Previously sk-dummy.so used libc's (or compat's) SHA256 since it may be
built without OpenSSL. In many cases, however, including both libc's
and OpenSSL's headers together caused conflicting definitions.
We tried working around this (on OpenSSL <1.1 you could define
OPENSSL_NO_SHA, NetBSD had USE_LIBC_SHA2, various #define hacks) with
varying levels of success. Since OpenSSL >=1.1 removed OPENSSL_NO_SHA
and including most OpenSSL headers would bring sha.h in, even if it
wasn't used directly this was a constant hassle.
Admit defeat and use OpenSSL's SHA256 unless we aren't using OpenSSL at
all. ok djm@
Overview.
$ ./configure && make tests
You'll see some progress info. A failure will cause either the make to
abort or the driver script to report a "FATAL" failure.
The test consists of 2 parts. The first is the file-based tests which is
driven by the Makefile, and the second is a set of network or proxycommand
based tests, which are driven by a driver script (test-exec.sh) which is
called multiple times by the Makefile.
Failures in the first part will cause the Makefile to return an error.
Failures in the second part will print a "FATAL" message for the failed
test and continue.
OpenBSD has a system-wide regression test suite. OpenSSH Portable's test
suite is based on OpenBSD's with modifications.
Environment variables.
SKIP_UNIT: Skip unit tests.
SUDO: path to sudo/doas command, if desired. Note that some systems
(notably systems using PAM) require sudo to execute some tests.
LTESTS: Whitespace separated list of tests (filenames without the .sh
extension) to run.
SKIP_LTESTS: Whitespace separated list of tests to skip.
OBJ: used by test scripts to access build dir.
TEST_SHELL: shell used for running the test scripts.
TEST_SSH_FAIL_FATAL: set to "yes" to make any failure abort the test
currently in progress.
TEST_SSH_PORT: TCP port to be used for the listening tests.
TEST_SSH_QUIET: set to "yes" to suppress non-fatal output.
TEST_SSH_SSHD_CONFOPTS: Configuration directives to be added to sshd_config
before running each test.
TEST_SSH_SSH_CONFOPTS: Configuration directives to be added to
ssh_config before running each test.
TEST_SSH_TRACE: set to "yes" for verbose output from tests
TEST_SSH_x: path to "ssh" command under test, where x is one of
SSH, SSHD, SSHAGENT, SSHADD, SSHKEYGEN, SSHKEYSCAN, SFTP or
SFTPSERVER
USE_VALGRIND: Run the tests under valgrind memory checker.
Individual tests.
You can run an individual test from the top-level Makefile, eg:
$ make tests LTESTS=agent-timeout
If you need to manipulate the environment more you can invoke test-exec.sh
directly if you set up the path to find the binaries under test and the
test scripts themselves, for example:
$ cd regress
$ PATH=`pwd`/..:$PATH:. TEST_SHELL=/bin/sh sh test-exec.sh `pwd` \
agent-timeout.sh
ok agent timeout test
Files.
test-exec.sh: the main test driver. Sets environment, creates config files
and keys and runs the specified test.
At the time of writing, the individual tests are:
connect.sh: simple connect
proxy-connect.sh: proxy connect
connect-privsep.sh: proxy connect with privsep
connect-uri.sh: uri connect
proto-version.sh: sshd version with different protocol combinations
proto-mismatch.sh: protocol version mismatch
exit-status.sh: remote exit status
envpass.sh: environment passing
transfer.sh: transfer data
banner.sh: banner
rekey.sh: rekey
stderr-data.sh: stderr data transfer
stderr-after-eof.sh: stderr data after eof
broken-pipe.sh: broken pipe test
try-ciphers.sh: try ciphers
yes-head.sh: yes pipe head
login-timeout.sh: connect after login grace timeout
agent.sh: simple connect via agent
agent-getpeereid.sh: disallow agent attach from other uid
agent-timeout.sh: agent timeout test
agent-ptrace.sh: disallow agent ptrace attach
keyscan.sh: keyscan
keygen-change.sh: change passphrase for key
keygen-convert.sh: convert keys
keygen-moduli.sh: keygen moduli
key-options.sh: key options
scp.sh: scp
scp-uri.sh: scp-uri
sftp.sh: basic sftp put/get
sftp-chroot.sh: sftp in chroot
sftp-cmds.sh: sftp command
sftp-badcmds.sh: sftp invalid commands
sftp-batch.sh: sftp batchfile
sftp-glob.sh: sftp glob
sftp-perm.sh: sftp permissions
sftp-uri.sh: sftp-uri
ssh-com-client.sh: connect with ssh.com client
ssh-com-keygen.sh: ssh.com key import
ssh-com-sftp.sh: basic sftp put/get with ssh.com server
ssh-com.sh: connect to ssh.com server
reconfigure.sh: simple connect after reconfigure
dynamic-forward.sh: dynamic forwarding
forwarding.sh: local and remote forwarding
multiplex.sh: connection multiplexing
reexec.sh: reexec tests
brokenkeys.sh: broken keys
sshcfgparse.sh: ssh config parse
cfgparse.sh: sshd config parse
cfgmatch.sh: sshd_config match
cfgmatchlisten.sh: sshd_config matchlisten
addrmatch.sh: address match
localcommand.sh: localcommand
forcecommand.sh: forced command
portnum.sh: port number parsing
keytype.sh: login with different key types
kextype.sh: login with different key exchange algorithms
cert-hostkey.sh certified host keys
cert-userkey.sh: certified user keys
host-expand.sh: expand %h and %n
keys-command.sh: authorized keys from command
forward-control.sh: sshd control of local and remote forwarding
integrity.sh: integrity
krl.sh: key revocation lists
multipubkey.sh: multiple pubkey
limit-keytype.sh: restrict pubkey type
hostkey-agent.sh: hostkey agent
keygen-knownhosts.sh: ssh-keygen known_hosts
hostkey-rotate.sh: hostkey rotate
principals-command.sh: authorized principals command
cert-file.sh: ssh with certificates
cfginclude.sh: config include
allow-deny-users.sh: AllowUsers/DenyUsers
authinfo.sh: authinfo
Problems?
Run the failing test with shell tracing (-x) turned on:
$ PATH=`pwd`/..:$PATH:. sh -x test-exec.sh `pwd` agent-timeout.sh
Failed tests can be difficult to diagnose. Suggestions:
- run the individual test via ./test-exec.sh `pwd` [testname]
- set LogLevel to VERBOSE in test-exec.sh and enable syslogging of
auth.debug (eg to /var/log/authlog).
Known Issues.
- Similarly, if you do not have "scp" in your system's $PATH then the
multiplex scp tests will fail (since the system's shell startup scripts
will determine where the shell started by sshd will look for scp).
- Recent GNU coreutils deprecate "head -[n]": this will cause the yes-head
test to fail. The old behaviour can be restored by setting (and
exporting) _POSIX2_VERSION=199209 before running the tests.
0fa803a1dd