Automated OpenSSH Configuration Tests

When developing or fine-tuning OpenSSH configurations, testing can be quite tiresome: change the configuration, restart the server, run manual tests, repeat. Not to forget the many times when restarting the SSH server fails and you lock yourself out of your test server (sshd -t catches syntax errors before a restart, but not a configuration that is valid and still denies you access).

When writing a Linux Magazin article about SSH key management I wanted to show how to use the OpenSSH PKI (a CA key that signs host and user certificates) in a repeatable way. The result is an automated test suite for OpenSSH configuration:
$ ./   ... lots of info output running through ... 
SSH PKI Demo Test Results:

Succeeded create-ca-key
Succeeded create-host-key
Succeeded sign-host-key
Succeeded create-user-root-key
Succeeded sign-user-root-key
Succeeded create-user-unpriv-key
Succeeded sign-user-unpriv-key
Succeeded test-trusting-known-hosts-via-cert-and-login-with-password
Succeeded test-that-hostname-in-cert-must-match-target-host
Succeeded test-login-with-root-key-trusted-by-cert
Succeeded test-that-username-in-cert-must-match-target-user
Succeeded test-revoked-ca-key-prevents-login
Succeeded test-revoked-user-key-prevents-login
Succeeded test-revoked-host-key-prevents-connection
Succeeded in running all tests, congratulations!
It does not require root permissions: it creates a self-contained test environment in which it starts an SSH server as an unprivileged user and connects a client to it. The test also creates the required SSH CA key, the host and user keys and the certificates signed with the CA, so it doubles as a practical example of how to use the OpenSSH PKI.
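The key, certificate and revocation steps that the test list above walks through, as an added example that is not the article's own script: it uses only ssh-keygen in a temporary directory (no sshd, no root) to create the CA, sign one host and one user certificate, and then checks with key revocation lists (KRLs) that revoking the user key or the CA key really marks the affected certificates as revoked. The names demo-ca, testhost.example and unpriv, the validity window and the file names are assumptions made for this demo.

```shell
#!/bin/sh
# Added example, not the article's test suite: build a throwaway OpenSSH PKI
# with ssh-keygen alone (no sshd, no root), then inspect the certificates and
# exercise the KRL behaviour that the revocation tests rely on.
# demo-ca, testhost.example, unpriv and the file names are made up for the demo.
set -eu

# Skip cleanly on systems without the OpenSSH client tools.
command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not found, nothing to do"; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# --- helpers that read `ssh-keygen -L` / `ssh-keygen -Q` output ---------------

# Print "user" or "host" from the Type line of a certificate.
cert_type() {
    ssh-keygen -L -f "$1" | awk '/^[[:space:]]*Type:/ { print $(NF-1) }'
}

# Print the Key ID of a certificate without the surrounding quotes.
cert_key_id() {
    ssh-keygen -L -f "$1" | sed -n 's/^[[:space:]]*Key ID: "\(.*\)"$/\1/p'
}

# Print the principals of a certificate, one per line.
cert_principals() {
    ssh-keygen -L -f "$1" | awk '/Principals:/ { p = 1; next } /Critical Options:/ { p = 0 } p { print $1 }'
}

# True when KRL $1 revokes key or certificate $2.
# `ssh-keygen -Q` exits non-zero if any listed key is revoked; a certificate
# counts as revoked when its own key OR its signing CA is in the KRL.
key_is_revoked() {
    if ssh-keygen -Q -f "$1" "$2" >/dev/null 2>&1; then return 1; else return 0; fi
}

# --- build the PKI ------------------------------------------------------------

# 1. CA key. In production it stays offline; the empty passphrase is demo-only.
ssh-keygen -q -t ed25519 -N '' -C demo-ca -f ca_key

# 2. Host key, signed as a HOST certificate (-h) valid for exactly one hostname.
#    A client with "@cert-authority * <contents of ca_key.pub>" in known_hosts
#    accepts it only when the name it connected to matches a principal.
ssh-keygen -q -t ed25519 -N '' -C demo-host -f host_key
ssh-keygen -q -s ca_key -I host-cert -h -n testhost.example -V '-5m:+1h' host_key.pub

# 3. User key, signed as a USER certificate whose only principal is the login name.
#    sshd with "TrustedUserCAKeys" accepts it only for that user.
ssh-keygen -q -t ed25519 -N '' -C demo-user -f user_key
ssh-keygen -q -s ca_key -I user-cert -n unpriv -V '-5m:+1h' user_key.pub

# 4. Two revocation lists: one revoking the user key, one revoking the CA itself.
#    sshd consumes such a file via "RevokedKeys", ssh via "RevokedHostKeys".
ssh-keygen -k -f user.krl user_key.pub
ssh-keygen -k -f ca.krl ca_key.pub

# 5. Show what was built and which KRL hits which file.
echo "host cert: $(cert_type host_key-cert.pub), id $(cert_key_id host_key-cert.pub), principals: $(cert_principals host_key-cert.pub)"
echo "user cert: $(cert_type user_key-cert.pub), id $(cert_key_id user_key-cert.pub), principals: $(cert_principals user_key-cert.pub)"
for f in user_key.pub user_key-cert.pub host_key.pub host_key-cert.pub; do
    for krl in user.krl ca.krl; do
        if key_is_revoked "$krl" "$f"; then echo "$f: REVOKED by $krl"; else echo "$f: ok against $krl"; fi
    done
done
```

Run it with sh. The two principal restrictions are what the hostname-must-match and username-must-match tests in the suite exercise: the client compares the name it connected to against the host certificate's principals, and sshd compares the login name against the user certificate's principals. Revoking the CA key revokes every certificate it signed (here the host certificate) without touching the plain host key, which is the difference between the revoked-ca-key and revoked-host-key tests.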

Based on this script it is straightforward to write your own tests that verify other aspects of an OpenSSH configuration as part of your test-driven infrastructure.

The code is available on my GitHub repository:

