Commit 383e5ed5 by Edward Thomson

ci: use ecdsa keys for ssh

Using modern rsa (sha2-256 or sha2-512) with libssh2 is complicated and
depends on numerous factors for support. Just use ecdsa, which is
supported by both libssh2 v1.11.0 and modern OpenSSH (which we use for
our server in CI).
parent 8329f7ac
...@@ -25,6 +25,8 @@ CTEST=$(which ctest) ...@@ -25,6 +25,8 @@ CTEST=$(which ctest)
TMPDIR=${TMPDIR:-/tmp} TMPDIR=${TMPDIR:-/tmp}
USER=${USER:-$(whoami)} USER=${USER:-$(whoami)}
GITTEST_SSH_KEYTYPE=${GITTEST_SSH_KEYTYPE:="ecdsa"}
HOME=`mktemp -d ${TMPDIR}/home.XXXXXXXX` HOME=`mktemp -d ${TMPDIR}/home.XXXXXXXX`
export CLAR_HOMEDIR=${HOME} export CLAR_HOMEDIR=${HOME}
...@@ -207,7 +209,7 @@ if should_run "SSH_TESTS"; then ...@@ -207,7 +209,7 @@ if should_run "SSH_TESTS"; then
Port 2222 Port 2222
ListenAddress 0.0.0.0 ListenAddress 0.0.0.0
Protocol 2 Protocol 2
HostKey ${SSHD_DIR}/id_rsa HostKey ${SSHD_DIR}/id_${GITTEST_SSH_KEYTYPE}
PidFile ${SSHD_DIR}/pid PidFile ${SSHD_DIR}/pid
AuthorizedKeysFile ${HOME}/.ssh/authorized_keys AuthorizedKeysFile ${HOME}/.ssh/authorized_keys
LogLevel DEBUG LogLevel DEBUG
...@@ -216,21 +218,21 @@ if should_run "SSH_TESTS"; then ...@@ -216,21 +218,21 @@ if should_run "SSH_TESTS"; then
PubkeyAuthentication yes PubkeyAuthentication yes
ChallengeResponseAuthentication no ChallengeResponseAuthentication no
StrictModes no StrictModes no
HostCertificate ${SSHD_DIR}/id_rsa.pub HostCertificate ${SSHD_DIR}/id_${GITTEST_SSH_KEYTYPE}.pub
HostKey ${SSHD_DIR}/id_rsa HostKey ${SSHD_DIR}/id_${GITTEST_SSH_KEYTYPE}
# Required here as sshd will simply close connection otherwise # Required here as sshd will simply close connection otherwise
UsePAM no UsePAM no
EOF EOF
ssh-keygen -t rsa -f "${SSHD_DIR}/id_rsa" -N "" -q ssh-keygen -t "${GITTEST_SSH_KEYTYPE}" -f "${SSHD_DIR}/id_${GITTEST_SSH_KEYTYPE}" -N "" -q
/usr/sbin/sshd -f "${SSHD_DIR}/sshd_config" -E "${SSHD_DIR}/log" /usr/sbin/sshd -f "${SSHD_DIR}/sshd_config" -E "${SSHD_DIR}/log"
# Set up keys # Set up keys
mkdir "${HOME}/.ssh" mkdir "${HOME}/.ssh"
ssh-keygen -t rsa -f "${HOME}/.ssh/id_rsa" -N "" -q ssh-keygen -t "${GITTEST_SSH_KEYTYPE}" -f "${HOME}/.ssh/id_${GITTEST_SSH_KEYTYPE}" -N "" -q
cat "${HOME}/.ssh/id_rsa.pub" >>"${HOME}/.ssh/authorized_keys" cat "${HOME}/.ssh/id_${GITTEST_SSH_KEYTYPE}.pub" >>"${HOME}/.ssh/authorized_keys"
while read algorithm key comment; do while read algorithm key comment; do
echo "[localhost]:2222 $algorithm $key" >>"${HOME}/.ssh/known_hosts" echo "[localhost]:2222 $algorithm $key" >>"${HOME}/.ssh/known_hosts"
done <"${SSHD_DIR}/id_rsa.pub" done <"${SSHD_DIR}/id_${GITTEST_SSH_KEYTYPE}.pub"
# Append the github.com keys for the tests that don't override checks. # Append the github.com keys for the tests that don't override checks.
# We ask for ssh-rsa to test that the selection based off of known_hosts # We ask for ssh-rsa to test that the selection based off of known_hosts
...@@ -428,12 +430,12 @@ fi ...@@ -428,12 +430,12 @@ fi
if should_run "SSH_TESTS"; then if should_run "SSH_TESTS"; then
export GITTEST_REMOTE_USER=$USER export GITTEST_REMOTE_USER=$USER
export GITTEST_REMOTE_SSH_KEY="${HOME}/.ssh/id_rsa" export GITTEST_REMOTE_SSH_KEY="${HOME}/.ssh/id_${GITTEST_SSH_KEYTYPE}"
export GITTEST_REMOTE_SSH_PUBKEY="${HOME}/.ssh/id_rsa.pub" export GITTEST_REMOTE_SSH_PUBKEY="${HOME}/.ssh/id_${GITTEST_SSH_KEYTYPE}.pub"
export GITTEST_REMOTE_SSH_PASSPHRASE="" export GITTEST_REMOTE_SSH_PASSPHRASE=""
export GITTEST_REMOTE_SSH_FINGERPRINT="${SSH_FINGERPRINT}" export GITTEST_REMOTE_SSH_FINGERPRINT="${SSH_FINGERPRINT}"
export GITTEST_SSH_CMD="ssh -i ${HOME}/.ssh/id_rsa -o UserKnownHostsFile=${HOME}/.ssh/known_hosts" export GITTEST_SSH_CMD="ssh -i ${HOME}/.ssh/id_${GITTEST_SSH_KEYTYPE} -o UserKnownHostsFile=${HOME}/.ssh/known_hosts"
echo "" echo ""
echo "Running ssh tests" echo "Running ssh tests"
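Review bot: The new default on line 13, `GITTEST_SSH_KEYTYPE=${GITTEST_SSH_KEYTYPE:="ecdsa"}`, uses the assigning form `:=` inside an assignment, which is redundant and inconsistent with the `:-` form of the TMPDIR and USER lines directly above it; `GITTEST_SSH_KEYTYPE=${GITTEST_SSH_KEYTYPE:-ecdsa}` does the same thing in the file's own style. The value then flows unvalidated into ssh-keygen's `-t` argument, the HostKey/HostCertificate paths in the generated sshd_config, the known_hosts loop and the GITTEST_REMOTE_SSH_* exports, so an unsupported override surfaces only as an ssh-keygen error on line 33 (and a missing `${SSHD_DIR}/id_${GITTEST_SSH_KEYTYPE}` when sshd starts on line 34); a guard right after the default, `case "$GITTEST_SSH_KEYTYPE" in ecdsa|ed25519|rsa) ;; *) echo "unsupported GITTEST_SSH_KEYTYPE: $GITTEST_SSH_KEYTYPE" >&2; exit 1 ;; esac`, would make that failure explicit. If `SSH_FINGERPRINT`, exported on line 50, is derived elsewhere in the file from the old `id_rsa.pub` path, that derivation also needs the new variable; it is outside these hunks, so I cannot confirm it. The `if should_run "SSH_TESTS"` blocks enclosing hunks two through four start and end outside the visible lines.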