- djm@cvs.openbsd.org 2011/05/23 03:31:31

[regress/cfgmatch.sh] include testing of multiple/overridden AuthorizedKeysFiles refactor to simply daemon start/stop and get rid of racy constructs
author: Damien Miller <djm@mindrot.org> 2011-05-29 21:59:10 +1000
committer: Damien Miller <djm@mindrot.org> 2011-05-29 21:59:10 +1000
commit: 8cb3587336d3fe8e67db1d75da5f4c11456d3f1a (patch)
tree: cddb1df6de8212481b4eac38d90b4a9d38421d4b /regress/cfgmatch.sh
parent: 295ee63ab2123899fb21f76616ef4dac51515236 (diff)
1 files changed, 34 insertions, 32 deletions
diff --git a/regress/cfgmatch.sh b/regress/cfgmatch.sh
index 96badd51b..29234e566 100644
--- a/regress/cfgmatch.sh
+++ b/regress/cfgmatch.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: cfgmatch.sh,v 1.4 2006/12/13 08:36:36 dtucker Exp $
+#       $OpenBSD: cfgmatch.sh,v 1.5 2011/05/23 03:31:31 djm Exp $
 #       Placed in the Public Domain.
 tid="sshd_config match"
@@ -7,6 +7,28 @@ pidfile=$OBJ/remote_pid
 fwdport=3301
 fwd="-L $fwdport:127.0.0.1:$PORT"
+echo "ExitOnForwardFailure=yes" >> ssh_config
+echo "ExitOnForwardFailure=yes" >> ssh_proxy
+start_client()
+{
+        rm -f $pidfile
+        ${SSH} -q -$p $fwd "$@" somehost \
+            exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \
+            >>$TEST_SSH_LOGFILE 2>&1 &
+        client_pid=$!
+        # Wait for remote end
+        n=0
+        while test ! -f $pidfile ; do
+                sleep 1
+                n=`expr $n + 1`
+                if test $n -gt 60; then
+                        kill $client_pid
+                        fatal "timeout waiting for background ssh"
+                fi
+        done    
+}
 stop_client()
 {
        pid=`cat $pidfile`
@@ -14,11 +36,15 @@ stop_client()
                kill $pid
                sleep 1
        fi
+        wait
 }
 cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+grep -v AuthorizedKeysFile $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
+echo "AuthorizedKeysFile /dev/null" >>$OBJ/sshd_proxy
 echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_config
+echo "Match user $USER" >>$OBJ/sshd_proxy
+echo "AuthorizedKeysFile /dev/null $OBJ/authorized_keys_%u" >>$OBJ/sshd_proxy
 echo "Match Address 127.0.0.1" >>$OBJ/sshd_config
 echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_config
@@ -32,12 +58,8 @@ start_sshd
 # Test Match + PermitOpen in sshd_config.  This should be permitted
 for p in 1 2; do
-        rm -f $pidfile
        trace "match permitopen localhost proto $p"
-        ${SSH} -$p $fwd -F $OBJ/ssh_config -f somehost \
+        start_client -F $OBJ/ssh_config
-            exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' >>$TEST_SSH_LOGFILE 2>&1 ||\
-            fail "match permitopen proto $p sshd failed"
-        sleep 1;
        ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
            fail "match permitopen permit proto $p"
        stop_client
@@ -45,12 +67,8 @@ done
 # Same but from different source.  This should not be permitted
 for p in 1 2; do
-        rm -f $pidfile
        trace "match permitopen proxy proto $p"
-        ${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \
+        start_client -F $OBJ/ssh_proxy
-            exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' >>$TEST_SSH_LOGFILE 2>&1 ||\
-            fail "match permitopen proxy proto $p sshd failed"
-        sleep 1;
        ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
            fail "match permitopen deny proto $p"
        stop_client
@@ -62,12 +80,8 @@ cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
 echon 'permitopen="127.0.0.1:'$PORT'" ' >>$OBJ/authorized_keys_$USER
 cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
 for p in 1 2; do
-        rm -f $pidfile
        trace "match permitopen proxy w/key opts proto $p"
-        ${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \
+        start_client -F $OBJ/ssh_proxy
-            exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' >>$TEST_SSH_LOGFILE 2>&1 ||\
-            fail "match permitopen w/key opt proto $p sshd failed"
-        sleep 1;
        ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
            fail "match permitopen deny w/key opt proto $p"
        stop_client
@@ -76,12 +90,8 @@ done
 # Test both sshd_config and key options permitting the same dst/port pair.
 # Should be permitted.
 for p in 1 2; do
-        rm -f $pidfile
        trace "match permitopen localhost proto $p"
-        ${SSH} -$p $fwd -F $OBJ/ssh_config -f somehost \
+        start_client -F $OBJ/ssh_config
-            exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' >>$TEST_SSH_LOGFILE 2>&1 ||\
-            fail "match permitopen proto $p sshd failed"
-        sleep 1;
        ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
            fail "match permitopen permit proto $p"
        stop_client
@@ -94,12 +104,8 @@ echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
 # Test that a Match overrides a PermitOpen in the global section
 for p in 1 2; do
-        rm -f $pidfile
        trace "match permitopen proxy w/key opts proto $p"
-        ${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \
+        start_client -F $OBJ/ssh_proxy
-            exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' >>$TEST_SSH_LOGFILE 2>&1 ||\
-            fail "match override permitopen proto $p sshd failed"
-        sleep 1;
        ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
            fail "match override permitopen proto $p"
        stop_client
@@ -113,12 +119,8 @@ echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
 # Test that a rule that doesn't match doesn't override, plus test a
 # PermitOpen entry that's not at the start of the list
 for p in 1 2; do
-        rm -f $pidfile
        trace "nomatch permitopen proxy w/key opts proto $p"
-        ${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \
+        start_client -F $OBJ/ssh_proxy
-            exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' >>$TEST_SSH_LOGFILE 2>&1 ||\
-            fail "nomatch override permitopen proto $p sshd failed"
-        sleep 1;
        ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
            fail "nomatch override permitopen proto $p"
        stop_client
author	Damien Miller <djm@mindrot.org>	2011-05-29 21:59:10 +1000
committer	Damien Miller <djm@mindrot.org>	2011-05-29 21:59:10 +1000
commit	8cb3587336d3fe8e67db1d75da5f4c11456d3f1a (patch)
tree	cddb1df6de8212481b4eac38d90b4a9d38421d4b /regress/cfgmatch.sh
parent	295ee63ab2123899fb21f76616ef4dac51515236 (diff)

diff --git a/regress/cfgmatch.sh b/regress/cfgmatch.sh index 96badd51b..29234e566 100644 --- a/regress/cfgmatch.sh +++ b/regress/cfgmatch.sh
@@ -1,4 +1,4 @@
1	# $OpenBSD: cfgmatch.sh,v 1.4 2006/12/13 08:36:36 dtucker Exp $	1	# $OpenBSD: cfgmatch.sh,v 1.5 2011/05/23 03:31:31 djm Exp $
2	# Placed in the Public Domain.	2	# Placed in the Public Domain.
3		3
4	tid="sshd_config match"	4	tid="sshd_config match"
@@ -7,6 +7,28 @@ pidfile=$OBJ/remote_pid
7	fwdport=3301	7	fwdport=3301
8	fwd="-L $fwdport:127.0.0.1:$PORT"	8	fwd="-L $fwdport:127.0.0.1:$PORT"
9		9
		10	echo "ExitOnForwardFailure=yes" >> ssh_config
		11	echo "ExitOnForwardFailure=yes" >> ssh_proxy
		12
		13	start_client()
		14	{
		15	rm -f $pidfile
		16	${SSH} -q -$p $fwd "$@" somehost \
		17	exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \
		18	>>$TEST_SSH_LOGFILE 2>&1 &
		19	client_pid=$!
		20	# Wait for remote end
		21	n=0
		22	while test ! -f $pidfile ; do
		23	sleep 1
		24	n=`expr $n + 1`
		25	if test $n -gt 60; then
		26	kill $client_pid
		27	fatal "timeout waiting for background ssh"
		28	fi
		29	done
		30	}
		31
10	stop_client()	32	stop_client()
11	{	33	{
12	pid=`cat $pidfile`	34	pid=`cat $pidfile`
@@ -14,11 +36,15 @@ stop_client()
14	kill $pid	36	kill $pid
15	sleep 1	37	sleep 1
16	fi	38	fi
		39	wait
17	}	40	}
18		41
19	cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak	42	cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
20		43	grep -v AuthorizedKeysFile $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
		44	echo "AuthorizedKeysFile /dev/null" >>$OBJ/sshd_proxy
21	echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_config	45	echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_config
		46	echo "Match user $USER" >>$OBJ/sshd_proxy
		47	echo "AuthorizedKeysFile /dev/null $OBJ/authorized_keys_%u" >>$OBJ/sshd_proxy
22	echo "Match Address 127.0.0.1" >>$OBJ/sshd_config	48	echo "Match Address 127.0.0.1" >>$OBJ/sshd_config
23	echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_config	49	echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_config
24		50
@@ -32,12 +58,8 @@ start_sshd
32		58
33	# Test Match + PermitOpen in sshd_config. This should be permitted	59	# Test Match + PermitOpen in sshd_config. This should be permitted
34	for p in 1 2; do	60	for p in 1 2; do
35	rm -f $pidfile
36	trace "match permitopen localhost proto $p"	61	trace "match permitopen localhost proto $p"
37	${SSH} -$p $fwd -F $OBJ/ssh_config -f somehost \	62	start_client -F $OBJ/ssh_config
38	exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' >>$TEST_SSH_LOGFILE 2>&1 \|\|\
39	fail "match permitopen proto $p sshd failed"
40	sleep 1;
41	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true \|\| \	63	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true \|\| \
42	fail "match permitopen permit proto $p"	64	fail "match permitopen permit proto $p"
43	stop_client	65	stop_client
@@ -45,12 +67,8 @@ done
45		67
46	# Same but from different source. This should not be permitted	68	# Same but from different source. This should not be permitted
47	for p in 1 2; do	69	for p in 1 2; do
48	rm -f $pidfile
49	trace "match permitopen proxy proto $p"	70	trace "match permitopen proxy proto $p"
50	${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \	71	start_client -F $OBJ/ssh_proxy
51	exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' >>$TEST_SSH_LOGFILE 2>&1 \|\|\
52	fail "match permitopen proxy proto $p sshd failed"
53	sleep 1;
54	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \	72	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
55	fail "match permitopen deny proto $p"	73	fail "match permitopen deny proto $p"
56	stop_client	74	stop_client
@@ -62,12 +80,8 @@ cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
62	echon 'permitopen="127.0.0.1:'$PORT'" ' >>$OBJ/authorized_keys_$USER	80	echon 'permitopen="127.0.0.1:'$PORT'" ' >>$OBJ/authorized_keys_$USER
63	cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER	81	cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
64	for p in 1 2; do	82	for p in 1 2; do
65	rm -f $pidfile
66	trace "match permitopen proxy w/key opts proto $p"	83	trace "match permitopen proxy w/key opts proto $p"
67	${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \	84	start_client -F $OBJ/ssh_proxy
68	exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' >>$TEST_SSH_LOGFILE 2>&1 \|\|\
69	fail "match permitopen w/key opt proto $p sshd failed"
70	sleep 1;
71	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \	85	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
72	fail "match permitopen deny w/key opt proto $p"	86	fail "match permitopen deny w/key opt proto $p"
73	stop_client	87	stop_client
@@ -76,12 +90,8 @@ done
76	# Test both sshd_config and key options permitting the same dst/port pair.	90	# Test both sshd_config and key options permitting the same dst/port pair.
77	# Should be permitted.	91	# Should be permitted.
78	for p in 1 2; do	92	for p in 1 2; do
79	rm -f $pidfile
80	trace "match permitopen localhost proto $p"	93	trace "match permitopen localhost proto $p"
81	${SSH} -$p $fwd -F $OBJ/ssh_config -f somehost \	94	start_client -F $OBJ/ssh_config
82	exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' >>$TEST_SSH_LOGFILE 2>&1 \|\|\
83	fail "match permitopen proto $p sshd failed"
84	sleep 1;
85	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true \|\| \	95	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true \|\| \
86	fail "match permitopen permit proto $p"	96	fail "match permitopen permit proto $p"
87	stop_client	97	stop_client
@@ -94,12 +104,8 @@ echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
94		104
95	# Test that a Match overrides a PermitOpen in the global section	105	# Test that a Match overrides a PermitOpen in the global section
96	for p in 1 2; do	106	for p in 1 2; do
97	rm -f $pidfile
98	trace "match permitopen proxy w/key opts proto $p"	107	trace "match permitopen proxy w/key opts proto $p"
99	${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \	108	start_client -F $OBJ/ssh_proxy
100	exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' >>$TEST_SSH_LOGFILE 2>&1 \|\|\
101	fail "match override permitopen proto $p sshd failed"
102	sleep 1;
103	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \	109	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
104	fail "match override permitopen proto $p"	110	fail "match override permitopen proto $p"
105	stop_client	111	stop_client
@@ -113,12 +119,8 @@ echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
113	# Test that a rule that doesn't match doesn't override, plus test a	119	# Test that a rule that doesn't match doesn't override, plus test a
114	# PermitOpen entry that's not at the start of the list	120	# PermitOpen entry that's not at the start of the list
115	for p in 1 2; do	121	for p in 1 2; do
116	rm -f $pidfile
117	trace "nomatch permitopen proxy w/key opts proto $p"	122	trace "nomatch permitopen proxy w/key opts proto $p"
118	${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \	123	start_client -F $OBJ/ssh_proxy
119	exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' >>$TEST_SSH_LOGFILE 2>&1 \|\|\
120	fail "nomatch override permitopen proto $p sshd failed"
121	sleep 1;
122	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true \|\| \	124	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true \|\| \
123	fail "nomatch override permitopen proto $p"	125	fail "nomatch override permitopen proto $p"
124	stop_client	126	stop_client