@fscheiner
Last active July 21, 2023 07:06
Test GSS KEX/GEX methods for GSI-OpenSSH
#!/bin/bash
# Test GSS KEX/GEX for GSI-OpenSSH
#
# Requirements
# ############
#
# * Needs to be run as root (e.g. with `sudo`)
# * Needs preconfigured and working GSI authentication (certs, keys,
#   grid-mapfile, etc. in `/etc/grid-security` and valid GSI proxy certificate)
#   and gsisshd config file (uses `/etc/gsissh/sshd_config`)

################################################################################
# CONFIGURATION
################################################################################

_prefix="/usr"
if [[ "$3" != "" ]]; then
    _prefix="$3"
fi

# Server command: gsisshd in the foreground (-D) logging to stderr (-e), with
# the algorithm lists pinned so that every GSS KEX/GEX method under test is
# offered. The backslash-newline continuations are removed by the heredoc, so
# the variable holds a single command line.
_serverCommand=$( cat <<EOF
${_prefix}/sbin/gsisshd -De \
    -f /etc/gsissh/sshd_config \
    -oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc \
    -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 \
    -oGSSAPIKexAlgorithms=gss-gex-sha1-,gss-group1-sha1-,gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,gss-curve25519-sha256- \
    -oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 \
    -oHostKeyAlgorithms=rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com \
    -oPubkeyAcceptedKeyTypes=rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com \
    -oCASignatureAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,rsa-sha2-512,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa
EOF
)

_clientCommandStub="${_prefix}/bin/gsissh -vvv"

# Port the client connects to. gsisshd takes its listen port from the config
# file above, so the two must agree.
_serverPort="2222"

# GSS KEX/GEX methods under test, grouped by hash algorithm. Each one is tried
# alone via -oGSSAPIKexAlgorithms on the client side.
_gexMethodsSha1=(
    gss-gex-sha1-
)
_kexMethodsSha1=(
    gss-group1-sha1-
)
_kexMethodsSha256=(
    gss-group14-sha256-
    gss-nistp256-sha256-
    gss-curve25519-sha256-
)
_kexMethodsSha512=(
    gss-group16-sha512-
)

################################################################################

################################################################################
# ARGUMENTS
################################################################################

if [[ "$1" == "" || "$2" == "" ]]; then
    echo "Usage: $0 HOST_FQDN REMOTE_USER [PREFIX]" 1>&2
    # see /usr/include/sysexits.h (EX_USAGE)
    exit 64
fi

# This is the FQDN of the host that runs the gsisshd. Must be resolvable in DNS!
_host="$1"

# This is the remote user name that will be used upon successful connection
# (configured in grid-mapfile)
_remoteUser="$2"

################################################################################

_exitCode=0

# The script runs under sudo; client-side commands run as the invoking user,
# whose GSI proxy is used for the connection.
_localUser=$( getent passwd "$SUDO_UID" | cut -d ':' -f1 )

# check for existence of GSI proxy
if ! sudo -u ${_localUser} ${_prefix}/bin/grid-proxy-info -e; then
    echo "Suggestion: Run ${_prefix}/bin/grid-proxy-init first!" 1>&2
    exit 1
fi

_serverVersionString=$( ${_prefix}/sbin/gsisshd -V 2>&1 | head -n2 | tail -n1 )
_clientVersionString=$( ${_prefix}/bin/gsissh -V 2>&1 )

echo "gsisshd: ${_serverVersionString}"
echo "gsissh: ${_clientVersionString}"
echo ""

# Start server in background
sudo ${_serverCommand} &>./gsisshd.log &

echo -n "Wait 3 seconds for startup of gsisshd "
sleep 1
echo -n "."
sleep 1
echo -n "."
sleep 1
echo "."
echo ""

for _kexMethod in ${_gexMethodsSha1[@]} ${_kexMethodsSha1[@]} ${_kexMethodsSha256[@]} ${_kexMethodsSha512[@]}; do
    echo -n "$_kexMethod "
    # Try client connection and save output of `whoami`; the client's debug
    # output goes to a per-method log file for later inspection.
    _actualRemoteUser=$( sudo -u ${_localUser} ${_clientCommandStub} -oGSSAPIKexAlgorithms=${_kexMethod} -p ${_serverPort} ${_host} 'whoami; exit' 2>./gsissh-${_kexMethod}.log | tail -n1 )
    if [[ "${_remoteUser}" == "${_actualRemoteUser}" ]]; then
        echo "OK"
    else
        echo "Error"
        _exitCode=1
    fi
done

# Stop the test server again
if hash killall &>/dev/null; then
    sudo killall gsisshd
else
    sudo pkill gsisshd
fi

exit ${_exitCode}
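The script judges each method only by the `whoami` result, which cannot distinguish a GSS key exchange from a connection that fell back to a regular KEX and still authenticated with GSI. As an added check that is not part of the gist, the following reads the per-method `gsissh-<method>.log` file the script saves and reports which KEX algorithm was actually negotiated. It assumes OpenSSH's debug format (`debug1: kex: algorithm: <name>`); the embedded log lines are constructed, not real captures, and the base64-like suffix is a placeholder.

```shell
#!/bin/bash
# Added example (not part of the gist): report the KEX algorithm actually
# negotiated according to a gsissh -vvv log. GSS KEX names carry a
# mechanism-specific suffix after the trailing dash, so matching is by prefix.

# Print the negotiated KEX algorithm found in a log file (empty if absent).
negotiated_kex() {
    sed -n 's/^debug1: kex: algorithm: //p' "$1" 2>/dev/null | head -n1
}

# Print one of: OK, FALLBACK:<algorithm>, NO-KEX
#   OK        negotiated name starts with the requested method prefix
#   FALLBACK  a different (non-GSS) algorithm was used; authentication may
#             still have succeeded, so whoami alone would not show this
#   NO-KEX    no key exchange took place (connection failed earlier)
kex_verdict() {
    local requested="$1" logfile="$2" actual
    actual=$( negotiated_kex "$logfile" )
    case "$actual" in
        "")            echo "NO-KEX" ;;
        "$requested"*) echo "OK" ;;
        *)             echo "FALLBACK:${actual}" ;;
    esac
}

# Constructed sample logs standing in for gsissh -vvv output
# (PLACEHOLDERsuffix== is not a real mechanism suffix).
_logdir=$( mktemp -d )
cat > "${_logdir}/gss-group14-sha256-.log" <<'EOF'
debug1: Local version string SSH-2.0-OpenSSH_8.0
debug1: kex: algorithm: gss-group14-sha256-PLACEHOLDERsuffix==
debug1: kex: host key algorithm: ssh-ed25519
EOF
cat > "${_logdir}/gss-group1-sha1-.log" <<'EOF'
debug1: Local version string SSH-2.0-OpenSSH_8.0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ssh-ed25519
EOF
cat > "${_logdir}/gss-gex-sha1-.log" <<'EOF'
debug1: Local version string SSH-2.0-OpenSSH_8.0
ssh_exchange_identification: Connection closed by remote host
EOF

for _m in gss-group14-sha256- gss-group1-sha1- gss-gex-sha1-; do
    echo "${_m} $( kex_verdict "${_m}" "${_logdir}/${_m}.log" )"
done
```

Point `_logdir` at the directory where the test script was run to check the real `gsissh-<method>.log` files instead of the constructed ones.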
@fscheiner (Author) commented:
Worked for me in CentOS 8, Fedora 32 and Fedora 33.

Example output

All GSS KEX/GEX methods working

[johndoe@host ~]$ sudo bin/test-gss-kex-for-gsi-openssh.bash host.domain.tld johndoe2
gsisshd: OpenSSH_8.0p1c-GSI GSI-hpn14v19, OpenSSL 1.1.1c FIPS  28 May 2019
gsissh: OpenSSH_8.0p1c-GSI GSI-hpn14v19, OpenSSL 1.1.1c FIPS  28 May 2019

Wait 3 seconds for startup of gsisshd ...

gss-gex-sha1- OK
gss-group1-sha1- OK
gss-group14-sha256- OK
gss-nistp256-sha256- OK
gss-curve25519-sha256- OK
gss-group16-sha512- OK

Only GSS GEX method working

[johndoe@host ~]$ sudo bin/test-gss-kex-for-gsi-openssh.bash host.domain.tld johndoe2
gsisshd: OpenSSH_8.0p1c-GSI GSI-hpn14v19, OpenSSL 1.1.1c FIPS  28 May 2019
gsissh: OpenSSH_8.0p1c-GSI GSI-hpn14v19, OpenSSL 1.1.1c FIPS  28 May 2019

Wait 3 seconds for startup of gsisshd ...

gss-gex-sha1- OK
gss-group1-sha1- Error
gss-group14-sha256- Error
gss-nistp256-sha256- Error
gss-curve25519-sha256- Error
gss-group16-sha512- Error

[johndoe@host ~]$ yum info gsi-openssh
[...]
Installed Packages
Name         : gsi-openssh
Version      : 8.0p1
Release      : 6.el8
Architecture : x86_64
Size         : 1.9 M
Source       : gsi-openssh-8.0p1-6.el8.src.rpm
[...]
