diff options
author | Damien Miller <djm@mindrot.org> | 2006-07-24 15:31:41 +1000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2006-07-24 15:31:41 +1000 |
commit | 7b1877c803021430818ad7bd6bff504f0de1658f (patch) | |
tree | c6c96cdd9d78eeb1a5e7887b4c3a5f4ab6dbceff /regress/cfgmatch.sh | |
parent | 24f2a42e53d084486e93e45d96c9d6178c583043 (diff) |
- (djm) [regress/Makefile regress/agent-getpeereid.sh regress/cfgmatch.sh]
[regress/cipher-speed.sh regress/forcecommand.sh regress/forwarding.sh]
Sync regress tests to -current; include dtucker@'s new cfgmatch and
forcecommand tests. Add cipher-speed.sh test (not linked in yet)
Diffstat (limited to 'regress/cfgmatch.sh')
-rw-r--r-- | regress/cfgmatch.sh | 105 |
1 files changed, 105 insertions, 0 deletions
diff --git a/regress/cfgmatch.sh b/regress/cfgmatch.sh new file mode 100644 index 000000000..3a789faab --- /dev/null +++ b/regress/cfgmatch.sh | |||
@@ -0,0 +1,105 @@ | |||
1 | # $OpenBSD: cfgmatch.sh,v 1.2 2006/07/22 01:50:00 dtucker Exp $ | ||
2 | # Placed in the Public Domain. | ||
3 | |||
4 | tid="sshd_config match" | ||
5 | |||
6 | pidfile=$OBJ/remote_pid | ||
7 | fwdport=3301 | ||
8 | fwd="-L $fwdport:127.0.0.1:$PORT" | ||
9 | |||
10 | stop_client() | ||
11 | { | ||
12 | pid=`cat $pidfile` | ||
13 | if [ ! -z "$pid" ]; then | ||
14 | kill $pid | ||
15 | fi | ||
16 | } | ||
17 | |||
18 | cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak | ||
19 | |||
20 | echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_config | ||
21 | echo "Match Address 127.0.0.1" >>$OBJ/sshd_config | ||
22 | echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_config | ||
23 | |||
24 | echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_proxy | ||
25 | echo "Match Address 127.0.0.1" >>$OBJ/sshd_proxy | ||
26 | echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_proxy | ||
27 | |||
28 | start_sshd | ||
29 | |||
30 | #set -x | ||
31 | |||
32 | # Test Match + PermitOpen in sshd_config. This should be permitted | ||
33 | for p in 1 2; do | ||
34 | rm -f $pidfile | ||
35 | trace "match permitopen localhost proto $p" | ||
36 | ${SSH} -$p $fwd -F $OBJ/ssh_config -f somehost \ | ||
37 | "echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 ||\ | ||
38 | fail "match permitopen proto $p sshd failed" | ||
39 | sleep 1; | ||
40 | ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \ | ||
41 | fail "match permitopen permit proto $p" | ||
42 | stop_client | ||
43 | done | ||
44 | |||
45 | # Same but from different source. This should not be permitted | ||
46 | for p in 1 2; do | ||
47 | rm -f $pidfile | ||
48 | trace "match permitopen proxy proto $p" | ||
49 | ${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \ | ||
50 | "echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 ||\ | ||
51 | fail "match permitopen proxy proto $p sshd failed" | ||
52 | sleep 1; | ||
53 | ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \ | ||
54 | fail "match permitopen deny proto $p" | ||
55 | stop_client | ||
56 | done | ||
57 | |||
58 | # Retry previous with key option, should also be denied. | ||
59 | echo -n 'permitopen="127.0.0.1:'$PORT'" ' >$OBJ/authorized_keys_$USER | ||
60 | cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER | ||
61 | echo -n 'permitopen="127.0.0.1:'$PORT'" ' >>$OBJ/authorized_keys_$USER | ||
62 | cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER | ||
63 | for p in 1 2; do | ||
64 | rm -f $pidfile | ||
65 | trace "match permitopen proxy w/key opts proto $p" | ||
66 | ${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \ | ||
67 | "echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 ||\ | ||
68 | fail "match permitopen w/key opt proto $p sshd failed" | ||
69 | sleep 1; | ||
70 | ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \ | ||
71 | fail "match permitopen deny w/key opt proto $p" | ||
72 | stop_client | ||
73 | done | ||
74 | |||
75 | # Test both sshd_config and key options permitting the same dst/port pair. | ||
76 | # Should be permitted. | ||
77 | for p in 1 2; do | ||
78 | rm -f $pidfile | ||
79 | trace "match permitopen localhost proto $p" | ||
80 | ${SSH} -$p $fwd -F $OBJ/ssh_config -f somehost \ | ||
81 | "echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 ||\ | ||
82 | fail "match permitopen proto $p sshd failed" | ||
83 | sleep 1; | ||
84 | ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \ | ||
85 | fail "match permitopen permit proto $p" | ||
86 | stop_client | ||
87 | done | ||
88 | |||
89 | cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy | ||
90 | echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy | ||
91 | echo "Match User $USER" >>$OBJ/sshd_proxy | ||
92 | echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy | ||
93 | |||
94 | # Test that a Match overrides a PermitOpen in the global section | ||
95 | for p in 1 2; do | ||
96 | rm -f $pidfile | ||
97 | trace "match permitopen proxy w/key opts proto $p" | ||
98 | ${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \ | ||
99 | "echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 ||\ | ||
100 | fail "match override permitopen proto $p sshd failed" | ||
101 | sleep 1; | ||
102 | ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \ | ||
103 | fail "match override permitopen proto $p" | ||
104 | stop_client | ||
105 | done | ||