#8129 Tests: Replace paramiko with OpenSSH
Closed: fixed a year ago by frenaud. Opened 2 years ago by cheimes.

Issue

Paramiko is not compatible with FIPS mode or systems with strict crypto policies. Therefore we should not use Paramiko in tests. All tests should be rewritten to use the OpenSSH client.

Affected Tests

  • test_ssh_key_connection in test_integration.test_commands
  • test_selinux_user_optimized in test_integration.test_user_permissions
  • ssh_2f users in test_integration.test_otp
  • keytab tests in test_webui

Suggested Solution

Since multiple tests use SSH, it makes sense to create a simple API for the problem. The interface should support private-key and password-based logins. For password-based logins we can use the sshpass helper. To isolate from the testing environment, the API should use its own config file and directory for pubkey, privkey, known hosts file, and settings.
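
One way to build the isolated OpenSSH wrapper proposed above, as an added example: it is not FreeIPA's code and not the `run_ssh_cmd` helper named in the commits below. The function names `make_isolated_ssh_dir` and `build_ssh_command` and the choice of ssh_config options are assumptions.

```python
import os
import tempfile


def make_isolated_ssh_dir():
    """Create a private directory with its own ssh config and known_hosts."""
    ssh_dir = tempfile.mkdtemp(prefix="test-ssh-")  # created with mode 0700
    known_hosts = os.path.join(ssh_dir, "known_hosts")
    config = os.path.join(ssh_dir, "config")
    open(known_hosts, "a").close()
    with open(config, "w") as f:
        f.write(
            "Host *\n"
            f'    UserKnownHostsFile "{known_hosts}"\n'
            "    GlobalKnownHostsFile /dev/null\n"
            "    StrictHostKeyChecking accept-new\n"
            "    IdentitiesOnly yes\n"   # offer only keys passed with -i
            "    IdentityAgent none\n"   # ignore the caller's ssh-agent
        )
    os.chmod(config, 0o600)
    return ssh_dir, config


def build_ssh_command(config, host, user, remote_cmd, key_file=None, password=None):
    """Return (argv, env) for one key-based or one password-based login."""
    if (key_file is None) == (password is None):
        raise ValueError("pass exactly one of key_file or password")
    if host.startswith("-") or user.startswith("-"):
        raise ValueError("host and user must not look like ssh options")
    env = dict(os.environ)
    # -F replaces the per-user config and skips the system-wide ssh_config.
    argv = ["ssh", "-F", config, "-l", user]
    if key_file is not None:
        # BatchMode makes a rejected key fail at once instead of prompting.
        argv += ["-i", key_file, "-o", "BatchMode=yes",
                 "-o", "PreferredAuthentications=publickey"]
    else:
        # sshpass -e reads the password from SSHPASS, keeping it out of argv.
        env["SSHPASS"] = password
        argv = ["sshpass", "-e"] + argv + [
            "-o", "PubkeyAuthentication=no",
            "-o", "NumberOfPasswordPrompts=1"]
    return argv + [host, remote_cmd], env
```

The returned pair is meant to be passed to `subprocess.run(argv, env=env)`; the temporary directory should be removed when the test finishes.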


Metadata Update from @cheimes:
- Issue tagged with: fips, testblocker

2 years ago

master:

  • 20ef79c Remove FIPS noise from SSHd
  • d153957 FIPS: server key has different name in FIPS mode
  • 6a17a91 Skip paramiko tests in FIPS mode

ipa-4-8:

  • 6ce6b53 Remove FIPS noise from SSHd
  • 9091290 FIPS: server key has different name in FIPS mode
  • 82a4fae Skip paramiko tests in FIPS mode

Metadata Update from @fcami:
- Issue assigned to fcami

a year ago

Metadata Update from @fcami:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/4938
- Issue set to the milestone: None (was: FreeIPA 4.8.3)

a year ago

Metadata Update from @fcami:
- Custom field changelog adjusted to Paramiko is not compatible with FIPS mode, therefore convert most tests to using ssh directly. The only non-converted test is the 2-prompt OTP test because sshpass does not support 2-prompt password authentication.

a year ago

master:

  • d5148c6 tasks: add run_ssh_cmd
  • 73ae4c7 ipatests: test_commands: test_ssh_key_connection: Paramiko=>OpenSSH
  • 5cc7a2b ipatests: test_user_permissions: test_selinux_user_optimized Paramiko=>OpenSSH
  • 27ed826 ipatests: test_commands: test_ssh_from_controller: refactor
  • 112386f ipatests: test_commands: test_ssh_from_controller: Paramiko=>OpenSSH
  • 326e133 ipatests: test_commands: test_login_wrong_password: Paramiko=>OpenSSH
  • a9f0557 ipatests: ui_driver: convert run_cmd_on_ui_host to tasks.py::run_ssh_cmd
  • 763d3b0 ipatests: test_otp: convert test_2fa_enable_single_prompt to run_ssh_cmd

ipa-4-8:

  • 034526a tasks: add run_ssh_cmd
  • 326ddff ipatests: test_commands: test_ssh_key_connection: Paramiko=>OpenSSH
  • 26e5803 ipatests: test_user_permissions: test_selinux_user_optimized Paramiko=>OpenSSH
  • 262a712 ipatests: test_commands: test_ssh_from_controller: refactor
  • ee57dd2 ipatests: test_commands: test_ssh_from_controller: Paramiko=>OpenSSH
  • 17759ec ipatests: test_commands: test_login_wrong_password: Paramiko=>OpenSSH
  • 027d0bb ipatests: ui_driver: convert run_cmd_on_ui_host to tasks.py::run_ssh_cmd
  • b0d4db5 ipatests: test_otp: convert test_2fa_enable_single_prompt to run_ssh_cmd

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

a year ago

Metadata Update from @fcami:
- Custom field changelog adjusted to Paramiko is not compatible with FIPS mode, therefore convert most tests to using ssh directly. The only non-converted test is the 2-prompt OTP test because sshpass does not support 2-prompt password authentication ( https://pagure.io/freeipa/issue/8431 ). (was: Paramiko is not compatible with FIPS mode, therefore convert most tests to using ssh directly. The only non-converted test is the 2-prompt OTP test because sshpass does not support 2-prompt password authentication.)

a year ago
