(t *testing.T)
| 300 | } |
| 301 | |
| 302 | func TestSSHAgentForwarding(t *testing.T) { |
| 303 | // Create a client SSH key |
| 304 | tmpDir, err := os.MkdirTemp("", "") |
| 305 | if err != nil { |
| 306 | t.Fatal(err) |
| 307 | } |
| 308 | t.Cleanup(func() { |
| 309 | _ = os.RemoveAll(tmpDir) |
| 310 | }) |
| 311 | pkFile := filepath.Join(tmpDir, "pk") |
| 312 | clientKey, clientKeyRSA := generateClientKey(t, pkFile) |
| 313 | |
| 314 | // Start upstream SSH server |
| 315 | l, err := net.Listen("tcp", "127.0.0.1:") |
| 316 | if err != nil { |
| 317 | t.Fatalf("unable to listen for SSH: %s", err) |
| 318 | } |
| 319 | t.Cleanup(func() { |
| 320 | _ = l.Close() |
| 321 | }) |
| 322 | |
| 323 | // Run an SSH server that accepts connections from that client SSH key. |
| 324 | gs := gliderssh.Server{ |
| 325 | Handler: func(s gliderssh.Session) { |
| 326 | io.WriteString(s, "Hello world\n") |
| 327 | }, |
| 328 | PublicKeyHandler: func(ctx gliderssh.Context, key gliderssh.PublicKey) error { |
| 329 | // Note - this is not meant to be cryptographically secure, it's |
| 330 | // just checking that SSH agent forwarding is forwarding the right |
| 331 | // key. |
| 332 | a := key.Marshal() |
| 333 | b := clientKey.PublicKey().Marshal() |
| 334 | if !bytes.Equal(a, b) { |
| 335 | return errors.New("key mismatch") |
| 336 | } |
| 337 | return nil |
| 338 | }, |
| 339 | } |
| 340 | go gs.Serve(l) |
| 341 | |
| 342 | // Run tailscale SSH server and connect to it |
| 343 | username := "testuser" |
| 344 | tailscaleAddr := testServer(t, username, false, false) |
| 345 | tcl, err := ssh.Dial("tcp", tailscaleAddr, &ssh.ClientConfig{ |
| 346 | HostKeyCallback: ssh.InsecureIgnoreHostKey(), |
| 347 | }) |
| 348 | if err != nil { |
| 349 | t.Fatal(err) |
| 350 | } |
| 351 | t.Cleanup(func() { tcl.Close() }) |
| 352 | |
| 353 | s, err := tcl.NewSession() |
| 354 | if err != nil { |
| 355 | t.Fatal(err) |
| 356 | } |
| 357 | |
| 358 | // Set up SSH agent forwarding on the client |
| 359 | err = agent.RequestAgentForwarding(s) |
nothing calls this directly
no test coverage detected
searching dependent graphs…