num = 0; - + memset(&fd_table, 0, sizeof(fd_table)); /* prepare std io fds */ diff --git a/sftp-server.c b/sftp-server.c index 31ca53886ba6..89b8331cfeac 100644 --- a/sftp-server.c +++ b/sftp-server.c @@ -91,7 +91,6 @@ struct Stat { Attrib attrib; }; - /* Packet handlers */ static void process_open(u_int32_t id); static void process_close(u_int32_t id); diff --git a/sshd.c b/sshd.c index 0c47d58e7b20..429e0589c319 100644 --- a/sshd.c +++ b/sshd.c @@ -923,7 +923,6 @@ privsep_postauth(struct ssh *ssh, Authctxt *authctxt) /* NEVERREACHED */ exit(0); } - /* child */ close(pmonitor->m_sendfd); close(pmonitor->m_recvfd); From 8022d0a2559bbb439c0c2ead51c13ff226c72790 Mon Sep 17 00:00:00 2001 From: Vivian Thiebaut Date: Fri, 28 May 2021 16:34:22 -0400 Subject: [PATCH 15/37] Only user [preauth] tag on preauth child logs --- monitor.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/monitor.c b/monitor.c index d6319ae5e918..614350bb2213 100644 --- a/monitor.c +++ b/monitor.c @@ -458,8 +458,12 @@ monitor_read_log(struct monitor *pmonitor) if (log_level_name(level) == NULL) fatal_f("invalid log level %u (corrupted message?)", level); - sshlogdirect(level, forced, "%s [preauth]", msg); + if (authctxt->authenticated == 0) + sshlogdirect(level, forced, "%s [preauth]", msg); + else + sshlogdirect(level, forced, "%s", msg); + sshbuf_free(logmsg); free(msg); From 34f502224f5b198f3c5b67bbc8723b92cd0b5856 Mon Sep 17 00:00:00 2001 
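Review bot: `authctxt->authenticated == 0` in the monitor.c hunk decides the `[preauth]` tag from authentication state rather than from which child wrote the message, and it dereferences a file-scope `authctxt` that the hunk does not show being assigned; if `monitor_read_log` can run before that assignment, this is a NULL dereference where the previous unconditional `sshlogdirect` was safe. Please confirm the assignment precedes the first log read, and add `/* messages drained before authentication completes come from the pre-auth child */` so the next reader knows why a state flag stands in for a per-child parameter.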
From: Vivian Thiebaut Date: Tue, 1 Jun 2021 14:16:38 -0400 Subject: [PATCH 16/37] Log sftp-server messages in the correct file --- contrib/win32/win32compat/w32log.c | 53 +++++++++++++++++++++++------- monitor.c | 27 +++++++++++++-- monitor_wrap.c | 1 + sftp-server.c | 10 ++++-- sshd.c | 4 +++ 5 files changed, 78 insertions(+), 17 deletions(-) diff --git a/contrib/win32/win32compat/w32log.c b/contrib/win32/win32compat/w32log.c index 93ef082131c4..52b7f904bf0f 100644 --- a/contrib/win32/win32compat/w32log.c +++ b/contrib/win32/win32compat/w32log.c @@ -40,6 +40,7 @@ #define MSGBUFSIZ 1024 static int logfd = -1; +static int sftp_server_logfd = -1; const char* identity = NULL; int log_facility = 0; @@ -85,14 +86,16 @@ syslog_etw(int priority, const char *format, const char *formatBuffer) free(w_payload); } - /* * log file location will be - "%programData%\\openssh\\logs\\.log" */ void openlog_file() { - if (logfd != -1) + if (strcmp(identity, "sshd") == 0 && logfd != -1) + return; + + if (strcmp(identity, "sftp-server") == 0 && sftp_server_logfd != -1) return; wchar_t *logs_dir = L"\\logs\\"; 
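Review bot: `openlog_file` in the w32log.c `@@ -85` hunk now calls `strcmp(identity, ...)` twice, while the `@@ -40` hunk's context shows `identity` initialised to `NULL`; if `openlog_file` can be entered before whatever sets `identity` has run (not visible here), this is a NULL dereference where the old `logfd != -1` test was safe. A guard `if (identity == NULL) return;` at the top preserves the previous behaviour. The same identity-string dispatch is repeated in `syslog_file` in the next hunk; a small `static int *current_logfd(void)` helper returning `&sftp_server_logfd` or `&logfd` would keep the two places from drifting apart.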
@@ -115,16 +118,36 @@ openlog_file() wcscat_s(ssh_cfg_path, _countof(ssh_cfg_path), L"\\ssh"); /* "%programData%\\ssh" */ if ((wcsncat_s(log_file, PATH_MAX + 12, ssh_cfg_path, wcslen(ssh_cfg_path)) != 0) || - (wcsncat_s(log_file, PATH_MAX + 12, logs_dir, 6) != 0) || - (wcsncat_s(log_file, PATH_MAX + 12, tail + 1, wcslen(tail + 1) - 3) != 0 ) || - (wcsncat_s(log_file, PATH_MAX + 12, L"log", 3) != 0)) + (wcsncat_s(log_file, PATH_MAX + 12, logs_dir, 6) != 0)) return; + + if (strcmp(identity, "sftp-server") == 0) { + wchar_t* id = utf8_to_utf16(identity); + if ((wcsncat_s(log_file, PATH_MAX + 12, id, wcslen(id)) != 0) || + (wcsncat_s(log_file, PATH_MAX + 12, L".log", 4) != 0)) { + free(id); + return; + } + free(id); + } + + if (strcmp(identity, "sshd") == 0) + if ((wcsncat_s(log_file, PATH_MAX + 12, tail + 1, wcslen(tail + 1) - 3) != 0) || + (wcsncat_s(log_file, PATH_MAX + 12, L"log", 3) != 0)) + return; + } - errno_t err = _wsopen_s(&logfd, log_file, O_WRONLY | O_CREAT | O_APPEND, SH_DENYNO, S_IREAD | S_IWRITE); - - if (logfd != -1) - SetHandleInformation((HANDLE)_get_osfhandle(logfd), HANDLE_FLAG_INHERIT, 0); + errno_t err; + if (strcmp(identity, "sftp-server") == 0) { + err = _wsopen_s(&sftp_server_logfd, log_file, O_WRONLY | O_CREAT | O_APPEND, SH_DENYNO, S_IREAD | S_IWRITE); + if (sftp_server_logfd != -1) + SetHandleInformation((HANDLE)_get_osfhandle(sftp_server_logfd), HANDLE_FLAG_INHERIT, 0); + } else { + err = _wsopen_s(&logfd, log_file, O_WRONLY | O_CREAT | O_APPEND, SH_DENYNO, S_IREAD | S_IWRITE); + if (logfd != -1) + SetHandleInformation((HANDLE)_get_osfhandle(logfd), HANDLE_FLAG_INHERIT, 0); + } } void @@ -133,8 +156,14 @@ syslog_file(int priority, const char *format, const char *formatBuffer) char msgbufTimestamp[MSGBUFSIZ]; SYSTEMTIME st; int r; + int msg_fd; + + if (strcmp(identity, "sftp-server") == 0) + msg_fd = sftp_server_logfd; + else + msg_fd = logfd; - if (logfd == -1) + if (msg_fd == -1) return; GetLocalTime(&st); 
@@ -142,11 +171,11 @@ syslog_file(int priority, const char *format, const char *formatBuffer) GetCurrentProcessId(), st.wYear, st.wMonth, st.wDay, st.wHour, st.wMinute, st.wSecond, st.wMilliseconds, formatBuffer); if (r == -1) { - _write(logfd, "_snprintf_s failed.", 20); + _write(msg_fd, "_snprintf_s failed.", 20); return; } msgbufTimestamp[strnlen(msgbufTimestamp, MSGBUFSIZ)] = '\0'; - _write(logfd, msgbufTimestamp, (unsigned int)strnlen(msgbufTimestamp, MSGBUFSIZ)); + _write(msg_fd, msgbufTimestamp, (unsigned int)strnlen(msgbufTimestamp, MSGBUFSIZ)); } void diff --git a/monitor.c b/monitor.c index 614350bb2213..585b716fd7d7 100644 --- a/monitor.c +++ b/monitor.c @@ -106,6 +106,7 @@ extern ServerOptions options; extern u_int utmp_len; extern struct sshbuf *loginmsg; extern struct sshauthopt *auth_opts; /* XXX move to permanent ssh->authctxt? */ +extern int log_stderr; /* State exported from the child */ static struct sshbuf *child_state; @@ -419,9 +420,12 @@ monitor_read_log(struct monitor *pmonitor) struct sshbuf *logmsg; u_int len, level, forced; char *msg; + char *pname; u_char *p; int r; + u_int sftp_log_level, sftp_log_facility, sftp_log_stderr; + if ((logmsg = sshbuf_new()) == NULL) fatal_f("sshbuf_new"); @@ -449,6 +453,16 @@ monitor_read_log(struct monitor *pmonitor) fatal_fr(r, "reserve msg"); if (atomicio(read, pmonitor->m_log_recvfd, p, len) != len) fatal_f("log fd read: %s", strerror(errno)); + if ((r = sshbuf_get_cstring(logmsg, &pname, NULL)) != 0) + fatal_fr(r, "parse"); + + if (strcmp(pname, "sftp-server") == 0) { + if ((r = sshbuf_get_u32(logmsg, &sftp_log_level)) != 0 || + (r = sshbuf_get_u32(logmsg, &sftp_log_facility)) != 0 || + (r = sshbuf_get_u32(logmsg, &sftp_log_stderr)) != 0) + fatal_fr(r, "parse"); + } + if ((r = sshbuf_get_u32(logmsg, &level)) != 0 || (r = sshbuf_get_u32(logmsg, &forced)) != 0 || (r = sshbuf_get_cstring(logmsg, &msg, NULL)) != 0) 
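Review bot: `pname` is allocated by `sshbuf_get_cstring()` in the monitor.c hunk at @@ -449 and is never freed — the cleanup at the end of monitor_read_log() frees only `msg` — so every forwarded log message leaks a small allocation in the long-lived monitor process. Add `free(pname);` beside `free(msg);` (inside the same `#ifdef WINDOWS` once the declaration moves there). The leak survives the reorderings in patches 18 and 20 (the monitor.c hunks at @@ -453 and @@ -452 further down); the end of monitor_read_log() is outside this hunk.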
@@ -459,10 +473,17 @@ monitor_read_log(struct monitor *pmonitor) if (log_level_name(level) == NULL) fatal_f("invalid log level %u (corrupted message?)", level); - if (authctxt->authenticated == 0) + if (authctxt->authenticated == 0) sshlogdirect(level, forced, "%s [preauth]", msg); - else - sshlogdirect(level, forced, "%s", msg); + else { + if (strcmp(pname, "sftp-server") == 0) { + log_init(pname, sftp_log_level, sftp_log_facility, sftp_log_stderr); + sshlogdirect(level, forced, "%s", msg); + log_init(pname, options.log_level, options.log_facility, log_stderr); + } else + sshlogdirect(level, forced, "%s", msg); + } + sshbuf_free(logmsg); free(msg); diff --git a/monitor_wrap.c b/monitor_wrap.c index 748333c75e59..d0b7e318e7eb 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c @@ -96,6 +96,7 @@ mm_log_handler(LogLevel level, int forced, const char *msg, void *ctx) fatal_f("sshbuf_new failed"); if ((r = sshbuf_put_u32(log_msg, 0)) != 0 || /* length; filled below */ + (r = sshbuf_put_cstring(log_msg, "sshd")) != 0 || (r = sshbuf_put_u32(log_msg, level)) != 0 || (r = sshbuf_put_u32(log_msg, forced)) != 0 || (r = sshbuf_put_cstring(log_msg, msg)) != 0) diff --git a/sftp-server.c b/sftp-server.c index 89b8331cfeac..0a5ceb5ed6eb 100644 --- a/sftp-server.c +++ b/sftp-server.c @@ -61,6 +61,8 @@ char *sftp_realpath(const char *, char *); /* sftp-realpath.c */ /* Our verbosity */ static LogLevel log_level = SYSLOG_LEVEL_ERROR; +static SyslogFacility log_facility = SYSLOG_FACILITY_AUTH; +int log_stderr = 0; /* Our client */ static struct passwd *pw = NULL; 
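Review bot: `sftp_log_level` and `sftp_log_facility` come straight from the message written by the child process and are handed to `log_init()` unchecked, while `level` from the same message is validated with `log_level_name()` just above; what `log_init()` does with an out-of-range level or facility is not visible here, so the monitor's behaviour on a corrupted message depends on it. Mirror the existing check before the call, e.g. `if (log_level_name(sftp_log_level) == NULL || log_facility_name(sftp_log_facility) == NULL) fatal_f("invalid sftp log settings (corrupted message?)");`. Note also that this branch reinitialises the monitor's own logger twice per forwarded sftp message; whether log_init() reopens the log file on each call depends on the platform backend, which is outside this hunk.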
@@ -1658,6 +1660,10 @@ log_handler(LogLevel level, int forced, const char* msg, void* ctx) fatal_f("sshbuf_new failed"); if ((r = sshbuf_put_u32(log_msg, 0)) != 0 || /* length; filled below */ + (r = sshbuf_put_cstring(log_msg, __progname)) != 0 || + (r = sshbuf_put_u32(log_msg, log_level)) != 0 || + (r = sshbuf_put_u32(log_msg, log_facility)) != 0 || + (r = sshbuf_put_u32(log_msg, log_stderr)) != 0 || (r = sshbuf_put_u32(log_msg, level)) != 0 || (r = sshbuf_put_u32(log_msg, forced)) != 0 || (r = sshbuf_put_cstring(log_msg, msg)) != 0) @@ -1690,9 +1696,9 @@ int sftp_server_main(int argc, char **argv, struct passwd *user_pw) { fd_set *rset, *wset; - int i, r, in, out, max, ch, skipargs = 0, log_stderr = 0; + int i, r, in, out, max, ch, skipargs = 0; ssize_t len, olen, set_size; - SyslogFacility log_facility = SYSLOG_FACILITY_AUTH; + //SyslogFacility log_facility = SYSLOG_FACILITY_AUTH; char *cp, *homedir = NULL, uidstr[32], buf[4*4096]; long mask; diff --git a/sshd.c b/sshd.c index 429e0589c319..43b94a752b40 100644 --- a/sshd.c +++ b/sshd.c @@ -174,7 +174,11 @@ static int inetd_flag = 0; static int no_daemon_flag = 0; /* debug goes to stderr unless inetd_flag is set */ +#ifdef PRIVSEP_AUTH_CHILD_LOG_NOT_SUPPORTED +int log_stderr = 0; +#else static int log_stderr = 0; +#endif /* Saved arguments to main(). */ static char **saved_argv; From d0bd84df3bd2e9e4634f18a1fabe03eaf62ab5b4 Mon Sep 17 00:00:00 2001 From: Vivian Thiebaut Date: Tue, 1 Jun 2021 15:07:25 -0400 Subject: [PATCH 17/37] Make sure sshd logs don't get writen on sftp-server.log --- monitor.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/monitor.c b/monitor.c index 585b716fd7d7..bf7a5ddb1c66 100644 --- a/monitor.c +++ b/monitor.c 
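Review bot: the routing key sent here is `__progname`, while the receiving side (monitor.c, earlier hunk in this patch) only recognises the literal `"sftp-server"`; under any other invocation name the extra level/facility/stderr fields are silently ignored and the message is logged with sshd's settings. Worth a comment on this line, e.g. `/* must match the name monitor_read_log() compares against */`, or sending the literal as mm_log_handler() does with `"sshd"`. The enclosing log_handler() starts outside this hunk.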
@@ -479,7 +479,7 @@ monitor_read_log(struct monitor *pmonitor) if (strcmp(pname, "sftp-server") == 0) { log_init(pname, sftp_log_level, sftp_log_facility, sftp_log_stderr); sshlogdirect(level, forced, "%s", msg); - log_init(pname, options.log_level, options.log_facility, log_stderr); + log_init("sshd", options.log_level, options.log_facility, log_stderr); } else sshlogdirect(level, forced, "%s", msg); } From f56822bab63588985722ef55f0001bb122104289 Mon Sep 17 00:00:00 2001 From: Vivian Thiebaut Date: Wed, 2 Jun 2021 12:33:06 -0400 Subject: [PATCH 18/37] Corrections based on review --- contrib/win32/openssh/config.h.vs | 1 - contrib/win32/win32compat/w32log.c | 48 +++++++++++++++--------------- monitor.c | 22 +++++++++----- monitor.h | 2 +- monitor_wrap.c | 4 ++- sftp-server.c | 30 ++++++++++++------- sshd.c | 22 ++++++++------ 7 files changed, 75 insertions(+), 54 deletions(-) diff --git a/contrib/win32/openssh/config.h.vs b/contrib/win32/openssh/config.h.vs index 3fa418fe3946..42c1301b0019 100644 --- a/contrib/win32/openssh/config.h.vs +++ b/contrib/win32/openssh/config.h.vs @@ -1710,7 +1710,6 @@ #define _PATH_LS "dir" #define _PATH_DEVNULL "NUL" #define FORK_NOT_SUPPORTED -#define PRIVSEP_AUTH_CHILD_LOG_NOT_SUPPORTED #define HAVE_FREEZERO #define FILESYSTEM_NO_BACKSLASH #define HAVE_LOCALTIME_R diff --git a/contrib/win32/win32compat/w32log.c b/contrib/win32/win32compat/w32log.c index 52b7f904bf0f..c670e0a09afe 100644 --- a/contrib/win32/win32compat/w32log.c +++ b/contrib/win32/win32compat/w32log.c @@ -92,12 +92,12 @@ syslog_etw(int priority, const char *format, const char *formatBuffer) void openlog_file() { - if (strcmp(identity, "sshd") == 0 && logfd != -1) - return; - if (strcmp(identity, "sftp-server") == 0 && sftp_server_logfd != -1) return; + if (strcmp(identity, "sftp-server") != 0 && logfd != -1) + return; + wchar_t *logs_dir = L"\\logs\\"; wchar_t module_path[PATH_MAX] = { 0 }, log_file[PATH_MAX + 12] = { 0 }; 
@@ -117,37 +117,37 @@ openlog_file() wcscat_s(ssh_cfg_path, _countof(ssh_cfg_path), __wprogdata); /* "%programData%" */ wcscat_s(ssh_cfg_path, _countof(ssh_cfg_path), L"\\ssh"); /* "%programData%\\ssh" */ - if ((wcsncat_s(log_file, PATH_MAX + 12, ssh_cfg_path, wcslen(ssh_cfg_path)) != 0) || - (wcsncat_s(log_file, PATH_MAX + 12, logs_dir, 6) != 0)) - return; - + wchar_t* tmp_identity = NULL; if (strcmp(identity, "sftp-server") == 0) { - wchar_t* id = utf8_to_utf16(identity); - if ((wcsncat_s(log_file, PATH_MAX + 12, id, wcslen(id)) != 0) || - (wcsncat_s(log_file, PATH_MAX + 12, L".log", 4) != 0)) { - free(id); + tmp_identity = utf8_to_utf16(identity); + if (!tmp_identity) return; - } - free(id); } - - if (strcmp(identity, "sshd") == 0) - if ((wcsncat_s(log_file, PATH_MAX + 12, tail + 1, wcslen(tail + 1) - 3) != 0) || - (wcsncat_s(log_file, PATH_MAX + 12, L"log", 3) != 0)) + else { + tmp_identity = malloc((wcslen(tail) - 4) * sizeof(wchar_t)); + if (!tmp_identity) + return; + if (wcsncpy_s(tmp_identity, wcslen(tail) - 4, tail + 1, wcslen(tail) - 5) != 0) return; + } + + if ((wcsncat_s(log_file, PATH_MAX + 12, ssh_cfg_path, wcslen(ssh_cfg_path)) != 0) || + (wcsncat_s(log_file, PATH_MAX + 12, logs_dir, 6) != 0) || + (wcsncat_s(log_file, PATH_MAX + 12, tmp_identity, wcslen(tmp_identity)) != 0) || + (wcsncat_s(log_file, PATH_MAX + 12, L".log", 4) != 0)) + { + free(tmp_identity); + return; + } + free(tmp_identity); } errno_t err; - if (strcmp(identity, "sftp-server") == 0) { + if (strcmp(identity, "sftp-server") == 0) err = _wsopen_s(&sftp_server_logfd, log_file, O_WRONLY | O_CREAT | O_APPEND, SH_DENYNO, S_IREAD | S_IWRITE); - if (sftp_server_logfd != -1) - SetHandleInformation((HANDLE)_get_osfhandle(sftp_server_logfd), HANDLE_FLAG_INHERIT, 0); - } else { + else err = _wsopen_s(&logfd, log_file, O_WRONLY | O_CREAT | O_APPEND, SH_DENYNO, S_IREAD | S_IWRITE); - if (logfd != -1) - SetHandleInformation((HANDLE)_get_osfhandle(logfd), HANDLE_FLAG_INHERIT, 0); - } } void 
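Review bot: the rewrite drops both `SetHandleInformation(..., HANDLE_FLAG_INHERIT, 0)` calls that followed `_wsopen_s()`, and nothing visible in the later patches on this page restores them, so the log file handles opened by the SYSTEM-level sshd stay inheritable and can be passed to any child process created with handle inheritance. Either reinstate the call after `_wsopen_s()` or add `_O_NOINHERIT` to the open flags. The enclosing openlog_file() starts before this hunk; the hunk also returns without freeing `tmp_identity` when `wcsncpy_s()` fails, which patch 22 later addresses.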
diff --git a/monitor.c b/monitor.c index bf7a5ddb1c66..abd5de4dbc7e 100644 --- a/monitor.c +++ b/monitor.c @@ -106,7 +106,9 @@ extern ServerOptions options; extern u_int utmp_len; extern struct sshbuf *loginmsg; extern struct sshauthopt *auth_opts; /* XXX move to permanent ssh->authctxt? */ +#ifdef WINDOWS extern int log_stderr; +#endif /* State exported from the child */ static struct sshbuf *child_state; @@ -420,12 +422,9 @@ monitor_read_log(struct monitor *pmonitor) struct sshbuf *logmsg; u_int len, level, forced; char *msg; - char *pname; u_char *p; int r; - - u_int sftp_log_level, sftp_log_facility, sftp_log_stderr; - + if ((logmsg = sshbuf_new()) == NULL) fatal_f("sshbuf_new"); @@ -453,6 +452,10 @@ monitor_read_log(struct monitor *pmonitor) fatal_fr(r, "reserve msg"); if (atomicio(read, pmonitor->m_log_recvfd, p, len) != len) fatal_f("log fd read: %s", strerror(errno)); + +#ifdef WINDOWS + char* pname; + u_int sftp_log_level, sftp_log_facility, sftp_log_stderr; if ((r = sshbuf_get_cstring(logmsg, &pname, NULL)) != 0) fatal_fr(r, "parse"); @@ -462,6 +465,7 @@ monitor_read_log(struct monitor *pmonitor) (r = sshbuf_get_u32(logmsg, &sftp_log_stderr)) != 0) fatal_fr(r, "parse"); } +#endif if ((r = sshbuf_get_u32(logmsg, &level)) != 0 || (r = sshbuf_get_u32(logmsg, &forced)) != 0 || @@ -469,10 +473,10 @@ monitor_read_log(struct monitor *pmonitor) fatal_fr(r, "parse"); /* Log it */ - if (log_level_name(level) == NULL) fatal_f("invalid log level %u (corrupted message?)", level); - + +#ifdef WINDOWS if (authctxt->authenticated == 0) sshlogdirect(level, forced, "%s [preauth]", msg); else { @@ -483,7 +487,9 @@ monitor_read_log(struct monitor *pmonitor) } else sshlogdirect(level, forced, "%s", msg); } - +#else + sshlogdirect(level, forced, "%s [preauth]", msg); +#endif sshbuf_free(logmsg); free(msg); 
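Review bot: the `#ifdef WINDOWS` block now calls `sshlogdirect()` from three places with the `[preauth]` decision duplicated against the non-Windows branch, which makes the two platforms easy to drift apart. Computing the suffix once keeps a single call site: `const char *tag = (authctxt->authenticated == 0) ? " [preauth]" : "";` then `sshlogdirect(level, forced, "%s%s", msg, tag);` with only the sftp-specific `log_init()` pair left inside the `#ifdef`. Whether `authctxt->authenticated` can be non-zero while monitor_read_log() runs on non-Windows builds is not visible here, so check that before unifying the branches; the function continues outside the hunk.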
@@ -1937,7 +1943,7 @@ monitor_reinit(struct monitor *mon) monitor_openfds(mon, 0); } -#ifdef PRIVSEP_AUTH_CHILD_LOG_NOT_SUPPORTED +#ifdef WINDOWS void monitor_reinit_withlogs(struct monitor* mon) { diff --git a/monitor.h b/monitor.h index ab8f0ca0db30..a9562c5f3951 100644 --- a/monitor.h +++ b/monitor.h @@ -78,7 +78,7 @@ struct monitor { struct monitor *monitor_init(void); void monitor_reinit(struct monitor *); -#ifdef PRIVSEP_AUTH_CHILD_LOG_NOT_SUPPORTED +#ifdef WINDOWS void monitor_reinit_withlogs(struct monitor*); #endif struct Authctxt; diff --git a/monitor_wrap.c b/monitor_wrap.c index d0b7e318e7eb..d193f0116e61 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c @@ -96,8 +96,10 @@ mm_log_handler(LogLevel level, int forced, const char *msg, void *ctx) fatal_f("sshbuf_new failed"); if ((r = sshbuf_put_u32(log_msg, 0)) != 0 || /* length; filled below */ +#ifdef WINDOWS (r = sshbuf_put_cstring(log_msg, "sshd")) != 0 || - (r = sshbuf_put_u32(log_msg, level)) != 0 || +#endif + (r = sshbuf_put_u32(log_msg, level)) != 0 || (r = sshbuf_put_u32(log_msg, forced)) != 0 || (r = sshbuf_put_cstring(log_msg, msg)) != 0) fatal_fr(r, "assemble"); diff --git a/sftp-server.c b/sftp-server.c index 0a5ceb5ed6eb..addf548ab2b2 100644 --- a/sftp-server.c +++ b/sftp-server.c @@ -51,9 +51,7 @@ #include "sftp.h" #include "sftp-common.h" -#ifdef PRIVSEP_AUTH_CHILD_LOG_NOT_SUPPORTED -#include "atomicio.h" -#endif + char *sftp_realpath(const char *, char *); /* sftp-realpath.c */ /* Maximum data read that we are willing to accept */ @@ -61,8 +59,10 @@ char *sftp_realpath(const char *, char *); /* sftp-realpath.c */ /* Our verbosity */ static LogLevel log_level = SYSLOG_LEVEL_ERROR; -static SyslogFacility log_facility = SYSLOG_FACILITY_AUTH; -int log_stderr = 0; +#ifdef WINDOWS +static SyslogFacility log_facility_g = SYSLOG_FACILITY_AUTH; +int log_stderr_g = 0; +#endif /* Our client */ static struct passwd *pw = NULL; 
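Review bot: `int log_stderr_g = 0;` in the sftp-server.c hunk is exported while the neighbouring `log_facility_g` is `static`; the only reader shown is log_handler() in the same file, so it should be `static int log_stderr_g = 0;` to avoid adding a global symbol to every binary that links sftp-server.o. If it is deliberately external, a declaration in a header and a comment naming the consumer would document that.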
@@ -1645,9 +1645,11 @@ sftp_server_cleanup_exit(int i) _exit(i); } +#ifdef WINDOWS void log_handler(LogLevel level, int forced, const char* msg, void* ctx) { + #include "atomicio.h" struct sshbuf* log_msg; int* log_fd = (int*)ctx; int r; @@ -1662,8 +1664,8 @@ log_handler(LogLevel level, int forced, const char* msg, void* ctx) if ((r = sshbuf_put_u32(log_msg, 0)) != 0 || /* length; filled below */ (r = sshbuf_put_cstring(log_msg, __progname)) != 0 || (r = sshbuf_put_u32(log_msg, log_level)) != 0 || - (r = sshbuf_put_u32(log_msg, log_facility)) != 0 || - (r = sshbuf_put_u32(log_msg, log_stderr)) != 0 || + (r = sshbuf_put_u32(log_msg, log_facility_g)) != 0 || + (r = sshbuf_put_u32(log_msg, log_stderr_g)) != 0 || (r = sshbuf_put_u32(log_msg, level)) != 0 || (r = sshbuf_put_u32(log_msg, forced)) != 0 || (r = sshbuf_put_cstring(log_msg, msg)) != 0) @@ -1677,6 +1679,7 @@ log_handler(LogLevel level, int forced, const char* msg, void* ctx) sshbuf_free(log_msg); } +#endif static void sftp_server_usage(void) @@ -1696,9 +1699,9 @@ int sftp_server_main(int argc, char **argv, struct passwd *user_pw) { fd_set *rset, *wset; - int i, r, in, out, max, ch, skipargs = 0; + int i, r, in, out, max, ch, skipargs = 0, log_stderr = 0; ssize_t len, olen, set_size; - //SyslogFacility log_facility = SYSLOG_FACILITY_AUTH; + SyslogFacility log_facility = SYSLOG_FACILITY_AUTH; char *cp, *homedir = NULL, uidstr[32], buf[4*4096]; long mask; 
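Review bot: `#include "atomicio.h"` placed inside the body of log_handler() pulls the header's declarations into block scope; it compiles, but it hides the dependency from anyone scanning the top of the file, and the previous patch removed the file-level include that did the same job. Move it back next to the other includes, wrapped in `#ifdef WINDOWS` if the aim is to keep non-Windows builds free of it. The function continues past this hunk.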
@@ -1780,8 +1783,15 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw) } log_init(__progname, log_level, log_facility, log_stderr); -#ifdef PRIVSEP_AUTH_CHILD_LOG_NOT_SUPPORTED +#ifdef WINDOWS + /* + * SSHD process running in SYSTEM will write the logs in sftp-server.log. + * That allows the logs for non-admin user processes to be written. + * Log Handler sends log messages to SSHD process. + */ int log_send_fd = SFTP_SERVER_LOG_FD; + log_facility_g = log_facility; + log_stderr_g = log_stderr; if (fcntl(log_send_fd, F_SETFD, FD_CLOEXEC) != -1) set_log_handler(log_handler, (void*)&log_send_fd); #endif diff --git a/sshd.c b/sshd.c index 43b94a752b40..68825a2579e8 100644 --- a/sshd.c +++ b/sshd.c @@ -137,7 +137,7 @@ #define PRIVSEP_LOG_FD (STDERR_FILENO + 2) #define PRIVSEP_UNAUTH_MIN_FREE_FD (PRIVSEP_LOG_FD + 1) -#ifdef PRIVSEP_AUTH_CHILD_LOG_NOT_SUPPORTED +#ifdef WINDOWS #define PRIVSEP_AUTH_MIN_FREE_FD (PRIVSEP_LOG_FD + 1) #else #define PRIVSEP_AUTH_MIN_FREE_FD (PRIVSEP_MONITOR_FD + 1) @@ -174,7 +174,7 @@ static int inetd_flag = 0; static int no_daemon_flag = 0; /* debug goes to stderr unless inetd_flag is set */ -#ifdef PRIVSEP_AUTH_CHILD_LOG_NOT_SUPPORTED +#ifdef WINDOWS int log_stderr = 0; #else static int log_stderr = 0; @@ -887,7 +887,7 @@ privsep_postauth(struct ssh *ssh, Authctxt *authctxt) } /* New socket pair */ -#ifdef PRIVSEP_AUTH_CHILD_LOG_NOT_SUPPORTED +#ifdef WINDOWS monitor_reinit_withlogs(pmonitor); #else monitor_reinit(pmonitor); 
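Review bot: `if (fcntl(log_send_fd, F_SETFD, FD_CLOEXEC) != -1)` uses the success of fcntl() as the test for whether SFTP_SERVER_LOG_FD was handed to this process, and the new comment above it describes the forwarding but not this probe, so a reader will assume the call only sets close-on-exec. State the intent, e.g. `/* fcntl() fails when sshd did not pass the log fd (standalone run): keep local logging */` — that the failure mode is a closed descriptor is an inference and should be confirmed against the w32 compat fcntl(). The enclosing sftp_server_main() starts before this hunk.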
@@ -900,13 +900,11 @@ privsep_postauth(struct ssh *ssh, Authctxt *authctxt) if (posix_spawn_file_actions_init(&actions) != 0 || posix_spawn_file_actions_adddup2(&actions, io_sock_in, STDIN_FILENO) != 0 || posix_spawn_file_actions_adddup2(&actions, io_sock_out, STDOUT_FILENO) != 0 || +#ifdef WINDOWS + posix_spawn_file_actions_adddup2(&actions, pmonitor->m_log_sendfd, PRIVSEP_LOG_FD) != 0 || +#endif posix_spawn_file_actions_adddup2(&actions, pmonitor->m_recvfd, PRIVSEP_MONITOR_FD) != 0) fatal("posix_spawn initialization failed"); - -#ifdef PRIVSEP_AUTH_CHILD_LOG_NOT_SUPPORTED - if (posix_spawn_file_actions_adddup2(&actions, pmonitor->m_log_sendfd, PRIVSEP_LOG_FD) != 0) - fatal("posix_spawn initialization failed"); -#endif { char** argv = privsep_child_cmdline(1); @@ -933,7 +931,13 @@ privsep_postauth(struct ssh *ssh, Authctxt *authctxt) pmonitor->m_recvfd = PRIVSEP_MONITOR_FD; fcntl(pmonitor->m_recvfd, F_SETFD, FD_CLOEXEC); -#ifdef PRIVSEP_AUTH_CHILD_LOG_NOT_SUPPORTED +#ifdef WINDOWS + /* + * Logs for authenticated child are sent to the monitor + * to be written by parent process runing in SYSTEM. + * That allows logs for non-admin child processes to be + * recorded. + */ close(pmonitor->m_log_recvfd); close(pmonitor->m_log_sendfd); pmonitor->m_log_sendfd = PRIVSEP_LOG_FD; From 843e4b4c54d1593862ba5d1023729a9476b7b1ec Mon Sep 17 00:00:00 2001 From: Vivian Thiebaut Date: Wed, 2 Jun 2021 12:41:44 -0400 Subject: [PATCH 19/37] Removed a few unnecessary changes --- contrib/win32/win32compat/w32log.c | 7 ++++--- monitor.c | 2 +- sshd.c | 2 +- 3 files changed, 6 insertions(+), 5 deletions(-) diff --git a/contrib/win32/win32compat/w32log.c b/contrib/win32/win32compat/w32log.c index c670e0a09afe..4d9e7eb6a6ec 100644 --- a/contrib/win32/win32compat/w32log.c +++ b/contrib/win32/win32compat/w32log.c @@ -86,6 +86,7 @@ syslog_etw(int priority, const char *format, const char *formatBuffer) free(w_payload); } + /* * log file location will be - "%programData%\\openssh\\logs\\.log" */ 
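Review bot: as far as the second hunk shows, only the child side closes `m_log_recvfd`/`m_log_sendfd` and re-points `m_log_sendfd` to `PRIVSEP_LOG_FD`; if the parent keeps its own copy of `m_log_sendfd` open after `__posix_spawn_asuser()` (that path is outside the hunk), the monitor reading `m_log_recvfd` will never see EOF when the authenticated child exits. If the parent does close it elsewhere, a one-line comment at the spawn site saying so would help. The new comment also has a typo (`runing`).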
@@ -132,9 +133,9 @@ openlog_file() } if ((wcsncat_s(log_file, PATH_MAX + 12, ssh_cfg_path, wcslen(ssh_cfg_path)) != 0) || - (wcsncat_s(log_file, PATH_MAX + 12, logs_dir, 6) != 0) || - (wcsncat_s(log_file, PATH_MAX + 12, tmp_identity, wcslen(tmp_identity)) != 0) || - (wcsncat_s(log_file, PATH_MAX + 12, L".log", 4) != 0)) + (wcsncat_s(log_file, PATH_MAX + 12, logs_dir, 6) != 0) || + (wcsncat_s(log_file, PATH_MAX + 12, tmp_identity, wcslen(tmp_identity)) != 0) || + (wcsncat_s(log_file, PATH_MAX + 12, L".log", 4) != 0)) { free(tmp_identity); return; diff --git a/monitor.c b/monitor.c index abd5de4dbc7e..0906d6182f6b 100644 --- a/monitor.c +++ b/monitor.c @@ -424,7 +424,7 @@ monitor_read_log(struct monitor *pmonitor) char *msg; u_char *p; int r; - + if ((logmsg = sshbuf_new()) == NULL) fatal_f("sshbuf_new"); diff --git a/sshd.c b/sshd.c index 68825a2579e8..bfbedcfafc3d 100644 --- a/sshd.c +++ b/sshd.c @@ -905,7 +905,7 @@ privsep_postauth(struct ssh *ssh, Authctxt *authctxt) #endif posix_spawn_file_actions_adddup2(&actions, pmonitor->m_recvfd, PRIVSEP_MONITOR_FD) != 0) fatal("posix_spawn initialization failed"); - + { char** argv = privsep_child_cmdline(1); if (__posix_spawn_asuser(&pmonitor->m_pid, argv[0], &actions, NULL, argv, NULL, authctxt->pw->pw_name) != 0) From cf09f99bde803d2459a156a2427236a200714f06 Mon Sep 17 00:00:00 2001 From: Vivian Thiebaut Date: Wed, 2 Jun 2021 13:04:11 -0400 Subject: [PATCH 20/37] Reordered new properties being sent to monitor --- monitor.c | 21 ++++++++++----------- monitor_wrap.c | 9 ++++++--- sftp-server.c | 8 ++++---- 3 files changed, 20 insertions(+), 18 deletions(-) diff --git a/monitor.c b/monitor.c index 0906d6182f6b..2bbd56171208 100644 --- a/monitor.c +++ b/monitor.c 
@@ -452,7 +452,15 @@ monitor_read_log(struct monitor *pmonitor) fatal_fr(r, "reserve msg"); if (atomicio(read, pmonitor->m_log_recvfd, p, len) != len) fatal_f("log fd read: %s", strerror(errno)); + + if ((r = sshbuf_get_u32(logmsg, &level)) != 0 || + (r = sshbuf_get_u32(logmsg, &forced)) != 0 || + (r = sshbuf_get_cstring(logmsg, &msg, NULL)) != 0) + fatal_fr(r, "parse"); + if (log_level_name(level) == NULL) + fatal_f("invalid log level %u (corrupted message?)", level); + #ifdef WINDOWS char* pname; u_int sftp_log_level, sftp_log_facility, sftp_log_stderr; @@ -465,18 +473,8 @@ monitor_read_log(struct monitor *pmonitor) (r = sshbuf_get_u32(logmsg, &sftp_log_stderr)) != 0) fatal_fr(r, "parse"); } -#endif - if ((r = sshbuf_get_u32(logmsg, &level)) != 0 || - (r = sshbuf_get_u32(logmsg, &forced)) != 0 || - (r = sshbuf_get_cstring(logmsg, &msg, NULL)) != 0) - fatal_fr(r, "parse"); - - /* Log it */ - if (log_level_name(level) == NULL) - fatal_f("invalid log level %u (corrupted message?)", level); - -#ifdef WINDOWS + /*log it*/ if (authctxt->authenticated == 0) sshlogdirect(level, forced, "%s [preauth]", msg); else { @@ -488,6 +486,7 @@ monitor_read_log(struct monitor *pmonitor) sshlogdirect(level, forced, "%s", msg); } #else + /*log it*/ sshlogdirect(level, forced, "%s [preauth]", msg); #endif diff --git a/monitor_wrap.c b/monitor_wrap.c index d193f0116e61..fad8f02b1148 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c 
@@ -96,13 +96,16 @@ mm_log_handler(LogLevel level, int forced, const char *msg, void *ctx) fatal_f("sshbuf_new failed"); if ((r = sshbuf_put_u32(log_msg, 0)) != 0 || /* length; filled below */ -#ifdef WINDOWS - (r = sshbuf_put_cstring(log_msg, "sshd")) != 0 || -#endif (r = sshbuf_put_u32(log_msg, level)) != 0 || (r = sshbuf_put_u32(log_msg, forced)) != 0 || (r = sshbuf_put_cstring(log_msg, msg)) != 0) fatal_fr(r, "assemble"); + +#ifdef WINDOWS + if (r = sshbuf_put_cstring(log_msg, "sshd") != 0) + fatal_fr(r, "assemble"); +#endif + if ((len = sshbuf_len(log_msg)) < 4 || len > 0xffffffff) fatal_f("bad length %zu", len); POKE_U32(sshbuf_mutable_ptr(log_msg), len - 4); diff --git a/sftp-server.c b/sftp-server.c index addf548ab2b2..6b9bd7d9286c 100644 --- a/sftp-server.c +++ b/sftp-server.c @@ -1662,13 +1662,13 @@ log_handler(LogLevel level, int forced, const char* msg, void* ctx) fatal_f("sshbuf_new failed"); if ((r = sshbuf_put_u32(log_msg, 0)) != 0 || /* length; filled below */ + (r = sshbuf_put_u32(log_msg, level)) != 0 || + (r = sshbuf_put_u32(log_msg, forced)) != 0 || + (r = sshbuf_put_cstring(log_msg, msg)) != 0 || (r = sshbuf_put_cstring(log_msg, __progname)) != 0 || (r = sshbuf_put_u32(log_msg, log_level)) != 0 || (r = sshbuf_put_u32(log_msg, log_facility_g)) != 0 || - (r = sshbuf_put_u32(log_msg, log_stderr_g)) != 0 || - (r = sshbuf_put_u32(log_msg, level)) != 0 || - (r = sshbuf_put_u32(log_msg, forced)) != 0 || - (r = sshbuf_put_cstring(log_msg, msg)) != 0) + (r = sshbuf_put_u32(log_msg, log_stderr_g)) != 0) fatal_fr(r, "assemble"); if ((len = sshbuf_len(log_msg)) < 4 || len > 0xffffffff) fatal_f("bad length %zu", len); From a2473e6b55926fe00ffb8b80a5bd710e8b95dd3d Mon Sep 17 00:00:00 2001 From: Vivian Thiebaut Date: Wed, 2 Jun 2021 13:07:19 -0400 Subject: [PATCH 21/37] spaces vs tab --- monitor.c | 4 ++-- monitor_wrap.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/monitor.c b/monitor.c index 2bbd56171208..3c556f00ac84 100644 
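Review bot: `if (r = sshbuf_put_cstring(log_msg, "sshd") != 0)` assigns the result of the comparison to `r`, not the return code, because `!=` binds tighter than `=`; on failure `fatal_fr(r, ...)` is then called with `r == 1` and reports the wrong error, and compilers warn about the assignment in a condition. Write it like the chain above it: `if ((r = sshbuf_put_cstring(log_msg, "sshd")) != 0)`. The same line is carried unchanged into patch 22 (the monitor_wrap.c hunk further down).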
--- a/monitor.c +++ b/monitor.c @@ -454,8 +454,8 @@ monitor_read_log(struct monitor *pmonitor) fatal_f("log fd read: %s", strerror(errno)); if ((r = sshbuf_get_u32(logmsg, &level)) != 0 || - (r = sshbuf_get_u32(logmsg, &forced)) != 0 || - (r = sshbuf_get_cstring(logmsg, &msg, NULL)) != 0) + (r = sshbuf_get_u32(logmsg, &forced)) != 0 || + (r = sshbuf_get_cstring(logmsg, &msg, NULL)) != 0) fatal_fr(r, "parse"); if (log_level_name(level) == NULL) diff --git a/monitor_wrap.c b/monitor_wrap.c index fad8f02b1148..7ae9a4099c08 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c @@ -96,7 +96,7 @@ mm_log_handler(LogLevel level, int forced, const char *msg, void *ctx) fatal_f("sshbuf_new failed"); if ((r = sshbuf_put_u32(log_msg, 0)) != 0 || /* length; filled below */ - (r = sshbuf_put_u32(log_msg, level)) != 0 || + (r = sshbuf_put_u32(log_msg, level)) != 0 || (r = sshbuf_put_u32(log_msg, forced)) != 0 || (r = sshbuf_put_cstring(log_msg, msg)) != 0) fatal_fr(r, "assemble"); From e29b8eed58576029ec015b5d34d2a54c3250ad88 Mon Sep 17 00:00:00 2001 From: Vivian Thiebaut Date: Wed, 2 Jun 2021 14:45:30 -0400 Subject: [PATCH 22/37] Added comments and moved things around --- contrib/win32/win32compat/w32log.c | 33 +++++++++++++++--------------- monitor_wrap.c | 7 +++++++ sftp-server.c | 6 +++--- sshd.c | 3 ++- 4 files changed, 29 insertions(+), 20 deletions(-) diff --git a/contrib/win32/win32compat/w32log.c b/contrib/win32/win32compat/w32log.c index 4d9e7eb6a6ec..530c34230aba 100644 --- a/contrib/win32/win32compat/w32log.c +++ b/contrib/win32/win32compat/w32log.c @@ -101,6 +101,7 @@ openlog_file() wchar_t *logs_dir = L"\\logs\\"; wchar_t module_path[PATH_MAX] = { 0 }, log_file[PATH_MAX + 12] = { 0 }; + wchar_t* tmp_identity = NULL; if (GetModuleFileNameW(NULL, module_path, PATH_MAX) == 0) return; 
@@ -117,38 +118,38 @@ openlog_file() wchar_t ssh_cfg_path[PATH_MAX] = {0 ,}; wcscat_s(ssh_cfg_path, _countof(ssh_cfg_path), __wprogdata); /* "%programData%" */ wcscat_s(ssh_cfg_path, _countof(ssh_cfg_path), L"\\ssh"); /* "%programData%\\ssh" */ - - wchar_t* tmp_identity = NULL; if (strcmp(identity, "sftp-server") == 0) { tmp_identity = utf8_to_utf16(identity); if (!tmp_identity) - return; + goto cleanup; } else { - tmp_identity = malloc((wcslen(tail) - 4) * sizeof(wchar_t)); + tmp_identity = malloc(wcslen(tail) * sizeof(wchar_t)); if (!tmp_identity) - return; - if (wcsncpy_s(tmp_identity, wcslen(tail) - 4, tail + 1, wcslen(tail) - 5) != 0) - return; + goto cleanup; + if (wcsncpy_s(tmp_identity, wcslen(tail), tail + 1, wcslen(tail) - 5) != 0) { + goto cleanup; + } } if ((wcsncat_s(log_file, PATH_MAX + 12, ssh_cfg_path, wcslen(ssh_cfg_path)) != 0) || (wcsncat_s(log_file, PATH_MAX + 12, logs_dir, 6) != 0) || (wcsncat_s(log_file, PATH_MAX + 12, tmp_identity, wcslen(tmp_identity)) != 0) || (wcsncat_s(log_file, PATH_MAX + 12, L".log", 4) != 0)) - { - free(tmp_identity); - return; - } - - free(tmp_identity); + goto cleanup; } errno_t err; + int* fd_ptr = &logfd; + if (strcmp(identity, "sftp-server") == 0) - err = _wsopen_s(&sftp_server_logfd, log_file, O_WRONLY | O_CREAT | O_APPEND, SH_DENYNO, S_IREAD | S_IWRITE); - else - err = _wsopen_s(&logfd, log_file, O_WRONLY | O_CREAT | O_APPEND, SH_DENYNO, S_IREAD | S_IWRITE); + fd_ptr = &sftp_server_logfd; + + err = _wsopen_s(fd_ptr, log_file, O_WRONLY | O_CREAT | O_APPEND, SH_DENYNO, S_IREAD | S_IWRITE); + +cleanup: + if (tmp_identity) + free(tmp_identity); } void diff --git a/monitor_wrap.c b/monitor_wrap.c index 7ae9a4099c08..9d0f476d28bc 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c 
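Review bot: `wcsncpy_s(tmp_identity, wcslen(tail), tail + 1, wcslen(tail) - 5)` assumes `tail` is a leading backslash followed by a name ending in `.exe`; when `tail` is shorter than six wide characters, `wcslen(tail) - 5` underflows as `size_t` and the copy count becomes huge. Guard it before the allocation, `if (wcslen(tail) <= 5) goto cleanup;`, and note the `.exe` assumption in a comment. The `if (tmp_identity)` around `free()` is redundant since `free(NULL)` is a no-op; openlog_file() starts before this hunk.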
@@ -102,6 +102,13 @@ mm_log_handler(LogLevel level, int forced, const char *msg, void *ctx) fatal_fr(r, "assemble"); #ifdef WINDOWS + /* + * Log messages are fowarded to SSHD parent process from + * both sshd children and sftp-server processes. + * Attach progname to the end of the message so that SSHD + * parent process can differentitate between messages + * coming from sshd children and sftp-server. + */ if (r = sshbuf_put_cstring(log_msg, "sshd") != 0) fatal_fr(r, "assemble"); #endif diff --git a/sftp-server.c b/sftp-server.c index 6b9bd7d9286c..095e8d4c6a8e 100644 --- a/sftp-server.c +++ b/sftp-server.c @@ -1785,9 +1785,9 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw) log_init(__progname, log_level, log_facility, log_stderr); #ifdef WINDOWS /* - * SSHD process running in SYSTEM will write the logs in sftp-server.log. - * That allows the logs for non-admin user processes to be written. - * Log Handler sends log messages to SSHD process. + * SFTP-Server fowards log messages to SSHD System process. + * SSHD system process logs the messages to either ETW or sftp-server.log. + * This allows us to log the messages of both non-admin and admin users. */ int log_send_fd = SFTP_SERVER_LOG_FD; log_facility_g = log_facility; diff --git a/sshd.c b/sshd.c index bfbedcfafc3d..915f3a23b92c 100644 --- a/sshd.c +++ b/sshd.c 
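Review bot: the new comment says the progname is attached to the message, but the line below appends the literal `"sshd"`, and the receiver in monitor_read_log() only compares against `"sftp-server"`; make the comment match the code, e.g. `/* Tag the message with "sshd" so the monitor can tell it apart from sftp-server output (see monitor_read_log()) */`. The comment also has typos (`fowarded`, `differentitate`), and the operator-precedence problem on the `if` line noted earlier in this series still applies here.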
@@ -901,7 +901,8 @@ privsep_postauth(struct ssh *ssh, Authctxt *authctxt) posix_spawn_file_actions_adddup2(&actions, io_sock_in, STDIN_FILENO) != 0 || posix_spawn_file_actions_adddup2(&actions, io_sock_out, STDOUT_FILENO) != 0 || #ifdef WINDOWS - posix_spawn_file_actions_adddup2(&actions, pmonitor->m_log_sendfd, PRIVSEP_LOG_FD) != 0 || + /*Allow authenticated child process to foward log messages to parent for processing*/ + posix_spawn_file_actions_adddup2(&actions, pmonitor->m_log_sendfd, PRIVSEP_LOG_FD) != 0 || #endif posix_spawn_file_actions_adddup2(&actions, pmonitor->m_recvfd, PRIVSEP_MONITOR_FD) != 0) fatal("posix_spawn initialization failed"); From 3afb7bb45d7246bacad539315643c62f88cd2b5c Mon Sep 17 00:00:00 2001 From: Vivian Thiebaut Date: Wed, 2 Jun 2021 14:48:46 -0400 Subject: [PATCH 23/37] typo fix --- contrib/win32/win32compat/w32log.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/contrib/win32/win32compat/w32log.c b/contrib/win32/win32compat/w32log.c index 530c34230aba..b8cf3f9f7f04 100644 --- a/contrib/win32/win32compat/w32log.c +++ b/contrib/win32/win32compat/w32log.c @@ -139,13 +139,12 @@ openlog_file() goto cleanup; } - errno_t err; int* fd_ptr = &logfd; if (strcmp(identity, "sftp-server") == 0) fd_ptr = &sftp_server_logfd; - err = _wsopen_s(fd_ptr, log_file, O_WRONLY | O_CREAT | O_APPEND, SH_DENYNO, S_IREAD | S_IWRITE); + errno_t err = _wsopen_s(fd_ptr, log_file, O_WRONLY | O_CREAT | O_APPEND, SH_DENYNO, S_IREAD | S_IWRITE); cleanup: if (tmp_identity) From af41ac4fae59d297973f85e291f1892653cba414 Mon Sep 17 00:00:00 2001 From: Vivian Thiebaut Date: Wed, 2 Jun 2021 15:03:03 -0400 Subject: [PATCH 24/37] minimizing ifdef blocks --- monitor.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/monitor.c b/monitor.c index 3c556f00ac84..e8b8185a4a8f 100644 --- a/monitor.c +++ b/monitor.c 
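Review bot: in the w32log.c hunk, `errno_t err = _wsopen_s(...)` is assigned and never read, so a failed open (missing logs directory, access denied) is silent and the only trace is `*fd_ptr` staying -1; if that silence is intended, say so and drop the variable, e.g. `/* on failure *fd_ptr stays -1 and syslog_file() drops messages */` with `(void)_wsopen_s(...)`. The `goto cleanup` jumps above skip the initialised declarations of `fd_ptr` and `err`; that is legal C but would not be if this file were ever compiled as C++. The sshd.c comment in the first hunk has a typo (`foward`).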
@@ -106,9 +106,6 @@ extern ServerOptions options; extern u_int utmp_len; extern struct sshbuf *loginmsg; extern struct sshauthopt *auth_opts; /* XXX move to permanent ssh->authctxt? */ -#ifdef WINDOWS -extern int log_stderr; -#endif /* State exported from the child */ static struct sshbuf *child_state; @@ -464,6 +461,7 @@ monitor_read_log(struct monitor *pmonitor) #ifdef WINDOWS char* pname; u_int sftp_log_level, sftp_log_facility, sftp_log_stderr; + extern int log_stderr; if ((r = sshbuf_get_cstring(logmsg, &pname, NULL)) != 0) fatal_fr(r, "parse"); From 618a0cb970ad50da6ac6ec13713cc5b41c65ee27 Mon Sep 17 00:00:00 2001 From: Vivian Thiebaut Date: Thu, 10 Jun 2021 13:39:21 -0400 Subject: [PATCH 25/37] Testing logs for admin and non admin users --- contrib/win32/openssh/OpenSSHTestHelper.psm1 | 29 ++- .../pesterTests/FileBasedLogging.tests.ps1 | 245 ++++++++++++++++++ 2 files changed, 269 insertions(+), 5 deletions(-) create mode 100644 regress/pesterTests/FileBasedLogging.tests.ps1 diff --git a/contrib/win32/openssh/OpenSSHTestHelper.psm1 b/contrib/win32/openssh/OpenSSHTestHelper.psm1 index b6009cdf7e66..43f02b6b1e46 100644 --- a/contrib/win32/openssh/OpenSSHTestHelper.psm1 +++ b/contrib/win32/openssh/OpenSSHTestHelper.psm1 @@ -13,8 +13,10 @@ $TestSetupLogFileName = "TestSetupLog.txt" $SSOUser = "sshtest_ssouser" $PubKeyUser = "sshtest_pubkeyuser" $PasswdUser = "sshtest_passwduser" +$AdminUser = "sshtest_adminuser" +$NonAdminUser = "sshtest_nonadminuser" $OpenSSHTestAccountsPassword = "P@ssw0rd_1" -$OpenSSHTestAccounts = $Script:SSOUser, $Script:PubKeyUser, $Script:PasswdUser +$OpenSSHTestAccounts = $Script:SSOUser, $Script:PubKeyUser, $Script:PasswdUser, $Script:AdminUser, $Script:NonAdminUser $SSHDTestSvcName = "sshdTestSvc" $Script:TestDataPath = "$env:SystemDrive\OpenSSHTests" 
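Review bot: `extern int log_stderr;` declared inside the body of monitor_read_log() (under `#ifdef WINDOWS`) is a block-scope extern for a variable that sshd.c only makes non-static on Windows; it hides the cross-file coupling from anyone reading the top of the file, whereas the file-scope declaration this patch removes was at least discoverable. If the aim is only to restore the monitor's logger after the sftp branch, check whether the existing `log_is_on_stderr()` accessor yields the value needed (its exact semantics are not shown here); otherwise keep the extern at file scope with a comment naming the defining file. The function continues outside the hunk.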
@@ -65,6 +67,8 @@ function Set-OpenSSHTestEnvironment $Global:OpenSSHTestInfo.Add("SSOUser", $SSOUser) # test user with single sign on capability $Global:OpenSSHTestInfo.Add("PubKeyUser", $PubKeyUser) # test user to be used with explicit key for key auth $Global:OpenSSHTestInfo.Add("PasswdUser", $PasswdUser) # test user to be used for password auth + $Global:OpenSSHTestInfo.Add("AdminUser", $AdminUser) # test user to be used for admin logging tests + $Global:OpenSSHTestInfo.Add("NonAdminUser", $NonAdminUser) # test user to be used for non-admin logging tests $Global:OpenSSHTestInfo.Add("TestAccountPW", $OpenSSHTestAccountsPassword) # common password for all test accounts $Global:OpenSSHTestInfo.Add("DebugMode", $DebugMode.IsPresent) # run openssh E2E in debug mode 
@@ -205,11 +209,26 @@ WARNING: Following changes will be made to OpenSSH configuration net user $user $Script:OpenSSHTestAccountsPassword /ADD 2>&1 >> $Script:TestSetupLogFile } } - - #setup single sign on for ssouser + + #setup single sign on for ssouser $ssouserProfile = Get-LocalUserProfile -User $SSOUser + Write-Host $ssouserProfile $Global:OpenSSHTestInfo.Add("SSOUserProfile", $ssouserProfile) - $Global:OpenSSHTestInfo.Add("PubKeyUserProfile", (Get-LocalUserProfile -User $PubKeyUser)) + + $PubKeyUserProfile = Get-LocalUserProfile -User $PubKeyUser + Write-Host $PubKeyUserProfile + $Global:OpenSSHTestInfo.Add("PubKeyUserProfile", $PubKeyUserProfile) + + $AdminUserProfile = Get-LocalUserProfile -User $AdminUser + Write-Host $AdminUserProfile + $Global:OpenSSHTestInfo.Add("AdminUserProfile", $AdminUserProfile) + + $NonAdminUserProfile = Get-LocalUserProfile -User $NonAdminUser + Write-Host $NonAdminUserProfile + $Global:OpenSSHTestInfo.Add("NonAdminUserProfile", $NonAdminUserProfile) + + #make $AdminUser admin + net localgroup Administrators $AdminUser /add New-Item -ItemType Directory -Path (Join-Path $ssouserProfile .ssh) -Force -ErrorAction SilentlyContinue | out-null $authorizedKeyPath = Join-Path $ssouserProfile .ssh\authorized_keys @@ -338,7 +357,7 @@ function Get-LocalUserProfile param([string]$User) $sid = Get-UserSID -User $User $userProfileRegistry = Join-Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" $sid - if (-not (Test-Path $userProfileRegistry) ) { + if (-not (Test-Path $userProfileRegistry) ) { #create profile if (-not($env:DISPLAY)) { $env:DISPLAY = 1 } $askpass_util = Join-Path $Script:E2ETestDirectory "utilities\askpass_util\askpass_util.exe" diff --git a/regress/pesterTests/FileBasedLogging.tests.ps1 b/regress/pesterTests/FileBasedLogging.tests.ps1 new file mode 100644 index 000000000000..65bbc8ca45ab --- /dev/null +++ b/regress/pesterTests/FileBasedLogging.tests.ps1 
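Review bot: `net localgroup Administrators $AdminUser /add` places a test account that shares the fixed `$OpenSSHTestAccountsPassword` into the local Administrators group, and no matching `/delete` is visible in this hunk; the teardown counterpart of Set-OpenSSHTestEnvironment (outside the hunk) should remove the group membership as well as the account so a test run does not leave an extra administrator behind. The exit status of that `net` call is also not checked, so if it fails the admin-logging tests would quietly run against a non-admin account; `if ($LASTEXITCODE -ne 0) { Throw "failed to add $AdminUser to Administrators" }` after it would surface that. The four `Write-Host` profile-path lines look like leftover debugging output and would be better as `Write-Verbose` or dropped.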
@@ -0,0 +1,245 @@ +If ($PSVersiontable.PSVersion.Major -le 2) {$PSScriptRoot = Split-Path -Parent $MyInvocation.MyCommand.Path} +Import-Module $PSScriptRoot\CommonUtils.psm1 -Force +Import-Module OpenSSHUtils -Force +$tC = 1 +$tI = 0 +$suite = "FileBasedLogging" +Describe "Tests for admin and non-admin file based logs" -Tags "CI" { + BeforeAll { + if($OpenSSHTestInfo -eq $null) + { + Throw "`$OpenSSHTestInfo is null. Please run Set-OpenSSHTestEnvironment to set test environments." + } + + $testDir = "$($OpenSSHTestInfo["TestDataPath"])\$suite" + if( -not (Test-path $testDir -PathType Container)) + { + $null = New-Item $testDir -ItemType directory -Force -ErrorAction SilentlyContinue + } + + $sshLogName = "test.txt" + $sshdLogName = "sshdlog.txt" + $server = $OpenSSHTestInfo["Target"] + $opensshbinpath = $OpenSSHTestInfo['OpenSSHBinPath'] + $nonadminusername = $OpenSSHTestInfo['NonAdminUser'] + $adminusername = $OpenSSHTestInfo['AdminUser'] + $password = $OpenSSHTestInfo['TestAccountPW'] + $port = 47002 + Remove-Item -Path (Join-Path $testDir "*$sshLogName") -Force -ErrorAction SilentlyContinue + + <# Setup sshd_config file#> + + $sshdconfig_ori = Join-Path $Global:OpenSSHTestInfo["ServiceConfigDir"] sshd_config + Write-Host $sshdconfig_ori + $sshdconfig_custom = Join-Path $Global:OpenSSHTestInfo["ServiceConfigDir"] sshd_config_custom + if (Test-Path $sshdconfig_custom) { + Remove-Item $sshdconfig_custom -Force + } + Copy-Item $sshdconfig_ori $sshdconfig_custom + get-acl $sshdconfig_ori | set-acl $sshdconfig_custom + $content = Get-Content -Path $sshdconfig_custom + $newContent = $content -replace "Subsystem sftp sftp-server.exe -l DEBUG3", "Subsystem sftp sftp-server.exe -l DEBUG3 -f LOCAL0" + $newContent | Set-Content -Path $sshdconfig_custom + + #skip when the task schedular (*-ScheduledTask) cmdlets does not exist + $ts = (get-command get-ScheduledTask -ErrorAction SilentlyContinue) + $skip = $ts -eq $null + if(-not $skip) + { + Stop-SSHDTestDaemon -Port $port + 
} + if(($platform -eq [PlatformType]::Windows) -and ([Environment]::OSVersion.Version.Major -le 6)) + { + #suppress the firewall blocking dialogue on win7 + netsh advfirewall firewall add rule name="sshd" program="$($OpenSSHTestInfo['OpenSSHBinPath'])\sshd.exe" protocol=any action=allow dir=in + } + } + + AfterEach { $tI++ } + + AfterAll { + if(($platform -eq [PlatformType]::Windows) -and ($psversiontable.BuildVersion.Major -le 6)) + { + netsh advfirewall firewall delete rule name="sshd" program="$($OpenSSHTestInfo['OpenSSHBinPath'])\sshd.exe" protocol=any dir=in + } + } + + + Context "Tests Logs for SSH connections" { + BeforeAll { + $sshdConfigPath = $sshdconfig_custom + + Add-PasswordSetting -Pass $password + + $tI=1 + } + + BeforeEach { + $sshlog = Join-Path $testDir "$tC.$tI.$sshLogName" + $sshdlog = Join-Path $testDir "$tC.$tI.$sshdLogName" + + if (Test-Path $sshdlog -PathType Leaf) { + Clear-Content $sshdlog + } + + if(-not $skip) + { + Stop-SSHDTestDaemon -Port $port + } + } + + AfterAll { + Remove-PasswordSetting + $tC++ + } + + It "$tC.$tI-Nonadmin SSH Connection" -skip:$skip { + Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-ddd -f $sshdConfigPath -E $sshdlog" -Port $port + $o = ssh -vvv -p $port -E $sshlog $nonadminusername@$server echo 1234 + $o | Should Be 1234 + Stop-SSHDTestDaemon -Port $port + $sshdlog | Should Contain "KEX done \[preauth\]" + $sshdlog | Should Contain "exec_command: echo 1234" + } + + It "$tC.$tI-Admin SSH Connection" -skip:$skip { + Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-ddd -f $sshdConfigPath -E $sshdlog" -Port $port + $o = ssh -vvv -p $port -E $sshlog $adminusername@$server echo 1234 + $o | Should Be 1234 + Stop-SSHDTestDaemon -Port $port + $sshdlog | Should Contain "KEX done \[preauth\]" + $sshdlog | Should Contain "exec_command: echo 1234" + } + + } + + Context "Tests Logs for SFTP connections" { + + BeforeAll { + + $sshdConfigPath = $sshdconfig_custom + + function Setup-KeyBasedAuth + { + 
param([string] $Username, [string] $KeyFilePath, [string] $UserProfile) + + + $userSSHProfilePath = Join-Path $UserProfile .ssh + Write-Host "SSH Profile Path: $userSSHProfilePath" + + if (-not (Test-Path $userSSHProfilePath -PathType Container)) { + New-Item $userSSHProfilePath -ItemType directory -Force -ErrorAction Stop | Out-Null + } + + $authorizedkeyPath = Join-Path $userSSHProfilePath authorized_keys + + if($OpenSSHTestInfo["NoLibreSSL"]) + { + ssh-keygen.exe -t ed25519 -f $KeyFilePath -Z -P `"`" aes128-ctr + } + else + { + ssh-keygen.exe -t ed25519 -f $KeyFilePath -P `"`" + } + + + Copy-Item "$keyFilePath.pub" $authorizedkeyPath -Force -ErrorAction SilentlyContinue + + Repair-AuthorizedKeyPermission -Filepath $authorizedkeyPath -confirm:$false + } + + $AdminUserProfile = $OpenSSHTestInfo['AdminUserProfile'] + $NonAdminUserProfile = $OpenSSHTestInfo['NonAdminUserProfile'] + + $KeyFileName = $nonadminusername + "_sshtest_fileBasedLog_ed25519" + $NonadminKeyFilePath = Join-Path $testDir $keyFileName + Remove-Item -path "$NonadminKeyFilePath*" -Force -ErrorAction SilentlyContinue + Setup-KeyBasedAuth -Username $nonadminusername -KeyFilePath $NonadminKeyFilePath -UserProfile $NonAdminUserProfile + + $KeyFileName = $adminusername + "_sshtest_fileBasedLog_ed25519" + $AdminKeyFilePath = Join-Path $testDir $keyFileName + Remove-Item -path "$AdminKeyFilePath*" -Force -ErrorAction SilentlyContinue + Setup-KeyBasedAuth -Username $adminusername -KeyFilePath $AdminKeyFilePath -UserProfile $AdminUserProfile + + + #create batch file + $commands = +"ls +exit" + + $batchFilePath = Join-Path $testDir "$tC.$tI.commands.txt" + Set-Content $batchFilePath -Encoding UTF8 -value $commands + + # clear logs so that next testcase will get fresh logs. 
+ Clear-Content "$env:ProgramData\ssh\logs\sftp-server.log" -Force -ErrorAction SilentlyContinue + + + $tI = 1 + } + + BeforeEach { + #clean sftp log file + $sshlog = Join-Path $testDir "$tC.$tI.$sshLogName" + $sshdlog = Join-Path $testDir "$tC.$tI.$sshdLogName" + if(-not $skip) + { + Stop-SSHDTestDaemon -Port $port + } + } + + AfterAll { + Remove-Item -path "$NonadminKeyFilePath*" -Force -ErrorAction SilentlyContinue + Remove-Item -path "$AdminKeyFilePath*" -Force -ErrorAction SilentlyContinue + + $tC++ + } + + It "$tC.$tI-Nonadmin SFTP Connection" -skip:$skip { + + Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-ddd -f $sshdConfigPath -E $sshdlog" -Port $port + + sftp -P $port -i $NonadminKeyFilePath -b $batchFilePath $nonadminusername@$server + + Stop-SSHDTestDaemon -Port $port + + #Copy sftp-log files into test directory + $sftplog = Join-Path $testDir "$tC.$tI.sftp-server.log" + Copy-Item "$env:ProgramData\ssh\logs\sftp-server.log" $sftplog -Force -ErrorAction SilentlyContinue + + # clear logs so that next testcase will get fresh logs. 
+ Clear-Content "$env:ProgramData\ssh\logs\sftp-server.log" -Force -ErrorAction SilentlyContinue + + #checks + $sshdlog | Should Contain "Accepted publickey for $nonadminusername" + $sshdlog | Should Contain "KEX done \[preauth\]" + $sshdlog | Should Contain "debug2: subsystem request for sftp by user $nonadminusername" + $sftplog | Should Contain "session opened for local user $nonadminusername" + $sftplog | Should Contain "debug3: request 3: opendir" + $sftplog | Should Contain "session closed for local user $nonadminusername" + } + + It "$tC.$tI-Admin SFTP Connection" -skip:$skip { + + Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-ddd -f $sshdConfigPath -E $sshdlog" -Port $port + + sftp -P $port -i $AdminKeyFilePath -b $batchFilePath $adminusername@$server + + Stop-SSHDTestDaemon -Port $port + + #Copy sftp-log files into test directory + $sftplog = Join-Path $testDir "$tC.$tI.sftp-server.log" + Copy-Item "$env:ProgramData\ssh\logs\sftp-server.log" $sftplog -Force -ErrorAction SilentlyContinue + + # clear logs so that next testcase will get fresh logs. + Clear-Content "$env:ProgramData\ssh\logs\sftp-server.log" -Force -ErrorAction SilentlyContinue + + #checks + $sshdlog | Should Contain "Accepted publickey for $adminusername" + $sshdlog | Should Contain "KEX done \[preauth\]" + $sshdlog | Should Contain "debug2: subsystem request for sftp by user $adminusername" + $sftplog | Should Contain "session opened for local user $adminusername" + $sftplog | Should Contain "debug3: request 3: opendir" + $sftplog | Should Contain "session closed for local user $adminusername" + } + } +} From 3df10ed46f161a8c6eb2d5e142c3a67c5cc5477e Mon Sep 17 00:00:00 2001 
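Review bot: `$platform` is compared with `[PlatformType]::Windows` in both the outer BeforeAll and AfterAll, but nothing in this file assigns it, so unless it is inherited from the calling scope both firewall-rule branches are dead code. The two guards also disagree (`[Environment]::OSVersion.Version.Major -le 6` to add the `sshd` rule, `$psversiontable.BuildVersion.Major -le 6` to delete it), so on a host where only one holds the rule is created and never removed; use one condition for both. In the SFTP tests, `Copy-Item` of the sftp-server log runs with `-ErrorAction SilentlyContinue`, so a failed copy is only reported later as a `Should Contain` failure on a missing file, which hides the real cause; checking `Test-Path $sftplog` right after the copy would give a clearer failure. The `Setup-KeyBasedAuth` helper also overwrites the user's `authorized_keys` with `-Force`, which is fine for the dedicated test accounts but worth a comment so nobody reuses it on a real profile.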
From: Vivian Thiebaut Date: Thu, 10 Jun 2021 13:55:42 -0400 Subject: [PATCH 26/37] Changed tabs into spaces in test scripts for consistency --- contrib/win32/openssh/OpenSSHTestHelper.psm1 | 36 +-- .../pesterTests/FileBasedLogging.tests.ps1 | 276 +++++++++--------- 2 files changed, 151 insertions(+), 161 deletions(-) diff --git a/contrib/win32/openssh/OpenSSHTestHelper.psm1 b/contrib/win32/openssh/OpenSSHTestHelper.psm1 index 43f02b6b1e46..9f5da6eaacd5 100644 --- a/contrib/win32/openssh/OpenSSHTestHelper.psm1 +++ b/contrib/win32/openssh/OpenSSHTestHelper.psm1 @@ -67,8 +67,8 @@ function Set-OpenSSHTestEnvironment $Global:OpenSSHTestInfo.Add("SSOUser", $SSOUser) # test user with single sign on capability $Global:OpenSSHTestInfo.Add("PubKeyUser", $PubKeyUser) # test user to be used with explicit key for key auth $Global:OpenSSHTestInfo.Add("PasswdUser", $PasswdUser) # test user to be used for password auth - $Global:OpenSSHTestInfo.Add("AdminUser", $AdminUser) # test user to be used for admin logging tests - $Global:OpenSSHTestInfo.Add("NonAdminUser", $NonAdminUser) # test user to be used for non-admin logging tests + $Global:OpenSSHTestInfo.Add("AdminUser", $AdminUser) # test user to be used for admin logging tests + $Global:OpenSSHTestInfo.Add("NonAdminUser", $NonAdminUser) # test user to be used for non-admin logging tests $Global:OpenSSHTestInfo.Add("TestAccountPW", $OpenSSHTestAccountsPassword) # common password for all test accounts $Global:OpenSSHTestInfo.Add("DebugMode", $DebugMode.IsPresent) # run openssh E2E in debug mode 
@@ -209,26 +209,22 @@ WARNING: Following changes will be made to OpenSSH configuration net user $user $Script:OpenSSHTestAccountsPassword /ADD 2>&1 >> $Script:TestSetupLogFile } } - - #setup single sign on for ssouser + + #setup single sign on for ssouser $ssouserProfile = Get-LocalUserProfile -User $SSOUser - Write-Host $ssouserProfile $Global:OpenSSHTestInfo.Add("SSOUserProfile", $ssouserProfile) - - $PubKeyUserProfile = Get-LocalUserProfile -User $PubKeyUser - Write-Host $PubKeyUserProfile + + $PubKeyUserProfile = Get-LocalUserProfile -User $PubKeyUser $Global:OpenSSHTestInfo.Add("PubKeyUserProfile", $PubKeyUserProfile) - - $AdminUserProfile = Get-LocalUserProfile -User $AdminUser - Write-Host $AdminUserProfile - $Global:OpenSSHTestInfo.Add("AdminUserProfile", $AdminUserProfile) - - $NonAdminUserProfile = Get-LocalUserProfile -User $NonAdminUser - Write-Host $NonAdminUserProfile - $Global:OpenSSHTestInfo.Add("NonAdminUserProfile", $NonAdminUserProfile) - - #make $AdminUser admin - net localgroup Administrators $AdminUser /add + + $AdminUserProfile = Get-LocalUserProfile -User $AdminUser + $Global:OpenSSHTestInfo.Add("AdminUserProfile", $AdminUserProfile) + + $NonAdminUserProfile = Get-LocalUserProfile -User $NonAdminUser + $Global:OpenSSHTestInfo.Add("NonAdminUserProfile", $NonAdminUserProfile) + + #make $AdminUser admin + net localgroup Administrators $AdminUser /add New-Item -ItemType Directory -Path (Join-Path $ssouserProfile .ssh) -Force -ErrorAction SilentlyContinue | out-null $authorizedKeyPath = Join-Path $ssouserProfile .ssh\authorized_keys 
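Review bot: The commit title describes a whitespace-only change, but this hunk also deletes the four `Write-Host` profile dumps, and the FileBasedLogging.tests.ps1 hunks of the same commit drop the `#checks` comments and blank lines, none of which the message mentions. Mixing a tabs-to-spaces sweep with content edits makes the content edits hard to spot in review; keeping them in a separate commit, or at least naming them in the message, would help, all the more since the entire commit is reverted in the next patch.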
@@ -357,7 +353,7 @@ function Get-LocalUserProfile param([string]$User) $sid = Get-UserSID -User $User $userProfileRegistry = Join-Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" $sid - if (-not (Test-Path $userProfileRegistry) ) { + if (-not (Test-Path $userProfileRegistry) ) { #create profile if (-not($env:DISPLAY)) { $env:DISPLAY = 1 } $askpass_util = Join-Path $Script:E2ETestDirectory "utilities\askpass_util\askpass_util.exe" diff --git a/regress/pesterTests/FileBasedLogging.tests.ps1 b/regress/pesterTests/FileBasedLogging.tests.ps1 index 65bbc8ca45ab..e86d7cb8d1a5 100644 --- a/regress/pesterTests/FileBasedLogging.tests.ps1 +++ b/regress/pesterTests/FileBasedLogging.tests.ps1 
@@ -21,25 +21,25 @@ Describe "Tests for admin and non-admin file based logs" -Tags "CI" { $sshdLogName = "sshdlog.txt" $server = $OpenSSHTestInfo["Target"] $opensshbinpath = $OpenSSHTestInfo['OpenSSHBinPath'] - $nonadminusername = $OpenSSHTestInfo['NonAdminUser'] - $adminusername = $OpenSSHTestInfo['AdminUser'] - $password = $OpenSSHTestInfo['TestAccountPW'] + $nonadminusername = $OpenSSHTestInfo['NonAdminUser'] + $adminusername = $OpenSSHTestInfo['AdminUser'] + $password = $OpenSSHTestInfo['TestAccountPW'] $port = 47002 - Remove-Item -Path (Join-Path $testDir "*$sshLogName") -Force -ErrorAction SilentlyContinue + Remove-Item -Path (Join-Path $testDir "*$sshLogName") -Force -ErrorAction SilentlyContinue - <# Setup sshd_config file#> + <# Setup sshd_config file#> - $sshdconfig_ori = Join-Path $Global:OpenSSHTestInfo["ServiceConfigDir"] sshd_config - Write-Host $sshdconfig_ori + $sshdconfig_ori = Join-Path $Global:OpenSSHTestInfo["ServiceConfigDir"] sshd_config + Write-Host $sshdconfig_ori $sshdconfig_custom = Join-Path $Global:OpenSSHTestInfo["ServiceConfigDir"] sshd_config_custom if (Test-Path $sshdconfig_custom) { Remove-Item $sshdconfig_custom -Force } Copy-Item $sshdconfig_ori $sshdconfig_custom get-acl $sshdconfig_ori | set-acl $sshdconfig_custom - $content = Get-Content -Path $sshdconfig_custom - $newContent = $content -replace "Subsystem sftp sftp-server.exe -l DEBUG3", "Subsystem sftp sftp-server.exe -l DEBUG3 -f LOCAL0" - $newContent | Set-Content -Path $sshdconfig_custom + $content = Get-Content -Path $sshdconfig_custom + $newContent = $content -replace "Subsystem sftp sftp-server.exe -l DEBUG3", "Subsystem sftp sftp-server.exe -l DEBUG3 -f LOCAL0" + $newContent | Set-Content -Path $sshdconfig_custom #skip when the task schedular (*-ScheduledTask) cmdlets does not exist $ts = (get-command get-ScheduledTask -ErrorAction SilentlyContinue) 
@@ -67,21 +67,21 @@ Describe "Tests for admin and non-admin file based logs" -Tags "CI" { Context "Tests Logs for SSH connections" { BeforeAll { - $sshdConfigPath = $sshdconfig_custom - - Add-PasswordSetting -Pass $password - + $sshdConfigPath = $sshdconfig_custom + + Add-PasswordSetting -Pass $password + $tI=1 } BeforeEach { $sshlog = Join-Path $testDir "$tC.$tI.$sshLogName" $sshdlog = Join-Path $testDir "$tC.$tI.$sshdLogName" - - if (Test-Path $sshdlog -PathType Leaf) { - Clear-Content $sshdlog - } - + + if (Test-Path $sshdlog -PathType Leaf) { + Clear-Content $sshdlog + } + if(-not $skip) { Stop-SSHDTestDaemon -Port $port 
@@ -94,152 +94,146 @@ Describe "Tests for admin and non-admin file based logs" -Tags "CI" { } It "$tC.$tI-Nonadmin SSH Connection" -skip:$skip { - Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-ddd -f $sshdConfigPath -E $sshdlog" -Port $port - $o = ssh -vvv -p $port -E $sshlog $nonadminusername@$server echo 1234 - $o | Should Be 1234 - Stop-SSHDTestDaemon -Port $port - $sshdlog | Should Contain "KEX done \[preauth\]" - $sshdlog | Should Contain "exec_command: echo 1234" + Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-ddd -f $sshdConfigPath -E $sshdlog" -Port $port + $o = ssh -vvv -p $port -E $sshlog $nonadminusername@$server echo 1234 + $o | Should Be 1234 + Stop-SSHDTestDaemon -Port $port + $sshdlog | Should Contain "KEX done \[preauth\]" + $sshdlog | Should Contain "exec_command: echo 1234" } - - It "$tC.$tI-Admin SSH Connection" -skip:$skip { - Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-ddd -f $sshdConfigPath -E $sshdlog" -Port $port - $o = ssh -vvv -p $port -E $sshlog $adminusername@$server echo 1234 - $o | Should Be 1234 - Stop-SSHDTestDaemon -Port $port - $sshdlog | Should Contain "KEX done \[preauth\]" - $sshdlog | Should Contain "exec_command: echo 1234" + + It "$tC.$tI-Admin SSH Connection" -skip:$skip { + Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-ddd -f $sshdConfigPath -E $sshdlog" -Port $port + $o = ssh -vvv -p $port -E $sshlog $adminusername@$server echo 1234 + $o | Should Be 1234 + Stop-SSHDTestDaemon -Port $port + $sshdlog | Should Contain "KEX done \[preauth\]" + $sshdlog | Should Contain "exec_command: echo 1234" } } - Context "Tests Logs for SFTP connections" { + Context "Tests Logs for SFTP connections" { - BeforeAll { - - $sshdConfigPath = $sshdconfig_custom - - function Setup-KeyBasedAuth - { - param([string] $Username, [string] $KeyFilePath, [string] $UserProfile) - - - $userSSHProfilePath = Join-Path $UserProfile .ssh - Write-Host "SSH Profile Path: $userSSHProfilePath" - - if (-not 
(Test-Path $userSSHProfilePath -PathType Container)) { - New-Item $userSSHProfilePath -ItemType directory -Force -ErrorAction Stop | Out-Null - } - - $authorizedkeyPath = Join-Path $userSSHProfilePath authorized_keys - - if($OpenSSHTestInfo["NoLibreSSL"]) - { - ssh-keygen.exe -t ed25519 -f $KeyFilePath -Z -P `"`" aes128-ctr - } - else - { - ssh-keygen.exe -t ed25519 -f $KeyFilePath -P `"`" - } - - - Copy-Item "$keyFilePath.pub" $authorizedkeyPath -Force -ErrorAction SilentlyContinue - - Repair-AuthorizedKeyPermission -Filepath $authorizedkeyPath -confirm:$false - } - - $AdminUserProfile = $OpenSSHTestInfo['AdminUserProfile'] - $NonAdminUserProfile = $OpenSSHTestInfo['NonAdminUserProfile'] - - $KeyFileName = $nonadminusername + "_sshtest_fileBasedLog_ed25519" - $NonadminKeyFilePath = Join-Path $testDir $keyFileName - Remove-Item -path "$NonadminKeyFilePath*" -Force -ErrorAction SilentlyContinue - Setup-KeyBasedAuth -Username $nonadminusername -KeyFilePath $NonadminKeyFilePath -UserProfile $NonAdminUserProfile - - $KeyFileName = $adminusername + "_sshtest_fileBasedLog_ed25519" - $AdminKeyFilePath = Join-Path $testDir $keyFileName - Remove-Item -path "$AdminKeyFilePath*" -Force -ErrorAction SilentlyContinue - Setup-KeyBasedAuth -Username $adminusername -KeyFilePath $AdminKeyFilePath -UserProfile $AdminUserProfile - + BeforeAll { + + $sshdConfigPath = $sshdconfig_custom - #create batch file - $commands = + function Setup-KeyBasedAuth + { + param([string] $Username, [string] $KeyFilePath, [string] $UserProfile) + + $userSSHProfilePath = Join-Path $UserProfile .ssh + Write-Host "SSH Profile Path: $userSSHProfilePath" + + if (-not (Test-Path $userSSHProfilePath -PathType Container)) { + New-Item $userSSHProfilePath -ItemType directory -Force -ErrorAction Stop | Out-Null + } + + $authorizedkeyPath = Join-Path $userSSHProfilePath authorized_keys + + if($OpenSSHTestInfo["NoLibreSSL"]) + { + ssh-keygen.exe -t ed25519 -f $KeyFilePath -Z -P `"`" aes128-ctr + } + else + { + 
ssh-keygen.exe -t ed25519 -f $KeyFilePath -P `"`" + } + + Copy-Item "$keyFilePath.pub" $authorizedkeyPath -Force -ErrorAction SilentlyContinue + + Repair-AuthorizedKeyPermission -Filepath $authorizedkeyPath -confirm:$false + } + + $AdminUserProfile = $OpenSSHTestInfo['AdminUserProfile'] + $NonAdminUserProfile = $OpenSSHTestInfo['NonAdminUserProfile'] + + $KeyFileName = $nonadminusername + "_sshtest_fileBasedLog_ed25519" + $NonadminKeyFilePath = Join-Path $testDir $keyFileName + Remove-Item -path "$NonadminKeyFilePath*" -Force -ErrorAction SilentlyContinue + Setup-KeyBasedAuth -Username $nonadminusername -KeyFilePath $NonadminKeyFilePath -UserProfile $NonAdminUserProfile + + $KeyFileName = $adminusername + "_sshtest_fileBasedLog_ed25519" + $AdminKeyFilePath = Join-Path $testDir $keyFileName + Remove-Item -path "$AdminKeyFilePath*" -Force -ErrorAction SilentlyContinue + Setup-KeyBasedAuth -Username $adminusername -KeyFilePath $AdminKeyFilePath -UserProfile $AdminUserProfile + + #create batch file + $commands = "ls exit" - - $batchFilePath = Join-Path $testDir "$tC.$tI.commands.txt" - Set-Content $batchFilePath -Encoding UTF8 -value $commands - - # clear logs so that next testcase will get fresh logs. + + $batchFilePath = Join-Path $testDir "$tC.$tI.commands.txt" + Set-Content $batchFilePath -Encoding UTF8 -value $commands + + # clear logs so that next testcase will get fresh logs. 
Clear-Content "$env:ProgramData\ssh\logs\sftp-server.log" -Force -ErrorAction SilentlyContinue - - - $tI = 1 + + $tI = 1 } - BeforeEach { - #clean sftp log file - $sshlog = Join-Path $testDir "$tC.$tI.$sshLogName" + BeforeEach { + #clean sftp log file + $sshlog = Join-Path $testDir "$tC.$tI.$sshLogName" $sshdlog = Join-Path $testDir "$tC.$tI.$sshdLogName" - if(-not $skip) + if(-not $skip) { Stop-SSHDTestDaemon -Port $port } - } - - AfterAll { - Remove-Item -path "$NonadminKeyFilePath*" -Force -ErrorAction SilentlyContinue - Remove-Item -path "$AdminKeyFilePath*" -Force -ErrorAction SilentlyContinue - - $tC++ - } - - It "$tC.$tI-Nonadmin SFTP Connection" -skip:$skip { - - Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-ddd -f $sshdConfigPath -E $sshdlog" -Port $port + } - sftp -P $port -i $NonadminKeyFilePath -b $batchFilePath $nonadminusername@$server + AfterAll { + Remove-Item -path "$NonadminKeyFilePath*" -Force -ErrorAction SilentlyContinue + Remove-Item -path "$AdminKeyFilePath*" -Force -ErrorAction SilentlyContinue - Stop-SSHDTestDaemon -Port $port - - #Copy sftp-log files into test directory - $sftplog = Join-Path $testDir "$tC.$tI.sftp-server.log" - Copy-Item "$env:ProgramData\ssh\logs\sftp-server.log" $sftplog -Force -ErrorAction SilentlyContinue - + $tC++ + } + + It "$tC.$tI-Nonadmin SFTP Connection" -skip:$skip { + + Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-ddd -f $sshdConfigPath -E $sshdlog" -Port $port + + sftp -P $port -i $NonadminKeyFilePath -b $batchFilePath $nonadminusername@$server + + Stop-SSHDTestDaemon -Port $port + + #Copy sftp-log files into test directory + $sftplog = Join-Path $testDir "$tC.$tI.sftp-server.log" + Copy-Item "$env:ProgramData\ssh\logs\sftp-server.log" $sftplog -Force -ErrorAction SilentlyContinue + # clear logs so that next testcase will get fresh logs. 
Clear-Content "$env:ProgramData\ssh\logs\sftp-server.log" -Force -ErrorAction SilentlyContinue - - #checks - $sshdlog | Should Contain "Accepted publickey for $nonadminusername" - $sshdlog | Should Contain "KEX done \[preauth\]" - $sshdlog | Should Contain "debug2: subsystem request for sftp by user $nonadminusername" - $sftplog | Should Contain "session opened for local user $nonadminusername" - $sftplog | Should Contain "debug3: request 3: opendir" - $sftplog | Should Contain "session closed for local user $nonadminusername" + + $sshdlog | Should Contain "Accepted publickey for $nonadminusername" + $sshdlog | Should Contain "KEX done \[preauth\]" + $sshdlog | Should Contain "debug2: subsystem request for sftp by user $nonadminusername" + $sftplog | Should Contain "session opened for local user $nonadminusername" + $sftplog | Should Contain "debug3: request 3: opendir" + $sftplog | Should Contain "session closed for local user $nonadminusername" } - - It "$tC.$tI-Admin SFTP Connection" -skip:$skip { - - Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-ddd -f $sshdConfigPath -E $sshdlog" -Port $port - sftp -P $port -i $AdminKeyFilePath -b $batchFilePath $adminusername@$server + It "$tC.$tI-Admin SFTP Connection" -skip:$skip { + + Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-ddd -f $sshdConfigPath -E $sshdlog" -Port $port - Stop-SSHDTestDaemon -Port $port - - #Copy sftp-log files into test directory - $sftplog = Join-Path $testDir "$tC.$tI.sftp-server.log" - Copy-Item "$env:ProgramData\ssh\logs\sftp-server.log" $sftplog -Force -ErrorAction SilentlyContinue - + sftp -P $port -i $AdminKeyFilePath -b $batchFilePath $adminusername@$server + + Stop-SSHDTestDaemon -Port $port + + #Copy sftp-log files into test directory + $sftplog = Join-Path $testDir "$tC.$tI.sftp-server.log" + Copy-Item "$env:ProgramData\ssh\logs\sftp-server.log" $sftplog -Force -ErrorAction SilentlyContinue + # clear logs so that next testcase will get fresh logs. 
Clear-Content "$env:ProgramData\ssh\logs\sftp-server.log" -Force -ErrorAction SilentlyContinue - - #checks - $sshdlog | Should Contain "Accepted publickey for $adminusername" - $sshdlog | Should Contain "KEX done \[preauth\]" - $sshdlog | Should Contain "debug2: subsystem request for sftp by user $adminusername" - $sftplog | Should Contain "session opened for local user $adminusername" - $sftplog | Should Contain "debug3: request 3: opendir" - $sftplog | Should Contain "session closed for local user $adminusername" + + $sshdlog | Should Contain "Accepted publickey for $adminusername" + $sshdlog | Should Contain "KEX done \[preauth\]" + $sshdlog | Should Contain "debug2: subsystem request for sftp by user $adminusername" + $sftplog | Should Contain "session opened for local user $adminusername" + $sftplog | Should Contain "debug3: request 3: opendir" + $sftplog | Should Contain "session closed for local user $adminusername" } - } + } } From 0d4b90d9824bd002d7ddd2d8de52ca94e8a44040 Mon Sep 17 00:00:00 2001 From: Vivian Thiebaut Date: Thu, 10 Jun 2021 14:43:38 -0400 Subject: [PATCH 27/37] Revert "Changed tabs into spaces in test scripts for consistency" This reverts commit 3df10ed46f161a8c6eb2d5e142c3a67c5cc5477e. --- contrib/win32/openssh/OpenSSHTestHelper.psm1 | 36 ++- .../pesterTests/FileBasedLogging.tests.ps1 | 276 +++++++++--------- 2 files changed, 161 insertions(+), 151 deletions(-) diff --git a/contrib/win32/openssh/OpenSSHTestHelper.psm1 b/contrib/win32/openssh/OpenSSHTestHelper.psm1 index 9f5da6eaacd5..43f02b6b1e46 100644 --- a/contrib/win32/openssh/OpenSSHTestHelper.psm1 +++ b/contrib/win32/openssh/OpenSSHTestHelper.psm1 
@@ -67,8 +67,8 @@ function Set-OpenSSHTestEnvironment $Global:OpenSSHTestInfo.Add("SSOUser", $SSOUser) # test user with single sign on capability $Global:OpenSSHTestInfo.Add("PubKeyUser", $PubKeyUser) # test user to be used with explicit key for key auth $Global:OpenSSHTestInfo.Add("PasswdUser", $PasswdUser) # test user to be used for password auth - $Global:OpenSSHTestInfo.Add("AdminUser", $AdminUser) # test user to be used for admin logging tests - $Global:OpenSSHTestInfo.Add("NonAdminUser", $NonAdminUser) # test user to be used for non-admin logging tests + $Global:OpenSSHTestInfo.Add("AdminUser", $AdminUser) # test user to be used for admin logging tests + $Global:OpenSSHTestInfo.Add("NonAdminUser", $NonAdminUser) # test user to be used for non-admin logging tests $Global:OpenSSHTestInfo.Add("TestAccountPW", $OpenSSHTestAccountsPassword) # common password for all test accounts $Global:OpenSSHTestInfo.Add("DebugMode", $DebugMode.IsPresent) # run openssh E2E in debug mode 
@@ -209,22 +209,26 @@ WARNING: Following changes will be made to OpenSSH configuration net user $user $Script:OpenSSHTestAccountsPassword /ADD 2>&1 >> $Script:TestSetupLogFile } } - - #setup single sign on for ssouser + + #setup single sign on for ssouser $ssouserProfile = Get-LocalUserProfile -User $SSOUser + Write-Host $ssouserProfile $Global:OpenSSHTestInfo.Add("SSOUserProfile", $ssouserProfile) - - $PubKeyUserProfile = Get-LocalUserProfile -User $PubKeyUser + + $PubKeyUserProfile = Get-LocalUserProfile -User $PubKeyUser + Write-Host $PubKeyUserProfile $Global:OpenSSHTestInfo.Add("PubKeyUserProfile", $PubKeyUserProfile) - - $AdminUserProfile = Get-LocalUserProfile -User $AdminUser - $Global:OpenSSHTestInfo.Add("AdminUserProfile", $AdminUserProfile) - - $NonAdminUserProfile = Get-LocalUserProfile -User $NonAdminUser - $Global:OpenSSHTestInfo.Add("NonAdminUserProfile", $NonAdminUserProfile) - - #make $AdminUser admin - net localgroup Administrators $AdminUser /add + + $AdminUserProfile = Get-LocalUserProfile -User $AdminUser + Write-Host $AdminUserProfile + $Global:OpenSSHTestInfo.Add("AdminUserProfile", $AdminUserProfile) + + $NonAdminUserProfile = Get-LocalUserProfile -User $NonAdminUser + Write-Host $NonAdminUserProfile + $Global:OpenSSHTestInfo.Add("NonAdminUserProfile", $NonAdminUserProfile) + + #make $AdminUser admin + net localgroup Administrators $AdminUser /add New-Item -ItemType Directory -Path (Join-Path $ssouserProfile .ssh) -Force -ErrorAction SilentlyContinue | out-null $authorizedKeyPath = Join-Path $ssouserProfile .ssh\authorized_keys 
@@ -353,7 +357,7 @@ function Get-LocalUserProfile param([string]$User) $sid = Get-UserSID -User $User $userProfileRegistry = Join-Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" $sid - if (-not (Test-Path $userProfileRegistry) ) { + if (-not (Test-Path $userProfileRegistry) ) { #create profile if (-not($env:DISPLAY)) { $env:DISPLAY = 1 } $askpass_util = Join-Path $Script:E2ETestDirectory "utilities\askpass_util\askpass_util.exe" diff --git a/regress/pesterTests/FileBasedLogging.tests.ps1 b/regress/pesterTests/FileBasedLogging.tests.ps1 index e86d7cb8d1a5..65bbc8ca45ab 100644 --- a/regress/pesterTests/FileBasedLogging.tests.ps1 +++ b/regress/pesterTests/FileBasedLogging.tests.ps1 
@@ -21,25 +21,25 @@ Describe "Tests for admin and non-admin file based logs" -Tags "CI" { $sshdLogName = "sshdlog.txt" $server = $OpenSSHTestInfo["Target"] $opensshbinpath = $OpenSSHTestInfo['OpenSSHBinPath'] - $nonadminusername = $OpenSSHTestInfo['NonAdminUser'] - $adminusername = $OpenSSHTestInfo['AdminUser'] - $password = $OpenSSHTestInfo['TestAccountPW'] + $nonadminusername = $OpenSSHTestInfo['NonAdminUser'] + $adminusername = $OpenSSHTestInfo['AdminUser'] + $password = $OpenSSHTestInfo['TestAccountPW'] $port = 47002 - Remove-Item -Path (Join-Path $testDir "*$sshLogName") -Force -ErrorAction SilentlyContinue + Remove-Item -Path (Join-Path $testDir "*$sshLogName") -Force -ErrorAction SilentlyContinue - <# Setup sshd_config file#> + <# Setup sshd_config file#> - $sshdconfig_ori = Join-Path $Global:OpenSSHTestInfo["ServiceConfigDir"] sshd_config - Write-Host $sshdconfig_ori + $sshdconfig_ori = Join-Path $Global:OpenSSHTestInfo["ServiceConfigDir"] sshd_config + Write-Host $sshdconfig_ori $sshdconfig_custom = Join-Path $Global:OpenSSHTestInfo["ServiceConfigDir"] sshd_config_custom if (Test-Path $sshdconfig_custom) { Remove-Item $sshdconfig_custom -Force } Copy-Item $sshdconfig_ori $sshdconfig_custom get-acl $sshdconfig_ori | set-acl $sshdconfig_custom - $content = Get-Content -Path $sshdconfig_custom - $newContent = $content -replace "Subsystem sftp sftp-server.exe -l DEBUG3", "Subsystem sftp sftp-server.exe -l DEBUG3 -f LOCAL0" - $newContent | Set-Content -Path $sshdconfig_custom + $content = Get-Content -Path $sshdconfig_custom + $newContent = $content -replace "Subsystem sftp sftp-server.exe -l DEBUG3", "Subsystem sftp sftp-server.exe -l DEBUG3 -f LOCAL0" + $newContent | Set-Content -Path $sshdconfig_custom #skip when the task schedular (*-ScheduledTask) cmdlets does not exist $ts = (get-command get-ScheduledTask -ErrorAction SilentlyContinue) 
@@ -67,21 +67,21 @@ Describe "Tests for admin and non-admin file based logs" -Tags "CI" { Context "Tests Logs for SSH connections" { BeforeAll { - $sshdConfigPath = $sshdconfig_custom - - Add-PasswordSetting -Pass $password - + $sshdConfigPath = $sshdconfig_custom + + Add-PasswordSetting -Pass $password + $tI=1 } BeforeEach { $sshlog = Join-Path $testDir "$tC.$tI.$sshLogName" $sshdlog = Join-Path $testDir "$tC.$tI.$sshdLogName" - - if (Test-Path $sshdlog -PathType Leaf) { - Clear-Content $sshdlog - } - + + if (Test-Path $sshdlog -PathType Leaf) { + Clear-Content $sshdlog + } + if(-not $skip) { Stop-SSHDTestDaemon -Port $port 
@@ -94,146 +94,152 @@ Describe "Tests for admin and non-admin file based logs" -Tags "CI" { } It "$tC.$tI-Nonadmin SSH Connection" -skip:$skip { - Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-ddd -f $sshdConfigPath -E $sshdlog" -Port $port - $o = ssh -vvv -p $port -E $sshlog $nonadminusername@$server echo 1234 - $o | Should Be 1234 - Stop-SSHDTestDaemon -Port $port - $sshdlog | Should Contain "KEX done \[preauth\]" - $sshdlog | Should Contain "exec_command: echo 1234" + Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-ddd -f $sshdConfigPath -E $sshdlog" -Port $port + $o = ssh -vvv -p $port -E $sshlog $nonadminusername@$server echo 1234 + $o | Should Be 1234 + Stop-SSHDTestDaemon -Port $port + $sshdlog | Should Contain "KEX done \[preauth\]" + $sshdlog | Should Contain "exec_command: echo 1234" } - - It "$tC.$tI-Admin SSH Connection" -skip:$skip { - Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-ddd -f $sshdConfigPath -E $sshdlog" -Port $port - $o = ssh -vvv -p $port -E $sshlog $adminusername@$server echo 1234 - $o | Should Be 1234 - Stop-SSHDTestDaemon -Port $port - $sshdlog | Should Contain "KEX done \[preauth\]" - $sshdlog | Should Contain "exec_command: echo 1234" + + It "$tC.$tI-Admin SSH Connection" -skip:$skip { + Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-ddd -f $sshdConfigPath -E $sshdlog" -Port $port + $o = ssh -vvv -p $port -E $sshlog $adminusername@$server echo 1234 + $o | Should Be 1234 + Stop-SSHDTestDaemon -Port $port + $sshdlog | Should Contain "KEX done \[preauth\]" + $sshdlog | Should Contain "exec_command: echo 1234" } } - Context "Tests Logs for SFTP connections" { + Context "Tests Logs for SFTP connections" { - BeforeAll { - - $sshdConfigPath = $sshdconfig_custom + BeforeAll { - function Setup-KeyBasedAuth - { - param([string] $Username, [string] $KeyFilePath, [string] $UserProfile) - - $userSSHProfilePath = Join-Path $UserProfile .ssh - Write-Host "SSH Profile Path: $userSSHProfilePath" - - if 
(-not (Test-Path $userSSHProfilePath -PathType Container)) { - New-Item $userSSHProfilePath -ItemType directory -Force -ErrorAction Stop | Out-Null - } - - $authorizedkeyPath = Join-Path $userSSHProfilePath authorized_keys - - if($OpenSSHTestInfo["NoLibreSSL"]) - { - ssh-keygen.exe -t ed25519 -f $KeyFilePath -Z -P `"`" aes128-ctr - } - else - { - ssh-keygen.exe -t ed25519 -f $KeyFilePath -P `"`" - } - - Copy-Item "$keyFilePath.pub" $authorizedkeyPath -Force -ErrorAction SilentlyContinue - - Repair-AuthorizedKeyPermission -Filepath $authorizedkeyPath -confirm:$false - } - - $AdminUserProfile = $OpenSSHTestInfo['AdminUserProfile'] - $NonAdminUserProfile = $OpenSSHTestInfo['NonAdminUserProfile'] - - $KeyFileName = $nonadminusername + "_sshtest_fileBasedLog_ed25519" - $NonadminKeyFilePath = Join-Path $testDir $keyFileName - Remove-Item -path "$NonadminKeyFilePath*" -Force -ErrorAction SilentlyContinue - Setup-KeyBasedAuth -Username $nonadminusername -KeyFilePath $NonadminKeyFilePath -UserProfile $NonAdminUserProfile - - $KeyFileName = $adminusername + "_sshtest_fileBasedLog_ed25519" - $AdminKeyFilePath = Join-Path $testDir $keyFileName - Remove-Item -path "$AdminKeyFilePath*" -Force -ErrorAction SilentlyContinue - Setup-KeyBasedAuth -Username $adminusername -KeyFilePath $AdminKeyFilePath -UserProfile $AdminUserProfile - - #create batch file - $commands = + $sshdConfigPath = $sshdconfig_custom + + function Setup-KeyBasedAuth + { + param([string] $Username, [string] $KeyFilePath, [string] $UserProfile) + + + $userSSHProfilePath = Join-Path $UserProfile .ssh + Write-Host "SSH Profile Path: $userSSHProfilePath" + + if (-not (Test-Path $userSSHProfilePath -PathType Container)) { + New-Item $userSSHProfilePath -ItemType directory -Force -ErrorAction Stop | Out-Null + } + + $authorizedkeyPath = Join-Path $userSSHProfilePath authorized_keys + + if($OpenSSHTestInfo["NoLibreSSL"]) + { + ssh-keygen.exe -t ed25519 -f $KeyFilePath -Z -P `"`" aes128-ctr + } + else + { + 
ssh-keygen.exe -t ed25519 -f $KeyFilePath -P `"`" + } + + + Copy-Item "$keyFilePath.pub" $authorizedkeyPath -Force -ErrorAction SilentlyContinue + + Repair-AuthorizedKeyPermission -Filepath $authorizedkeyPath -confirm:$false + } + + $AdminUserProfile = $OpenSSHTestInfo['AdminUserProfile'] + $NonAdminUserProfile = $OpenSSHTestInfo['NonAdminUserProfile'] + + $KeyFileName = $nonadminusername + "_sshtest_fileBasedLog_ed25519" + $NonadminKeyFilePath = Join-Path $testDir $keyFileName + Remove-Item -path "$NonadminKeyFilePath*" -Force -ErrorAction SilentlyContinue + Setup-KeyBasedAuth -Username $nonadminusername -KeyFilePath $NonadminKeyFilePath -UserProfile $NonAdminUserProfile + + $KeyFileName = $adminusername + "_sshtest_fileBasedLog_ed25519" + $AdminKeyFilePath = Join-Path $testDir $keyFileName + Remove-Item -path "$AdminKeyFilePath*" -Force -ErrorAction SilentlyContinue + Setup-KeyBasedAuth -Username $adminusername -KeyFilePath $AdminKeyFilePath -UserProfile $AdminUserProfile + + + #create batch file + $commands = "ls exit" - - $batchFilePath = Join-Path $testDir "$tC.$tI.commands.txt" - Set-Content $batchFilePath -Encoding UTF8 -value $commands - - # clear logs so that next testcase will get fresh logs. + + $batchFilePath = Join-Path $testDir "$tC.$tI.commands.txt" + Set-Content $batchFilePath -Encoding UTF8 -value $commands + + # clear logs so that next testcase will get fresh logs. 
Clear-Content "$env:ProgramData\ssh\logs\sftp-server.log" -Force -ErrorAction SilentlyContinue - - $tI = 1 + + + $tI = 1 } - BeforeEach { - #clean sftp log file - $sshlog = Join-Path $testDir "$tC.$tI.$sshLogName" + BeforeEach { + #clean sftp log file + $sshlog = Join-Path $testDir "$tC.$tI.$sshLogName" $sshdlog = Join-Path $testDir "$tC.$tI.$sshdLogName" - if(-not $skip) + if(-not $skip) { Stop-SSHDTestDaemon -Port $port } - } - - AfterAll { - Remove-Item -path "$NonadminKeyFilePath*" -Force -ErrorAction SilentlyContinue - Remove-Item -path "$AdminKeyFilePath*" -Force -ErrorAction SilentlyContinue - - $tC++ - } - - It "$tC.$tI-Nonadmin SFTP Connection" -skip:$skip { - - Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-ddd -f $sshdConfigPath -E $sshdlog" -Port $port - - sftp -P $port -i $NonadminKeyFilePath -b $batchFilePath $nonadminusername@$server + } + + AfterAll { + Remove-Item -path "$NonadminKeyFilePath*" -Force -ErrorAction SilentlyContinue + Remove-Item -path "$AdminKeyFilePath*" -Force -ErrorAction SilentlyContinue + + $tC++ + } + + It "$tC.$tI-Nonadmin SFTP Connection" -skip:$skip { + + Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-ddd -f $sshdConfigPath -E $sshdlog" -Port $port - Stop-SSHDTestDaemon -Port $port + sftp -P $port -i $NonadminKeyFilePath -b $batchFilePath $nonadminusername@$server - #Copy sftp-log files into test directory - $sftplog = Join-Path $testDir "$tC.$tI.sftp-server.log" - Copy-Item "$env:ProgramData\ssh\logs\sftp-server.log" $sftplog -Force -ErrorAction SilentlyContinue - + Stop-SSHDTestDaemon -Port $port + + #Copy sftp-log files into test directory + $sftplog = Join-Path $testDir "$tC.$tI.sftp-server.log" + Copy-Item "$env:ProgramData\ssh\logs\sftp-server.log" $sftplog -Force -ErrorAction SilentlyContinue + # clear logs so that next testcase will get fresh logs. 
Clear-Content "$env:ProgramData\ssh\logs\sftp-server.log" -Force -ErrorAction SilentlyContinue - - $sshdlog | Should Contain "Accepted publickey for $nonadminusername" - $sshdlog | Should Contain "KEX done \[preauth\]" - $sshdlog | Should Contain "debug2: subsystem request for sftp by user $nonadminusername" - $sftplog | Should Contain "session opened for local user $nonadminusername" - $sftplog | Should Contain "debug3: request 3: opendir" - $sftplog | Should Contain "session closed for local user $nonadminusername" + + #checks + $sshdlog | Should Contain "Accepted publickey for $nonadminusername" + $sshdlog | Should Contain "KEX done \[preauth\]" + $sshdlog | Should Contain "debug2: subsystem request for sftp by user $nonadminusername" + $sftplog | Should Contain "session opened for local user $nonadminusername" + $sftplog | Should Contain "debug3: request 3: opendir" + $sftplog | Should Contain "session closed for local user $nonadminusername" } + + It "$tC.$tI-Admin SFTP Connection" -skip:$skip { + + Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-ddd -f $sshdConfigPath -E $sshdlog" -Port $port - It "$tC.$tI-Admin SFTP Connection" -skip:$skip { - - Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-ddd -f $sshdConfigPath -E $sshdlog" -Port $port - - sftp -P $port -i $AdminKeyFilePath -b $batchFilePath $adminusername@$server - - Stop-SSHDTestDaemon -Port $port + sftp -P $port -i $AdminKeyFilePath -b $batchFilePath $adminusername@$server - #Copy sftp-log files into test directory - $sftplog = Join-Path $testDir "$tC.$tI.sftp-server.log" - Copy-Item "$env:ProgramData\ssh\logs\sftp-server.log" $sftplog -Force -ErrorAction SilentlyContinue - + Stop-SSHDTestDaemon -Port $port + + #Copy sftp-log files into test directory + $sftplog = Join-Path $testDir "$tC.$tI.sftp-server.log" + Copy-Item "$env:ProgramData\ssh\logs\sftp-server.log" $sftplog -Force -ErrorAction SilentlyContinue + # clear logs so that next testcase will get fresh logs. 
Clear-Content "$env:ProgramData\ssh\logs\sftp-server.log" -Force -ErrorAction SilentlyContinue - - $sshdlog | Should Contain "Accepted publickey for $adminusername" - $sshdlog | Should Contain "KEX done \[preauth\]" - $sshdlog | Should Contain "debug2: subsystem request for sftp by user $adminusername" - $sftplog | Should Contain "session opened for local user $adminusername" - $sftplog | Should Contain "debug3: request 3: opendir" - $sftplog | Should Contain "session closed for local user $adminusername" + + #checks + $sshdlog | Should Contain "Accepted publickey for $adminusername" + $sshdlog | Should Contain "KEX done \[preauth\]" + $sshdlog | Should Contain "debug2: subsystem request for sftp by user $adminusername" + $sftplog | Should Contain "session opened for local user $adminusername" + $sftplog | Should Contain "debug3: request 3: opendir" + $sftplog | Should Contain "session closed for local user $adminusername" } - } + } } From f673003b61d99fc07015d5da36ab84c9fb39c419 Mon Sep 17 00:00:00 2001 From: Vivian Thiebaut Date: Thu, 10 Jun 2021 14:45:07 -0400 Subject: [PATCH 28/37] Revert "Testing logs for admin and non admin users" This reverts commit 618a0cb970ad50da6ac6ec13713cc5b41c65ee27. --- contrib/win32/openssh/OpenSSHTestHelper.psm1 | 29 +-- .../pesterTests/FileBasedLogging.tests.ps1 | 245 ------------------ 2 files changed, 5 insertions(+), 269 deletions(-) delete mode 100644 regress/pesterTests/FileBasedLogging.tests.ps1 diff --git a/contrib/win32/openssh/OpenSSHTestHelper.psm1 b/contrib/win32/openssh/OpenSSHTestHelper.psm1 index 43f02b6b1e46..b6009cdf7e66 100644 --- a/contrib/win32/openssh/OpenSSHTestHelper.psm1 +++ b/contrib/win32/openssh/OpenSSHTestHelper.psm1 
@@ -13,10 +13,8 @@ $TestSetupLogFileName = "TestSetupLog.txt" $SSOUser = "sshtest_ssouser" $PubKeyUser = "sshtest_pubkeyuser" $PasswdUser = "sshtest_passwduser" -$AdminUser = "sshtest_adminuser" -$NonAdminUser = "sshtest_nonadminuser" $OpenSSHTestAccountsPassword = "P@ssw0rd_1" -$OpenSSHTestAccounts = $Script:SSOUser, $Script:PubKeyUser, $Script:PasswdUser, $Script:AdminUser, $Script:NonAdminUser +$OpenSSHTestAccounts = $Script:SSOUser, $Script:PubKeyUser, $Script:PasswdUser $SSHDTestSvcName = "sshdTestSvc" $Script:TestDataPath = "$env:SystemDrive\OpenSSHTests" @@ -67,8 +65,6 @@ function Set-OpenSSHTestEnvironment $Global:OpenSSHTestInfo.Add("SSOUser", $SSOUser) # test user with single sign on capability $Global:OpenSSHTestInfo.Add("PubKeyUser", $PubKeyUser) # test user to be used with explicit key for key auth $Global:OpenSSHTestInfo.Add("PasswdUser", $PasswdUser) # test user to be used for password auth - $Global:OpenSSHTestInfo.Add("AdminUser", $AdminUser) # test user to be used for admin logging tests - $Global:OpenSSHTestInfo.Add("NonAdminUser", $NonAdminUser) # test user to be used for non-admin logging tests $Global:OpenSSHTestInfo.Add("TestAccountPW", $OpenSSHTestAccountsPassword) # common password for all test accounts $Global:OpenSSHTestInfo.Add("DebugMode", $DebugMode.IsPresent) # run openssh E2E in debug mode 
@@ -209,26 +205,11 @@ WARNING: Following changes will be made to OpenSSH configuration net user $user $Script:OpenSSHTestAccountsPassword /ADD 2>&1 >> $Script:TestSetupLogFile } } - - #setup single sign on for ssouser + + #setup single sign on for ssouser $ssouserProfile = Get-LocalUserProfile -User $SSOUser - Write-Host $ssouserProfile $Global:OpenSSHTestInfo.Add("SSOUserProfile", $ssouserProfile) - - $PubKeyUserProfile = Get-LocalUserProfile -User $PubKeyUser - Write-Host $PubKeyUserProfile - $Global:OpenSSHTestInfo.Add("PubKeyUserProfile", $PubKeyUserProfile) - - $AdminUserProfile = Get-LocalUserProfile -User $AdminUser - Write-Host $AdminUserProfile - $Global:OpenSSHTestInfo.Add("AdminUserProfile", $AdminUserProfile) - - $NonAdminUserProfile = Get-LocalUserProfile -User $NonAdminUser - Write-Host $NonAdminUserProfile - $Global:OpenSSHTestInfo.Add("NonAdminUserProfile", $NonAdminUserProfile) - - #make $AdminUser admin - net localgroup Administrators $AdminUser /add + $Global:OpenSSHTestInfo.Add("PubKeyUserProfile", (Get-LocalUserProfile -User $PubKeyUser)) New-Item -ItemType Directory -Path (Join-Path $ssouserProfile .ssh) -Force -ErrorAction SilentlyContinue | out-null $authorizedKeyPath = Join-Path $ssouserProfile .ssh\authorized_keys @@ -357,7 +338,7 @@ function Get-LocalUserProfile param([string]$User) $sid = Get-UserSID -User $User $userProfileRegistry = Join-Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" $sid - if (-not (Test-Path $userProfileRegistry) ) { + if (-not (Test-Path $userProfileRegistry) ) { #create profile if (-not($env:DISPLAY)) { $env:DISPLAY = 1 } $askpass_util = Join-Path $Script:E2ETestDirectory "utilities\askpass_util\askpass_util.exe" diff --git a/regress/pesterTests/FileBasedLogging.tests.ps1 b/regress/pesterTests/FileBasedLogging.tests.ps1 deleted file mode 100644 index 65bbc8ca45ab..000000000000 --- a/regress/pesterTests/FileBasedLogging.tests.ps1 +++ /dev/null 
@@ -1,245 +0,0 @@ -If ($PSVersiontable.PSVersion.Major -le 2) {$PSScriptRoot = Split-Path -Parent $MyInvocation.MyCommand.Path} -Import-Module $PSScriptRoot\CommonUtils.psm1 -Force -Import-Module OpenSSHUtils -Force -$tC = 1 -$tI = 0 -$suite = "FileBasedLogging" -Describe "Tests for admin and non-admin file based logs" -Tags "CI" { - BeforeAll { - if($OpenSSHTestInfo -eq $null) - { - Throw "`$OpenSSHTestInfo is null. Please run Set-OpenSSHTestEnvironment to set test environments." - } - - $testDir = "$($OpenSSHTestInfo["TestDataPath"])\$suite" - if( -not (Test-path $testDir -PathType Container)) - { - $null = New-Item $testDir -ItemType directory -Force -ErrorAction SilentlyContinue - } - - $sshLogName = "test.txt" - $sshdLogName = "sshdlog.txt" - $server = $OpenSSHTestInfo["Target"] - $opensshbinpath = $OpenSSHTestInfo['OpenSSHBinPath'] - $nonadminusername = $OpenSSHTestInfo['NonAdminUser'] - $adminusername = $OpenSSHTestInfo['AdminUser'] - $password = $OpenSSHTestInfo['TestAccountPW'] - $port = 47002 - Remove-Item -Path (Join-Path $testDir "*$sshLogName") -Force -ErrorAction SilentlyContinue - - <# Setup sshd_config file#> - - $sshdconfig_ori = Join-Path $Global:OpenSSHTestInfo["ServiceConfigDir"] sshd_config - Write-Host $sshdconfig_ori - $sshdconfig_custom = Join-Path $Global:OpenSSHTestInfo["ServiceConfigDir"] sshd_config_custom - if (Test-Path $sshdconfig_custom) { - Remove-Item $sshdconfig_custom -Force - } - Copy-Item $sshdconfig_ori $sshdconfig_custom - get-acl $sshdconfig_ori | set-acl $sshdconfig_custom - $content = Get-Content -Path $sshdconfig_custom - $newContent = $content -replace "Subsystem sftp sftp-server.exe -l DEBUG3", "Subsystem sftp sftp-server.exe -l DEBUG3 -f LOCAL0" - $newContent | Set-Content -Path $sshdconfig_custom - - #skip when the task schedular (*-ScheduledTask) cmdlets does not exist - $ts = (get-command get-ScheduledTask -ErrorAction SilentlyContinue) - $skip = $ts -eq $null - if(-not $skip) - { - Stop-SSHDTestDaemon -Port $port - 
} - if(($platform -eq [PlatformType]::Windows) -and ([Environment]::OSVersion.Version.Major -le 6)) - { - #suppress the firewall blocking dialogue on win7 - netsh advfirewall firewall add rule name="sshd" program="$($OpenSSHTestInfo['OpenSSHBinPath'])\sshd.exe" protocol=any action=allow dir=in - } - } - - AfterEach { $tI++ } - - AfterAll { - if(($platform -eq [PlatformType]::Windows) -and ($psversiontable.BuildVersion.Major -le 6)) - { - netsh advfirewall firewall delete rule name="sshd" program="$($OpenSSHTestInfo['OpenSSHBinPath'])\sshd.exe" protocol=any dir=in - } - } - - - Context "Tests Logs for SSH connections" { - BeforeAll { - $sshdConfigPath = $sshdconfig_custom - - Add-PasswordSetting -Pass $password - - $tI=1 - } - - BeforeEach { - $sshlog = Join-Path $testDir "$tC.$tI.$sshLogName" - $sshdlog = Join-Path $testDir "$tC.$tI.$sshdLogName" - - if (Test-Path $sshdlog -PathType Leaf) { - Clear-Content $sshdlog - } - - if(-not $skip) - { - Stop-SSHDTestDaemon -Port $port - } - } - - AfterAll { - Remove-PasswordSetting - $tC++ - } - - It "$tC.$tI-Nonadmin SSH Connection" -skip:$skip { - Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-ddd -f $sshdConfigPath -E $sshdlog" -Port $port - $o = ssh -vvv -p $port -E $sshlog $nonadminusername@$server echo 1234 - $o | Should Be 1234 - Stop-SSHDTestDaemon -Port $port - $sshdlog | Should Contain "KEX done \[preauth\]" - $sshdlog | Should Contain "exec_command: echo 1234" - } - - It "$tC.$tI-Admin SSH Connection" -skip:$skip { - Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-ddd -f $sshdConfigPath -E $sshdlog" -Port $port - $o = ssh -vvv -p $port -E $sshlog $adminusername@$server echo 1234 - $o | Should Be 1234 - Stop-SSHDTestDaemon -Port $port - $sshdlog | Should Contain "KEX done \[preauth\]" - $sshdlog | Should Contain "exec_command: echo 1234" - } - - } - - Context "Tests Logs for SFTP connections" { - - BeforeAll { - - $sshdConfigPath = $sshdconfig_custom - - function Setup-KeyBasedAuth - { - 
param([string] $Username, [string] $KeyFilePath, [string] $UserProfile) - - - $userSSHProfilePath = Join-Path $UserProfile .ssh - Write-Host "SSH Profile Path: $userSSHProfilePath" - - if (-not (Test-Path $userSSHProfilePath -PathType Container)) { - New-Item $userSSHProfilePath -ItemType directory -Force -ErrorAction Stop | Out-Null - } - - $authorizedkeyPath = Join-Path $userSSHProfilePath authorized_keys - - if($OpenSSHTestInfo["NoLibreSSL"]) - { - ssh-keygen.exe -t ed25519 -f $KeyFilePath -Z -P `"`" aes128-ctr - } - else - { - ssh-keygen.exe -t ed25519 -f $KeyFilePath -P `"`" - } - - - Copy-Item "$keyFilePath.pub" $authorizedkeyPath -Force -ErrorAction SilentlyContinue - - Repair-AuthorizedKeyPermission -Filepath $authorizedkeyPath -confirm:$false - } - - $AdminUserProfile = $OpenSSHTestInfo['AdminUserProfile'] - $NonAdminUserProfile = $OpenSSHTestInfo['NonAdminUserProfile'] - - $KeyFileName = $nonadminusername + "_sshtest_fileBasedLog_ed25519" - $NonadminKeyFilePath = Join-Path $testDir $keyFileName - Remove-Item -path "$NonadminKeyFilePath*" -Force -ErrorAction SilentlyContinue - Setup-KeyBasedAuth -Username $nonadminusername -KeyFilePath $NonadminKeyFilePath -UserProfile $NonAdminUserProfile - - $KeyFileName = $adminusername + "_sshtest_fileBasedLog_ed25519" - $AdminKeyFilePath = Join-Path $testDir $keyFileName - Remove-Item -path "$AdminKeyFilePath*" -Force -ErrorAction SilentlyContinue - Setup-KeyBasedAuth -Username $adminusername -KeyFilePath $AdminKeyFilePath -UserProfile $AdminUserProfile - - - #create batch file - $commands = -"ls -exit" - - $batchFilePath = Join-Path $testDir "$tC.$tI.commands.txt" - Set-Content $batchFilePath -Encoding UTF8 -value $commands - - # clear logs so that next testcase will get fresh logs. 
- Clear-Content "$env:ProgramData\ssh\logs\sftp-server.log" -Force -ErrorAction SilentlyContinue - - - $tI = 1 - } - - BeforeEach { - #clean sftp log file - $sshlog = Join-Path $testDir "$tC.$tI.$sshLogName" - $sshdlog = Join-Path $testDir "$tC.$tI.$sshdLogName" - if(-not $skip) - { - Stop-SSHDTestDaemon -Port $port - } - } - - AfterAll { - Remove-Item -path "$NonadminKeyFilePath*" -Force -ErrorAction SilentlyContinue - Remove-Item -path "$AdminKeyFilePath*" -Force -ErrorAction SilentlyContinue - - $tC++ - } - - It "$tC.$tI-Nonadmin SFTP Connection" -skip:$skip { - - Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-ddd -f $sshdConfigPath -E $sshdlog" -Port $port - - sftp -P $port -i $NonadminKeyFilePath -b $batchFilePath $nonadminusername@$server - - Stop-SSHDTestDaemon -Port $port - - #Copy sftp-log files into test directory - $sftplog = Join-Path $testDir "$tC.$tI.sftp-server.log" - Copy-Item "$env:ProgramData\ssh\logs\sftp-server.log" $sftplog -Force -ErrorAction SilentlyContinue - - # clear logs so that next testcase will get fresh logs. 
- Clear-Content "$env:ProgramData\ssh\logs\sftp-server.log" -Force -ErrorAction SilentlyContinue - - #checks - $sshdlog | Should Contain "Accepted publickey for $nonadminusername" - $sshdlog | Should Contain "KEX done \[preauth\]" - $sshdlog | Should Contain "debug2: subsystem request for sftp by user $nonadminusername" - $sftplog | Should Contain "session opened for local user $nonadminusername" - $sftplog | Should Contain "debug3: request 3: opendir" - $sftplog | Should Contain "session closed for local user $nonadminusername" - } - - It "$tC.$tI-Admin SFTP Connection" -skip:$skip { - - Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-ddd -f $sshdConfigPath -E $sshdlog" -Port $port - - sftp -P $port -i $AdminKeyFilePath -b $batchFilePath $adminusername@$server - - Stop-SSHDTestDaemon -Port $port - - #Copy sftp-log files into test directory - $sftplog = Join-Path $testDir "$tC.$tI.sftp-server.log" - Copy-Item "$env:ProgramData\ssh\logs\sftp-server.log" $sftplog -Force -ErrorAction SilentlyContinue - - # clear logs so that next testcase will get fresh logs. - Clear-Content "$env:ProgramData\ssh\logs\sftp-server.log" -Force -ErrorAction SilentlyContinue - - #checks - $sshdlog | Should Contain "Accepted publickey for $adminusername" - $sshdlog | Should Contain "KEX done \[preauth\]" - $sshdlog | Should Contain "debug2: subsystem request for sftp by user $adminusername" - $sftplog | Should Contain "session opened for local user $adminusername" - $sftplog | Should Contain "debug3: request 3: opendir" - $sftplog | Should Contain "session closed for local user $adminusername" - } - } -} From 16d80978392d652280d96f7d3a758ba8c66702c3 Mon Sep 17 00:00:00 2001 From: Vivian Thiebaut Date: Thu, 10 Jun 2021 14:48:46 -0400 Subject: [PATCH 29/37] Add New Test File --- .../pesterTests/FileBasedLogging.tests.ps1 | 239 ++++++++++++++++++ 1 file changed, 239 insertions(+) create mode 100644 regress/pesterTests/FileBasedLogging.tests.ps1 
diff --git a/regress/pesterTests/FileBasedLogging.tests.ps1 b/regress/pesterTests/FileBasedLogging.tests.ps1
new file mode 100644
index 000000000000..e86d7cb8d1a5
--- /dev/null
+++ b/regress/pesterTests/FileBasedLogging.tests.ps1
@@ -0,0 +1,239 @@ +If ($PSVersiontable.PSVersion.Major -le 2) {$PSScriptRoot = Split-Path -Parent $MyInvocation.MyCommand.Path} +Import-Module $PSScriptRoot\CommonUtils.psm1 -Force +Import-Module OpenSSHUtils -Force +$tC = 1 +$tI = 0 +$suite = "FileBasedLogging" +Describe "Tests for admin and non-admin file based logs" -Tags "CI" { + BeforeAll { + if($OpenSSHTestInfo -eq $null) + { + Throw "`$OpenSSHTestInfo is null. Please run Set-OpenSSHTestEnvironment to set test environments." + } + + $testDir = "$($OpenSSHTestInfo["TestDataPath"])\$suite" + if( -not (Test-path $testDir -PathType Container)) + { + $null = New-Item $testDir -ItemType directory -Force -ErrorAction SilentlyContinue + } + + $sshLogName = "test.txt" + $sshdLogName = "sshdlog.txt" + $server = $OpenSSHTestInfo["Target"] + $opensshbinpath = $OpenSSHTestInfo['OpenSSHBinPath'] + $nonadminusername = $OpenSSHTestInfo['NonAdminUser'] + $adminusername = $OpenSSHTestInfo['AdminUser'] + $password = $OpenSSHTestInfo['TestAccountPW'] + $port = 47002 + Remove-Item -Path (Join-Path $testDir "*$sshLogName") -Force -ErrorAction SilentlyContinue + + <# Setup sshd_config file#> + + $sshdconfig_ori = Join-Path $Global:OpenSSHTestInfo["ServiceConfigDir"] sshd_config + Write-Host $sshdconfig_ori + $sshdconfig_custom = Join-Path $Global:OpenSSHTestInfo["ServiceConfigDir"] sshd_config_custom + if (Test-Path $sshdconfig_custom) { + Remove-Item $sshdconfig_custom -Force + } + Copy-Item $sshdconfig_ori $sshdconfig_custom + get-acl $sshdconfig_ori | set-acl $sshdconfig_custom + $content = Get-Content -Path $sshdconfig_custom + $newContent = $content -replace "Subsystem sftp sftp-server.exe -l DEBUG3", "Subsystem sftp sftp-server.exe -l DEBUG3 -f LOCAL0" + $newContent | Set-Content -Path $sshdconfig_custom + + #skip when the task schedular (*-ScheduledTask) cmdlets does not exist + $ts = (get-command get-ScheduledTask -ErrorAction SilentlyContinue) + $skip = $ts -eq $null + if(-not $skip) + { + Stop-SSHDTestDaemon -Port $port + 
} + if(($platform -eq [PlatformType]::Windows) -and ([Environment]::OSVersion.Version.Major -le 6)) + { + #suppress the firewall blocking dialogue on win7 + netsh advfirewall firewall add rule name="sshd" program="$($OpenSSHTestInfo['OpenSSHBinPath'])\sshd.exe" protocol=any action=allow dir=in + } + } + + AfterEach { $tI++ } + + AfterAll { + if(($platform -eq [PlatformType]::Windows) -and ($psversiontable.BuildVersion.Major -le 6)) + { + netsh advfirewall firewall delete rule name="sshd" program="$($OpenSSHTestInfo['OpenSSHBinPath'])\sshd.exe" protocol=any dir=in + } + } + + + Context "Tests Logs for SSH connections" { + BeforeAll { + $sshdConfigPath = $sshdconfig_custom + + Add-PasswordSetting -Pass $password + + $tI=1 + } + + BeforeEach { + $sshlog = Join-Path $testDir "$tC.$tI.$sshLogName" + $sshdlog = Join-Path $testDir "$tC.$tI.$sshdLogName" + + if (Test-Path $sshdlog -PathType Leaf) { + Clear-Content $sshdlog + } + + if(-not $skip) + { + Stop-SSHDTestDaemon -Port $port + } + } + + AfterAll { + Remove-PasswordSetting + $tC++ + } + + It "$tC.$tI-Nonadmin SSH Connection" -skip:$skip { + Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-ddd -f $sshdConfigPath -E $sshdlog" -Port $port + $o = ssh -vvv -p $port -E $sshlog $nonadminusername@$server echo 1234 + $o | Should Be 1234 + Stop-SSHDTestDaemon -Port $port + $sshdlog | Should Contain "KEX done \[preauth\]" + $sshdlog | Should Contain "exec_command: echo 1234" + } + + It "$tC.$tI-Admin SSH Connection" -skip:$skip { + Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-ddd -f $sshdConfigPath -E $sshdlog" -Port $port + $o = ssh -vvv -p $port -E $sshlog $adminusername@$server echo 1234 + $o | Should Be 1234 + Stop-SSHDTestDaemon -Port $port + $sshdlog | Should Contain "KEX done \[preauth\]" + $sshdlog | Should Contain "exec_command: echo 1234" + } + + } + + Context "Tests Logs for SFTP connections" { + + BeforeAll { + + $sshdConfigPath = $sshdconfig_custom + + function Setup-KeyBasedAuth + { + 
param([string] $Username, [string] $KeyFilePath, [string] $UserProfile) + + $userSSHProfilePath = Join-Path $UserProfile .ssh + Write-Host "SSH Profile Path: $userSSHProfilePath" + + if (-not (Test-Path $userSSHProfilePath -PathType Container)) { + New-Item $userSSHProfilePath -ItemType directory -Force -ErrorAction Stop | Out-Null + } + + $authorizedkeyPath = Join-Path $userSSHProfilePath authorized_keys + + if($OpenSSHTestInfo["NoLibreSSL"]) + { + ssh-keygen.exe -t ed25519 -f $KeyFilePath -Z -P `"`" aes128-ctr + } + else + { + ssh-keygen.exe -t ed25519 -f $KeyFilePath -P `"`" + } + + Copy-Item "$keyFilePath.pub" $authorizedkeyPath -Force -ErrorAction SilentlyContinue + + Repair-AuthorizedKeyPermission -Filepath $authorizedkeyPath -confirm:$false + } + + $AdminUserProfile = $OpenSSHTestInfo['AdminUserProfile'] + $NonAdminUserProfile = $OpenSSHTestInfo['NonAdminUserProfile'] + + $KeyFileName = $nonadminusername + "_sshtest_fileBasedLog_ed25519" + $NonadminKeyFilePath = Join-Path $testDir $keyFileName + Remove-Item -path "$NonadminKeyFilePath*" -Force -ErrorAction SilentlyContinue + Setup-KeyBasedAuth -Username $nonadminusername -KeyFilePath $NonadminKeyFilePath -UserProfile $NonAdminUserProfile + + $KeyFileName = $adminusername + "_sshtest_fileBasedLog_ed25519" + $AdminKeyFilePath = Join-Path $testDir $keyFileName + Remove-Item -path "$AdminKeyFilePath*" -Force -ErrorAction SilentlyContinue + Setup-KeyBasedAuth -Username $adminusername -KeyFilePath $AdminKeyFilePath -UserProfile $AdminUserProfile + + #create batch file + $commands = +"ls +exit" + + $batchFilePath = Join-Path $testDir "$tC.$tI.commands.txt" + Set-Content $batchFilePath -Encoding UTF8 -value $commands + + # clear logs so that next testcase will get fresh logs. 
+ Clear-Content "$env:ProgramData\ssh\logs\sftp-server.log" -Force -ErrorAction SilentlyContinue + + $tI = 1 + } + + BeforeEach { + #clean sftp log file + $sshlog = Join-Path $testDir "$tC.$tI.$sshLogName" + $sshdlog = Join-Path $testDir "$tC.$tI.$sshdLogName" + if(-not $skip) + { + Stop-SSHDTestDaemon -Port $port + } + } + + AfterAll { + Remove-Item -path "$NonadminKeyFilePath*" -Force -ErrorAction SilentlyContinue + Remove-Item -path "$AdminKeyFilePath*" -Force -ErrorAction SilentlyContinue + + $tC++ + } + + It "$tC.$tI-Nonadmin SFTP Connection" -skip:$skip { + + Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-ddd -f $sshdConfigPath -E $sshdlog" -Port $port + + sftp -P $port -i $NonadminKeyFilePath -b $batchFilePath $nonadminusername@$server + + Stop-SSHDTestDaemon -Port $port + + #Copy sftp-log files into test directory + $sftplog = Join-Path $testDir "$tC.$tI.sftp-server.log" + Copy-Item "$env:ProgramData\ssh\logs\sftp-server.log" $sftplog -Force -ErrorAction SilentlyContinue + + # clear logs so that next testcase will get fresh logs. 
+ Clear-Content "$env:ProgramData\ssh\logs\sftp-server.log" -Force -ErrorAction SilentlyContinue + + $sshdlog | Should Contain "Accepted publickey for $nonadminusername" + $sshdlog | Should Contain "KEX done \[preauth\]" + $sshdlog | Should Contain "debug2: subsystem request for sftp by user $nonadminusername" + $sftplog | Should Contain "session opened for local user $nonadminusername" + $sftplog | Should Contain "debug3: request 3: opendir" + $sftplog | Should Contain "session closed for local user $nonadminusername" + } + + It "$tC.$tI-Admin SFTP Connection" -skip:$skip { + + Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-ddd -f $sshdConfigPath -E $sshdlog" -Port $port + + sftp -P $port -i $AdminKeyFilePath -b $batchFilePath $adminusername@$server + + Stop-SSHDTestDaemon -Port $port + + #Copy sftp-log files into test directory + $sftplog = Join-Path $testDir "$tC.$tI.sftp-server.log" + Copy-Item "$env:ProgramData\ssh\logs\sftp-server.log" $sftplog -Force -ErrorAction SilentlyContinue + + # clear logs so that next testcase will get fresh logs. + Clear-Content "$env:ProgramData\ssh\logs\sftp-server.log" -Force -ErrorAction SilentlyContinue + + $sshdlog | Should Contain "Accepted publickey for $adminusername" + $sshdlog | Should Contain "KEX done \[preauth\]" + $sshdlog | Should Contain "debug2: subsystem request for sftp by user $adminusername" + $sftplog | Should Contain "session opened for local user $adminusername" + $sftplog | Should Contain "debug3: request 3: opendir" + $sftplog | Should Contain "session closed for local user $adminusername" + } + } +} From b93d5a4ecd97c4d9c65037841f8195ead99ce128 Mon Sep 17 00:00:00 2001 
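Review bot: `Setup-KeyBasedAuth` installs the generated public key by overwriting the user's `authorized_keys` with `Copy-Item "$keyFilePath.pub" $authorizedkeyPath -Force -ErrorAction SilentlyContinue`, but the SFTP context's `AfterAll` only deletes the key files under `$testDir`, so every run clobbers any pre-existing `authorized_keys` for both test accounts and leaves the test-generated key authorized on the host after the private key is gone. The cleanup should remove what the setup installed, e.g. `Remove-Item (Join-Path $NonAdminUserProfile .ssh\authorized_keys) -Force -ErrorAction SilentlyContinue` and the same for `$AdminUserProfile`. The `-ErrorAction SilentlyContinue` on that `Copy-Item` also hides a failed key install, which then only surfaces later as a missing `Accepted publickey for ...` assertion; `-ErrorAction Stop` would fail the setup at the real cause. Note that the `OpenSSHTestInfo` keys read in `BeforeAll` (`NonAdminUser`, `AdminUser`, `NonAdminUserProfile`, `AdminUserProfile`) are the ones the preceding revert in this series removed from `OpenSSHTestHelper.psm1`, so as committed those user names and profile paths appear to resolve to null. The `$Username` parameter of `Setup-KeyBasedAuth` is declared but never referenced in its body.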
From: Vivian Thiebaut
Date: Thu, 10 Jun 2021 15:00:34 -0400
Subject: [PATCH 30/37] Revert "Add New Test File"
This reverts commit 16d80978392d652280d96f7d3a758ba8c66702c3.
---
 .../pesterTests/FileBasedLogging.tests.ps1 | 239 ------------------
 1 file changed, 239 deletions(-)
 delete mode 100644 regress/pesterTests/FileBasedLogging.tests.ps1
diff --git a/regress/pesterTests/FileBasedLogging.tests.ps1 b/regress/pesterTests/FileBasedLogging.tests.ps1
deleted file mode 100644
index e86d7cb8d1a5..000000000000
--- a/regress/pesterTests/FileBasedLogging.tests.ps1
+++ /dev/null
@@ -1,239 +0,0 @@ -If ($PSVersiontable.PSVersion.Major -le 2) {$PSScriptRoot = Split-Path -Parent $MyInvocation.MyCommand.Path} -Import-Module $PSScriptRoot\CommonUtils.psm1 -Force -Import-Module OpenSSHUtils -Force -$tC = 1 -$tI = 0 -$suite = "FileBasedLogging" -Describe "Tests for admin and non-admin file based logs" -Tags "CI" { - BeforeAll { - if($OpenSSHTestInfo -eq $null) - { - Throw "`$OpenSSHTestInfo is null. Please run Set-OpenSSHTestEnvironment to set test environments." - } - - $testDir = "$($OpenSSHTestInfo["TestDataPath"])\$suite" - if( -not (Test-path $testDir -PathType Container)) - { - $null = New-Item $testDir -ItemType directory -Force -ErrorAction SilentlyContinue - } - - $sshLogName = "test.txt" - $sshdLogName = "sshdlog.txt" - $server = $OpenSSHTestInfo["Target"] - $opensshbinpath = $OpenSSHTestInfo['OpenSSHBinPath'] - $nonadminusername = $OpenSSHTestInfo['NonAdminUser'] - $adminusername = $OpenSSHTestInfo['AdminUser'] - $password = $OpenSSHTestInfo['TestAccountPW'] - $port = 47002 - Remove-Item -Path (Join-Path $testDir "*$sshLogName") -Force -ErrorAction SilentlyContinue - - <# Setup sshd_config file#> - - $sshdconfig_ori = Join-Path $Global:OpenSSHTestInfo["ServiceConfigDir"] sshd_config - Write-Host $sshdconfig_ori - $sshdconfig_custom = Join-Path $Global:OpenSSHTestInfo["ServiceConfigDir"] sshd_config_custom - if (Test-Path $sshdconfig_custom) { - Remove-Item $sshdconfig_custom -Force - } - Copy-Item $sshdconfig_ori $sshdconfig_custom - get-acl $sshdconfig_ori | set-acl $sshdconfig_custom - $content = Get-Content -Path $sshdconfig_custom - $newContent = $content -replace "Subsystem sftp sftp-server.exe -l DEBUG3", "Subsystem sftp sftp-server.exe -l DEBUG3 -f LOCAL0" - $newContent | Set-Content -Path $sshdconfig_custom - - #skip when the task schedular (*-ScheduledTask) cmdlets does not exist - $ts = (get-command get-ScheduledTask -ErrorAction SilentlyContinue) - $skip = $ts -eq $null - if(-not $skip) - { - Stop-SSHDTestDaemon -Port $port - 
} - if(($platform -eq [PlatformType]::Windows) -and ([Environment]::OSVersion.Version.Major -le 6)) - { - #suppress the firewall blocking dialogue on win7 - netsh advfirewall firewall add rule name="sshd" program="$($OpenSSHTestInfo['OpenSSHBinPath'])\sshd.exe" protocol=any action=allow dir=in - } - } - - AfterEach { $tI++ } - - AfterAll { - if(($platform -eq [PlatformType]::Windows) -and ($psversiontable.BuildVersion.Major -le 6)) - { - netsh advfirewall firewall delete rule name="sshd" program="$($OpenSSHTestInfo['OpenSSHBinPath'])\sshd.exe" protocol=any dir=in - } - } - - - Context "Tests Logs for SSH connections" { - BeforeAll { - $sshdConfigPath = $sshdconfig_custom - - Add-PasswordSetting -Pass $password - - $tI=1 - } - - BeforeEach { - $sshlog = Join-Path $testDir "$tC.$tI.$sshLogName" - $sshdlog = Join-Path $testDir "$tC.$tI.$sshdLogName" - - if (Test-Path $sshdlog -PathType Leaf) { - Clear-Content $sshdlog - } - - if(-not $skip) - { - Stop-SSHDTestDaemon -Port $port - } - } - - AfterAll { - Remove-PasswordSetting - $tC++ - } - - It "$tC.$tI-Nonadmin SSH Connection" -skip:$skip { - Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-ddd -f $sshdConfigPath -E $sshdlog" -Port $port - $o = ssh -vvv -p $port -E $sshlog $nonadminusername@$server echo 1234 - $o | Should Be 1234 - Stop-SSHDTestDaemon -Port $port - $sshdlog | Should Contain "KEX done \[preauth\]" - $sshdlog | Should Contain "exec_command: echo 1234" - } - - It "$tC.$tI-Admin SSH Connection" -skip:$skip { - Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-ddd -f $sshdConfigPath -E $sshdlog" -Port $port - $o = ssh -vvv -p $port -E $sshlog $adminusername@$server echo 1234 - $o | Should Be 1234 - Stop-SSHDTestDaemon -Port $port - $sshdlog | Should Contain "KEX done \[preauth\]" - $sshdlog | Should Contain "exec_command: echo 1234" - } - - } - - Context "Tests Logs for SFTP connections" { - - BeforeAll { - - $sshdConfigPath = $sshdconfig_custom - - function Setup-KeyBasedAuth - { - 
param([string] $Username, [string] $KeyFilePath, [string] $UserProfile) - - $userSSHProfilePath = Join-Path $UserProfile .ssh - Write-Host "SSH Profile Path: $userSSHProfilePath" - - if (-not (Test-Path $userSSHProfilePath -PathType Container)) { - New-Item $userSSHProfilePath -ItemType directory -Force -ErrorAction Stop | Out-Null - } - - $authorizedkeyPath = Join-Path $userSSHProfilePath authorized_keys - - if($OpenSSHTestInfo["NoLibreSSL"]) - { - ssh-keygen.exe -t ed25519 -f $KeyFilePath -Z -P `"`" aes128-ctr - } - else - { - ssh-keygen.exe -t ed25519 -f $KeyFilePath -P `"`" - } - - Copy-Item "$keyFilePath.pub" $authorizedkeyPath -Force -ErrorAction SilentlyContinue - - Repair-AuthorizedKeyPermission -Filepath $authorizedkeyPath -confirm:$false - } - - $AdminUserProfile = $OpenSSHTestInfo['AdminUserProfile'] - $NonAdminUserProfile = $OpenSSHTestInfo['NonAdminUserProfile'] - - $KeyFileName = $nonadminusername + "_sshtest_fileBasedLog_ed25519" - $NonadminKeyFilePath = Join-Path $testDir $keyFileName - Remove-Item -path "$NonadminKeyFilePath*" -Force -ErrorAction SilentlyContinue - Setup-KeyBasedAuth -Username $nonadminusername -KeyFilePath $NonadminKeyFilePath -UserProfile $NonAdminUserProfile - - $KeyFileName = $adminusername + "_sshtest_fileBasedLog_ed25519" - $AdminKeyFilePath = Join-Path $testDir $keyFileName - Remove-Item -path "$AdminKeyFilePath*" -Force -ErrorAction SilentlyContinue - Setup-KeyBasedAuth -Username $adminusername -KeyFilePath $AdminKeyFilePath -UserProfile $AdminUserProfile - - #create batch file - $commands = -"ls -exit" - - $batchFilePath = Join-Path $testDir "$tC.$tI.commands.txt" - Set-Content $batchFilePath -Encoding UTF8 -value $commands - - # clear logs so that next testcase will get fresh logs. 
- Clear-Content "$env:ProgramData\ssh\logs\sftp-server.log" -Force -ErrorAction SilentlyContinue - - $tI = 1 - } - - BeforeEach { - #clean sftp log file - $sshlog = Join-Path $testDir "$tC.$tI.$sshLogName" - $sshdlog = Join-Path $testDir "$tC.$tI.$sshdLogName" - if(-not $skip) - { - Stop-SSHDTestDaemon -Port $port - } - } - - AfterAll { - Remove-Item -path "$NonadminKeyFilePath*" -Force -ErrorAction SilentlyContinue - Remove-Item -path "$AdminKeyFilePath*" -Force -ErrorAction SilentlyContinue - - $tC++ - } - - It "$tC.$tI-Nonadmin SFTP Connection" -skip:$skip { - - Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-ddd -f $sshdConfigPath -E $sshdlog" -Port $port - - sftp -P $port -i $NonadminKeyFilePath -b $batchFilePath $nonadminusername@$server - - Stop-SSHDTestDaemon -Port $port - - #Copy sftp-log files into test directory - $sftplog = Join-Path $testDir "$tC.$tI.sftp-server.log" - Copy-Item "$env:ProgramData\ssh\logs\sftp-server.log" $sftplog -Force -ErrorAction SilentlyContinue - - # clear logs so that next testcase will get fresh logs. 
- Clear-Content "$env:ProgramData\ssh\logs\sftp-server.log" -Force -ErrorAction SilentlyContinue - - $sshdlog | Should Contain "Accepted publickey for $nonadminusername" - $sshdlog | Should Contain "KEX done \[preauth\]" - $sshdlog | Should Contain "debug2: subsystem request for sftp by user $nonadminusername" - $sftplog | Should Contain "session opened for local user $nonadminusername" - $sftplog | Should Contain "debug3: request 3: opendir" - $sftplog | Should Contain "session closed for local user $nonadminusername" - } - - It "$tC.$tI-Admin SFTP Connection" -skip:$skip { - - Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-ddd -f $sshdConfigPath -E $sshdlog" -Port $port - - sftp -P $port -i $AdminKeyFilePath -b $batchFilePath $adminusername@$server - - Stop-SSHDTestDaemon -Port $port - - #Copy sftp-log files into test directory - $sftplog = Join-Path $testDir "$tC.$tI.sftp-server.log" - Copy-Item "$env:ProgramData\ssh\logs\sftp-server.log" $sftplog -Force -ErrorAction SilentlyContinue - - # clear logs so that next testcase will get fresh logs. - Clear-Content "$env:ProgramData\ssh\logs\sftp-server.log" -Force -ErrorAction SilentlyContinue - - $sshdlog | Should Contain "Accepted publickey for $adminusername" - $sshdlog | Should Contain "KEX done \[preauth\]" - $sshdlog | Should Contain "debug2: subsystem request for sftp by user $adminusername" - $sftplog | Should Contain "session opened for local user $adminusername" - $sftplog | Should Contain "debug3: request 3: opendir" - $sftplog | Should Contain "session closed for local user $adminusername" - } - } -} From 7030ad500e77400180190b7b5030bf89b77b8023 Mon Sep 17 00:00:00 2001 
From: Vivian Thiebaut Date: Thu, 10 Jun 2021 15:00:49 -0400 Subject: [PATCH 31/37] Revert "Revert "Testing logs for admin and non admin users"" This reverts commit f673003b61d99fc07015d5da36ab84c9fb39c419. --- contrib/win32/openssh/OpenSSHTestHelper.psm1 | 29 ++- .../pesterTests/FileBasedLogging.tests.ps1 | 245 ++++++++++++++++++ 2 files changed, 269 insertions(+), 5 deletions(-) create mode 100644 regress/pesterTests/FileBasedLogging.tests.ps1 diff --git a/contrib/win32/openssh/OpenSSHTestHelper.psm1 b/contrib/win32/openssh/OpenSSHTestHelper.psm1 index b6009cdf7e66..43f02b6b1e46 100644 --- a/contrib/win32/openssh/OpenSSHTestHelper.psm1 +++ b/contrib/win32/openssh/OpenSSHTestHelper.psm1 @@ -13,8 +13,10 @@ $TestSetupLogFileName = "TestSetupLog.txt" $SSOUser = "sshtest_ssouser" $PubKeyUser = "sshtest_pubkeyuser" $PasswdUser = "sshtest_passwduser" +$AdminUser = "sshtest_adminuser" +$NonAdminUser = "sshtest_nonadminuser" $OpenSSHTestAccountsPassword = "P@ssw0rd_1" -$OpenSSHTestAccounts = $Script:SSOUser, $Script:PubKeyUser, $Script:PasswdUser +$OpenSSHTestAccounts = $Script:SSOUser, $Script:PubKeyUser, $Script:PasswdUser, $Script:AdminUser, $Script:NonAdminUser $SSHDTestSvcName = "sshdTestSvc" $Script:TestDataPath = "$env:SystemDrive\OpenSSHTests" 
@@ -65,6 +67,8 @@ function Set-OpenSSHTestEnvironment $Global:OpenSSHTestInfo.Add("SSOUser", $SSOUser) # test user with single sign on capability $Global:OpenSSHTestInfo.Add("PubKeyUser", $PubKeyUser) # test user to be used with explicit key for key auth $Global:OpenSSHTestInfo.Add("PasswdUser", $PasswdUser) # test user to be used for password auth + $Global:OpenSSHTestInfo.Add("AdminUser", $AdminUser) # test user to be used for admin logging tests + $Global:OpenSSHTestInfo.Add("NonAdminUser", $NonAdminUser) # test user to be used for non-admin logging tests $Global:OpenSSHTestInfo.Add("TestAccountPW", $OpenSSHTestAccountsPassword) # common password for all test accounts $Global:OpenSSHTestInfo.Add("DebugMode", $DebugMode.IsPresent) # run openssh E2E in debug mode 
@@ -205,11 +209,26 @@ WARNING: Following changes will be made to OpenSSH configuration net user $user $Script:OpenSSHTestAccountsPassword /ADD 2>&1 >> $Script:TestSetupLogFile } } - - #setup single sign on for ssouser + + #setup single sign on for ssouser $ssouserProfile = Get-LocalUserProfile -User $SSOUser + Write-Host $ssouserProfile $Global:OpenSSHTestInfo.Add("SSOUserProfile", $ssouserProfile) - $Global:OpenSSHTestInfo.Add("PubKeyUserProfile", (Get-LocalUserProfile -User $PubKeyUser)) + + $PubKeyUserProfile = Get-LocalUserProfile -User $PubKeyUser + Write-Host $PubKeyUserProfile + $Global:OpenSSHTestInfo.Add("PubKeyUserProfile", $PubKeyUserProfile) + + $AdminUserProfile = Get-LocalUserProfile -User $AdminUser + Write-Host $AdminUserProfile + $Global:OpenSSHTestInfo.Add("AdminUserProfile", $AdminUserProfile) + + $NonAdminUserProfile = Get-LocalUserProfile -User $NonAdminUser + Write-Host $NonAdminUserProfile + $Global:OpenSSHTestInfo.Add("NonAdminUserProfile", $NonAdminUserProfile) + + #make $AdminUser admin + net localgroup Administrators $AdminUser /add New-Item -ItemType Directory -Path (Join-Path $ssouserProfile .ssh) -Force -ErrorAction SilentlyContinue | out-null $authorizedKeyPath = Join-Path $ssouserProfile .ssh\authorized_keys @@ -338,7 +357,7 @@ function Get-LocalUserProfile param([string]$User) $sid = Get-UserSID -User $User $userProfileRegistry = Join-Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" $sid - if (-not (Test-Path $userProfileRegistry) ) { + if (-not (Test-Path $userProfileRegistry) ) { #create profile if (-not($env:DISPLAY)) { $env:DISPLAY = 1 } $askpass_util = Join-Path $Script:E2ETestDirectory "utilities\askpass_util\askpass_util.exe" diff --git a/regress/pesterTests/FileBasedLogging.tests.ps1 b/regress/pesterTests/FileBasedLogging.tests.ps1 new file mode 100644 index 000000000000..65bbc8ca45ab --- /dev/null +++ b/regress/pesterTests/FileBasedLogging.tests.ps1 
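Review bot: `net localgroup Administrators $AdminUser /add` grants local Administrators membership to a test account whose password is the shared constant `$OpenSSHTestAccountsPassword` defined at the top of this file, and unlike the `net user ... /ADD` line a few lines above, its output and exit status are neither logged nor checked, so a failed add only surfaces later as an unexplained test failure. Redirect it the same way, `net localgroup Administrators $AdminUser /add 2>&1 >> $Script:TestSetupLogFile`, and test `$LASTEXITCODE` afterwards. The teardown that removes the test accounts is outside this hunk; it should also drop this group membership (or the account itself) so that an administrator account with a well-known password does not outlive the test run.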
@@ -0,0 +1,245 @@ +If ($PSVersiontable.PSVersion.Major -le 2) {$PSScriptRoot = Split-Path -Parent $MyInvocation.MyCommand.Path} +Import-Module $PSScriptRoot\CommonUtils.psm1 -Force +Import-Module OpenSSHUtils -Force +$tC = 1 +$tI = 0 +$suite = "FileBasedLogging" +Describe "Tests for admin and non-admin file based logs" -Tags "CI" { + BeforeAll { + if($OpenSSHTestInfo -eq $null) + { + Throw "`$OpenSSHTestInfo is null. Please run Set-OpenSSHTestEnvironment to set test environments." + } + + $testDir = "$($OpenSSHTestInfo["TestDataPath"])\$suite" + if( -not (Test-path $testDir -PathType Container)) + { + $null = New-Item $testDir -ItemType directory -Force -ErrorAction SilentlyContinue + } + + $sshLogName = "test.txt" + $sshdLogName = "sshdlog.txt" + $server = $OpenSSHTestInfo["Target"] + $opensshbinpath = $OpenSSHTestInfo['OpenSSHBinPath'] + $nonadminusername = $OpenSSHTestInfo['NonAdminUser'] + $adminusername = $OpenSSHTestInfo['AdminUser'] + $password = $OpenSSHTestInfo['TestAccountPW'] + $port = 47002 + Remove-Item -Path (Join-Path $testDir "*$sshLogName") -Force -ErrorAction SilentlyContinue + + <# Setup sshd_config file#> + + $sshdconfig_ori = Join-Path $Global:OpenSSHTestInfo["ServiceConfigDir"] sshd_config + Write-Host $sshdconfig_ori + $sshdconfig_custom = Join-Path $Global:OpenSSHTestInfo["ServiceConfigDir"] sshd_config_custom + if (Test-Path $sshdconfig_custom) { + Remove-Item $sshdconfig_custom -Force + } + Copy-Item $sshdconfig_ori $sshdconfig_custom + get-acl $sshdconfig_ori | set-acl $sshdconfig_custom + $content = Get-Content -Path $sshdconfig_custom + $newContent = $content -replace "Subsystem sftp sftp-server.exe -l DEBUG3", "Subsystem sftp sftp-server.exe -l DEBUG3 -f LOCAL0" + $newContent | Set-Content -Path $sshdconfig_custom + + #skip when the task schedular (*-ScheduledTask) cmdlets does not exist + $ts = (get-command get-ScheduledTask -ErrorAction SilentlyContinue) + $skip = $ts -eq $null + if(-not $skip) + { + Stop-SSHDTestDaemon -Port $port + 
} + if(($platform -eq [PlatformType]::Windows) -and ([Environment]::OSVersion.Version.Major -le 6)) + { + #suppress the firewall blocking dialogue on win7 + netsh advfirewall firewall add rule name="sshd" program="$($OpenSSHTestInfo['OpenSSHBinPath'])\sshd.exe" protocol=any action=allow dir=in + } + } + + AfterEach { $tI++ } + + AfterAll { + if(($platform -eq [PlatformType]::Windows) -and ($psversiontable.BuildVersion.Major -le 6)) + { + netsh advfirewall firewall delete rule name="sshd" program="$($OpenSSHTestInfo['OpenSSHBinPath'])\sshd.exe" protocol=any dir=in + } + } + + + Context "Tests Logs for SSH connections" { + BeforeAll { + $sshdConfigPath = $sshdconfig_custom + + Add-PasswordSetting -Pass $password + + $tI=1 + } + + BeforeEach { + $sshlog = Join-Path $testDir "$tC.$tI.$sshLogName" + $sshdlog = Join-Path $testDir "$tC.$tI.$sshdLogName" + + if (Test-Path $sshdlog -PathType Leaf) { + Clear-Content $sshdlog + } + + if(-not $skip) + { + Stop-SSHDTestDaemon -Port $port + } + } + + AfterAll { + Remove-PasswordSetting + $tC++ + } + + It "$tC.$tI-Nonadmin SSH Connection" -skip:$skip { + Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-ddd -f $sshdConfigPath -E $sshdlog" -Port $port + $o = ssh -vvv -p $port -E $sshlog $nonadminusername@$server echo 1234 + $o | Should Be 1234 + Stop-SSHDTestDaemon -Port $port + $sshdlog | Should Contain "KEX done \[preauth\]" + $sshdlog | Should Contain "exec_command: echo 1234" + } + + It "$tC.$tI-Admin SSH Connection" -skip:$skip { + Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-ddd -f $sshdConfigPath -E $sshdlog" -Port $port + $o = ssh -vvv -p $port -E $sshlog $adminusername@$server echo 1234 + $o | Should Be 1234 + Stop-SSHDTestDaemon -Port $port + $sshdlog | Should Contain "KEX done \[preauth\]" + $sshdlog | Should Contain "exec_command: echo 1234" + } + + } + + Context "Tests Logs for SFTP connections" { + + BeforeAll { + + $sshdConfigPath = $sshdconfig_custom + + function Setup-KeyBasedAuth + { + 
param([string] $Username, [string] $KeyFilePath, [string] $UserProfile) + + + $userSSHProfilePath = Join-Path $UserProfile .ssh + Write-Host "SSH Profile Path: $userSSHProfilePath" + + if (-not (Test-Path $userSSHProfilePath -PathType Container)) { + New-Item $userSSHProfilePath -ItemType directory -Force -ErrorAction Stop | Out-Null + } + + $authorizedkeyPath = Join-Path $userSSHProfilePath authorized_keys + + if($OpenSSHTestInfo["NoLibreSSL"]) + { + ssh-keygen.exe -t ed25519 -f $KeyFilePath -Z -P `"`" aes128-ctr + } + else + { + ssh-keygen.exe -t ed25519 -f $KeyFilePath -P `"`" + } + + + Copy-Item "$keyFilePath.pub" $authorizedkeyPath -Force -ErrorAction SilentlyContinue + + Repair-AuthorizedKeyPermission -Filepath $authorizedkeyPath -confirm:$false + } + + $AdminUserProfile = $OpenSSHTestInfo['AdminUserProfile'] + $NonAdminUserProfile = $OpenSSHTestInfo['NonAdminUserProfile'] + + $KeyFileName = $nonadminusername + "_sshtest_fileBasedLog_ed25519" + $NonadminKeyFilePath = Join-Path $testDir $keyFileName + Remove-Item -path "$NonadminKeyFilePath*" -Force -ErrorAction SilentlyContinue + Setup-KeyBasedAuth -Username $nonadminusername -KeyFilePath $NonadminKeyFilePath -UserProfile $NonAdminUserProfile + + $KeyFileName = $adminusername + "_sshtest_fileBasedLog_ed25519" + $AdminKeyFilePath = Join-Path $testDir $keyFileName + Remove-Item -path "$AdminKeyFilePath*" -Force -ErrorAction SilentlyContinue + Setup-KeyBasedAuth -Username $adminusername -KeyFilePath $AdminKeyFilePath -UserProfile $AdminUserProfile + + + #create batch file + $commands = +"ls +exit" + + $batchFilePath = Join-Path $testDir "$tC.$tI.commands.txt" + Set-Content $batchFilePath -Encoding UTF8 -value $commands + + # clear logs so that next testcase will get fresh logs. 
+ Clear-Content "$env:ProgramData\ssh\logs\sftp-server.log" -Force -ErrorAction SilentlyContinue + + + $tI = 1 + } + + BeforeEach { + #clean sftp log file + $sshlog = Join-Path $testDir "$tC.$tI.$sshLogName" + $sshdlog = Join-Path $testDir "$tC.$tI.$sshdLogName" + if(-not $skip) + { + Stop-SSHDTestDaemon -Port $port + } + } + + AfterAll { + Remove-Item -path "$NonadminKeyFilePath*" -Force -ErrorAction SilentlyContinue + Remove-Item -path "$AdminKeyFilePath*" -Force -ErrorAction SilentlyContinue + + $tC++ + } + + It "$tC.$tI-Nonadmin SFTP Connection" -skip:$skip { + + Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-ddd -f $sshdConfigPath -E $sshdlog" -Port $port + + sftp -P $port -i $NonadminKeyFilePath -b $batchFilePath $nonadminusername@$server + + Stop-SSHDTestDaemon -Port $port + + #Copy sftp-log files into test directory + $sftplog = Join-Path $testDir "$tC.$tI.sftp-server.log" + Copy-Item "$env:ProgramData\ssh\logs\sftp-server.log" $sftplog -Force -ErrorAction SilentlyContinue + + # clear logs so that next testcase will get fresh logs. 
+ Clear-Content "$env:ProgramData\ssh\logs\sftp-server.log" -Force -ErrorAction SilentlyContinue + + #checks + $sshdlog | Should Contain "Accepted publickey for $nonadminusername" + $sshdlog | Should Contain "KEX done \[preauth\]" + $sshdlog | Should Contain "debug2: subsystem request for sftp by user $nonadminusername" + $sftplog | Should Contain "session opened for local user $nonadminusername" + $sftplog | Should Contain "debug3: request 3: opendir" + $sftplog | Should Contain "session closed for local user $nonadminusername" + } + + It "$tC.$tI-Admin SFTP Connection" -skip:$skip { + + Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-ddd -f $sshdConfigPath -E $sshdlog" -Port $port + + sftp -P $port -i $AdminKeyFilePath -b $batchFilePath $adminusername@$server + + Stop-SSHDTestDaemon -Port $port + + #Copy sftp-log files into test directory + $sftplog = Join-Path $testDir "$tC.$tI.sftp-server.log" + Copy-Item "$env:ProgramData\ssh\logs\sftp-server.log" $sftplog -Force -ErrorAction SilentlyContinue + + # clear logs so that next testcase will get fresh logs. + Clear-Content "$env:ProgramData\ssh\logs\sftp-server.log" -Force -ErrorAction SilentlyContinue + + #checks + $sshdlog | Should Contain "Accepted publickey for $adminusername" + $sshdlog | Should Contain "KEX done \[preauth\]" + $sshdlog | Should Contain "debug2: subsystem request for sftp by user $adminusername" + $sftplog | Should Contain "session opened for local user $adminusername" + $sftplog | Should Contain "debug3: request 3: opendir" + $sftplog | Should Contain "session closed for local user $adminusername" + } + } +} From 664567d679f4ced0ffa893d086419abccc668d43 Mon Sep 17 00:00:00 2001 
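Review bot: The `-replace` on the `Subsystem sftp sftp-server.exe -l DEBUG3` line in the outer `BeforeAll` has no check that the pattern matched, so a service `sshd_config` with a different Subsystem line leaves `sshd_config_custom` unchanged and the `$sftplog` assertions later fail with no hint why; guard it with `if (-not ($content -match 'Subsystem sftp sftp-server\.exe -l DEBUG3')) { Throw "sftp Subsystem line not found in $sshdconfig_ori" }` (the left operand of `-replace` is a regex, so the dots should be escaped there as well). In `Setup-KeyBasedAuth`, `Copy-Item "$keyFilePath.pub" $authorizedkeyPath -Force` replaces the user's whole `authorized_keys` rather than adding the test key, which silently discards any existing entries for that account; append the single line with `Add-Content`, or back the file up here and restore it in the context's `AfterAll`, which currently only removes the generated key files. If the copied `sshd_config` still carries the usual `Match Group administrators` block pointing at `administrators_authorized_keys`, the key written under the admin profile would not be consulted for `$adminusername` at all, which is worth confirming against the service config before relying on the admin SFTP case. The `$Username` parameter of `Setup-KeyBasedAuth` is never used and could be dropped or used in the `Write-Host` diagnostic.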
From: Vivian Thiebaut Date: Thu, 10 Jun 2021 15:01:07 -0400 Subject: [PATCH 32/37] Revert "Revert "Changed tabs into spaces in test scripts for consistency"" This reverts commit 0d4b90d9824bd002d7ddd2d8de52ca94e8a44040. --- contrib/win32/openssh/OpenSSHTestHelper.psm1 | 36 +-- .../pesterTests/FileBasedLogging.tests.ps1 | 276 +++++++++--------- 2 files changed, 151 insertions(+), 161 deletions(-) diff --git a/contrib/win32/openssh/OpenSSHTestHelper.psm1 b/contrib/win32/openssh/OpenSSHTestHelper.psm1 index 43f02b6b1e46..9f5da6eaacd5 100644 --- a/contrib/win32/openssh/OpenSSHTestHelper.psm1 +++ b/contrib/win32/openssh/OpenSSHTestHelper.psm1 @@ -67,8 +67,8 @@ function Set-OpenSSHTestEnvironment $Global:OpenSSHTestInfo.Add("SSOUser", $SSOUser) # test user with single sign on capability $Global:OpenSSHTestInfo.Add("PubKeyUser", $PubKeyUser) # test user to be used with explicit key for key auth $Global:OpenSSHTestInfo.Add("PasswdUser", $PasswdUser) # test user to be used for password auth - $Global:OpenSSHTestInfo.Add("AdminUser", $AdminUser) # test user to be used for admin logging tests - $Global:OpenSSHTestInfo.Add("NonAdminUser", $NonAdminUser) # test user to be used for non-admin logging tests + $Global:OpenSSHTestInfo.Add("AdminUser", $AdminUser) # test user to be used for admin logging tests + $Global:OpenSSHTestInfo.Add("NonAdminUser", $NonAdminUser) # test user to be used for non-admin logging tests $Global:OpenSSHTestInfo.Add("TestAccountPW", $OpenSSHTestAccountsPassword) # common password for all test accounts $Global:OpenSSHTestInfo.Add("DebugMode", $DebugMode.IsPresent) # run openssh E2E in debug mode 
@@ -209,26 +209,22 @@ WARNING: Following changes will be made to OpenSSH configuration net user $user $Script:OpenSSHTestAccountsPassword /ADD 2>&1 >> $Script:TestSetupLogFile } } - - #setup single sign on for ssouser + + #setup single sign on for ssouser $ssouserProfile = Get-LocalUserProfile -User $SSOUser - Write-Host $ssouserProfile $Global:OpenSSHTestInfo.Add("SSOUserProfile", $ssouserProfile) - - $PubKeyUserProfile = Get-LocalUserProfile -User $PubKeyUser - Write-Host $PubKeyUserProfile + + $PubKeyUserProfile = Get-LocalUserProfile -User $PubKeyUser $Global:OpenSSHTestInfo.Add("PubKeyUserProfile", $PubKeyUserProfile) - - $AdminUserProfile = Get-LocalUserProfile -User $AdminUser - Write-Host $AdminUserProfile - $Global:OpenSSHTestInfo.Add("AdminUserProfile", $AdminUserProfile) - - $NonAdminUserProfile = Get-LocalUserProfile -User $NonAdminUser - Write-Host $NonAdminUserProfile - $Global:OpenSSHTestInfo.Add("NonAdminUserProfile", $NonAdminUserProfile) - - #make $AdminUser admin - net localgroup Administrators $AdminUser /add + + $AdminUserProfile = Get-LocalUserProfile -User $AdminUser + $Global:OpenSSHTestInfo.Add("AdminUserProfile", $AdminUserProfile) + + $NonAdminUserProfile = Get-LocalUserProfile -User $NonAdminUser + $Global:OpenSSHTestInfo.Add("NonAdminUserProfile", $NonAdminUserProfile) + + #make $AdminUser admin + net localgroup Administrators $AdminUser /add New-Item -ItemType Directory -Path (Join-Path $ssouserProfile .ssh) -Force -ErrorAction SilentlyContinue | out-null $authorizedKeyPath = Join-Path $ssouserProfile .ssh\authorized_keys 
@@ -357,7 +353,7 @@ function Get-LocalUserProfile param([string]$User) $sid = Get-UserSID -User $User $userProfileRegistry = Join-Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" $sid - if (-not (Test-Path $userProfileRegistry) ) { + if (-not (Test-Path $userProfileRegistry) ) { #create profile if (-not($env:DISPLAY)) { $env:DISPLAY = 1 } $askpass_util = Join-Path $Script:E2ETestDirectory "utilities\askpass_util\askpass_util.exe" diff --git a/regress/pesterTests/FileBasedLogging.tests.ps1 b/regress/pesterTests/FileBasedLogging.tests.ps1 index 65bbc8ca45ab..e86d7cb8d1a5 100644 --- a/regress/pesterTests/FileBasedLogging.tests.ps1 +++ b/regress/pesterTests/FileBasedLogging.tests.ps1 
@@ -21,25 +21,25 @@ Describe "Tests for admin and non-admin file based logs" -Tags "CI" { $sshdLogName = "sshdlog.txt" $server = $OpenSSHTestInfo["Target"] $opensshbinpath = $OpenSSHTestInfo['OpenSSHBinPath'] - $nonadminusername = $OpenSSHTestInfo['NonAdminUser'] - $adminusername = $OpenSSHTestInfo['AdminUser'] - $password = $OpenSSHTestInfo['TestAccountPW'] + $nonadminusername = $OpenSSHTestInfo['NonAdminUser'] + $adminusername = $OpenSSHTestInfo['AdminUser'] + $password = $OpenSSHTestInfo['TestAccountPW'] $port = 47002 - Remove-Item -Path (Join-Path $testDir "*$sshLogName") -Force -ErrorAction SilentlyContinue + Remove-Item -Path (Join-Path $testDir "*$sshLogName") -Force -ErrorAction SilentlyContinue - <# Setup sshd_config file#> + <# Setup sshd_config file#> - $sshdconfig_ori = Join-Path $Global:OpenSSHTestInfo["ServiceConfigDir"] sshd_config - Write-Host $sshdconfig_ori + $sshdconfig_ori = Join-Path $Global:OpenSSHTestInfo["ServiceConfigDir"] sshd_config + Write-Host $sshdconfig_ori $sshdconfig_custom = Join-Path $Global:OpenSSHTestInfo["ServiceConfigDir"] sshd_config_custom if (Test-Path $sshdconfig_custom) { Remove-Item $sshdconfig_custom -Force } Copy-Item $sshdconfig_ori $sshdconfig_custom get-acl $sshdconfig_ori | set-acl $sshdconfig_custom - $content = Get-Content -Path $sshdconfig_custom - $newContent = $content -replace "Subsystem sftp sftp-server.exe -l DEBUG3", "Subsystem sftp sftp-server.exe -l DEBUG3 -f LOCAL0" - $newContent | Set-Content -Path $sshdconfig_custom + $content = Get-Content -Path $sshdconfig_custom + $newContent = $content -replace "Subsystem sftp sftp-server.exe -l DEBUG3", "Subsystem sftp sftp-server.exe -l DEBUG3 -f LOCAL0" + $newContent | Set-Content -Path $sshdconfig_custom #skip when the task schedular (*-ScheduledTask) cmdlets does not exist $ts = (get-command get-ScheduledTask -ErrorAction SilentlyContinue) 
@@ -67,21 +67,21 @@ Describe "Tests for admin and non-admin file based logs" -Tags "CI" { Context "Tests Logs for SSH connections" { BeforeAll { - $sshdConfigPath = $sshdconfig_custom - - Add-PasswordSetting -Pass $password - + $sshdConfigPath = $sshdconfig_custom + + Add-PasswordSetting -Pass $password + $tI=1 } BeforeEach { $sshlog = Join-Path $testDir "$tC.$tI.$sshLogName" $sshdlog = Join-Path $testDir "$tC.$tI.$sshdLogName" - - if (Test-Path $sshdlog -PathType Leaf) { - Clear-Content $sshdlog - } - + + if (Test-Path $sshdlog -PathType Leaf) { + Clear-Content $sshdlog + } + if(-not $skip) { Stop-SSHDTestDaemon -Port $port 
@@ -94,152 +94,146 @@ Describe "Tests for admin and non-admin file based logs" -Tags "CI" { } It "$tC.$tI-Nonadmin SSH Connection" -skip:$skip { - Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-ddd -f $sshdConfigPath -E $sshdlog" -Port $port - $o = ssh -vvv -p $port -E $sshlog $nonadminusername@$server echo 1234 - $o | Should Be 1234 - Stop-SSHDTestDaemon -Port $port - $sshdlog | Should Contain "KEX done \[preauth\]" - $sshdlog | Should Contain "exec_command: echo 1234" + Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-ddd -f $sshdConfigPath -E $sshdlog" -Port $port + $o = ssh -vvv -p $port -E $sshlog $nonadminusername@$server echo 1234 + $o | Should Be 1234 + Stop-SSHDTestDaemon -Port $port + $sshdlog | Should Contain "KEX done \[preauth\]" + $sshdlog | Should Contain "exec_command: echo 1234" } - - It "$tC.$tI-Admin SSH Connection" -skip:$skip { - Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-ddd -f $sshdConfigPath -E $sshdlog" -Port $port - $o = ssh -vvv -p $port -E $sshlog $adminusername@$server echo 1234 - $o | Should Be 1234 - Stop-SSHDTestDaemon -Port $port - $sshdlog | Should Contain "KEX done \[preauth\]" - $sshdlog | Should Contain "exec_command: echo 1234" + + It "$tC.$tI-Admin SSH Connection" -skip:$skip { + Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-ddd -f $sshdConfigPath -E $sshdlog" -Port $port + $o = ssh -vvv -p $port -E $sshlog $adminusername@$server echo 1234 + $o | Should Be 1234 + Stop-SSHDTestDaemon -Port $port + $sshdlog | Should Contain "KEX done \[preauth\]" + $sshdlog | Should Contain "exec_command: echo 1234" } } - Context "Tests Logs for SFTP connections" { + Context "Tests Logs for SFTP connections" { - BeforeAll { - - $sshdConfigPath = $sshdconfig_custom - - function Setup-KeyBasedAuth - { - param([string] $Username, [string] $KeyFilePath, [string] $UserProfile) - - - $userSSHProfilePath = Join-Path $UserProfile .ssh - Write-Host "SSH Profile Path: $userSSHProfilePath" - - if (-not 
(Test-Path $userSSHProfilePath -PathType Container)) { - New-Item $userSSHProfilePath -ItemType directory -Force -ErrorAction Stop | Out-Null - } - - $authorizedkeyPath = Join-Path $userSSHProfilePath authorized_keys - - if($OpenSSHTestInfo["NoLibreSSL"]) - { - ssh-keygen.exe -t ed25519 -f $KeyFilePath -Z -P `"`" aes128-ctr - } - else - { - ssh-keygen.exe -t ed25519 -f $KeyFilePath -P `"`" - } - - - Copy-Item "$keyFilePath.pub" $authorizedkeyPath -Force -ErrorAction SilentlyContinue - - Repair-AuthorizedKeyPermission -Filepath $authorizedkeyPath -confirm:$false - } - - $AdminUserProfile = $OpenSSHTestInfo['AdminUserProfile'] - $NonAdminUserProfile = $OpenSSHTestInfo['NonAdminUserProfile'] - - $KeyFileName = $nonadminusername + "_sshtest_fileBasedLog_ed25519" - $NonadminKeyFilePath = Join-Path $testDir $keyFileName - Remove-Item -path "$NonadminKeyFilePath*" -Force -ErrorAction SilentlyContinue - Setup-KeyBasedAuth -Username $nonadminusername -KeyFilePath $NonadminKeyFilePath -UserProfile $NonAdminUserProfile - - $KeyFileName = $adminusername + "_sshtest_fileBasedLog_ed25519" - $AdminKeyFilePath = Join-Path $testDir $keyFileName - Remove-Item -path "$AdminKeyFilePath*" -Force -ErrorAction SilentlyContinue - Setup-KeyBasedAuth -Username $adminusername -KeyFilePath $AdminKeyFilePath -UserProfile $AdminUserProfile - + BeforeAll { + + $sshdConfigPath = $sshdconfig_custom - #create batch file - $commands = + function Setup-KeyBasedAuth + { + param([string] $Username, [string] $KeyFilePath, [string] $UserProfile) + + $userSSHProfilePath = Join-Path $UserProfile .ssh + Write-Host "SSH Profile Path: $userSSHProfilePath" + + if (-not (Test-Path $userSSHProfilePath -PathType Container)) { + New-Item $userSSHProfilePath -ItemType directory -Force -ErrorAction Stop | Out-Null + } + + $authorizedkeyPath = Join-Path $userSSHProfilePath authorized_keys + + if($OpenSSHTestInfo["NoLibreSSL"]) + { + ssh-keygen.exe -t ed25519 -f $KeyFilePath -Z -P `"`" aes128-ctr + } + else + { + 
ssh-keygen.exe -t ed25519 -f $KeyFilePath -P `"`" + } + + Copy-Item "$keyFilePath.pub" $authorizedkeyPath -Force -ErrorAction SilentlyContinue + + Repair-AuthorizedKeyPermission -Filepath $authorizedkeyPath -confirm:$false + } + + $AdminUserProfile = $OpenSSHTestInfo['AdminUserProfile'] + $NonAdminUserProfile = $OpenSSHTestInfo['NonAdminUserProfile'] + + $KeyFileName = $nonadminusername + "_sshtest_fileBasedLog_ed25519" + $NonadminKeyFilePath = Join-Path $testDir $keyFileName + Remove-Item -path "$NonadminKeyFilePath*" -Force -ErrorAction SilentlyContinue + Setup-KeyBasedAuth -Username $nonadminusername -KeyFilePath $NonadminKeyFilePath -UserProfile $NonAdminUserProfile + + $KeyFileName = $adminusername + "_sshtest_fileBasedLog_ed25519" + $AdminKeyFilePath = Join-Path $testDir $keyFileName + Remove-Item -path "$AdminKeyFilePath*" -Force -ErrorAction SilentlyContinue + Setup-KeyBasedAuth -Username $adminusername -KeyFilePath $AdminKeyFilePath -UserProfile $AdminUserProfile + + #create batch file + $commands = "ls exit" - - $batchFilePath = Join-Path $testDir "$tC.$tI.commands.txt" - Set-Content $batchFilePath -Encoding UTF8 -value $commands - - # clear logs so that next testcase will get fresh logs. + + $batchFilePath = Join-Path $testDir "$tC.$tI.commands.txt" + Set-Content $batchFilePath -Encoding UTF8 -value $commands + + # clear logs so that next testcase will get fresh logs. 
Clear-Content "$env:ProgramData\ssh\logs\sftp-server.log" -Force -ErrorAction SilentlyContinue - - - $tI = 1 + + $tI = 1 } - BeforeEach { - #clean sftp log file - $sshlog = Join-Path $testDir "$tC.$tI.$sshLogName" + BeforeEach { + #clean sftp log file + $sshlog = Join-Path $testDir "$tC.$tI.$sshLogName" $sshdlog = Join-Path $testDir "$tC.$tI.$sshdLogName" - if(-not $skip) + if(-not $skip) { Stop-SSHDTestDaemon -Port $port } - } - - AfterAll { - Remove-Item -path "$NonadminKeyFilePath*" -Force -ErrorAction SilentlyContinue - Remove-Item -path "$AdminKeyFilePath*" -Force -ErrorAction SilentlyContinue - - $tC++ - } - - It "$tC.$tI-Nonadmin SFTP Connection" -skip:$skip { - - Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-ddd -f $sshdConfigPath -E $sshdlog" -Port $port + } - sftp -P $port -i $NonadminKeyFilePath -b $batchFilePath $nonadminusername@$server + AfterAll { + Remove-Item -path "$NonadminKeyFilePath*" -Force -ErrorAction SilentlyContinue + Remove-Item -path "$AdminKeyFilePath*" -Force -ErrorAction SilentlyContinue - Stop-SSHDTestDaemon -Port $port - - #Copy sftp-log files into test directory - $sftplog = Join-Path $testDir "$tC.$tI.sftp-server.log" - Copy-Item "$env:ProgramData\ssh\logs\sftp-server.log" $sftplog -Force -ErrorAction SilentlyContinue - + $tC++ + } + + It "$tC.$tI-Nonadmin SFTP Connection" -skip:$skip { + + Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-ddd -f $sshdConfigPath -E $sshdlog" -Port $port + + sftp -P $port -i $NonadminKeyFilePath -b $batchFilePath $nonadminusername@$server + + Stop-SSHDTestDaemon -Port $port + + #Copy sftp-log files into test directory + $sftplog = Join-Path $testDir "$tC.$tI.sftp-server.log" + Copy-Item "$env:ProgramData\ssh\logs\sftp-server.log" $sftplog -Force -ErrorAction SilentlyContinue + # clear logs so that next testcase will get fresh logs. 
Clear-Content "$env:ProgramData\ssh\logs\sftp-server.log" -Force -ErrorAction SilentlyContinue - - #checks - $sshdlog | Should Contain "Accepted publickey for $nonadminusername" - $sshdlog | Should Contain "KEX done \[preauth\]" - $sshdlog | Should Contain "debug2: subsystem request for sftp by user $nonadminusername" - $sftplog | Should Contain "session opened for local user $nonadminusername" - $sftplog | Should Contain "debug3: request 3: opendir" - $sftplog | Should Contain "session closed for local user $nonadminusername" + + $sshdlog | Should Contain "Accepted publickey for $nonadminusername" + $sshdlog | Should Contain "KEX done \[preauth\]" + $sshdlog | Should Contain "debug2: subsystem request for sftp by user $nonadminusername" + $sftplog | Should Contain "session opened for local user $nonadminusername" + $sftplog | Should Contain "debug3: request 3: opendir" + $sftplog | Should Contain "session closed for local user $nonadminusername" } - - It "$tC.$tI-Admin SFTP Connection" -skip:$skip { - - Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-ddd -f $sshdConfigPath -E $sshdlog" -Port $port - sftp -P $port -i $AdminKeyFilePath -b $batchFilePath $adminusername@$server + It "$tC.$tI-Admin SFTP Connection" -skip:$skip { + + Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-ddd -f $sshdConfigPath -E $sshdlog" -Port $port - Stop-SSHDTestDaemon -Port $port - - #Copy sftp-log files into test directory - $sftplog = Join-Path $testDir "$tC.$tI.sftp-server.log" - Copy-Item "$env:ProgramData\ssh\logs\sftp-server.log" $sftplog -Force -ErrorAction SilentlyContinue - + sftp -P $port -i $AdminKeyFilePath -b $batchFilePath $adminusername@$server + + Stop-SSHDTestDaemon -Port $port + + #Copy sftp-log files into test directory + $sftplog = Join-Path $testDir "$tC.$tI.sftp-server.log" + Copy-Item "$env:ProgramData\ssh\logs\sftp-server.log" $sftplog -Force -ErrorAction SilentlyContinue + # clear logs so that next testcase will get fresh logs. 
Clear-Content "$env:ProgramData\ssh\logs\sftp-server.log" -Force -ErrorAction SilentlyContinue - - #checks - $sshdlog | Should Contain "Accepted publickey for $adminusername" - $sshdlog | Should Contain "KEX done \[preauth\]" - $sshdlog | Should Contain "debug2: subsystem request for sftp by user $adminusername" - $sftplog | Should Contain "session opened for local user $adminusername" - $sftplog | Should Contain "debug3: request 3: opendir" - $sftplog | Should Contain "session closed for local user $adminusername" + + $sshdlog | Should Contain "Accepted publickey for $adminusername" + $sshdlog | Should Contain "KEX done \[preauth\]" + $sshdlog | Should Contain "debug2: subsystem request for sftp by user $adminusername" + $sftplog | Should Contain "session opened for local user $adminusername" + $sftplog | Should Contain "debug3: request 3: opendir" + $sftplog | Should Contain "session closed for local user $adminusername" } - } + } } From 2526d3c0bfb232cb11b7e330a0908e850f4d9fc9 Mon Sep 17 00:00:00 2001 From: Vivian Thiebaut Date: Thu, 10 Jun 2021 15:02:08 -0400 Subject: [PATCH 33/37] Fixed the port for file logging --- regress/pesterTests/FileBasedLogging.tests.ps1 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/regress/pesterTests/FileBasedLogging.tests.ps1 b/regress/pesterTests/FileBasedLogging.tests.ps1 index e86d7cb8d1a5..d47b6ce1df6d 100644 --- a/regress/pesterTests/FileBasedLogging.tests.ps1 +++ b/regress/pesterTests/FileBasedLogging.tests.ps1 @@ -24,7 +24,7 @@ Describe "Tests for admin and non-admin file based logs" -Tags "CI" { $nonadminusername = $OpenSSHTestInfo['NonAdminUser'] $adminusername = $OpenSSHTestInfo['AdminUser'] $password = $OpenSSHTestInfo['TestAccountPW'] - $port = 47002 + $port = 47003 Remove-Item -Path (Join-Path $testDir "*$sshLogName") -Force -ErrorAction SilentlyContinue <# Setup sshd_config file#> From 4365bdb7f4373d10c8453442c6fd40ca0562d8df Mon Sep 17 00:00:00 2001 
From: Vivian Thiebaut Date: Fri, 11 Jun 2021 10:16:34 -0400 Subject: [PATCH 34/37] Removed some debug print statements from test file --- regress/pesterTests/FileBasedLogging.tests.ps1 | 2 -- 1 file changed, 2 deletions(-) diff --git a/regress/pesterTests/FileBasedLogging.tests.ps1 b/regress/pesterTests/FileBasedLogging.tests.ps1 index d47b6ce1df6d..70044724a509 100644 --- a/regress/pesterTests/FileBasedLogging.tests.ps1 +++ b/regress/pesterTests/FileBasedLogging.tests.ps1 @@ -30,7 +30,6 @@ Describe "Tests for admin and non-admin file based logs" -Tags "CI" { <# Setup sshd_config file#> $sshdconfig_ori = Join-Path $Global:OpenSSHTestInfo["ServiceConfigDir"] sshd_config - Write-Host $sshdconfig_ori $sshdconfig_custom = Join-Path $Global:OpenSSHTestInfo["ServiceConfigDir"] sshd_config_custom if (Test-Path $sshdconfig_custom) { Remove-Item $sshdconfig_custom -Force @@ -124,7 +123,6 @@ Describe "Tests for admin and non-admin file based logs" -Tags "CI" { param([string] $Username, [string] $KeyFilePath, [string] $UserProfile) $userSSHProfilePath = Join-Path $UserProfile .ssh - Write-Host "SSH Profile Path: $userSSHProfilePath" if (-not (Test-Path $userSSHProfilePath -PathType Container)) { New-Item $userSSHProfilePath -ItemType directory -Force -ErrorAction Stop | Out-Null From fda2291aef6fcebb3cd8a4e869ef1802049be1bd Mon Sep 17 00:00:00 2001 From: Vivian Thiebaut Date: Fri, 11 Jun 2021 16:09:40 -0400 Subject: [PATCH 35/37] Changes on test files post review --- .../AuthorizedKeysCommand.Tests.ps1 | 2 + .../Authorized_keys_fileperm.Tests.ps1 | 12 +++- regress/pesterTests/CertAuth.Tests.ps1 | 1 + .../pesterTests/FileBasedLogging.tests.ps1 | 58 ++++++++----------- regress/pesterTests/SSHDConfig.tests.ps1 | 12 ++++ 5 files changed, 50 insertions(+), 35 deletions(-) diff --git a/regress/pesterTests/AuthorizedKeysCommand.Tests.ps1 b/regress/pesterTests/AuthorizedKeysCommand.Tests.ps1 index fb58b113bf30..6d4492913970 100644 
--- a/regress/pesterTests/AuthorizedKeysCommand.Tests.ps1 +++ b/regress/pesterTests/AuthorizedKeysCommand.Tests.ps1 @@ -48,6 +48,7 @@ Describe "E2E scenarios for AuthorizedKeysCommand" -Tags "CI" { Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments $sshdArgs -Port $port $o = ssh -p $port test_target echo 1234 Stop-SSHDTestDaemon -Port $port + sleep 3 $o | Should Be "1234" #check the command is run as AuthorizedKeysCommandUser (gc $kcOutFile).Contains($ssouser) | Should Be $true @@ -64,6 +65,7 @@ Describe "E2E scenarios for AuthorizedKeysCommand" -Tags "CI" { Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments $sshdArgs -Port $port $o = ssh -p $port test_target echo 12345 Stop-SSHDTestDaemon -Port $port + sleep 3 $o | Should Be "12345" #check the command is run as AuthorizedKeysCommandUser (gc $kcOutFile).Contains("nt authority\system") | Should Be $true diff --git a/regress/pesterTests/Authorized_keys_fileperm.Tests.ps1 b/regress/pesterTests/Authorized_keys_fileperm.Tests.ps1 index 76b5cb930a86..c0b1e073b10b 100644 --- a/regress/pesterTests/Authorized_keys_fileperm.Tests.ps1 +++ b/regress/pesterTests/Authorized_keys_fileperm.Tests.ps1 @@ -67,6 +67,7 @@ Describe "Tests for authorized_keys file permission" -Tags "CI" { if(-not $skip) { Stop-SSHDTestDaemon -Port $port + sleep 3 } #add wrong password so ssh does not prompt password if failed with authorized keys @@ -93,6 +94,7 @@ Describe "Tests for authorized_keys file permission" -Tags "CI" { if(-not $skip) { Stop-SSHDTestDaemon -Port $port + sleep 3 } } @@ -104,6 +106,7 @@ Describe "Tests for authorized_keys file permission" -Tags "CI" { Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-d -f $sshdconfig -o `"AuthorizedKeysFile .testssh/authorized_keys`" -E $sshdlog" -Port $port $o = ssh -p $port $ssouser@$server echo 1234 Stop-SSHDTestDaemon -Port $port + sleep 3 $o | Should Be "1234" } 
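Review bot: The fixed `sleep 3` inserted after `Stop-SSHDTestDaemon -Port $port` encodes a timing assumption — that sshd has flushed and released `$kcOutFile` within three seconds — so a slow CI host can still read a stale or still-locked file while a fast one pays the full delay for nothing. The same line is added in the other hunks of this commit (the second hunk of this file, Authorized_keys_fileperm.Tests.ps1, CertAuth.Tests.ps1, FileBasedLogging.tests.ps1 and SSHDConfig.tests.ps1), and turning the constant into the `DelayTime` global later in the series keeps the fixed-delay shape. A bounded poll on the condition the assertion below actually needs — the file exists and contains `$ssouser` — is both faster and less flaky, and the timeout can keep the same three-second budget. The enclosing `It` block starts and ends outside the hunk.
```powershell
Stop-SSHDTestDaemon -Port $port
# poll for the expected content instead of a fixed delay; give up after the same 3 s budget
$deadline = (Get-Date).AddSeconds(3)
while (((Get-Date) -lt $deadline) -and -not (Select-String -Path $kcOutFile -Pattern ([regex]::Escape($ssouser)) -Quiet -ErrorAction SilentlyContinue)) {
    Start-Sleep -Milliseconds 200
}
$o | Should Be "1234"
# … unchanged: AuthorizedKeysCommandUser check …
```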
@@ -116,6 +119,7 @@ Describe "Tests for authorized_keys file permission" -Tags "CI" { $o = ssh -p $port $ssouser@$server echo 1234 Stop-SSHDTestDaemon -Port $port + sleep 3 $o | Should Be "1234" } @@ -127,6 +131,7 @@ Describe "Tests for authorized_keys file permission" -Tags "CI" { Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-d -f $sshdconfig -o `"AuthorizedKeysFile .testssh/authorized_keys`" -E $sshdlog" -Port $port $o = ssh -p $port $ssouser@$server echo 1234 Stop-SSHDTestDaemon -Port $port + sleep 3 $o | Should Be "1234" } @@ -138,6 +143,7 @@ Describe "Tests for authorized_keys file permission" -Tags "CI" { Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-d -f $sshdconfig -o `"AuthorizedKeysFile .testssh/authorized_keys`" -E $sshdlog" -Port $port $o = ssh -p $port $ssouser@$server echo 1234 Stop-SSHDTestDaemon -Port $port + sleep 3 $o | Should Be "1234" } @@ -153,6 +159,7 @@ Describe "Tests for authorized_keys file permission" -Tags "CI" { Start-SSHDTestDaemon -workDir $opensshbinpath -Arguments "-d -f $sshdconfig -o `"AuthorizedKeysFile .testssh/authorized_keys`" -E $sshdlog" -Port $port $o = ssh -p $port -E $sshlog $ssouser@$server echo 1234 Stop-SSHDTestDaemon -Port $port + sleep 3 $o | Should Be "1234" } @@ -164,7 +171,8 @@ Describe "Tests for authorized_keys file permission" -Tags "CI" { Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-d -f $sshdconfig -o `"AuthorizedKeysFile .testssh/authorized_keys`" -E $sshdlog" -Port $port ssh -p $port -E $sshlog $ssouser@$server echo 1234 $LASTEXITCODE | Should Not Be 0 - Stop-SSHDTestDaemon -Port $port + Stop-SSHDTestDaemon -Port $port + sleep 3 $sshlog | Should Contain "Permission denied" $sshdlog | Should Contain "Authentication refused." } 
@@ -182,6 +190,7 @@ Describe "Tests for authorized_keys file permission" -Tags "CI" { ssh -p $port -E $sshlog $ssouser@$server echo 1234 $LASTEXITCODE | Should Not Be 0 Stop-SSHDTestDaemon -Port $port + sleep 3 $sshlog | Should Contain "Permission denied" $sshdlog | Should Contain "Authentication refused." } @@ -196,6 +205,7 @@ Describe "Tests for authorized_keys file permission" -Tags "CI" { ssh -p $port -E $sshlog $ssouser@$server echo 1234 $LASTEXITCODE | Should Not Be 0 Stop-SSHDTestDaemon -Port $port + sleep 3 $sshlog | Should Contain "Permission denied" $sshdlog | Should Contain "Authentication refused." } diff --git a/regress/pesterTests/CertAuth.Tests.ps1 b/regress/pesterTests/CertAuth.Tests.ps1 index f1bf9c570bad..f17183d7925f 100644 --- a/regress/pesterTests/CertAuth.Tests.ps1 +++ b/regress/pesterTests/CertAuth.Tests.ps1 @@ -82,6 +82,7 @@ Describe "E2E scenarios for certificate authentication" -Tags "CI" { Remove-PasswordSetting Stop-SSHDTestDaemon -Port 47004 + sleep 3 $o | Should Be "2345" #check the command is run as AuthorizedPrincipalsCommandUser (gc $pcOutFile).Contains($ssouser) | Should Be $true diff --git a/regress/pesterTests/FileBasedLogging.tests.ps1 b/regress/pesterTests/FileBasedLogging.tests.ps1 index 70044724a509..6b4d80bea100 100644 --- a/regress/pesterTests/FileBasedLogging.tests.ps1 +++ b/regress/pesterTests/FileBasedLogging.tests.ps1 
@@ -39,13 +39,14 @@ Describe "Tests for admin and non-admin file based logs" -Tags "CI" { $content = Get-Content -Path $sshdconfig_custom $newContent = $content -replace "Subsystem sftp sftp-server.exe -l DEBUG3", "Subsystem sftp sftp-server.exe -l DEBUG3 -f LOCAL0" $newContent | Set-Content -Path $sshdconfig_custom - + #skip when the task schedular (*-ScheduledTask) cmdlets does not exist $ts = (get-command get-ScheduledTask -ErrorAction SilentlyContinue) $skip = $ts -eq $null if(-not $skip) { Stop-SSHDTestDaemon -Port $port + sleep 3 } if(($platform -eq [PlatformType]::Windows) -and ([Environment]::OSVersion.Version.Major -le 6)) { @@ -67,9 +68,7 @@ Describe "Tests for admin and non-admin file based logs" -Tags "CI" { Context "Tests Logs for SSH connections" { BeforeAll { $sshdConfigPath = $sshdconfig_custom - Add-PasswordSetting -Pass $password - $tI=1 } @@ -84,6 +83,7 @@ Describe "Tests for admin and non-admin file based logs" -Tags "CI" { if(-not $skip) { Stop-SSHDTestDaemon -Port $port + sleep 3 } } @@ -97,6 +97,7 @@ Describe "Tests for admin and non-admin file based logs" -Tags "CI" { $o = ssh -vvv -p $port -E $sshlog $nonadminusername@$server echo 1234 $o | Should Be 1234 Stop-SSHDTestDaemon -Port $port + sleep 3 $sshdlog | Should Contain "KEX done \[preauth\]" $sshdlog | Should Contain "exec_command: echo 1234" } @@ -106,18 +107,17 @@ Describe "Tests for admin and non-admin file based logs" -Tags "CI" { $o = ssh -vvv -p $port -E $sshlog $adminusername@$server echo 1234 $o | Should Be 1234 Stop-SSHDTestDaemon -Port $port + sleep 3 $sshdlog | Should Contain "KEX done \[preauth\]" $sshdlog | Should Contain "exec_command: echo 1234" } - } - + Context "Tests Logs for SFTP connections" { - - BeforeAll { + BeforeAll { $sshdConfigPath = $sshdconfig_custom - + function Setup-KeyBasedAuth { param([string] $Username, [string] $KeyFilePath, [string] $UserProfile) 
@@ -138,9 +138,7 @@ Describe "Tests for admin and non-admin file based logs" -Tags "CI" { { ssh-keygen.exe -t ed25519 -f $KeyFilePath -P `"`" } - Copy-Item "$keyFilePath.pub" $authorizedkeyPath -Force -ErrorAction SilentlyContinue - Repair-AuthorizedKeyPermission -Filepath $authorizedkeyPath -confirm:$false } @@ -161,23 +159,23 @@ Describe "Tests for admin and non-admin file based logs" -Tags "CI" { $commands = "ls exit" - $batchFilePath = Join-Path $testDir "$tC.$tI.commands.txt" Set-Content $batchFilePath -Encoding UTF8 -value $commands - # clear logs so that next testcase will get fresh logs. - Clear-Content "$env:ProgramData\ssh\logs\sftp-server.log" -Force -ErrorAction SilentlyContinue - $tI = 1 - } - + } + BeforeEach { - #clean sftp log file + Clear-Content "$env:ProgramData\ssh\logs\sftp-server.log" -Force -ErrorAction SilentlyContinue $sshlog = Join-Path $testDir "$tC.$tI.$sshLogName" $sshdlog = Join-Path $testDir "$tC.$tI.$sshdLogName" + if (Test-Path $sshdlog -PathType Leaf) { + Clear-Content $sshdlog + } if(-not $skip) { Stop-SSHDTestDaemon -Port $port + sleep 3 } } 
@@ -185,23 +183,22 @@ exit" Remove-Item -path "$NonadminKeyFilePath*" -Force -ErrorAction SilentlyContinue Remove-Item -path "$AdminKeyFilePath*" -Force -ErrorAction SilentlyContinue + $authorized_key = Join-Path .ssh authorized_keys + $AdminAuthKeysPath = Join-Path $AdminUserProfile $authorized_key + $NonAdminAuthKeysPath = Join-Path $NonAdminUserProfile $authorized_key + Remove-Item -path "$AdminAuthKeysPath*" -Force -ErrorAction SilentlyContinue + Remove-Item -path "$NonAdminAuthKeysPath*" -Force -ErrorAction SilentlyContinue + $tC++ } It "$tC.$tI-Nonadmin SFTP Connection" -skip:$skip { - Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-ddd -f $sshdConfigPath -E $sshdlog" -Port $port - sftp -P $port -i $NonadminKeyFilePath -b $batchFilePath $nonadminusername@$server - Stop-SSHDTestDaemon -Port $port - - #Copy sftp-log files into test directory + sleep 3 $sftplog = Join-Path $testDir "$tC.$tI.sftp-server.log" Copy-Item "$env:ProgramData\ssh\logs\sftp-server.log" $sftplog -Force -ErrorAction SilentlyContinue - - # clear logs so that next testcase will get fresh logs. - Clear-Content "$env:ProgramData\ssh\logs\sftp-server.log" -Force -ErrorAction SilentlyContinue $sshdlog | Should Contain "Accepted publickey for $nonadminusername" $sshdlog | Should Contain "KEX done \[preauth\]" 
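Review bot: The new AfterAll cleanup deletes `"$AdminAuthKeysPath*"` and `"$NonAdminAuthKeysPath*"`, so whatever `authorized_keys` the admin and non-admin accounts had before the run is gone at the end of it — Setup-KeyBasedAuth (defined earlier in BeforeAll, outside this hunk) already replaced that file with `Copy-Item "$keyFilePath.pub" $authorizedkeyPath -Force` rather than appending to it, and nothing saves a copy first. The trailing wildcard also removes any other file in the profile's `.ssh` whose name merely starts with `authorized_keys`. A backup/restore pair is the usual shape: compute `$AdminAuthKeysPath`/`$NonAdminAuthKeysPath` in BeforeAll so both blocks share them, run `if (Test-Path $AdminAuthKeysPath) { Copy-Item $AdminAuthKeysPath "$AdminAuthKeysPath.bak" -Force }` before the setup call, and in AfterAll replace the wildcard delete with `if (Test-Path "$AdminAuthKeysPath.bak") { Move-Item "$AdminAuthKeysPath.bak" $AdminAuthKeysPath -Force } else { Remove-Item $AdminAuthKeysPath -Force -ErrorAction SilentlyContinue }` (and the same for the non-admin path). The enclosing AfterAll block starts outside the hunk.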
@@ -211,21 +208,14 @@ exit" $sftplog | Should Contain "session closed for local user $nonadminusername" } - It "$tC.$tI-Admin SFTP Connection" -skip:$skip { - + It "$tC.$tI-Admin SFTP Connection" -skip:$skip { Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-ddd -f $sshdConfigPath -E $sshdlog" -Port $port - sftp -P $port -i $AdminKeyFilePath -b $batchFilePath $adminusername@$server - Stop-SSHDTestDaemon -Port $port - - #Copy sftp-log files into test directory + sleep 3 $sftplog = Join-Path $testDir "$tC.$tI.sftp-server.log" Copy-Item "$env:ProgramData\ssh\logs\sftp-server.log" $sftplog -Force -ErrorAction SilentlyContinue - # clear logs so that next testcase will get fresh logs. - Clear-Content "$env:ProgramData\ssh\logs\sftp-server.log" -Force -ErrorAction SilentlyContinue - $sshdlog | Should Contain "Accepted publickey for $adminusername" $sshdlog | Should Contain "KEX done \[preauth\]" $sshdlog | Should Contain "debug2: subsystem request for sftp by user $adminusername" diff --git a/regress/pesterTests/SSHDConfig.tests.ps1 b/regress/pesterTests/SSHDConfig.tests.ps1 index 761b52003729..e93724bbb6b5 100644 --- a/regress/pesterTests/SSHDConfig.tests.ps1 +++ b/regress/pesterTests/SSHDConfig.tests.ps1 @@ -140,6 +140,7 @@ Match User matchuser if(-not $skip) { Stop-SSHDTestDaemon -Port $port + sleep 3 } if(($platform -eq [PlatformType]::Windows) -and ([Environment]::OSVersion.Version.Major -le 6)) { @@ -202,6 +203,7 @@ Match User matchuser if(-not $skip) { Stop-SSHDTestDaemon -Port $port + sleep 3 } } @@ -218,6 +220,7 @@ Match User matchuser $o = ssh -p $port $allowUser1@$server echo 1234 Stop-SSHDTestDaemon -Port $port + sleep 3 $o | Should Be "1234" Remove-UserFromLocalGroup -UserName $allowUser1 -GroupName $allowGroup1 @@ -231,6 +234,7 @@ Match User matchuser $o = ssh -p $port $allowUser2@$server echo 1234 Stop-SSHDTestDaemon -Port $port + sleep 3 $o | Should Be "1234" Remove-UserFromLocalGroup -UserName $allowUser2 -GroupName $allowGroup1 
@@ -243,6 +247,7 @@ Match User matchuser $o = ssh -p $port $allowUser3@$server echo 1234 Stop-SSHDTestDaemon -Port $port + sleep 3 $o | Should Be "1234" Remove-UserFromLocalGroup -UserName $allowUser3 -GroupName $allowGroup1 @@ -257,6 +262,7 @@ Match User matchuser ssh -p $port -E $sshlog $denyUser1@$server echo 1234 $LASTEXITCODE | Should Not Be 0 Stop-SSHDTestDaemon -Port $port + sleep 3 $sshdlog | Should Contain "not allowed because listed in DenyUsers" Remove-UserFromLocalGroup -UserName $denyUser1 -GroupName $allowGroup1 @@ -272,6 +278,7 @@ Match User matchuser ssh -p $port -E $sshlog $denyUser2@$server echo 1234 $LASTEXITCODE | Should Not Be 0 Stop-SSHDTestDaemon -Port $port + sleep 3 $sshdlog | Should Contain "not allowed because listed in DenyUsers" Remove-UserFromLocalGroup -UserName $denyUser2 -GroupName $allowGroup1 @@ -287,6 +294,7 @@ Match User matchuser ssh -p $port -E $sshlog $denyUser3@$server echo 1234 $LASTEXITCODE | Should Not Be 0 Stop-SSHDTestDaemon -Port $port + sleep 3 $sshdlog | Should Contain "not allowed because not listed in AllowUsers" Remove-UserFromLocalGroup -UserName $denyUser3 -GroupName $allowGroup1 @@ -303,6 +311,7 @@ Match User matchuser ssh -p $port -E $sshlog $localuser1@$server echo 1234 $LASTEXITCODE | Should Not Be 0 Stop-SSHDTestDaemon -Port $port + sleep 3 $sshdlog | Should Contain "not allowed because a group is listed in DenyGroups" Remove-UserFromLocalGroup -UserName $localuser1 -GroupName $allowGroup1 @@ -319,6 +328,7 @@ Match User matchuser ssh -p $port -E $sshlog $localuser2@$server echo 1234 $LASTEXITCODE | Should Not Be 0 Stop-SSHDTestDaemon -Port $port + sleep 3 $sshdlog | Should Contain "not allowed because a group is listed in DenyGroups" Remove-UserFromLocalGroup -UserName $localuser2 -GroupName $denyGroup2 
@@ -334,6 +344,7 @@ Match User matchuser ssh -p $port -E $sshlog $localuser3@$server echo 1234 $LASTEXITCODE | Should Not Be 0 Stop-SSHDTestDaemon -Port $port + sleep 3 $sshdlog | Should Contain "not allowed because a group is listed in DenyGroups" Remove-UserFromLocalGroup -UserName $localuser3 -GroupName $denyGroup3 @@ -351,6 +362,7 @@ Match User matchuser $o[1].Contains("randomcommand") | Should Be $true Stop-SSHDTestDaemon -Port $port + sleep 3 Remove-UserFromLocalGroup -UserName $matchuser -GroupName $allowGroup1 } } From d56219e64bcd26245f797088565f1f9fe1883c6b Mon Sep 17 00:00:00 2001 From: Vivian Thiebaut Date: Fri, 11 Jun 2021 18:44:42 -0400 Subject: [PATCH 36/37] Global variable for determining delay --- contrib/win32/openssh/OpenSSHTestHelper.psm1 | 1 + .../AuthorizedKeysCommand.Tests.ps1 | 5 ++-- .../Authorized_keys_fileperm.Tests.ps1 | 19 +++++++------- regress/pesterTests/CertAuth.Tests.ps1 | 3 ++- .../pesterTests/FileBasedLogging.tests.ps1 | 16 ++++++------ regress/pesterTests/SSHDConfig.tests.ps1 | 25 +++++++++---------- 6 files changed, 34 insertions(+), 35 deletions(-) diff --git a/contrib/win32/openssh/OpenSSHTestHelper.psm1 b/contrib/win32/openssh/OpenSSHTestHelper.psm1 index 9f5da6eaacd5..6687e7f88fcc 100644 --- a/contrib/win32/openssh/OpenSSHTestHelper.psm1 +++ b/contrib/win32/openssh/OpenSSHTestHelper.psm1 @@ -71,6 +71,7 @@ function Set-OpenSSHTestEnvironment $Global:OpenSSHTestInfo.Add("NonAdminUser", $NonAdminUser) # test user to be used for non-admin logging tests $Global:OpenSSHTestInfo.Add("TestAccountPW", $OpenSSHTestAccountsPassword) # common password for all test accounts $Global:OpenSSHTestInfo.Add("DebugMode", $DebugMode.IsPresent) # run openssh E2E in debug mode + $Global:OpenSSHTestInfo.Add("DelayTime", 3) # delay between stoppig sshd service and trying to access log files $Script:EnableAppVerifier = -not ($NoAppVerifier.IsPresent) if($Script:WindowsInBox = $true) 
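Review bot: The comment on the new `DelayTime` entry has a typo ("stoppig") and leaves the unit implicit; `$Global:OpenSSHTestInfo.Add("DelayTime", 3) # seconds to wait between stopping sshd and reading its log files` says both. The value is also fixed at 3 with no way to raise it on a slow host short of editing the module; since the hunk header shows this sits inside `Set-OpenSSHTestEnvironment`, a parameter on that function defaulting to 3 (named per the module's existing parameter conventions, which are not visible here) would let CI tune it without a code change. Separately, the pre-existing context line `if($Script:WindowsInBox = $true)` is an assignment, not a comparison, and presumably always takes the branch — worth a follow-up even though this commit does not touch it. The enclosing function starts and ends outside the hunk.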
diff --git a/regress/pesterTests/AuthorizedKeysCommand.Tests.ps1 b/regress/pesterTests/AuthorizedKeysCommand.Tests.ps1 index 6d4492913970..07278d3349fb 100644 --- a/regress/pesterTests/AuthorizedKeysCommand.Tests.ps1 +++ b/regress/pesterTests/AuthorizedKeysCommand.Tests.ps1 @@ -16,6 +16,7 @@ Describe "E2E scenarios for AuthorizedKeysCommand" -Tags "CI" { $opensshbinpath = $OpenSSHTestInfo['OpenSSHBinPath'] $ssouser = $OpenSSHTestInfo["SSOUser"] $sshdconfig = Join-Path $Global:OpenSSHTestInfo["ServiceConfigDir"] sshd_config + $sshdDelay = $OpenSSHTestInfo["DelayTime"] $testDir = Join-Path $OpenSSHTestInfo["TestDataPath"] $suite if(-not (Test-Path $testDir)) @@ -48,7 +49,7 @@ Describe "E2E scenarios for AuthorizedKeysCommand" -Tags "CI" { Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments $sshdArgs -Port $port $o = ssh -p $port test_target echo 1234 Stop-SSHDTestDaemon -Port $port - sleep 3 + sleep $sshdDelay $o | Should Be "1234" #check the command is run as AuthorizedKeysCommandUser (gc $kcOutFile).Contains($ssouser) | Should Be $true @@ -65,7 +66,7 @@ Describe "E2E scenarios for AuthorizedKeysCommand" -Tags "CI" { Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments $sshdArgs -Port $port $o = ssh -p $port test_target echo 12345 Stop-SSHDTestDaemon -Port $port - sleep 3 + sleep $sshdDelay $o | Should Be "12345" #check the command is run as AuthorizedKeysCommandUser (gc $kcOutFile).Contains("nt authority\system") | Should Be $true diff --git a/regress/pesterTests/Authorized_keys_fileperm.Tests.ps1 b/regress/pesterTests/Authorized_keys_fileperm.Tests.ps1 index c0b1e073b10b..9496e5cd442e 100644 --- a/regress/pesterTests/Authorized_keys_fileperm.Tests.ps1 +++ b/regress/pesterTests/Authorized_keys_fileperm.Tests.ps1 
@@ -26,6 +26,7 @@ Describe "Tests for authorized_keys file permission" -Tags "CI" { $ssouserProfile = $OpenSSHTestInfo["SSOUserProfile"] $opensshbinpath = $OpenSSHTestInfo['OpenSSHBinPath'] $sshdconfig = Join-Path $Global:OpenSSHTestInfo["ServiceConfigDir"] sshd_config + $sshdDelay = $OpenSSHTestInfo["DelayTime"] Remove-Item -Path (Join-Path $testDir "*$sshLogName") -Force -ErrorAction SilentlyContinue #skip when the task schedular (*-ScheduledTask) cmdlets does not exist @@ -67,7 +68,6 @@ Describe "Tests for authorized_keys file permission" -Tags "CI" { if(-not $skip) { Stop-SSHDTestDaemon -Port $port - sleep 3 } #add wrong password so ssh does not prompt password if failed with authorized keys @@ -94,7 +94,6 @@ Describe "Tests for authorized_keys file permission" -Tags "CI" { if(-not $skip) { Stop-SSHDTestDaemon -Port $port - sleep 3 } } @@ -106,7 +105,7 @@ Describe "Tests for authorized_keys file permission" -Tags "CI" { Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-d -f $sshdconfig -o `"AuthorizedKeysFile .testssh/authorized_keys`" -E $sshdlog" -Port $port $o = ssh -p $port $ssouser@$server echo 1234 Stop-SSHDTestDaemon -Port $port - sleep 3 + sleep $sshdDelay $o | Should Be "1234" } @@ -119,7 +118,7 @@ Describe "Tests for authorized_keys file permission" -Tags "CI" { $o = ssh -p $port $ssouser@$server echo 1234 Stop-SSHDTestDaemon -Port $port - sleep 3 + sleep $sshdDelay $o | Should Be "1234" } @@ -131,7 +130,7 @@ Describe "Tests for authorized_keys file permission" -Tags "CI" { Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-d -f $sshdconfig -o `"AuthorizedKeysFile .testssh/authorized_keys`" -E $sshdlog" -Port $port $o = ssh -p $port $ssouser@$server echo 1234 Stop-SSHDTestDaemon -Port $port - sleep 3 + sleep $sshdDelay $o | Should Be "1234" } 
@@ -143,7 +142,7 @@ Describe "Tests for authorized_keys file permission" -Tags "CI" { Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-d -f $sshdconfig -o `"AuthorizedKeysFile .testssh/authorized_keys`" -E $sshdlog" -Port $port $o = ssh -p $port $ssouser@$server echo 1234 Stop-SSHDTestDaemon -Port $port - sleep 3 + sleep $sshdDelay $o | Should Be "1234" } @@ -159,7 +158,7 @@ Describe "Tests for authorized_keys file permission" -Tags "CI" { Start-SSHDTestDaemon -workDir $opensshbinpath -Arguments "-d -f $sshdconfig -o `"AuthorizedKeysFile .testssh/authorized_keys`" -E $sshdlog" -Port $port $o = ssh -p $port -E $sshlog $ssouser@$server echo 1234 Stop-SSHDTestDaemon -Port $port - sleep 3 + sleep $sshdDelay $o | Should Be "1234" } @@ -172,7 +171,7 @@ Describe "Tests for authorized_keys file permission" -Tags "CI" { ssh -p $port -E $sshlog $ssouser@$server echo 1234 $LASTEXITCODE | Should Not Be 0 Stop-SSHDTestDaemon -Port $port - sleep 3 + sleep $sshdDelay $sshlog | Should Contain "Permission denied" $sshdlog | Should Contain "Authentication refused." } @@ -190,7 +189,7 @@ Describe "Tests for authorized_keys file permission" -Tags "CI" { ssh -p $port -E $sshlog $ssouser@$server echo 1234 $LASTEXITCODE | Should Not Be 0 Stop-SSHDTestDaemon -Port $port - sleep 3 + sleep $sshdDelay $sshlog | Should Contain "Permission denied" $sshdlog | Should Contain "Authentication refused." } @@ -205,7 +204,7 @@ Describe "Tests for authorized_keys file permission" -Tags "CI" { ssh -p $port -E $sshlog $ssouser@$server echo 1234 $LASTEXITCODE | Should Not Be 0 Stop-SSHDTestDaemon -Port $port - sleep 3 + sleep $sshdDelay $sshlog | Should Contain "Permission denied" $sshdlog | Should Contain "Authentication refused." } diff --git a/regress/pesterTests/CertAuth.Tests.ps1 b/regress/pesterTests/CertAuth.Tests.ps1 index f17183d7925f..2e6a8e2160f5 100644 --- a/regress/pesterTests/CertAuth.Tests.ps1 +++ b/regress/pesterTests/CertAuth.Tests.ps1 
@@ -18,6 +18,7 @@ Describe "E2E scenarios for certificate authentication" -Tags "CI" {
 $opensshbinpath = $OpenSSHTestInfo['OpenSSHBinPath']
 $ssouser = $OpenSSHTestInfo["SSOUser"]
 $sshdconfig = Join-Path $Global:OpenSSHTestInfo["ServiceConfigDir"] sshd_config
+ $sshdDelay = $OpenSSHTestInfo["DelayTime"]
 $testDir = Join-Path $OpenSSHTestInfo["TestDataPath"] $suite
 if(-not (Test-Path $testDir))
@@ -82,7 +83,7 @@ Describe "E2E scenarios for certificate authentication" -Tags "CI" {
 Remove-PasswordSetting
 Stop-SSHDTestDaemon -Port 47004
- sleep 3
+ sleep $sshdDelay
 $o | Should Be "2345"
 #check the command is run as AuthorizedPrincipalsCommandUser
 (gc $pcOutFile).Contains($ssouser) | Should Be $true
diff --git a/regress/pesterTests/FileBasedLogging.tests.ps1 b/regress/pesterTests/FileBasedLogging.tests.ps1
index 6b4d80bea100..dd065af07e12 100644
--- a/regress/pesterTests/FileBasedLogging.tests.ps1
+++ b/regress/pesterTests/FileBasedLogging.tests.ps1
@@ -24,7 +24,8 @@ Describe "Tests for admin and non-admin file based logs" -Tags "CI" {
 $nonadminusername = $OpenSSHTestInfo['NonAdminUser']
 $adminusername = $OpenSSHTestInfo['AdminUser']
 $password = $OpenSSHTestInfo['TestAccountPW']
- $port = 47003
+ $port = 47003
+ $sshdDelay = $OpenSSHTestInfo["DelayTime"]
 Remove-Item -Path (Join-Path $testDir "*$sshLogName") -Force -ErrorAction SilentlyContinue
 <# Setup sshd_config file#>
@@ -46,7 +47,6 @@ Describe "Tests for admin and non-admin file based logs" -Tags "CI" {
 if(-not $skip)
 {
 Stop-SSHDTestDaemon -Port $port
- sleep 3
 }
 if(($platform -eq [PlatformType]::Windows) -and ([Environment]::OSVersion.Version.Major -le 6)) {
@@ -83,7 +83,6 @@ Describe "Tests for admin and non-admin file based logs" -Tags "CI" {
 if(-not $skip)
 {
 Stop-SSHDTestDaemon -Port $port
- sleep 3
 }
 }
@@ -97,7 +96,7 @@ Describe "Tests for admin and non-admin file based logs" -Tags "CI" {
 $o = ssh -vvv -p $port -E $sshlog $nonadminusername@$server echo 1234
 $o | Should Be 1234
 Stop-SSHDTestDaemon -Port $port
- sleep 3
+ sleep $sshdDelay
 $sshdlog | Should Contain "KEX done \[preauth\]"
 $sshdlog | Should Contain "exec_command: echo 1234"
 }
@@ -107,7 +106,7 @@ Describe "Tests for admin and non-admin file based logs" -Tags "CI" {
 $o = ssh -vvv -p $port -E $sshlog $adminusername@$server echo 1234
 $o | Should Be 1234
 Stop-SSHDTestDaemon -Port $port
- sleep 3
+ sleep $sshdDelay
 $sshdlog | Should Contain "KEX done \[preauth\]"
 $sshdlog | Should Contain "exec_command: echo 1234"
 }
@@ -175,7 +174,6 @@ exit"
 if(-not $skip)
 {
 Stop-SSHDTestDaemon -Port $port
- sleep 3
 }
 }
@@ -188,7 +186,7 @@ exit"
 $NonAdminAuthKeysPath = Join-Path $NonAdminUserProfile $authorized_key
 Remove-Item -path "$AdminAuthKeysPath*" -Force -ErrorAction SilentlyContinue
 Remove-Item -path "$NonAdminAuthKeysPath*" -Force -ErrorAction SilentlyContinue
- 
+
 $tC++
 }
@@ -196,7 +194,7 @@ exit"
 Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-ddd -f $sshdConfigPath -E $sshdlog" -Port $port
 sftp -P $port -i $NonadminKeyFilePath -b $batchFilePath $nonadminusername@$server
 Stop-SSHDTestDaemon -Port $port
- sleep 3
+ sleep $sshdDelay
 $sftplog = Join-Path $testDir "$tC.$tI.sftp-server.log"
 Copy-Item "$env:ProgramData\ssh\logs\sftp-server.log" $sftplog -Force -ErrorAction SilentlyContinue
@@ -212,7 +210,7 @@ exit"
 Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-ddd -f $sshdConfigPath -E $sshdlog" -Port $port
 sftp -P $port -i $AdminKeyFilePath -b $batchFilePath $adminusername@$server
 Stop-SSHDTestDaemon -Port $port
- sleep 3
+ sleep $sshdDelay
 $sftplog = Join-Path $testDir "$tC.$tI.sftp-server.log"
 Copy-Item "$env:ProgramData\ssh\logs\sftp-server.log" $sftplog -Force -ErrorAction SilentlyContinue
diff --git a/regress/pesterTests/SSHDConfig.tests.ps1 b/regress/pesterTests/SSHDConfig.tests.ps1
index e93724bbb6b5..af7cf92e1a29 100644
--- a/regress/pesterTests/SSHDConfig.tests.ps1
+++ b/regress/pesterTests/SSHDConfig.tests.ps1
@@ -20,7 +20,8 @@ Describe "Tests of sshd_config" -Tags "CI" {
 $sshdLogName = "sshdlog.txt"
 $server = $OpenSSHTestInfo["Target"]
 $opensshbinpath = $OpenSSHTestInfo['OpenSSHBinPath']
- $port = 47003
+ $port = 47003
+ $sshdDelay = $OpenSSHTestInfo["DelayTime"]
 Remove-Item -Path (Join-Path $testDir "*$sshLogName") -Force -ErrorAction SilentlyContinue
 Add-Type -AssemblyName System.DirectoryServices.AccountManagement
@@ -140,7 +141,6 @@ Match User matchuser
 if(-not $skip)
 {
 Stop-SSHDTestDaemon -Port $port
- sleep 3
 }
 if(($platform -eq [PlatformType]::Windows) -and ([Environment]::OSVersion.Version.Major -le 6)) {
@@ -203,7 +203,6 @@ Match User matchuser
 if(-not $skip)
 {
 Stop-SSHDTestDaemon -Port $port
- sleep 3
 }
 }
@@ -220,7 +219,7 @@ Match User matchuser
 $o = ssh -p $port $allowUser1@$server echo 1234
 Stop-SSHDTestDaemon -Port $port
- sleep 3
+ sleep $sshdDelay
 $o | Should Be "1234"
 Remove-UserFromLocalGroup -UserName $allowUser1 -GroupName $allowGroup1
@@ -234,7 +233,7 @@ Match User matchuser
 $o = ssh -p $port $allowUser2@$server echo 1234
 Stop-SSHDTestDaemon -Port $port
- sleep 3
+ sleep $sshdDelay
 $o | Should Be "1234"
 Remove-UserFromLocalGroup -UserName $allowUser2 -GroupName $allowGroup1
@@ -247,7 +246,7 @@ Match User matchuser
 $o = ssh -p $port $allowUser3@$server echo 1234
 Stop-SSHDTestDaemon -Port $port
- sleep 3
+ sleep $sshdDelay
 $o | Should Be "1234"
 Remove-UserFromLocalGroup -UserName $allowUser3 -GroupName $allowGroup1
@@ -262,7 +261,7 @@ Match User matchuser
 ssh -p $port -E $sshlog $denyUser1@$server echo 1234
 $LASTEXITCODE | Should Not Be 0
 Stop-SSHDTestDaemon -Port $port
- sleep 3
+ sleep $sshdDelay
 $sshdlog | Should Contain "not allowed because listed in DenyUsers"
 Remove-UserFromLocalGroup -UserName $denyUser1 -GroupName $allowGroup1
@@ -278,7 +277,7 @@ Match User matchuser
 ssh -p $port -E $sshlog $denyUser2@$server echo 1234
 $LASTEXITCODE | Should Not Be 0
 Stop-SSHDTestDaemon -Port $port
- sleep 3
+ sleep $sshdDelay
 $sshdlog | Should Contain "not allowed because listed in DenyUsers"
 Remove-UserFromLocalGroup -UserName $denyUser2 -GroupName $allowGroup1
@@ -294,7 +293,7 @@ Match User matchuser
 ssh -p $port -E $sshlog $denyUser3@$server echo 1234
 $LASTEXITCODE | Should Not Be 0
 Stop-SSHDTestDaemon -Port $port
- sleep 3
+ sleep $sshdDelay
 $sshdlog | Should Contain "not allowed because not listed in AllowUsers"
 Remove-UserFromLocalGroup -UserName $denyUser3 -GroupName $allowGroup1
@@ -311,7 +310,7 @@ Match User matchuser
 ssh -p $port -E $sshlog $localuser1@$server echo 1234
 $LASTEXITCODE | Should Not Be 0
 Stop-SSHDTestDaemon -Port $port
- sleep 3
+ sleep $sshdDelay
 $sshdlog | Should Contain "not allowed because a group is listed in DenyGroups"
 Remove-UserFromLocalGroup -UserName $localuser1 -GroupName $allowGroup1
@@ -328,7 +327,7 @@ Match User matchuser
 ssh -p $port -E $sshlog $localuser2@$server echo 1234
 $LASTEXITCODE | Should Not Be 0
 Stop-SSHDTestDaemon -Port $port
- sleep 3
+ sleep $sshdDelay
 $sshdlog | Should Contain "not allowed because a group is listed in DenyGroups"
 Remove-UserFromLocalGroup -UserName $localuser2 -GroupName $denyGroup2
@@ -344,7 +343,7 @@ Match User matchuser
 ssh -p $port -E $sshlog $localuser3@$server echo 1234
 $LASTEXITCODE | Should Not Be 0
 Stop-SSHDTestDaemon -Port $port
- sleep 3
+ sleep $sshdDelay
 $sshdlog | Should Contain "not allowed because a group is listed in DenyGroups"
 Remove-UserFromLocalGroup -UserName $localuser3 -GroupName $denyGroup3
@@ -362,7 +361,7 @@ Match User matchuser
 $o[1].Contains("randomcommand") | Should Be $true
 Stop-SSHDTestDaemon -Port $port
- sleep 3
+ sleep $sshdDelay
 Remove-UserFromLocalGroup -UserName $matchuser -GroupName $allowGroup1
 }
 }
From 6f700e1e33ebc4b02012b44ae514ac608e4d98c2 Mon Sep 17 00:00:00 2001
From: Vivian Thiebaut
Date: Fri, 11 Jun 2021 18:50:19 -0400
Subject: [PATCH 37/37] mising changes
---
 regress/pesterTests/Authorized_keys_fileperm.Tests.ps1 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/regress/pesterTests/Authorized_keys_fileperm.Tests.ps1 b/regress/pesterTests/Authorized_keys_fileperm.Tests.ps1
index 9496e5cd442e..f129d3516792 100644
--- a/regress/pesterTests/Authorized_keys_fileperm.Tests.ps1
+++ b/regress/pesterTests/Authorized_keys_fileperm.Tests.ps1
@@ -170,7 +170,7 @@ Describe "Tests for authorized_keys file permission" -Tags "CI" {
 Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-d -f $sshdconfig -o `"AuthorizedKeysFile .testssh/authorized_keys`" -E $sshdlog" -Port $port
 ssh -p $port -E $sshlog $ssouser@$server echo 1234
 $LASTEXITCODE | Should Not Be 0
- Stop-SSHDTestDaemon -Port $port
+ Stop-SSHDTestDaemon -Port $port
 sleep $sshdDelay
 $sshlog | Should Contain "Permission denied"
 $sshdlog | Should Contain "Authentication refused."