1 ;;; GNU Guix --- Functional package management for GNU
2 ;;; Copyright © 2016-2022 Ludovic Courtès <ludo@gnu.org>
3 ;;; Copyright © 2017, 2018 Clément Lassieur <clement@lassieur.org>
4 ;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
6 ;;; This file is part of GNU Guix.
8 ;;; GNU Guix is free software; you can redistribute it and/or modify it
9 ;;; under the terms of the GNU General Public License as published by
10 ;;; the Free Software Foundation; either version 3 of the License, or (at
11 ;;; your option) any later version.
13 ;;; GNU Guix is distributed in the hope that it will be useful, but
14 ;;; WITHOUT ANY WARRANTY; without even the implied warranty of
15 ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 ;;; GNU General Public License for more details.
18 ;;; You should have received a copy of the GNU General Public License
19 ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
21 (define-module (gnu tests ssh)
22 #:use-module (gnu tests)
23 #:use-module (gnu system)
24 #:use-module (gnu system vm)
25 #:use-module (gnu services)
26 #:use-module (gnu services ssh)
27 #:use-module (gnu services networking)
28 #:use-module (gnu packages ssh)
29 #:use-module (guix gexp)
30 #:use-module (guix store)
31 #:export (%test-openssh
34 (define* (run-ssh-test name ssh-service pid-file
35 #:key (sftp? #f) (test-getlogin? #t))
36 "Run a test of an OS running SSH-SERVICE, which writes its PID to PID-FILE.
37 SSH-SERVICE must be configured to listen on port 22 and to allow for root and
38 empty-password logins.
40 When SFTP? is true, run an SFTP server test."
42 (marionette-operating-system
43 (simple-operating-system (service dhcp-client-service-type) ssh-service)
44 #:imported-modules '((gnu services herd)
49 (port-forwardings '((2222 . 22)))))
52 (with-imported-modules '((gnu build marionette))
53 (with-extensions (list guile-ssh)
55 (use-modules (gnu build marionette)
67 ;; Enable TCP forwarding of the guest's port 22.
68 (make-marionette (list #$vm)))
70 (define (make-session-for-test)
71 "Make a session with predefined parameters for a test."
72 (make-session #:user "root"
75 #:log-verbosity 'protocol))
77 (define (call-with-connected-session proc)
78 "Call the one-argument procedure PROC with a freshly created and
79 connected SSH session object, return the result of the procedure call. The
80 session is disconnected when the PROC is finished."
81 (let ((session (make-session-for-test)))
84 (let ((result (connect! session)))
85 (unless (equal? result 'ok)
86 (error "Could not connect to a server"
88 (lambda () (proc session))
89 (lambda () (disconnect! session)))))
91 (define (call-with-connected-session/auth proc)
92 "Make an authenticated session. We should be able to connect as
93 root with an empty password."
94 (call-with-connected-session
96 ;; Try the simple authentication methods. Dropbear requires
97 ;; 'none' when there are no passwords, whereas OpenSSH accepts
98 ;; 'password' with an empty password.
99 (let loop ((methods (list (cut userauth-password! <> "")
100 (cut userauth-none! <>))))
103 (error "all the authentication methods failed"))
105 (match (pk 'auth (auth session))
111 (test-runner-current (system-test-runner #$output))
112 (test-begin "ssh-daemon")
114 ;; Wait for sshd to be up and running.
115 (test-assert "service running"
118 (use-modules (gnu services herd))
119 (start-service 'ssh-daemon))
122 ;; Check sshd's PID file.
123 (test-assert "sshd PID"
124 (let ((pid (marionette-eval
126 (use-modules (gnu services herd)
129 (live-service-running
132 (live-service-provision live)))
133 (current-services))))
136 (= pid (wait-for-file #$pid-file marionette))
139 (test-assert "wait for port 22, IPv4"
140 (wait-for-tcp-port 22 marionette))
142 (test-assert "wait for port 22, IPv6"
143 ;; Make sure it's also available as IPv6.
144 ;; See <https://issues.guix.gnu.org/55335>.
145 (wait-for-tcp-port 22 marionette
147 `(make-socket-address
149 (inet-pton AF_INET6 "::1")
152 ;; Connect to the guest over SSH. Make sure we can run a shell
154 (test-equal "shell command"
156 (call-with-connected-session/auth
158 ;; FIXME: 'get-server-public-key' segfaults.
159 ;; (get-server-public-key session)
160 (let ((channel (make-channel session)))
161 (channel-open-session channel)
162 (channel-request-exec channel "echo hello > /root/witness")
163 (and (zero? (channel-get-exit-status channel))
164 (wait-for-file "/root/witness" marionette))))))
166 ;; Check whether the 'getlogin' procedure returns the right thing.
167 (unless #$test-getlogin?
169 (test-equal "getlogin"
171 (call-with-connected-session/auth
173 (let* ((pipe (open-remote-input-pipe
175 "guile -c '(display (getlogin))'"))
176 (output (get-string-all pipe))
177 (status (channel-get-exit-status pipe)))
178 (list status output)))))
180 ;; Connect to the guest over SFTP. Make sure we can write and
181 ;; read a file there.
184 (test-equal "SFTP file writing and reading"
186 (call-with-connected-session/auth
188 (let ((sftp-session (make-sftp-session session))
189 (witness "/root/sftp-witness"))
190 (call-with-remote-output-file sftp-session witness
191 (cut display "hello" <>))
192 (call-with-remote-input-file sftp-session witness
195 ;; Connect to the guest over SSH. Make sure we can run commands
196 ;; from the system profile.
197 (test-equal "run executables from system profile"
199 (call-with-connected-session/auth
201 (let ((channel (make-channel session)))
202 (channel-open-session channel)
203 (channel-request-exec
206 "mkdir -p /root/.guix-profile/bin && "
207 "touch /root/.guix-profile/bin/path-witness && "
208 "chmod 755 /root/.guix-profile/bin/path-witness"))
209 (zero? (channel-get-exit-status channel))))))
211 ;; Connect to the guest over SSH. Make sure we can run commands
212 ;; from the user profile.
213 (test-equal "run executable from user profile"
215 (call-with-connected-session/auth
217 (let ((channel (make-channel session)))
218 (channel-open-session channel)
219 (channel-request-exec channel "path-witness")
220 (zero? (channel-get-exit-status channel))))))
224 (gexp->derivation name test))
226 (define %test-openssh
229 (description "Connect to a running OpenSSH daemon.")
230 (value (run-ssh-test name
231 ;; Allow root logins with an empty password to
233 (service openssh-service-type
234 (openssh-configuration
235 (permit-root-login #t)
236 (allow-empty-passwords? #t)))
237 #f ;inetd-style, no PID file
240 (define %test-dropbear
243 (description "Connect to a running Dropbear SSH daemon.")
244 (value (run-ssh-test name
245 (service dropbear-service-type
246 (dropbear-configuration
248 (allow-empty-passwords? #t)))
249 "/var/run/dropbear.pid"
251 ;; XXX: Our Dropbear is not built with PAM support.
252 ;; Even when it is, it seems to ignore the PAM
253 ;; 'session' requirements.
254 #:test-getlogin? #f))))