URL: https://github.com/freeipa/freeipa/pull/4937 Author: fcami Title: #4937: ipatests.test_commands.test_ssh_key_connection: paramiko=>ssh2 Action: opened
PR body: """ Paramiko is not compatible with FIPS. Migrate test_ssh_key_connection to ssh2. Fixes: https://pagure.io/freeipa/issue/8129 Signed-off-by: François Cami <fc...@redhat.com> """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/4937/head:pr4937 git checkout pr4937
From bab739306ee0c092b1b659cafcf7e910f27a3602 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fc...@redhat.com> Date: Thu, 23 Jul 2020 18:11:28 +0200 Subject: [PATCH] ipatests.test_commands.test_ssh_key_connection: paramiko=>ssh2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Paramiko is not compatible with FIPS. Migrate test_ssh_key_connection to ssh2. Fixes: https://pagure.io/freeipa/issue/8129 Signed-off-by: François Cami <fc...@redhat.com> --- ipatests/test_integration/test_commands.py | 46 ++++++++++++++++------ 1 file changed, 33 insertions(+), 13 deletions(-) diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py index bacde50416..4544de0d25 100644 --- a/ipatests/test_integration/test_commands.py +++ b/ipatests/test_integration/test_commands.py @@ -14,8 +14,13 @@ from itertools import chain, repeat import textwrap import time + import paramiko import pytest +import socket + +from ssh2 import exceptions as ssh2exceptions +from ssh2 import session as ssh2session from subprocess import CalledProcessError from cryptography.hazmat.backends import default_backend @@ -609,9 +614,9 @@ def test_ssh_key_connection(self, tmpdir): """ Integration test for https://pagure.io/SSSD/sssd/issue/3747 """ - if self.master.is_fips_mode: # pylint: disable=no-member - pytest.skip("paramiko is not compatible with FIPS mode") + failed_first = False + ssh_port = 22 test_user = 'test-ssh' external_master_hostname = \ self.master.external_hostname 
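Review bot: In the import hunk, `from ssh2 import exceptions as ssh2exceptions` and `from ssh2 import session as ssh2session` are added at module level, but the diffstat lists only this one file, so nothing visible in the patch declares ssh2-python as a test dependency. If the package is missing, the import fails at collection and every test in test_commands.py is lost, not only test_ssh_key_connection. Either declare the dependency in the same change or import inside the test, e.g. `ssh2session = pytest.importorskip("ssh2.session")`. `import paramiko` remains as a context line; if no other test in the file still uses it (not visible here), it should be dropped in this commit. `import socket` would also sit better with the other standard-library imports above it.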
@@ -635,27 +640,42 @@ def test_ssh_key_connection(self, tmpdir): # connect with first SSH key first_priv_key_path = os.path.join(tmpdir, 'ssh_priv_1') - # change private key permission to comply with SS rules os.chmod(first_priv_key_path, 0o600) - sshcon = paramiko.SSHClient() - sshcon.set_missing_host_key_policy(paramiko.AutoAddPolicy()) + _sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + _sock.connect((external_master_hostname, ssh_port)) + s = ssh2session.Session() + s.set_timeout(1000) + s.handshake(_sock) # first connection attempt is a workaround for # https://pagure.io/SSSD/sssd/issue/3669 try: - sshcon.connect(external_master_hostname, username=test_user, - key_filename=first_priv_key_path, timeout=1) - except (paramiko.AuthenticationException, paramiko.SSHException): - pass + s.userauth_publickey_fromfile(test_user, first_priv_key_path) + except ssh2exceptions.AuthenticationError: + failed_first = True try: - sshcon.connect(external_master_hostname, username=test_user, - key_filename=first_priv_key_path, timeout=1) - except (paramiko.AuthenticationException, - paramiko.SSHException) as e: + if failed_first: + s.userauth_publickey_fromfile(test_user, first_priv_key_path) + else: + pass + except ssh2exceptions.AuthenticationError as e: pytest.fail('Authentication using SSH key not successful', e) + try: + channel = s.open_session() + channel.execute("ls /root") + channel.close() + except Exception as e: + pytest.fail("Unable to launch remote commands!", e) + + try: + del s + _sock.close() + except Exception as e: + pass + journal_cmd = ['journalctl', '--since=today', '-u', 'sshd'] result = self.master.run_command(journal_cmd) output = result.stdout_text
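Review bot: The cleanup at the end of this hunk (`del s`, `_sock.close()` under `except Exception as e: pass`) is reached only when everything before it passed, because each `pytest.fail(...)` raises first, so a failed authentication or channel error leaves the socket open, and the bare `pass` hides any close error. Putting the connect, authentication and channel steps under `try`/`finally` with `_sock.close()` in the `finally`, as sketched below, covers both paths. The added `pytest.fail("Unable to launch remote commands!", e)` hands the exception to pytest's second positional parameter, `pytrace`, so the cause never appears in the report; format it into the message instead. Separately, `channel.execute("ls /root")` is not followed by an exit-status check and `s.handshake(_sock)` is not followed by any host-key check in the visible lines, so the test seems to confirm only that a session opened against whatever answered on port 22; a comment should state that this is acceptable for the test master only. test_ssh_key_connection starts and ends outside this hunk.

```python
        _sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            # … unchanged (re-indented): connect, handshake, both auth attempts …
            try:
                channel = s.open_session()
                channel.execute("ls /root")
                channel.close()
            except Exception as e:
                pytest.fail(
                    "Unable to launch remote commands: {!r}".format(e)
                )
        finally:
            # runs even when pytest.fail() raised above
            _sock.close()
```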