|
@@ -207,27 +207,28 @@ def test_backup_ssh_service_connectivity(host):
|
|
|
|
|
|
|
|
|
@pytest.mark.usefixtures("prepare_ssh_client_private_key_permissions")
|
|
|
def test_backup_ssh_service_key_fingerprints(host):
|
|
|
@pytest.mark.parametrize('key_algorithm', [
|
|
|
'rsa-sha2-512',
|
|
|
'ssh-ed25519',
|
|
|
'ecdsa-sha2-nistp256',
|
|
|
])
|
|
|
def test_backup_ssh_service_key_fingerprints(host, key_algorithm):
|
|
|
"""
|
|
|
Tests fingerprints of backup SSH server in order to ensure correct keys are
|
|
|
in use.
|
|
|
"""
|
|
|
|
|
|
key_types = ['ssh-rsa', 'ssh-ed25519', 'ecdsa-sha2-nistp256']
|
|
|
|
|
|
# Extract first non-IPv6 IP. Crude test, but it should work.
|
|
|
remote_ip = next(a for a in host.interface("eth1").addresses if ":" not in a)
|
|
|
|
|
|
local = host.get_host("local://")
|
|
|
|
|
|
for key_type in key_types:
|
|
|
|
|
|
login_attempt = local.run("ssh -p 2222 "
|
|
|
"-o PasswordAuthentication=no "
|
|
|
"-o StrictHostKeyChecking=yes "
|
|
|
"-o UserKnownHostsFile=tests/data/ssh/known_hosts "
|
|
|
"-i tests/data/ssh/client1 "
|
|
|
"-o HostKeyAlgorithms=%s "
|
|
|
"bak-client1_backup@%s /bin/echo sshtest" % (key_type, remote_ip))
|
|
|
assert login_attempt.rc == 1
|
|
|
assert "This service allows sftp connections only." in login_attempt.stdout
|
|
|
login_attempt = local.run("ssh -p 2222 "
|
|
|
"-o PasswordAuthentication=no "
|
|
|
"-o StrictHostKeyChecking=yes "
|
|
|
"-o UserKnownHostsFile=tests/data/ssh/known_hosts "
|
|
|
"-i tests/data/ssh/client1 "
|
|
|
"-o HostKeyAlgorithms=%s "
|
|
|
"bak-client1_backup@%s /bin/echo sshtest" % (key_algorithm, remote_ip))
|
|
|
assert login_attempt.rc == 1
|
|
|
assert "This service allows sftp connections only." in login_attempt.stdout
|
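Review bot: The new parametrize list in test_backup_ssh_service_key_fingerprints mixes a signature algorithm name (`rsa-sha2-512`) with key-type names, and nothing on the page says why `ssh-rsa` was dropped. Presumably this is because recent OpenSSH clients disable SHA-1 RSA signatures by default, but a reader could wrongly conclude that the RSA entry in tests/data/ssh/known_hosts must change. A comment above the list would settle it, for example `# rsa-sha2-512 still verifies the RSA host key (known_hosts type ssh-rsa); only the signature hash differs from ssh-rsa (SHA-1)`. The two assertions also give no context when host-key verification fails, since ssh then exits 255 and the test only reports `255 == 1`; `assert login_attempt.rc == 1, login_attempt.stderr` would show the ssh error. The command is still built with `%` and passed to the shell, whereas testinfra's `run` takes the values as extra arguments and quotes them, so `key_algorithm, remote_ip` could be passed after the command string instead of as a `%` tuple.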