ssh/test: skip KEX test if unsupported by system SSH client

drakkan · FiloSottile · commit 3bf9d2afd4f0 · 2025-06-05T10:42:09.000-07:00
Skip the key exchange test when using the system's ssh CLI if the required KEX algorithm (e.g., mlkem768x25519-sha256) is not supported. This is determined by running ssh -Q kex and checking for the presence of the target algorithm. Prevents false test failures in CI environments with older or limited SSH implementations. Cq-Include-Trybots: luci.golang.try:x_crypto-gotip-darwin-amd64-longtest,x_crypto-gotip-linux-amd64-longtest,x_crypto-gotip-windows-amd64-longtest Change-Id: I3fac703ec70559e18b30d5fff88274335a7c3952 Reviewed-on: https://go-review.googlesource.com/c/crypto/+/679195 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> Reviewed-by: Carlos Amedee <carlos@golang.org>
diff --git a/ssh/test/sshcli_test.go b/ssh/test/sshcli_test.go
@@ -119,6 +119,14 @@ func TestSSHCLIKeyExchanges(t *testing.T) {
 	keyExchanges := append(ssh.SupportedAlgorithms().KeyExchanges, ssh.InsecureAlgorithms().KeyExchanges...)
 	for _, kex := range keyExchanges {
 		t.Run(kex, func(t *testing.T) {
+			cmd := testenv.Command(t, sshCLI, "-Q", "kex")
+			out, err := cmd.CombinedOutput()
+			if err != nil {
+				t.Fatalf("%s failed to check if the KEX is supported, error: %v, command output %q", kex, err, string(out))
+			}
+			if !bytes.Contains(out, []byte(kex)) {
+				t.Skipf("KEX %q is not supported in the installed ssh CLI", kex)
+			}
 			config := &ssh.ServerConfig{
 				Config: ssh.Config{
 					KeyExchanges: []string{kex},
@@ -144,9 +152,9 @@ func TestSSHCLIKeyExchanges(t *testing.T) {
 				t.Fatalf("unable to get server port: %v", err)
 			}
 
-			cmd := testenv.Command(t, sshCLI, "-vvv", "-i", keyPrivPath, "-o", "StrictHostKeyChecking=no",
+			cmd = testenv.Command(t, sshCLI, "-vvv", "-i", keyPrivPath, "-o", "StrictHostKeyChecking=no",
 				"-o", fmt.Sprintf("KexAlgorithms=%s", kex), "-p", port, "testpubkey@127.0.0.1", "true")
-			out, err := cmd.CombinedOutput()
+			out, err = cmd.CombinedOutput()
 			if err != nil {
 				t.Fatalf("%s failed, error: %v, command output %q", kex, err, string(out))
 			}
