diff options
| author | Damien Miller <djm@mindrot.org> | 2006-07-24 15:31:41 +1000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2006-07-24 15:31:41 +1000 |
| commit | 7b1877c803021430818ad7bd6bff504f0de1658f (patch) | |
| tree | c6c96cdd9d78eeb1a5e7887b4c3a5f4ab6dbceff /regress/cfgmatch.sh | |
| parent | 24f2a42e53d084486e93e45d96c9d6178c583043 (diff) | |
- (djm) [regress/Makefile regress/agent-getpeereid.sh regress/cfgmatch.sh]
[regress/cipher-speed.sh regress/forcecommand.sh regress/forwarding.sh]
Sync regress tests to -current; include dtucker@'s new cfgmatch and
forcecommand tests. Add cipher-speed.sh test (not linked in yet)
Diffstat (limited to 'regress/cfgmatch.sh')
| -rw-r--r-- | regress/cfgmatch.sh | 105 |
1 files changed, 105 insertions, 0 deletions
diff --git a/regress/cfgmatch.sh b/regress/cfgmatch.sh new file mode 100644 index 000000000..3a789faab --- /dev/null +++ b/regress/cfgmatch.sh | |||
| @@ -0,0 +1,105 @@ | |||
| 1 | # $OpenBSD: cfgmatch.sh,v 1.2 2006/07/22 01:50:00 dtucker Exp $ | ||
| 2 | # Placed in the Public Domain. | ||
| 3 | |||
| 4 | tid="sshd_config match" | ||
| 5 | |||
| 6 | pidfile=$OBJ/remote_pid | ||
| 7 | fwdport=3301 | ||
| 8 | fwd="-L $fwdport:127.0.0.1:$PORT" | ||
| 9 | |||
| 10 | stop_client() | ||
| 11 | { | ||
| 12 | pid=`cat $pidfile` | ||
| 13 | if [ ! -z "$pid" ]; then | ||
| 14 | kill $pid | ||
| 15 | fi | ||
| 16 | } | ||
| 17 | |||
| 18 | cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak | ||
| 19 | |||
| 20 | echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_config | ||
| 21 | echo "Match Address 127.0.0.1" >>$OBJ/sshd_config | ||
| 22 | echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_config | ||
| 23 | |||
| 24 | echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_proxy | ||
| 25 | echo "Match Address 127.0.0.1" >>$OBJ/sshd_proxy | ||
| 26 | echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_proxy | ||
| 27 | |||
| 28 | start_sshd | ||
| 29 | |||
| 30 | #set -x | ||
| 31 | |||
| 32 | # Test Match + PermitOpen in sshd_config. This should be permitted | ||
| 33 | for p in 1 2; do | ||
| 34 | rm -f $pidfile | ||
| 35 | trace "match permitopen localhost proto $p" | ||
| 36 | ${SSH} -$p $fwd -F $OBJ/ssh_config -f somehost \ | ||
| 37 | "echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 ||\ | ||
| 38 | fail "match permitopen proto $p sshd failed" | ||
| 39 | sleep 1; | ||
| 40 | ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \ | ||
| 41 | fail "match permitopen permit proto $p" | ||
| 42 | stop_client | ||
| 43 | done | ||
| 44 | |||
| 45 | # Same but from different source. This should not be permitted | ||
| 46 | for p in 1 2; do | ||
| 47 | rm -f $pidfile | ||
| 48 | trace "match permitopen proxy proto $p" | ||
| 49 | ${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \ | ||
| 50 | "echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 ||\ | ||
| 51 | fail "match permitopen proxy proto $p sshd failed" | ||
| 52 | sleep 1; | ||
| 53 | ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \ | ||
| 54 | fail "match permitopen deny proto $p" | ||
| 55 | stop_client | ||
| 56 | done | ||
| 57 | |||
| 58 | # Retry previous with key option, should also be denied. | ||
| 59 | echo -n 'permitopen="127.0.0.1:'$PORT'" ' >$OBJ/authorized_keys_$USER | ||
| 60 | cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER | ||
| 61 | echo -n 'permitopen="127.0.0.1:'$PORT'" ' >>$OBJ/authorized_keys_$USER | ||
| 62 | cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER | ||
| 63 | for p in 1 2; do | ||
| 64 | rm -f $pidfile | ||
| 65 | trace "match permitopen proxy w/key opts proto $p" | ||
| 66 | ${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \ | ||
| 67 | "echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 ||\ | ||
| 68 | fail "match permitopen w/key opt proto $p sshd failed" | ||
| 69 | sleep 1; | ||
| 70 | ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \ | ||
| 71 | fail "match permitopen deny w/key opt proto $p" | ||
| 72 | stop_client | ||
| 73 | done | ||
| 74 | |||
| 75 | # Test both sshd_config and key options permitting the same dst/port pair. | ||
| 76 | # Should be permitted. | ||
| 77 | for p in 1 2; do | ||
| 78 | rm -f $pidfile | ||
| 79 | trace "match permitopen localhost proto $p" | ||
| 80 | ${SSH} -$p $fwd -F $OBJ/ssh_config -f somehost \ | ||
| 81 | "echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 ||\ | ||
| 82 | fail "match permitopen proto $p sshd failed" | ||
| 83 | sleep 1; | ||
| 84 | ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \ | ||
| 85 | fail "match permitopen permit proto $p" | ||
| 86 | stop_client | ||
| 87 | done | ||
| 88 | |||
| 89 | cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy | ||
| 90 | echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy | ||
| 91 | echo "Match User $USER" >>$OBJ/sshd_proxy | ||
| 92 | echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy | ||
| 93 | |||
| 94 | # Test that a Match overrides a PermitOpen in the global section | ||
| 95 | for p in 1 2; do | ||
| 96 | rm -f $pidfile | ||
| 97 | trace "match permitopen proxy w/key opts proto $p" | ||
| 98 | ${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \ | ||
| 99 | "echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 ||\ | ||
| 100 | fail "match override permitopen proto $p sshd failed" | ||
| 101 | sleep 1; | ||
| 102 | ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \ | ||
| 103 | fail "match override permitopen proto $p" | ||
| 104 | stop_client | ||
| 105 | done | ||