1 ;;; GNU Guix --- Functional package management for GNU
2 ;;; Copyright © 2016, 2017, 2018, 2019 Ludovic Courtès <ludo@gnu.org>
3 ;;; Copyright © 2017, 2018 Clément Lassieur <clement@lassieur.org>
4 ;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
6 ;;; This file is part of GNU Guix.
8 ;;; GNU Guix is free software; you can redistribute it and/or modify it
9 ;;; under the terms of the GNU General Public License as published by
10 ;;; the Free Software Foundation; either version 3 of the License, or (at
11 ;;; your option) any later version.
13 ;;; GNU Guix is distributed in the hope that it will be useful, but
14 ;;; WITHOUT ANY WARRANTY; without even the implied warranty of
15 ;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 ;;; GNU General Public License for more details.
18 ;;; You should have received a copy of the GNU General Public License
19 ;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
21 (define-module (gnu tests ssh)
22 #:use-module (gnu tests)
23 #:use-module (gnu system)
24 #:use-module (gnu system vm)
25 #:use-module (gnu services)
26 #:use-module (gnu services ssh)
27 #:use-module (gnu services networking)
28 #:use-module (gnu packages ssh)
29 #:use-module (guix gexp)
30 #:use-module (guix store)
31 #:export (%test-openssh
34 (define* (run-ssh-test name ssh-service pid-file
35 #:key (sftp? #f) (test-getlogin? #t))
36 "Run a test of an OS running SSH-SERVICE, which writes its PID to PID-FILE.
37 SSH-SERVICE must be configured to listen on port 22 and to allow for root and
38 empty-password logins.
40 When SFTP? is true, run an SFTP server test."
42 (marionette-operating-system
43 (simple-operating-system (service dhcp-client-service-type) ssh-service)
44 #:imported-modules '((gnu services herd)
49 (port-forwardings '((2222 . 22)))))
52 (with-imported-modules '((gnu build marionette))
53 (with-extensions (list guile-ssh)
55 (use-modules (gnu build marionette)
67 ;; Enable TCP forwarding of the guest's port 22.
68 (make-marionette (list #$vm)))
70 (define (make-session-for-test)
71 "Make a session with predefined parameters for a test."
72 (make-session #:user "root"
75 #:log-verbosity 'protocol))
77 (define (call-with-connected-session proc)
78 "Call the one-argument procedure PROC with a freshly created and
79 connected SSH session object, return the result of the procedure call. The
80 session is disconnected when the PROC is finished."
81 (let ((session (make-session-for-test)))
84 (let ((result (connect! session)))
85 (unless (equal? result 'ok)
86 (error "Could not connect to a server"
88 (lambda () (proc session))
89 (lambda () (disconnect! session)))))
91 (define (call-with-connected-session/auth proc)
92 "Make an authenticated session. We should be able to connect as
93 root with an empty password."
94 (call-with-connected-session
96 ;; Try the simple authentication methods. Dropbear requires
97 ;; 'none' when there are no passwords, whereas OpenSSH accepts
98 ;; 'password' with an empty password.
99 (let loop ((methods (list (cut userauth-password! <> "")
100 (cut userauth-none! <>))))
103 (error "all the authentication methods failed"))
105 (match (pk 'auth (auth session))
114 (test-begin "ssh-daemon")
116 ;; Wait for sshd to be up and running.
117 (test-assert "service running"
120 (use-modules (gnu services herd))
121 (start-service 'ssh-daemon))
124 ;; Check sshd's PID file.
125 (test-equal "sshd PID"
126 (wait-for-file #$pid-file marionette)
129 (use-modules (gnu services herd)
132 (live-service-running
135 (live-service-provision live)))
136 (current-services))))
139 ;; Connect to the guest over SSH. Make sure we can run a shell
141 (test-equal "shell command"
143 (call-with-connected-session/auth
145 ;; FIXME: 'get-server-public-key' segfaults.
146 ;; (get-server-public-key session)
147 (let ((channel (make-channel session)))
148 (channel-open-session channel)
149 (channel-request-exec channel "echo hello > /root/witness")
150 (and (zero? (channel-get-exit-status channel))
151 (wait-for-file "/root/witness" marionette))))))
153 ;; Check whether the 'getlogin' procedure returns the right thing.
154 (unless #$test-getlogin?
156 (test-equal "getlogin"
158 (call-with-connected-session/auth
160 (let* ((pipe (open-remote-input-pipe
162 "guile -c '(display (getlogin))'"))
163 (output (get-string-all pipe))
164 (status (channel-get-exit-status pipe)))
165 (list status output)))))
167 ;; Connect to the guest over SFTP. Make sure we can write and
168 ;; read a file there.
171 (test-equal "SFTP file writing and reading"
173 (call-with-connected-session/auth
175 (let ((sftp-session (make-sftp-session session))
176 (witness "/root/sftp-witness"))
177 (call-with-remote-output-file sftp-session witness
178 (cut display "hello" <>))
179 (call-with-remote-input-file sftp-session witness
182 ;; Connect to the guest over SSH. Make sure we can run commands
183 ;; from the system profile.
184 (test-equal "run executables from system profile"
186 (call-with-connected-session/auth
188 (let ((channel (make-channel session)))
189 (channel-open-session channel)
190 (channel-request-exec
193 "mkdir -p /root/.guix-profile/bin && "
194 "touch /root/.guix-profile/bin/path-witness && "
195 "chmod 755 /root/.guix-profile/bin/path-witness"))
196 (zero? (channel-get-exit-status channel))))))
198 ;; Connect to the guest over SSH. Make sure we can run commands
199 ;; from the user profile.
200 (test-equal "run executable from user profile"
202 (call-with-connected-session/auth
204 (let ((channel (make-channel session)))
205 (channel-open-session channel)
206 (channel-request-exec channel "path-witness")
207 (zero? (channel-get-exit-status channel))))))
210 (exit (= (test-runner-fail-count (test-runner-current)) 0))))))
212 (gexp->derivation name test))
214 (define %test-openssh
217 (description "Connect to a running OpenSSH daemon.")
218 (value (run-ssh-test name
219 ;; Allow root logins with an empty password to
221 (service openssh-service-type
222 (openssh-configuration
223 (permit-root-login #t)
224 (allow-empty-passwords? #t)))
228 (define %test-dropbear
231 (description "Connect to a running Dropbear SSH daemon.")
232 (value (run-ssh-test name
233 (service dropbear-service-type
234 (dropbear-configuration
236 (allow-empty-passwords? #t)))
237 "/var/run/dropbear.pid"
239 ;; XXX: Our Dropbear is not built with PAM support.
240 ;; Even when it is, it seems to ignore the PAM
241 ;; 'session' requirements.
242 #:test-getlogin? #f))))