feat(pam/integration-tests): Add SSH authentication tests #583
Commits on Nov 14, 2024
pam/tools/pam-client: Remove leftover
This was meant to be removed by commit ab6e2e6, but it was actually duplicated :(
Commit f1d5791
pam/integration-tests/helpers: Use unique folder for each test artifacts
We used to share the tests artifact folder for each run, but it's better to split it for each test run so that it's easier to inspect.
Commit 8ba7d4a
pam/integration-tests: Make tapes commands to be controllable from go side
We may want to replicate some tapes for multiple tests but with different commands, so we need to define the command in a generic way instead of repeating it in each single tape. The variables are evaluated before running the tape, so no changes in the golden files are needed.
Commit 4a2c3b3
pam/integration-tests: Use unique users for password reset
So that we can avoid troubles when running the tests in parallel
Commit 30d6346
pam/integration-tests: Use the same authd instance when possible
We were running multiple instances of the authd daemon for each test in order to make some specific cases to be tested. However, this is unneeded for the great majority of the test cases and it doesn't allow us to test the daemon concurrency properly. So, just run a specific daemon if the test case requires it, and so just in case we need to do root-checks or to ensure that the local groups are updated. The only downside of this is that if a test generates a gpasswd file we are going to fail also in other tests that are not affected by the issue, but that's still something that can be easily debugged by checking the logs or temporarily enabling the single-authd instance to be used all the time.
Commit 196f24e
pam/integration-tests/native: Check if sigint is actually working by using the shell
We relied on vhs's prompt (">") being written to ensure we exited authd, but it's better to actually ensure that the terminal is still responsive.
Commit d545797
pam/integration-tests: Generalize C module builder for wider scopes
We can use the same code to build any C module, not just the PAM ones
Commit bfc6f90
examplebroker: Add user-needs-reset2
So we can use it for multiple needs-reset tests
Commit ac84d80
pam/nativemodel: Use consistent layout for new password mode
As per commit 79f21be we've a new layout on the native model but this is not applied to the new password view, so follow the same rules here.
Commit 2f36e2f
pam/integration-tests: Add PAM tests using SSHd
We have tests simulating SSH behavior, but it's definitely better to ensure that SSH works as expected using the actual server and client when used with authd. In order to get sshd to be fully usable for this simulation, however, we need to "mock" it by using a LD_PRELOAD'ed library that has to be in C (as the cgo version I initially did would trigger the well-known issues we have with go libraries and threads) and that we use for mocking the sshd requests on getpwnam and to make sshd open our pam file (that is hardcoded in sshd). To handle the getpwnam we could even have used __nss_configure_lookup() with a fake module or our own, but this is just a simpler solution for now, while in the future we may want to add full integration tests where also our own NSS library is used instead, but this was outside the scope of this change, that is mainly focused on the behavior of the PAM module only. As for the rest, just repeat all the native tests that make sense using SSH instead, by de facto re-using the same tape files, minus the removal of the user selection.
Commit dce36c8
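An added example, not code from this pull request or from authd: the getpwnam half of the LD_PRELOAD mock described in the commit message above, written so that only explicitly allow-listed test users are faked and every other name still goes through the normal lookup. The `MOCK_PW_USERS` variable, the `is_mock_user` helper, the file names and the constructed passwd values are all assumptions; redirecting sshd to a test PAM file is not covered here.

```c
#define _POSIX_C_SOURCE 200809L
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Build: cc -shared -fPIC -o libmockpw.so mockpw.c (file names assumed).
 * MOCK_PW_USERS is a hypothetical comma-separated allow-list. */
#define MOCK_USERS_ENV "MOCK_PW_USERS"

/* Return 1 only when name exactly equals one allow-list entry. */
int is_mock_user(const char *name)
{
    const char *p = getenv(MOCK_USERS_ENV);
    size_t n = name ? strlen(name) : 0;
    if (n == 0 || p == NULL)
        return 0;
    while (*p != '\0') {
        size_t len = strcspn(p, ",");
        if (len == n && memcmp(p, name, n) == 0)
            return 1;
        p += len + (p[len] == ',');
    }
    return 0;
}

/* Interposes libc getpwnam(): constructed entry for allow-listed names,
 * normal NSS lookup through getpwnam_r() for every other name. */
struct passwd *getpwnam(const char *name)
{
    static struct passwd fake, real;
    static char fake_name[256], real_buf[4096];
    struct passwd *found = NULL;
    if (is_mock_user(name)) {
        snprintf(fake_name, sizeof fake_name, "%s", name);
        fake.pw_name = fake_name;
        fake.pw_passwd = "x";
        fake.pw_uid = getuid(); /* assumption: sshd runs as the test user */
        fake.pw_gid = getgid();
        fake.pw_gecos = "";
        fake.pw_dir = "/nonexistent";
        fake.pw_shell = "/bin/sh";
        return &fake;
    }
    return getpwnam_r(name, &real, real_buf, sizeof real_buf, &found) == 0
               ? found : NULL;
}
```

Because the allow-list is read from the environment on every call, a process started without `MOCK_PW_USERS` gets the unmodified lookup even if the library is preloaded.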
pam/integration-tests/ssh: Reuse native data tapes when possible
SSH and native tests are basically using the same UI, so let's share the same tape files when possible. We can't do it for all since most of the native ones rely on the user being selected during the interaction, but we can change that at a later point.
Commit 88ef5b2
pam/integration-tests/ssh: Disable coverage and asan for preloaded libraries
Sadly we can't cover the preloaded library, otherwise it will cause signals being emitted which break SSHd behavior. At the same time, using a library with ASAN support when preloading is too complex to be implemented here. We can avoid this though since the code paths are already covered in other tests.
Commit 3eda8dc
pam/integration-tests/ssh: Add support for running sshd as daemon
In some tests we may want to re-connect to it multiple times so make this possible. This commit also opens the gates to potentially running all the tests in a single SSHd session, to test the ability of our library to run when loaded in a concurrent way.
Commit 2674647
pam/integration-tests/ssh: Add test checking that user selections are remembered
Thanks to the previous commit we can handle the test by just launching ssh as a daemon, that will accept multiple connections.
Commit b420f68
pam/utils: Check if we're in a session just once
We do this request multiple times, but it's not something that can change, so perform it just once
Commit 23bce66
pam/integration-tests: Add tests using a single SSH server for all the requests
We may want to be sure that a single instance of SSH with multiple requests coming in parallel is properly handled by our stack. This is something we didn't test before but having sshd as a daemon allows us to do it properly, simulating a more real scenario. However, we only perform such tests in race mode not to increase the testing time too much.
Commit 570016a
pam/integration-tests/native: Use PAM-preset user by default in tests
This is what the great majority of PAM-based tools do, so also with the experience of CVE-2024-9313 it's just better to test this case by default while keeping the cases where the user selection is happening as the special ones. Doing this for the native model authentication only for now, since this allows us to share most of the tapes with SSH test cases, but that's something we should do also for CLI tests and passwd cases.
Commit 8c51be0
pam/integration-tests: Remove unused tapes for mismatching user
This is something that we don't support anymore as per commit e91ab76 and if we'd do it, it wouldn't work well anyways since it would imply changing the PAM user, which as we know may lead to logging-in wrongly as CVE-2024-9313 taught us
Commit 439868d
pam/integration-tests: Do not use utf-8 ellipses in broker messages
These are not supported by some SSH clients, so better to be reliable and support characters that are visible the same way in all the known cases.
Commit a51f412
pam/integration-tests/ssh: Ignore SSH tests when running on unsupported OS
SSH output changes from old jammy (where CI is) to noble and greater versions (as per the OpenSSH server changes we carry on), so to be able to run the tests in a reliable way we need to be on such context. While we target noble, we didn't force our CI to be updated, so for now let's just enable the tests in older ubuntu versions where CI resides skipping it otherwise. Added also a further check so that when CI changes we get an error about
Commit 00f1a92