annotate test/test_dropbearconvert.py @ 1930:299f4f19ba19

Add /usr/sbin and /sbin to default root PATH. When dropbear is used in a very restricted environment (such as in an initrd), the default user shell is often also very restricted and doesn't take care of setting the PATH, so the user ends up with the PATH set by dropbear. Unfortunately, dropbear always sets "/usr/bin:/bin" as default PATH even for the root user, which should have /usr/sbin and /sbin too. For a concrete instance of this problem, see the "Remote Unlocking" section in this tutorial: https://paxswill.com/blog/2013/11/04/encrypted-raspberry-pi/ It speaks of a bug in the initramfs script because it's written "blkid" instead of "/sbin/blkid"... this is just because the scripts from the initramfs do not expect to have a PATH without the sbin directories and because dropbear is not setting the PATH appropriately for the root user. I'm thus suggesting to use the attached patch to fix this misbehaviour (I did not test it, but it's easy enough). It might seem anecdotal but multiple Kali users have been bitten by this. From https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903403
author Raphael Hertzog <hertzog@debian.org>
date Mon, 09 Jul 2018 16:27:53 +0200
parents ced53051e200
children
1 import subprocess
2 import tempfile
4 import pytest
# Key types exercised by the conversion tests. A "-<bits>" suffix carries an
# explicit key size, which parse_keytype() splits off for the key generators.
keytypes = [
    "rsa",
    "rsa-4096",
    "ed25519",
    "ecdsa",
    "ecdsa-256",
    "ecdsa-384",
    "ecdsa-521",
    "dss",
]
def parse_keytype(kt):
    """
    Split a keytype parameter into its algorithm name and optional size.

    A value containing '-' is returned as the list produced by
    ``kt.split('-')`` (for example ``['rsa', '4096']``, size as a string);
    any other value is returned as the tuple ``(kt, None)``. Callers in this
    file unpack the result into two names.
    """
    if '-' not in kt:
        return (kt, None)
    return kt.split('-')
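@pytest.mark.parametrize("keytype", keytypes)
@pytest.mark.parametrize("keyformat", [None, "PEM"])
def test_from_openssh(request, tmp_path, keytype, keyformat):
    """
    Convert OpenSSH to Dropbear format,
    PEM and OpenSSH internal

    ssh-keygen generates a key without a passphrase, dropbearconvert
    converts it, and the public key that ``dropbearkey -y`` prints for the
    converted file is compared with the ``.pub`` file ssh-keygen wrote.
    The tool paths come from the pytest options ``ssh_keygen``,
    ``dropbearconvert`` and ``dropbearkey``.
    """
    opt = request.config.option
    kt, keybits = parse_keytype(keytype)

    if kt == 'dss' and keyformat is None:
        pytest.skip("dss doesn't support openssh format")

    os_kt = kt
    if os_kt == 'dss':
        # OpenSSH calls it 'dsa', Dropbear calls it 'dss'
        # NOTE(review): newer OpenSSH builds no longer generate DSA keys, in
        # which case the dss/PEM case fails at ssh-keygen -- confirm against
        # the ssh-keygen used by the test environment.
        os_kt = 'dsa'

    os_key = tmp_path / 'oskey1'
    db_key = tmp_path / 'dbkey1'

    # Generate an OpenSSH key. It is written without a passphrase, so it is
    # only suitable as a throwaway key inside the per-test tmp_path.
    args = [
        opt.ssh_keygen,
        '-f', os_key,
        '-t', os_kt,
        '-N', '', # no password
    ]
    if keybits is not None:
        args += ['-b', keybits]
    if keyformat:
        args += ['-m', keyformat]
    subprocess.run(args, check=True)

    # Convert to dropbear format
    args = [
        opt.dropbearconvert,
        'openssh', 'dropbear',
        os_key, db_key,
    ]
    subprocess.run(args, check=True)

    # Compare pubkeys
    args = [
        opt.dropbearkey,
        '-f', db_key,
        '-y'
    ]
    p = subprocess.run(args, check=True, stdout=subprocess.PIPE, text=True)
    # The public key is taken from the second output line; fail with a
    # readable message rather than an IndexError if the output is shorter.
    lines = p.stdout.splitlines()
    assert len(lines) > 1, "unexpected dropbearkey -y output: %r" % p.stdout
    db_pubkey = lines[1].strip()
    # read_text() closes the file itself; open().read() left the handle
    # open until garbage collection.
    os_pubkey = os_key.with_suffix('.pub').read_text().strip()
    # we compare the whole key including comment since it currently matches
    assert db_pubkey == os_pubkey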
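@pytest.mark.parametrize("keytype", keytypes)
def test_roundtrip(request, tmp_path, keytype):
    """
    Dropbear's private key format is deterministic so
    we can compare round trip conversion. (OpenSSH's
    format has more variable comments and other fields).

    dropbearkey generates a key, dropbearconvert converts it to OpenSSH
    format and back, and the test checks that ssh-keygen can read the
    intermediate file, that both tools report the same public key, and that
    the final Dropbear file is byte-identical to the first one.
    The tool paths come from the pytest options ``ssh_keygen``,
    ``dropbearconvert`` and ``dropbearkey``.
    """
    opt = request.config.option
    kt, keybits = parse_keytype(keytype)

    # All key files are throwaway test keys kept inside the per-test tmp_path.
    os_key = tmp_path / 'oskey1'
    db_key1 = tmp_path / 'dbkey1'
    db_key2 = tmp_path / 'dbkey2'

    # generate a key
    args = [
        opt.dropbearkey,
        '-t', kt,
        '-f', db_key1,
    ]
    if keybits is not None:
        args += ['-s', keybits]
    subprocess.run(args, check=True)

    # convert to openssh
    args = [
        opt.dropbearconvert,
        'dropbear', 'openssh',
        db_key1, os_key,
    ]
    subprocess.run(args, check=True)

    # Check ssh-keygen can read it
    args = [
        opt.ssh_keygen,
        '-f', os_key,
        '-y',
    ]
    p = subprocess.run(args, check=True, text=True, stdout=subprocess.PIPE)
    os_pubkey = p.stdout.strip()

    # Compare public keys
    args = [
        opt.dropbearkey,
        '-f', db_key1,
        '-y',
    ]
    p = subprocess.run(args, check=True, text=True, stdout=subprocess.PIPE)
    # The public key is taken from the second output line; fail with a
    # readable message rather than an IndexError if the output is shorter.
    lines = p.stdout.splitlines()
    assert len(lines) > 1, "unexpected dropbearkey -y output: %r" % p.stdout
    db_pubkey = lines[1].strip()
    # comment may differ, so only the first two space-separated fields
    # are compared
    db_pubkey = db_pubkey.split(' ')[:2]
    os_pubkey = os_pubkey.split(' ')[:2]
    assert db_pubkey == os_pubkey

    # convert back to dropbear
    args = [
        opt.dropbearconvert,
        'openssh', 'dropbear',
        os_key, db_key2,
    ]
    subprocess.run(args, check=True)
    # check the round trip is identical
    # read_bytes() closes each file itself; open('rb').read() left both
    # private-key handles open until garbage collection.
    assert db_key1.read_bytes() == db_key2.read_bytes()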