Test GSS KEX/GEX methods for GSI-OpenSSH
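#!/bin/bash
# Test GSS KEX/GEX for GSI-OpenSSH
#
# Usage: $0 HOST_FQDN REMOTE_USER [PREFIX]
#
# Starts a throw-away gsisshd on port 2222 with every GSS KEX/GEX method
# enabled, then connects once per method with gsissh (as the user that invoked
# sudo) and checks that `whoami` on the remote side prints REMOTE_USER.
# Exit status is 0 only when every method succeeded.
#
# Requirements
# ############
#
# * Needs to be run as root (e.g. with `sudo`); the client side is run as the
#   invoking user (taken from SUDO_UID), so start the script via `sudo`
# * Needs preconfigured and working GSI authentication (certs, keys,
#   grid-mapfile, etc. in `/etc/grid-security` and valid GSI proxy certificate)
#   and gsisshd config file (uses `/etc/gsissh/sshd_config`)
#
# Output files (written to the current directory):
#   gsisshd.log          stdout/stderr of the test server (-De: foreground,
#                        log to stderr)
#   gsissh-<method>.log  `gsissh -vvv` stderr for each tested method
#
# Exit codes: 0 all methods OK, 1 a test failed or a precondition was missing,
# 64 usage error, 77 not running as root (see /usr/include/sysexits.h).

# Unset variables are bugs here (positional parameters are read with defaults).
set -u

################################################################################
# ARGUMENTS
################################################################################
if (( $# < 2 )); then
  printf 'Usage: %s HOST_FQDN REMOTE_USER [PREFIX]\n' "$0" >&2
  # see /usr/include/sysexits.h (EX_USAGE)
  exit 64
fi

# This is the FQDN of the host that runs the gsisshd. Must be resolvable in DNS!
_host="$1"

# This is the remote user name that will be used upon successful connection
# (configured in grid-mapfile)
_remoteUser="$2"

################################################################################
# CONFIGURATION
################################################################################
_prefix="/usr"
if [[ -n "${3:-}" ]]; then
  _prefix="$3"
fi

# Port the test server listens on and the client connects to. Passing it to
# gsisshd with -p makes the server ignore any Port directive in sshd_config, so
# the client is guaranteed to talk to the daemon started below and not to an
# already running system gsisshd.
_serverPort="2222"

# The algorithm lists deliberately include legacy choices (SHA-1 GSS methods,
# CBC ciphers, ssh-rsa) because the purpose of this script is to exercise every
# GSS KEX/GEX method. This is a test daemon configuration, not a hardening
# recommendation.
_serverCommand=(
  "${_prefix}/sbin/gsisshd" -De
  -f /etc/gsissh/sshd_config
  -p "${_serverPort}"
  -oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc
  -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512
  -oGSSAPIKexAlgorithms=gss-gex-sha1-,gss-group1-sha1-,gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,gss-curve25519-sha256-
  -oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
  -oHostKeyAlgorithms=rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com
  -oPubkeyAcceptedKeyTypes=rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com
  -oCASignatureAlgorithms=rsa-sha2-256,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,rsa-sha2-512,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa
)

_clientCommand=("${_prefix}/bin/gsissh" -vvv)

_gexMethodsSha1=(
  gss-gex-sha1-
)

_kexMethodsSha1=(
  gss-group1-sha1-
)

_kexMethodsSha256=(
  gss-group14-sha256-
  gss-nistp256-sha256-
  gss-curve25519-sha256-
)

_kexMethodsSha512=(
  gss-group16-sha512-
)
################################################################################

################################################################################
# PRECONDITIONS
################################################################################
if (( EUID != 0 )); then
  printf 'This script must be run as root (e.g. via sudo).\n' >&2
  # see /usr/include/sysexits.h (EX_NOPERM)
  exit 77
fi

# Without SUDO_UID `getent passwd` would list every account and the first one
# (usually root) would silently be used as the client user, so insist on it.
: "${SUDO_UID:?SUDO_UID is not set - start this script via sudo}"
_localUser=$( getent passwd "${SUDO_UID}" | cut -d ':' -f1 )
if [[ -z "${_localUser}" ]]; then
  printf 'Cannot resolve SUDO_UID=%s to a user name.\n' "${SUDO_UID}" >&2
  exit 1
fi

# check for existence of GSI proxy (as the invoking user, who owns the proxy)
if ! sudo -u "${_localUser}" "${_prefix}/bin/grid-proxy-info" -e; then
  printf 'Suggestion: Run %s/bin/grid-proxy-init first!\n' "${_prefix}" >&2
  exit 1
fi

_serverVersionString=$( "${_prefix}/sbin/gsisshd" -V 2>&1 | head -n2 | tail -n1 )
_clientVersionString=$( "${_prefix}/bin/gsissh" -V 2>&1 )

printf 'gsisshd: %s\n' "${_serverVersionString}"
printf 'gsissh: %s\n' "${_clientVersionString}"
printf '\n'

################################################################################
# TEST SERVER
################################################################################
_exitCode=0
_serverPid=""

#######################################
# Stop the test gsisshd started by this script (and only that one). Runs on
# every exit path, so a failed run does not leave the daemon behind. Using the
# recorded PID instead of `killall gsisshd` avoids terminating an unrelated
# system gsisshd on the same host.
# Globals:   _serverPid (read)
#######################################
cleanup() {
  if [[ -n "${_serverPid}" ]] && kill -0 "${_serverPid}" 2>/dev/null; then
    kill "${_serverPid}"
  fi
}
trap cleanup EXIT

# Start server in background; we are root, so no sudo is needed and $! is the
# PID of gsisshd itself (-D keeps it in the foreground of the job).
"${_serverCommand[@]}" &>./gsisshd.log &
_serverPid=$!

printf 'Wait 3 seconds for startup of gsisshd '
sleep 1
printf '.'
sleep 1
printf '.'
sleep 1
printf '.\n'
printf '\n'

# A server that died during startup (bad config, port in use, ...) would make
# every method below report "Error" for the wrong reason.
if ! kill -0 "${_serverPid}" 2>/dev/null; then
  printf 'gsisshd did not start, see ./gsisshd.log\n' >&2
  exit 1
fi

################################################################################
# TESTS
################################################################################
for _kexMethod in "${_gexMethodsSha1[@]}" "${_kexMethodsSha1[@]}" \
  "${_kexMethodsSha256[@]}" "${_kexMethodsSha512[@]}"; do
  printf '%s ' "${_kexMethod}"

  # Try client connection and save output of `whoami`
  _actualRemoteUser=$( sudo -u "${_localUser}" "${_clientCommand[@]}" \
    -oGSSAPIKexAlgorithms="${_kexMethod}" \
    -p "${_serverPort}" \
    "${_host}" 'whoami; exit' 2>"./gsissh-${_kexMethod}.log" | tail -n1 )

  if [[ "${_remoteUser}" == "${_actualRemoteUser}" ]]; then
    printf 'OK\n'
  else
    printf 'Error\n'
    _exitCode=1
  fi
done

# The EXIT trap stops the test server.
exit "${_exitCode}"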
Worked for me in CentOS 8, Fedora 32 and Fedora 33.
Example output
All GSS KEX/GEX methods working
Only GSS GEX method working