vendor: glide update

Signed-off-by: Vincent Batts <vbatts@hashbangbash.com>

vendor/golang.org/x/crypto/ssh/test/agent_unix_test.go

@@ -21,7 +21,16 @@ func TestAgentForward(t *testing.T) {
 	defer conn.Close()
 
 	keyring := agent.NewKeyring()
-	keyring.Add(testPrivateKeys["dsa"], nil, "")
+	if err := keyring.Add(agent.AddedKey{PrivateKey: testPrivateKeys["dsa"]}); err != nil {
+		t.Fatalf("Error adding key: %s", err)
+	}
+	if err := keyring.Add(agent.AddedKey{
+		PrivateKey:       testPrivateKeys["dsa"],
+		ConfirmBeforeUse: true,
+		LifetimeSecs:     3600,
+	}); err != nil {
+		t.Fatalf("Error adding key with constraints: %s", err)
+	}
 	pub := testPublicKeys["dsa"]
 
 	sess, err := conn.NewSession()

vendor/golang.org/x/crypto/ssh/test/banner_test.go

@@ -0,0 +1,32 @@
+// Copyright 2014 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build darwin dragonfly freebsd linux netbsd openbsd
+
+package test
+
+import (
+	"testing"
+)
+
+func TestBannerCallbackAgainstOpenSSH(t *testing.T) {
+	server := newServer(t)
+	defer server.Shutdown()
+
+	clientConf := clientConfig()
+
+	var receivedBanner string
+	clientConf.BannerCallback = func(message string) error {
+		receivedBanner = message
+		return nil
+	}
+
+	conn := server.Dial(clientConf)
+	defer conn.Close()
+
+	expected := "Server Banner"
+	if receivedBanner != expected {
+		t.Fatalf("got %v; want %v", receivedBanner, expected)
+	}
+}

vendor/golang.org/x/crypto/ssh/test/cert_test.go

@@ -7,12 +7,14 @@
 package test
 
 import (
+	"bytes"
 	"crypto/rand"
 	"testing"
 
 	"golang.org/x/crypto/ssh"
 )
 
+// Test both logging in with a cert, and also that the certificate presented by an OpenSSH host can be validated correctly
 func TestCertLogin(t *testing.T) {
 	s := newServer(t)
 	defer s.Shutdown()
@@ -37,11 +39,39 @@ func TestCertLogin(t *testing.T) {
 
 	conf := &ssh.ClientConfig{
 		User: username(),
+		HostKeyCallback: (&ssh.CertChecker{
+			IsHostAuthority: func(pk ssh.PublicKey, addr string) bool {
+				return bytes.Equal(pk.Marshal(), testPublicKeys["ca"].Marshal())
+			},
+		}).CheckHostKey,
 	}
 	conf.Auth = append(conf.Auth, ssh.PublicKeys(certSigner))
-	client, err := s.TryDial(conf)
-	if err != nil {
-		t.Fatalf("TryDial: %v", err)
+
+	for _, test := range []struct {
+		addr    string
+		succeed bool
+	}{
+		{addr: "host.example.com:22", succeed: true},
+		{addr: "host.example.com:10000", succeed: true}, // non-standard port must be OK
+		{addr: "host.example.com", succeed: false},      // port must be specified
+		{addr: "host.ex4mple.com:22", succeed: false},   // wrong host
+	} {
+		client, err := s.TryDialWithAddr(conf, test.addr)
+
+		// Always close client if opened successfully
+		if err == nil {
+			client.Close()
+		}
+
+		// Now evaluate whether the test failed or passed
+		if test.succeed {
+			if err != nil {
+				t.Fatalf("TryDialWithAddr: %v", err)
+			}
+		} else {
+			if err == nil {
+				t.Fatalf("TryDialWithAddr, unexpected success")
+			}
+		}
 	}
-	client.Close()
 }

vendor/golang.org/x/crypto/ssh/test/dial_unix_test.go

@@ -0,0 +1,128 @@
+// Copyright 2012 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// +build !windows
+
+package test
+
+// direct-tcpip and direct-streamlocal functional tests
+
+import (
+	"fmt"
+	"io"
+	"io/ioutil"
+	"net"
+	"strings"
+	"testing"
+)
+
+type dialTester interface {
+	TestServerConn(t *testing.T, c net.Conn)
+	TestClientConn(t *testing.T, c net.Conn)
+}
+
+func testDial(t *testing.T, n, listenAddr string, x dialTester) {
+	server := newServer(t)
+	defer server.Shutdown()
+	sshConn := server.Dial(clientConfig())
+	defer sshConn.Close()
+
+	l, err := net.Listen(n, listenAddr)
+	if err != nil {
+		t.Fatalf("Listen: %v", err)
+	}
+	defer l.Close()
+
+	testData := fmt.Sprintf("hello from %s, %s", n, listenAddr)
+	go func() {
+		for {
+			c, err := l.Accept()
+			if err != nil {
+				break
+			}
+			x.TestServerConn(t, c)
+
+			io.WriteString(c, testData)
+			c.Close()
+		}
+	}()
+
+	conn, err := sshConn.Dial(n, l.Addr().String())
+	if err != nil {
+		t.Fatalf("Dial: %v", err)
+	}
+	x.TestClientConn(t, conn)
+	defer conn.Close()
+	b, err := ioutil.ReadAll(conn)
+	if err != nil {
+		t.Fatalf("ReadAll: %v", err)
+	}
+	t.Logf("got %q", string(b))
+	if string(b) != testData {
+		t.Fatalf("expected %q, got %q", testData, string(b))
+	}
+}
+
+type tcpDialTester struct {
+	listenAddr string
+}
+
+func (x *tcpDialTester) TestServerConn(t *testing.T, c net.Conn) {
+	host := strings.Split(x.listenAddr, ":")[0]
+	prefix := host + ":"
+	if !strings.HasPrefix(c.LocalAddr().String(), prefix) {
+		t.Fatalf("expected to start with %q, got %q", prefix, c.LocalAddr().String())
+	}
+	if !strings.HasPrefix(c.RemoteAddr().String(), prefix) {
+		t.Fatalf("expected to start with %q, got %q", prefix, c.RemoteAddr().String())
+	}
+}
+
+func (x *tcpDialTester) TestClientConn(t *testing.T, c net.Conn) {
+	// we use zero addresses. see *Client.Dial.
+	if c.LocalAddr().String() != "0.0.0.0:0" {
+		t.Fatalf("expected \"0.0.0.0:0\", got %q", c.LocalAddr().String())
+	}
+	if c.RemoteAddr().String() != "0.0.0.0:0" {
+		t.Fatalf("expected \"0.0.0.0:0\", got %q", c.RemoteAddr().String())
+	}
+}
+
+func TestDialTCP(t *testing.T) {
+	x := &tcpDialTester{
+		listenAddr: "127.0.0.1:0",
+	}
+	testDial(t, "tcp", x.listenAddr, x)
+}
+
+type unixDialTester struct {
+	listenAddr string
+}
+
+func (x *unixDialTester) TestServerConn(t *testing.T, c net.Conn) {
+	if c.LocalAddr().String() != x.listenAddr {
+		t.Fatalf("expected %q, got %q", x.listenAddr, c.LocalAddr().String())
+	}
+	if c.RemoteAddr().String() != "@" {
+		t.Fatalf("expected \"@\", got %q", c.RemoteAddr().String())
+	}
+}
+
+func (x *unixDialTester) TestClientConn(t *testing.T, c net.Conn) {
+	if c.RemoteAddr().String() != x.listenAddr {
+		t.Fatalf("expected %q, got %q", x.listenAddr, c.RemoteAddr().String())
+	}
+	if c.LocalAddr().String() != "@" {
+		t.Fatalf("expected \"@\", got %q", c.LocalAddr().String())
+	}
+}
+
+func TestDialUnix(t *testing.T) {
+	addr, cleanup := newTempSocket(t)
+	defer cleanup()
+	x := &unixDialTester{
+		listenAddr: addr,
+	}
+	testDial(t, "unix", x.listenAddr, x)
+}

vendor/golang.org/x/crypto/ssh/test/doc.go

@@ -2,6 +2,6 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// This package contains integration tests for the
-// code.google.com/p/go.crypto/ssh package.
+// Package test contains integration tests for the
+// golang.org/x/crypto/ssh package.
 package test // import "golang.org/x/crypto/ssh/test"

vendor/golang.org/x/crypto/ssh/test/forward_unix_test.go

@@ -16,13 +16,17 @@ import (
 	"time"
 )
 
-func TestPortForward(t *testing.T) {
+type closeWriter interface {
+	CloseWrite() error
+}
+
+func testPortForward(t *testing.T, n, listenAddr string) {
 	server := newServer(t)
 	defer server.Shutdown()
 	conn := server.Dial(clientConfig())
 	defer conn.Close()
 
-	sshListener, err := conn.Listen("tcp", "localhost:0")
+	sshListener, err := conn.Listen(n, listenAddr)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -41,14 +45,14 @@ func TestPortForward(t *testing.T) {
 	}()
 
 	forwardedAddr := sshListener.Addr().String()
-	tcpConn, err := net.Dial("tcp", forwardedAddr)
+	netConn, err := net.Dial(n, forwardedAddr)
 	if err != nil {
-		t.Fatalf("TCP dial failed: %v", err)
+		t.Fatalf("net dial failed: %v", err)
 	}
 
 	readChan := make(chan []byte)
 	go func() {
-		data, _ := ioutil.ReadAll(tcpConn)
+		data, _ := ioutil.ReadAll(netConn)
 		readChan <- data
 	}()
 
@@ -62,14 +66,14 @@ func TestPortForward(t *testing.T) {
 	for len(sent) < 1000*1000 {
 		// Send random sized chunks
 		m := rand.Intn(len(data))
-		n, err := tcpConn.Write(data[:m])
+		n, err := netConn.Write(data[:m])
 		if err != nil {
 			break
 		}
 		sent = append(sent, data[:n]...)
 	}
-	if err := tcpConn.(*net.TCPConn).CloseWrite(); err != nil {
-		t.Errorf("tcpConn.CloseWrite: %v", err)
+	if err := netConn.(closeWriter).CloseWrite(); err != nil {
+		t.Errorf("netConn.CloseWrite: %v", err)
 	}
 
 	read := <-readChan
@@ -86,19 +90,29 @@ func TestPortForward(t *testing.T) {
 	}
 
 	// Check that the forward disappeared.
-	tcpConn, err = net.Dial("tcp", forwardedAddr)
+	netConn, err = net.Dial(n, forwardedAddr)
 	if err == nil {
-		tcpConn.Close()
+		netConn.Close()
 		t.Errorf("still listening to %s after closing", forwardedAddr)
 	}
 }
 
-func TestAcceptClose(t *testing.T) {
+func TestPortForwardTCP(t *testing.T) {
+	testPortForward(t, "tcp", "localhost:0")
+}
+
+func TestPortForwardUnix(t *testing.T) {
+	addr, cleanup := newTempSocket(t)
+	defer cleanup()
+	testPortForward(t, "unix", addr)
+}
+
+func testAcceptClose(t *testing.T, n, listenAddr string) {
 	server := newServer(t)
 	defer server.Shutdown()
 	conn := server.Dial(clientConfig())
 
-	sshListener, err := conn.Listen("tcp", "localhost:0")
+	sshListener, err := conn.Listen(n, listenAddr)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -124,13 +138,23 @@ func TestAcceptClose(t *testing.T) {
 	}
 }
 
+func TestAcceptCloseTCP(t *testing.T) {
+	testAcceptClose(t, "tcp", "localhost:0")
+}
+
+func TestAcceptCloseUnix(t *testing.T) {
+	addr, cleanup := newTempSocket(t)
+	defer cleanup()
+	testAcceptClose(t, "unix", addr)
+}
+
 // Check that listeners exit if the underlying client transport dies.
-func TestPortForwardConnectionClose(t *testing.T) {
+func testPortForwardConnectionClose(t *testing.T, n, listenAddr string) {
 	server := newServer(t)
 	defer server.Shutdown()
 	conn := server.Dial(clientConfig())
 
-	sshListener, err := conn.Listen("tcp", "localhost:0")
+	sshListener, err := conn.Listen(n, listenAddr)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -158,3 +182,13 @@ func TestPortForwardConnectionClose(t *testing.T) {
 		t.Logf("quit as expected (error %v)", err)
 	}
 }
+
+func TestPortForwardConnectionCloseTCP(t *testing.T) {
+	testPortForwardConnectionClose(t, "tcp", "localhost:0")
+}
+
+func TestPortForwardConnectionCloseUnix(t *testing.T) {
+	addr, cleanup := newTempSocket(t)
+	defer cleanup()
+	testPortForwardConnectionClose(t, "unix", addr)
+}

vendor/golang.org/x/crypto/ssh/test/multi_auth_test.go

@@ -0,0 +1,144 @@
+// Copyright 2017 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Tests for ssh client multi-auth
+//
+// These tests run a simple go ssh client against OpenSSH server
+// over unix domain sockets. The tests use multiple combinations
+// of password, keyboard-interactive and publickey authentication
+// methods.
+//
+// A wrapper library for making sshd PAM authentication use test
+// passwords is required in ./sshd_test_pw.so. If the library does
+// not exist these tests will be skipped. See compile instructions
+// (for linux) in file ./sshd_test_pw.c.
+
+// +build linux
+
+package test
+
+import (
+	"fmt"
+	"strings"
+	"testing"
+
+	"golang.org/x/crypto/ssh"
+)
+
+// test cases
+type multiAuthTestCase struct {
+	authMethods         []string
+	expectedPasswordCbs int
+	expectedKbdIntCbs   int
+}
+
+// test context
+type multiAuthTestCtx struct {
+	password       string
+	numPasswordCbs int
+	numKbdIntCbs   int
+}
+
+// create test context
+func newMultiAuthTestCtx(t *testing.T) *multiAuthTestCtx {
+	password, err := randomPassword()
+	if err != nil {
+		t.Fatalf("Failed to generate random test password: %s", err.Error())
+	}
+
+	return &multiAuthTestCtx{
+		password: password,
+	}
+}
+
+// password callback
+func (ctx *multiAuthTestCtx) passwordCb() (secret string, err error) {
+	ctx.numPasswordCbs++
+	return ctx.password, nil
+}
+
+// keyboard-interactive callback
+func (ctx *multiAuthTestCtx) kbdIntCb(user, instruction string, questions []string, echos []bool) (answers []string, err error) {
+	if len(questions) == 0 {
+		return nil, nil
+	}
+
+	ctx.numKbdIntCbs++
+	if len(questions) == 1 {
+		return []string{ctx.password}, nil
+	}
+
+	return nil, fmt.Errorf("unsupported keyboard-interactive flow")
+}
+
+// TestMultiAuth runs several subtests for different combinations of password, keyboard-interactive and publickey authentication methods
+func TestMultiAuth(t *testing.T) {
+	testCases := []multiAuthTestCase{
+		// Test password,publickey authentication, assert that password callback is called 1 time
+		multiAuthTestCase{
+			authMethods:         []string{"password", "publickey"},
+			expectedPasswordCbs: 1,
+		},
+		// Test keyboard-interactive,publickey authentication, assert that keyboard-interactive callback is called 1 time
+		multiAuthTestCase{
+			authMethods:       []string{"keyboard-interactive", "publickey"},
+			expectedKbdIntCbs: 1,
+		},
+		// Test publickey,password authentication, assert that password callback is called 1 time
+		multiAuthTestCase{
+			authMethods:         []string{"publickey", "password"},
+			expectedPasswordCbs: 1,
+		},
+		// Test publickey,keyboard-interactive authentication, assert that keyboard-interactive callback is called 1 time
+		multiAuthTestCase{
+			authMethods:       []string{"publickey", "keyboard-interactive"},
+			expectedKbdIntCbs: 1,
+		},
+		// Test password,password authentication, assert that password callback is called 2 times
+		multiAuthTestCase{
+			authMethods:         []string{"password", "password"},
+			expectedPasswordCbs: 2,
+		},
+	}
+
+	for _, testCase := range testCases {
+		t.Run(strings.Join(testCase.authMethods, ","), func(t *testing.T) {
+			ctx := newMultiAuthTestCtx(t)
+
+			server := newServerForConfig(t, "MultiAuth", map[string]string{"AuthMethods": strings.Join(testCase.authMethods, ",")})
+			defer server.Shutdown()
+
+			clientConfig := clientConfig()
+			server.setTestPassword(clientConfig.User, ctx.password)
+
+			publicKeyAuthMethod := clientConfig.Auth[0]
+			clientConfig.Auth = nil
+			for _, authMethod := range testCase.authMethods {
+				switch authMethod {
+				case "publickey":
+					clientConfig.Auth = append(clientConfig.Auth, publicKeyAuthMethod)
+				case "password":
+					clientConfig.Auth = append(clientConfig.Auth,
+						ssh.RetryableAuthMethod(ssh.PasswordCallback(ctx.passwordCb), 5))
+				case "keyboard-interactive":
+					clientConfig.Auth = append(clientConfig.Auth,
+						ssh.RetryableAuthMethod(ssh.KeyboardInteractive(ctx.kbdIntCb), 5))
+				default:
+					t.Fatalf("Unknown authentication method %s", authMethod)
+				}
+			}
+
+			conn := server.Dial(clientConfig)
+			defer conn.Close()
+
+			if ctx.numPasswordCbs != testCase.expectedPasswordCbs {
+				t.Fatalf("passwordCallback was called %d times, expected %d times", ctx.numPasswordCbs, testCase.expectedPasswordCbs)
+			}
+
+			if ctx.numKbdIntCbs != testCase.expectedKbdIntCbs {
+				t.Fatalf("keyboardInteractiveCallback was called %d times, expected %d times", ctx.numKbdIntCbs, testCase.expectedKbdIntCbs)
+			}
+		})
+	}
+}

vendor/golang.org/x/crypto/ssh/test/session_test.go

@@ -11,6 +11,7 @@ package test
 import (
 	"bytes"
 	"errors"
+	"fmt"
 	"io"
 	"strings"
 	"testing"
@@ -276,24 +277,104 @@ func TestValidTerminalMode(t *testing.T) {
 	}
 }
 
+func TestWindowChange(t *testing.T) {
+	server := newServer(t)
+	defer server.Shutdown()
+	conn := server.Dial(clientConfig())
+	defer conn.Close()
+
+	session, err := conn.NewSession()
+	if err != nil {
+		t.Fatalf("session failed: %v", err)
+	}
+	defer session.Close()
+
+	stdout, err := session.StdoutPipe()
+	if err != nil {
+		t.Fatalf("unable to acquire stdout pipe: %s", err)
+	}
+
+	stdin, err := session.StdinPipe()
+	if err != nil {
+		t.Fatalf("unable to acquire stdin pipe: %s", err)
+	}
+
+	tm := ssh.TerminalModes{ssh.ECHO: 0}
+	if err = session.RequestPty("xterm", 80, 40, tm); err != nil {
+		t.Fatalf("req-pty failed: %s", err)
+	}
+
+	if err := session.WindowChange(100, 100); err != nil {
+		t.Fatalf("window-change failed: %s", err)
+	}
+
+	err = session.Shell()
+	if err != nil {
+		t.Fatalf("session failed: %s", err)
+	}
+
+	stdin.Write([]byte("stty size && exit\n"))
+
+	var buf bytes.Buffer
+	if _, err := io.Copy(&buf, stdout); err != nil {
+		t.Fatalf("reading failed: %s", err)
+	}
+
+	if sttyOutput := buf.String(); !strings.Contains(sttyOutput, "100 100") {
+		t.Fatalf("terminal WindowChange failure: expected \"100 100\" stty output, got %s", sttyOutput)
+	}
+}
+
+func testOneCipher(t *testing.T, cipher string, cipherOrder []string) {
+	server := newServer(t)
+	defer server.Shutdown()
+	conf := clientConfig()
+	conf.Ciphers = []string{cipher}
+	// Don't fail if sshd doesn't have the cipher.
+	conf.Ciphers = append(conf.Ciphers, cipherOrder...)
+	conn, err := server.TryDial(conf)
+	if err != nil {
+		t.Fatalf("TryDial: %v", err)
+	}
+	defer conn.Close()
+
+	numBytes := 4096
+
+	// Exercise sending data to the server
+	if _, _, err := conn.Conn.SendRequest("drop-me", false, make([]byte, numBytes)); err != nil {
+		t.Fatalf("SendRequest: %v", err)
+	}
+
+	// Exercise receiving data from the server
+	session, err := conn.NewSession()
+	if err != nil {
+		t.Fatalf("NewSession: %v", err)
+	}
+
+	out, err := session.Output(fmt.Sprintf("dd if=/dev/zero of=/dev/stdout bs=%d count=1", numBytes))
+	if err != nil {
+		t.Fatalf("Output: %v", err)
+	}
+
+	if len(out) != numBytes {
+		t.Fatalf("got %d bytes, want %d bytes", len(out), numBytes)
+	}
+}
+
+var deprecatedCiphers = []string{
+	"aes128-cbc", "3des-cbc",
+	"arcfour128", "arcfour256",
+}
+
 func TestCiphers(t *testing.T) {
 	var config ssh.Config
 	config.SetDefaults()
-	cipherOrder := config.Ciphers
+	cipherOrder := append(config.Ciphers, deprecatedCiphers...)
 
 	for _, ciph := range cipherOrder {
-		server := newServer(t)
-		defer server.Shutdown()
-		conf := clientConfig()
-		conf.Ciphers = []string{ciph}
-		// Don't fail if sshd doesnt have the cipher.
-		conf.Ciphers = append(conf.Ciphers, cipherOrder...)
-		conn, err := server.TryDial(conf)
-		if err == nil {
-			conn.Close()
-		} else {
-			t.Fatalf("failed for cipher %q", ciph)
-		}
+		t.Run(ciph, func(t *testing.T) {
+			testOneCipher(t, ciph, cipherOrder)
+		})
 	}
 }
 
@@ -307,7 +388,7 @@ func TestMACs(t *testing.T) {
 		defer server.Shutdown()
 		conf := clientConfig()
 		conf.MACs = []string{mac}
-		// Don't fail if sshd doesnt have the MAC.
+		// Don't fail if sshd doesn't have the MAC.
 		conf.MACs = append(conf.MACs, macOrder...)
 		if conn, err := server.TryDial(conf); err == nil {
 			conn.Close()
@@ -316,3 +397,47 @@ func TestMACs(t *testing.T) {
 		}
 	}
 }
+
+func TestKeyExchanges(t *testing.T) {
+	var config ssh.Config
+	config.SetDefaults()
+	kexOrder := config.KeyExchanges
+	for _, kex := range kexOrder {
+		server := newServer(t)
+		defer server.Shutdown()
+		conf := clientConfig()
+		// Don't fail if sshd doesn't have the kex.
+		conf.KeyExchanges = append([]string{kex}, kexOrder...)
+		conn, err := server.TryDial(conf)
+		if err == nil {
+			conn.Close()
+		} else {
+			t.Errorf("failed for kex %q", kex)
+		}
+	}
+}
+
+func TestClientAuthAlgorithms(t *testing.T) {
+	for _, key := range []string{
+		"rsa",
+		"dsa",
+		"ecdsa",
+		"ed25519",
+	} {
+		server := newServer(t)
+		conf := clientConfig()
+		conf.SetDefaults()
+		conf.Auth = []ssh.AuthMethod{
+			ssh.PublicKeys(testSigners[key]),
+		}
+
+		conn, err := server.TryDial(conf)
+		if err == nil {
+			conn.Close()
+		} else {
+			t.Errorf("failed for key %q", key)
+		}
+
+		server.Shutdown()
+	}
+}

vendor/golang.org/x/crypto/ssh/test/sshd_test_pw.c

@@ -0,0 +1,173 @@
+// Copyright 2017 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// sshd_test_pw.c
+// Wrapper to inject test password data for sshd PAM authentication
+//
+// This wrapper implements custom versions of getpwnam, getpwnam_r,
+// getspnam and getspnam_r. These functions first call their real
+// libc versions, then check if the requested user matches test user
+// specified in env variable TEST_USER and if so replace the password
+// with crypted() value of TEST_PASSWD env variable.
+//
+// Compile:
+// gcc -Wall -shared -o sshd_test_pw.so -fPIC sshd_test_pw.c
+//
+// Compile with debug:
+// gcc -DVERBOSE -Wall -shared -o sshd_test_pw.so -fPIC sshd_test_pw.c
+//
+// Run sshd:
+// LD_PRELOAD="sshd_test_pw.so" TEST_USER="..." TEST_PASSWD="..." sshd ...
+
+// +build ignore
+
+#define _GNU_SOURCE
+#include <string.h>
+#include <pwd.h>
+#include <shadow.h>
+#include <dlfcn.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <stdio.h>
+
+#ifdef VERBOSE
+#define DEBUG(X...) fprintf(stderr, X)
+#else
+#define DEBUG(X...) while (0) { }
+#endif
+
+/* crypt() password */
+static char *
+pwhash(char *passwd) {
+  return strdup(crypt(passwd, "$6$"));
+}
+
+/* Pointers to real functions in libc */
+static struct passwd * (*real_getpwnam)(const char *) = NULL;
+static int (*real_getpwnam_r)(const char *, struct passwd *, char *, size_t, struct passwd **) = NULL;
+static struct spwd * (*real_getspnam)(const char *) = NULL;
+static int (*real_getspnam_r)(const char *, struct spwd *, char *, size_t, struct spwd **) = NULL;
+
+/* Cached test user and test password */
+static char *test_user = NULL;
+static char *test_passwd_hash = NULL;
+
+static void
+init(void) {
+  /* Fetch real libc function pointers */
+  real_getpwnam = dlsym(RTLD_NEXT, "getpwnam");
+  real_getpwnam_r = dlsym(RTLD_NEXT, "getpwnam_r");
+  real_getspnam = dlsym(RTLD_NEXT, "getspnam");
+  real_getspnam_r = dlsym(RTLD_NEXT, "getspnam_r");
+  
+  /* abort if env variables are not defined */
+  if (getenv("TEST_USER") == NULL || getenv("TEST_PASSWD") == NULL) {
+    fprintf(stderr, "env variables TEST_USER and TEST_PASSWD are missing\n");
+    abort();
+  }
+
+  /* Fetch test user and test password from env */
+  test_user = strdup(getenv("TEST_USER"));
+  test_passwd_hash = pwhash(getenv("TEST_PASSWD"));
+
+  DEBUG("sshd_test_pw init():\n");
+  DEBUG("\treal_getpwnam: %p\n", real_getpwnam);
+  DEBUG("\treal_getpwnam_r: %p\n", real_getpwnam_r);
+  DEBUG("\treal_getspnam: %p\n", real_getspnam);
+  DEBUG("\treal_getspnam_r: %p\n", real_getspnam_r);
+  DEBUG("\tTEST_USER: '%s'\n", test_user);
+  DEBUG("\tTEST_PASSWD: '%s'\n", getenv("TEST_PASSWD"));
+  DEBUG("\tTEST_PASSWD_HASH: '%s'\n", test_passwd_hash);
+}
+
+static int
+is_test_user(const char *name) {
+  if (test_user != NULL && strcmp(test_user, name) == 0)
+    return 1;
+  return 0;
+}
+
+/* getpwnam */
+
+struct passwd *
+getpwnam(const char *name) {
+  struct passwd *pw;
+
+  DEBUG("sshd_test_pw getpwnam(%s)\n", name);
+  
+  if (real_getpwnam == NULL)
+    init();
+  if ((pw = real_getpwnam(name)) == NULL)
+    return NULL;
+
+  if (is_test_user(name))
+    pw->pw_passwd = strdup(test_passwd_hash);
+      
+  return pw;
+}
+
+/* getpwnam_r */
+
+int
+getpwnam_r(const char *name,
+	   struct passwd *pwd,
+	   char *buf,
+	   size_t buflen,
+	   struct passwd **result) {
+  int r;
+
+  DEBUG("sshd_test_pw getpwnam_r(%s)\n", name);
+  
+  if (real_getpwnam_r == NULL)
+    init();
+  if ((r = real_getpwnam_r(name, pwd, buf, buflen, result)) != 0 || *result == NULL)
+    return r;
+
+  if (is_test_user(name))
+    pwd->pw_passwd = strdup(test_passwd_hash);
+  
+  return 0;
+}
+
+/* getspnam */
+
+struct spwd *
+getspnam(const char *name) {
+  struct spwd *sp;
+
+  DEBUG("sshd_test_pw getspnam(%s)\n", name);
+  
+  if (real_getspnam == NULL)
+    init();
+  if ((sp = real_getspnam(name)) == NULL)
+    return NULL;
+
+  if (is_test_user(name))
+    sp->sp_pwdp = strdup(test_passwd_hash);
+  
+  return sp;
+}
+
+/* getspnam_r */
+
+int
+getspnam_r(const char *name,
+	   struct spwd *spbuf,
+	   char *buf,
+	   size_t buflen,
+	   struct spwd **spbufp) {
+  int r;
+
+  DEBUG("sshd_test_pw getspnam_r(%s)\n", name);
+  
+  if (real_getspnam_r == NULL)
+    init();
+  if ((r = real_getspnam_r(name, spbuf, buf, buflen, spbufp)) != 0)
+    return r;
+
+  if (is_test_user(name))
+    spbuf->sp_pwdp = strdup(test_passwd_hash);
+  
+  return r;
+}

vendor/golang.org/x/crypto/ssh/test/tcpip_test.go

@@ -1,46 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build !windows
-
-package test
-
-// direct-tcpip functional tests
-
-import (
-	"io"
-	"net"
-	"testing"
-)
-
-func TestDial(t *testing.T) {
-	server := newServer(t)
-	defer server.Shutdown()
-	sshConn := server.Dial(clientConfig())
-	defer sshConn.Close()
-
-	l, err := net.Listen("tcp", "127.0.0.1:0")
-	if err != nil {
-		t.Fatalf("Listen: %v", err)
-	}
-	defer l.Close()
-
-	go func() {
-		for {
-			c, err := l.Accept()
-			if err != nil {
-				break
-			}
-
-			io.WriteString(c, c.RemoteAddr().String())
-			c.Close()
-		}
-	}()
-
-	conn, err := sshConn.Dial("tcp", l.Addr().String())
-	if err != nil {
-		t.Fatalf("Dial: %v", err)
-	}
-	defer conn.Close()
-}

vendor/golang.org/x/crypto/ssh/test/test_unix_test.go

@@ -10,6 +10,8 @@ package test
 
 import (
 	"bytes"
+	"crypto/rand"
+	"encoding/base64"
 	"fmt"
 	"io/ioutil"
 	"log"
@@ -25,11 +27,14 @@ import (
 	"golang.org/x/crypto/ssh/testdata"
 )
 
-const sshd_config = `
+const (
+	defaultSshdConfig = `
 Protocol 2
+Banner {{.Dir}}/banner
 HostKey {{.Dir}}/id_rsa
 HostKey {{.Dir}}/id_dsa
 HostKey {{.Dir}}/id_ecdsa
+HostCertificate {{.Dir}}/id_rsa-cert.pub
 Pidfile {{.Dir}}/sshd.pid
 #UsePrivilegeSeparation no
 KeyRegenerationInterval 3600
@@ -41,14 +46,24 @@ PermitRootLogin no
 StrictModes no
 RSAAuthentication yes
 PubkeyAuthentication yes
-AuthorizedKeysFile	{{.Dir}}/id_user.pub
+AuthorizedKeysFile	{{.Dir}}/authorized_keys
 TrustedUserCAKeys {{.Dir}}/id_ecdsa.pub
 IgnoreRhosts yes
 RhostsRSAAuthentication no
 HostbasedAuthentication no
+PubkeyAcceptedKeyTypes=*
 `
+	multiAuthSshdConfigTail = `
+UsePAM yes
+PasswordAuthentication yes
+ChallengeResponseAuthentication yes
+AuthenticationMethods {{.AuthMethods}}
+`
+)
 
-var configTmpl = template.Must(template.New("").Parse(sshd_config))
+var configTmpl = map[string]*template.Template{
+	"default":   template.Must(template.New("").Parse(defaultSshdConfig)),
+	"MultiAuth": template.Must(template.New("").Parse(defaultSshdConfig + multiAuthSshdConfigTail))}
 
 type server struct {
 	t          *testing.T
@@ -57,6 +72,10 @@ type server struct {
 	cmd        *exec.Cmd
 	output     bytes.Buffer // holds stderr from sshd process
 
+	testUser     string // test username for sshd
+	testPasswd   string // test password for sshd
+	sshdTestPwSo string // dynamic library to inject a custom password into sshd
+
 	// Client half of the network connection.
 	clientConn net.Conn
 }
@@ -118,6 +137,11 @@ func clientConfig() *ssh.ClientConfig {
 			ssh.PublicKeys(testSigners["user"]),
 		},
 		HostKeyCallback: hostKeyDB().Check,
+		HostKeyAlgorithms: []string{ // by default, don't allow certs as this affects the hostKeyDB checker
+			ssh.KeyAlgoECDSA256, ssh.KeyAlgoECDSA384, ssh.KeyAlgoECDSA521,
+			ssh.KeyAlgoRSA, ssh.KeyAlgoDSA,
+			ssh.KeyAlgoED25519,
+		},
 	}
 	return config
 }
@@ -153,6 +177,12 @@ func unixConnection() (*net.UnixConn, *net.UnixConn, error) {
 }
 
 func (s *server) TryDial(config *ssh.ClientConfig) (*ssh.Client, error) {
+	return s.TryDialWithAddr(config, "")
+}
+
+// addr is the user specified host:port. While we don't actually dial it,
+// we need to know this for host key matching
+func (s *server) TryDialWithAddr(config *ssh.ClientConfig, addr string) (*ssh.Client, error) {
 	sshd, err := exec.LookPath("sshd")
 	if err != nil {
 		s.t.Skipf("skipping test: %v", err)
@@ -172,13 +202,27 @@ func (s *server) TryDial(config *ssh.ClientConfig) (*ssh.Client, error) {
 	s.cmd.Stdin = f
 	s.cmd.Stdout = f
 	s.cmd.Stderr = &s.output
+
+	if s.sshdTestPwSo != "" {
+		if s.testUser == "" {
+			s.t.Fatal("user missing from sshd_test_pw.so config")
+		}
+		if s.testPasswd == "" {
+			s.t.Fatal("password missing from sshd_test_pw.so config")
+		}
+		s.cmd.Env = append(os.Environ(),
+			fmt.Sprintf("LD_PRELOAD=%s", s.sshdTestPwSo),
+			fmt.Sprintf("TEST_USER=%s", s.testUser),
+			fmt.Sprintf("TEST_PASSWD=%s", s.testPasswd))
+	}
+
 	if err := s.cmd.Start(); err != nil {
 		s.t.Fail()
 		s.Shutdown()
 		s.t.Fatalf("s.cmd.Start: %v", err)
 	}
 	s.clientConn = c1
-	conn, chans, reqs, err := ssh.NewClientConn(c1, "", config)
+	conn, chans, reqs, err := ssh.NewClientConn(c1, addr, config)
 	if err != nil {
 		return nil, err
 	}
@@ -222,11 +266,49 @@ func writeFile(path string, contents []byte) {
 	}
 }
 
+// generate random password
+func randomPassword() (string, error) {
+	b := make([]byte, 12)
+	_, err := rand.Read(b)
+	if err != nil {
+		return "", err
+	}
+	return base64.RawURLEncoding.EncodeToString(b), nil
+}
+
+// setTestPassword is used for setting user and password data for sshd_test_pw.so
+// This function also checks that ./sshd_test_pw.so exists and if not calls s.t.Skip()
+func (s *server) setTestPassword(user, passwd string) error {
+	wd, _ := os.Getwd()
+	wrapper := filepath.Join(wd, "sshd_test_pw.so")
+	if _, err := os.Stat(wrapper); err != nil {
+		s.t.Skip(fmt.Errorf("sshd_test_pw.so is not available"))
+		return err
+	}
+
+	s.sshdTestPwSo = wrapper
+	s.testUser = user
+	s.testPasswd = passwd
+	return nil
+}
+
 // newServer returns a new mock ssh server.
 func newServer(t *testing.T) *server {
+	return newServerForConfig(t, "default", map[string]string{})
+}
+
+// newServerForConfig returns a new mock ssh server.
+func newServerForConfig(t *testing.T, config string, configVars map[string]string) *server {
 	if testing.Short() {
 		t.Skip("skipping test due to -short")
 	}
+	u, err := user.Current()
+	if err != nil {
+		t.Fatalf("user.Current: %v", err)
+	}
+	if u.Name == "root" {
+		t.Skip("skipping test because current user is root")
+	}
 	dir, err := ioutil.TempDir("", "sshtest")
 	if err != nil {
 		t.Fatal(err)
@@ -235,20 +317,35 @@ func newServer(t *testing.T) *server {
 	if err != nil {
 		t.Fatal(err)
 	}
-	err = configTmpl.Execute(f, map[string]string{
-		"Dir": dir,
-	})
+	if _, ok := configTmpl[config]; ok == false {
+		t.Fatal(fmt.Errorf("Invalid server config '%s'", config))
+	}
+	configVars["Dir"] = dir
+	err = configTmpl[config].Execute(f, configVars)
 	if err != nil {
 		t.Fatal(err)
 	}
 	f.Close()
 
+	writeFile(filepath.Join(dir, "banner"), []byte("Server Banner"))
+
 	for k, v := range testdata.PEMBytes {
 		filename := "id_" + k
 		writeFile(filepath.Join(dir, filename), v)
 		writeFile(filepath.Join(dir, filename+".pub"), ssh.MarshalAuthorizedKey(testPublicKeys[k]))
 	}
 
+	for k, v := range testdata.SSHCertificates {
+		filename := "id_" + k + "-cert.pub"
+		writeFile(filepath.Join(dir, filename), v)
+	}
+
+	var authkeys bytes.Buffer
+	for k := range testdata.PEMBytes {
+		authkeys.Write(ssh.MarshalAuthorizedKey(testPublicKeys[k]))
+	}
+	writeFile(filepath.Join(dir, "authorized_keys"), authkeys.Bytes())
+
 	return &server{
 		t:          t,
 		configfile: f.Name(),
@@ -259,3 +356,13 @@ func newServer(t *testing.T) *server {
 		},
 	}
 }
+
+func newTempSocket(t *testing.T) (string, func()) {
+	dir, err := ioutil.TempDir("", "socket")
+	if err != nil {
+		t.Fatal(err)
+	}
+	deferFunc := func() { os.RemoveAll(dir) }
+	addr := filepath.Join(dir, "sock")
+	return addr, deferFunc
+}

vendor/golang.org/x/crypto/ssh/test/testdata_test.go

@@ -2,7 +2,7 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// IMPLEMENTOR NOTE: To avoid a package loop, this file is in three places:
+// IMPLEMENTATION NOTE: To avoid a package loop, this file is in three places:
 // ssh/, ssh/agent, and ssh/test/. It should be kept in sync across all three
 // instances.