tests: rm /intg/test_ssh_pubkey.py #7608
base: master
danlavu commented Sep 19, 2024
- multihost/ipa/test_misc.py functionally covers this scenario
- test_ssh_sighup offers minimal value and should be dropped now
LGTM
Multihosts tests aren't run in upstream PR CI
ACK, I extended the framework to provide user SSH key functionality. I need to test it, and I can then write a quick test to cover this.
2e7f2cf to 62111d9
depends on SSSD/sssd-test-framework#131, tests are going to fail.
Though... sss_ssh_authorizedkeys is no longer providing output. Need to figure out why.
2033e67 to 9907312
1e3e7c9 to c2070e1
7745a1d to eda1acb
* multihost/ipa/test_misc.py functionally covers this scenario
eda1acb to 52e7a05
The failure is not related to the patch.
def test_ssh_pubkey_retrieve_cert(add_user_with_ssh_cert): | ||
""" | ||
Test that we can retrieve an SSH public key derived from a cert in ldap. | ||
Compare with the sshpubkey derived via ssh-keygen, they should match. |
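Review bot: the docstring on the last two lines is the only description here of what the removed test verified, namely that the key derived from a certificate in LDAP matches the one produced by ssh-keygen. The commit message should name the test that takes over this comparison, or the removal should wait until one exists.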
Looks like we are removing test coverage for public key derived from certificate, is it okay? ldap_user_certificate = userCertificate;binary in format_basic_conf method above.
I think it's okay, because most users would use ssh-keygen, but I may be overlooking something because I'm not all that familiar with smartcards. Is it a common scenario to take a certificate from a smartcard and convert it to an SSH key? Is it even important? Maybe it's already covered, @spoore1 ?
The certificate has to be converted into a public key for use with SSH. We have some coverage downstream, but it's going to be a while still before that can be ported.
@spoore1 Can we plan it for a smartcard test, and push this forward?
Hi,
test_ssh_pubkey_retrieve_cert tests the feature to generate an ssh-key from the public-key of the Smartcard so that the Smartcard can be used for ssh pubkey authentication. Wouldn't it be possible to check this feature in a similar way as the integration test, i.e. use the certificates generated by the SSSD test CA and compare the output of sss_ssh_authorized_keys with the corresponding ssh-keys also generated by the SSSD test CA?
bye,
Sumit
keys = client.tools.sshkey.generate(result.name, result.home) | ||
user.modify(sshpubkey=keys[0]) | ||
|
||
# sss_ssh_authorizedkeys command does not contain any output if a key is found |
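Review bot: the comment on the last line asserts that sss_ssh_authorizedkeys prints nothing when a key is found, which leaves keys[0], stored above with user.modify(sshpubkey=keys[0]), never compared against anything. Capture the command's stdout and assert that it contains keys[0], and drop or correct the comment.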
Hi,
I think this comment is wrong, if a key is found the
key is returned and I think it should be checked in the test if the
returned key is the expected one.
For the negative test, it looks like 'user2' is not created and hence
the error return code is expected because the user is missing. If there
is no ssh key assigned I would expect that sss_ssh_authorized_keys
returns '0' and just no key.
bye,
Sumit
So the test isn't working correctly. Looking into it further, it looks like the public key is not the same after adding it to IPA, maybe an encoding thing?
print("IPA_KEY::", user.get(attrs=["ipaSshPubKey"]))
IPA_KEY:: {'ipaSshPubKey':['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']}
print("PUBLIC KEY::", client.host.conn.run("cat /home/user1/.ssh/id_rsa.pub").stdout)
PUBLIC KEY:: ssh-rsa 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 [email protected]
LS:: total 8.0K
-rw-r--r--. 1 user1 user1 570 Dec 12 23:45 id_rsa.pub
-rw-------. 1 user1 user1 2.6K Dec 12 23:45 id_rsa
Checking the generation of the keys
keys = client.tools.sshkey.generate(result.name, result.home)
print(keys)
PASSED [100%]('ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCo4qTwgYptXapqwg9Hq7/eGqO0ohsZjTXlmCFOQJ8l1kQYuFxJbHkDlIP9rzA5XWVcxi0DaciZQ0H4YpBVg4cprmdW7bhRbr7kZyuAKuGE9ZxhjK1VhC3oHsxT2gm2ez8r+ApbQsOcfE9dNUCtlH0vs37vFfku6/8d8ZhRbXiTJtp0SP3HDcYzisEqasqAOy31NvlxPaRX4V/+AcSJV7+FDIasoePSyt73GDgiuymIddKZMIJopYj9COTTFkzboKet7XzHSe49FdIwQBHHcooqVl2MLz6k5m4dq4SNcAU/IhKSO5iBCy4oOES0H2VXVZPRWVtRzhcAqrGltTuQA0H6Q0B9IyZlIyP7i/eMrd+NrojDRCL5tv2ZJHfhc5x0DY9AsEWzM7psP1YS7FgDWOjKoqSFhVpjkWkpzNS3DMpM/g/4jdQ9H5ydv7lVuZvgQj2oiQoAZCY5uHvgKXimOl1i/rzVZCqFnilFDUNLCys6VDf1q+0Qgv3n2ZUzA0VjQc0= [email protected]', '
----SNIP----
In regards to the return code, 0 if the user is found, and doesn't care if the key is found or not, just that the user exists. So for this test to work, we have to assert the output.
Debugging this, I found a bug, the key that is being added is not using the correct key.
FAILED [100%]
# generated key
ssh-rsa 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 user1
# checking value in the variable
ssh-rsa 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 user1
# after adding the key to the ipa user, via the ipa command, different key, this key is from /root/.ssh
{'ipaSshPubKey': ['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']}
[root@client .ssh]# pwd
/root/.ssh
[root@client .ssh]# cat id_rsa.pub
ssh-rsa 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 Well known key for sssd-ci root user.
[root@client .ssh]#
@spoore1 is going to help me look at it later today.
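As an added illustration of the check discussed in this thread (not code from the PR or from sssd-test-framework): compare the key that sss_ssh_authorizedkeys prints with the generated one by decoded blob and fingerprint instead of by return code or raw string, so a differing comment or a bare base64 value neither hides nor fakes a match. The helper names and sample keys are constructed for the example, and the bare-blob form of the directory value is an assumption.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def make_sample_key(seed: bytes, comment: str) -> str:
    """Constructed, structurally valid ssh-ed25519 line (not a usable key)."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(hashlib.sha256(seed).digest())
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def parse_pubkey(text: str) -> tuple[str, bytes, str]:
    """Return (key_type, raw_blob, comment) from 'type base64 [comment]'
    or from a bare base64 blob (assumed directory-attribute form)."""
    fields = text.split(None, 2)
    if not fields:
        raise ValueError("empty key")
    blob = base64.b64decode(fields[0] if len(fields) == 1 else fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if n == 0 or 4 + n > len(blob):
        raise ValueError("bad key-type length in blob")
    key_type = blob[4:4 + n].decode("ascii")
    # The textual prefix must agree with the type embedded in the blob.
    if len(fields) > 1 and fields[0] != key_type:
        raise ValueError(f"prefix {fields[0]!r} does not match blob type {key_type!r}")
    return key_type, blob, fields[2].strip() if len(fields) == 3 else ""


def fingerprint(text: str) -> str:
    """SHA256 fingerprint in the format printed by ssh-keygen -l."""
    digest = hashlib.sha256(parse_pubkey(text)[1]).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def key_in_output(expected: str, stdout: str) -> bool:
    """True if any key line in stdout carries the same blob as expected."""
    want = parse_pubkey(expected)[1]
    lines = [l for l in stdout.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    return any(parse_pubkey(line)[1] == want for line in lines)
```

When such a comparison fails, printing `fingerprint()` for both sides gives a short value that can be checked against `ssh-keygen -l -f` on each candidate key file to see which key was actually stored.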
Back from vacation, will look at this, this week.