upstream: test PermitListen with bare port numbers

OpenBSD-Regress-ID: 4b50a02dfb0ccaca08247f3877c444126ba901b3
author: djm@openbsd.org <djm@openbsd.org> 2018-06-19 03:02:17 +0000
committer: Damien Miller <djm@mindrot.org> 2018-06-19 13:03:03 +1000
commit: 80e199d6175904152aafc5c297096c3e18297691 (patch)
tree: 3502f91bf61798a4faf84835c361ae48215bf588 /regress/cfgmatchlisten.sh
parent: 87ddd676da0f3abd08b778b12b53b91b670dc93c (diff)
1 files changed, 39 insertions, 2 deletions
diff --git a/regress/cfgmatchlisten.sh b/regress/cfgmatchlisten.sh
index 8155c56bc..470e55c46 100644
--- a/regress/cfgmatchlisten.sh
+++ b/regress/cfgmatchlisten.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: cfgmatchlisten.sh,v 1.1 2018/06/07 04:46:34 djm Exp $
+#       $OpenBSD: cfgmatchlisten.sh,v 1.2 2018/06/19 03:02:17 djm Exp $
 #       Placed in the Public Domain.
 tid="sshd_config matchlisten"
@@ -106,6 +106,21 @@ ${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
    fail "match permitlisten permit"
 stop_client
+# Test that a bare port number is accepted in PermitListen
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+echo "PermitListen 127.0.0.1:1 $fwdport 127.0.0.2:2" >>$OBJ/sshd_proxy
+trace "match permitlisten bare"
+expect_client_ok -F $OBJ/ssh_config
+${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
+    fail "match permitlisten bare"
+stop_client
+# Test that an incorrect bare port number is denied as expected
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+echo "PermitListen 1 2 99" >>$OBJ/sshd_proxy
+trace "match permitlisten bare"
+expect_client_fail -F $OBJ/ssh_config
 cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
 echo "PermitListen 127.0.0.1:1 $fwdspec 127.0.0.2:2" >>$OBJ/sshd_proxy
 echo "Match User $USER" >>$OBJ/sshd_proxy
@@ -149,7 +164,7 @@ expect_client_fail "nomatch 127.0.0.1 server config and userkey" \
 cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
 echo "PermitListen 127.0.0.1:1 ${fwdspec2} 127.0.0.2:2" >>$OBJ/sshd_proxy
 trace "nomatch permitlisten 127.0.0.1 w/key opts"
-expect_client_fail "nomatch 127.0.0.1 w/key otps" \
+expect_client_fail "nomatch 127.0.0.1 w/key opts" \
    -F $OBJ/ssh_config
 # fix key opts
@@ -163,3 +178,25 @@ expect_client_ok -F $OBJ/ssh_proxy
 ${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
    fail "match 127.0.0.1 server config w/key opts"
 stop_client
+# key opts with bare port number
+cp /dev/null $OBJ/authorized_keys_$USER
+for t in ${SSH_KEYTYPES}; do
+        printf 'permitlisten="'$fwdport'" ' >> $OBJ/authorized_keys_$USER
+        cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
+done
+trace "match permitlisten 127.0.0.1 server config w/key opts (bare)"
+expect_client_ok -F $OBJ/ssh_proxy
+${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
+    fail "match 127.0.0.1 server config w/key opts (bare)"
+stop_client
+# key opts with incorrect bare port number
+cp /dev/null $OBJ/authorized_keys_$USER
+for t in ${SSH_KEYTYPES}; do
+        printf 'permitlisten="99" ' >> $OBJ/authorized_keys_$USER
+        cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
+done
+trace "match permitlisten 127.0.0.1 server config w/key opts (wrong bare)"
+expect_client_fail "nomatch 127.0.0.1 w/key opts (wrong bare)" \
+    -F $OBJ/ssh_config
author	djm@openbsd.org <djm@openbsd.org>	2018-06-19 03:02:17 +0000
committer	Damien Miller <djm@mindrot.org>	2018-06-19 13:03:03 +1000
commit	80e199d6175904152aafc5c297096c3e18297691 (patch)
tree	3502f91bf61798a4faf84835c361ae48215bf588 /regress/cfgmatchlisten.sh
parent	87ddd676da0f3abd08b778b12b53b91b670dc93c (diff)

diff --git a/regress/cfgmatchlisten.sh b/regress/cfgmatchlisten.sh index 8155c56bc..470e55c46 100644 --- a/regress/cfgmatchlisten.sh +++ b/regress/cfgmatchlisten.sh
@@ -1,4 +1,4 @@
1	# $OpenBSD: cfgmatchlisten.sh,v 1.1 2018/06/07 04:46:34 djm Exp $	1	# $OpenBSD: cfgmatchlisten.sh,v 1.2 2018/06/19 03:02:17 djm Exp $
2	# Placed in the Public Domain.	2	# Placed in the Public Domain.
3		3
4	tid="sshd_config matchlisten"	4	tid="sshd_config matchlisten"
@@ -106,6 +106,21 @@ ${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true \|\| \
106	fail "match permitlisten permit"	106	fail "match permitlisten permit"
107	stop_client	107	stop_client
108		108
		109	# Test that a bare port number is accepted in PermitListen
		110	cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
		111	echo "PermitListen 127.0.0.1:1 $fwdport 127.0.0.2:2" >>$OBJ/sshd_proxy
		112	trace "match permitlisten bare"
		113	expect_client_ok -F $OBJ/ssh_config
		114	${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true \|\| \
		115	fail "match permitlisten bare"
		116	stop_client
		117
		118	# Test that an incorrect bare port number is denied as expected
		119	cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
		120	echo "PermitListen 1 2 99" >>$OBJ/sshd_proxy
		121	trace "match permitlisten bare"
		122	expect_client_fail -F $OBJ/ssh_config
		123
109	cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy	124	cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
110	echo "PermitListen 127.0.0.1:1 $fwdspec 127.0.0.2:2" >>$OBJ/sshd_proxy	125	echo "PermitListen 127.0.0.1:1 $fwdspec 127.0.0.2:2" >>$OBJ/sshd_proxy
111	echo "Match User $USER" >>$OBJ/sshd_proxy	126	echo "Match User $USER" >>$OBJ/sshd_proxy
@@ -149,7 +164,7 @@ expect_client_fail "nomatch 127.0.0.1 server config and userkey" \
149	cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy	164	cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
150	echo "PermitListen 127.0.0.1:1 ${fwdspec2} 127.0.0.2:2" >>$OBJ/sshd_proxy	165	echo "PermitListen 127.0.0.1:1 ${fwdspec2} 127.0.0.2:2" >>$OBJ/sshd_proxy
151	trace "nomatch permitlisten 127.0.0.1 w/key opts"	166	trace "nomatch permitlisten 127.0.0.1 w/key opts"
152	expect_client_fail "nomatch 127.0.0.1 w/key otps" \	167	expect_client_fail "nomatch 127.0.0.1 w/key opts" \
153	-F $OBJ/ssh_config	168	-F $OBJ/ssh_config
154		169
155	# fix key opts	170	# fix key opts
@@ -163,3 +178,25 @@ expect_client_ok -F $OBJ/ssh_proxy
163	${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true \|\| \	178	${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true \|\| \
164	fail "match 127.0.0.1 server config w/key opts"	179	fail "match 127.0.0.1 server config w/key opts"
165	stop_client	180	stop_client
		181
		182	# key opts with bare port number
		183	cp /dev/null $OBJ/authorized_keys_$USER
		184	for t in ${SSH_KEYTYPES}; do
		185	printf 'permitlisten="'$fwdport'" ' >> $OBJ/authorized_keys_$USER
		186	cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
		187	done
		188	trace "match permitlisten 127.0.0.1 server config w/key opts (bare)"
		189	expect_client_ok -F $OBJ/ssh_proxy
		190	${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true \|\| \
		191	fail "match 127.0.0.1 server config w/key opts (bare)"
		192	stop_client
		193
		194	# key opts with incorrect bare port number
		195	cp /dev/null $OBJ/authorized_keys_$USER
		196	for t in ${SSH_KEYTYPES}; do
		197	printf 'permitlisten="99" ' >> $OBJ/authorized_keys_$USER
		198	cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
		199	done
		200	trace "match permitlisten 127.0.0.1 server config w/key opts (wrong bare)"
		201	expect_client_fail "nomatch 127.0.0.1 w/key opts (wrong bare)" \
		202	-F $OBJ/ssh_config