upstream: better testing for port-forwarding and restrict flags in

authorized_keys OpenBSD-Regress-ID: ee771df8955f2735df54746872c6228aff381daa
author: djm@openbsd.org <djm@openbsd.org> 2018-03-02 02:51:55 +0000
committer: Damien Miller <djm@mindrot.org> 2018-03-03 14:38:26 +1100
commit: 3d1edd1ebbc0aabea8bbe61903060f37137f7c61 (patch)
tree: acf8934dd30c6060e1c5e2eebd6c231028c8fc3a /regress/forward-control.sh
parent: 7c856857607112a3dfe6414696bf4c7ab7fb0cb3 (diff)
1 files changed, 28 insertions, 1 deletions
diff --git a/regress/forward-control.sh b/regress/forward-control.sh
index 2e9dbb53a..93d05cf63 100644
--- a/regress/forward-control.sh
+++ b/regress/forward-control.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: forward-control.sh,v 1.4 2017/04/30 23:34:55 djm Exp $
+#       $OpenBSD: forward-control.sh,v 1.5 2018/03/02 02:51:55 djm Exp $
 #       Placed in the Public Domain.
 tid="sshd control of local and remote forwarding"
@@ -151,6 +151,33 @@ all_tests() {
            > ${OBJ}/sshd_proxy
        check_lfwd $_permit_lfwd "$_prefix, permitopen"
        check_rfwd $_permit_rfwd "$_prefix, permitopen"
+        # Check port-forwarding flags in authorized_keys.
+        # These two should refuse all.
+        sed "s/^/no-port-forwarding /" \
+            < ${OBJ}/authorized_keys_${USER}.bak \
+            > ${OBJ}/authorized_keys_${USER} || fatal "sed 3 fail"
+        ( cat ${OBJ}/sshd_proxy.bak ;
+          echo "AllowTcpForwarding $_tcpfwd" ) \
+            > ${OBJ}/sshd_proxy
+        check_lfwd N "$_prefix, no-port-forwarding"
+        check_rfwd N "$_prefix, no-port-forwarding"
+        sed "s/^/restrict /" \
+            < ${OBJ}/authorized_keys_${USER}.bak \
+            > ${OBJ}/authorized_keys_${USER} || fatal "sed 4 fail"
+        ( cat ${OBJ}/sshd_proxy.bak ;
+          echo "AllowTcpForwarding $_tcpfwd" ) \
+            > ${OBJ}/sshd_proxy
+        check_lfwd N "$_prefix, restrict"
+        check_rfwd N "$_prefix, restrict"
+        # This should pass the same cases as _nopermit*
+        sed "s/^/restrict,port-forwarding /" \
+            < ${OBJ}/authorized_keys_${USER}.bak \
+            > ${OBJ}/authorized_keys_${USER} || fatal "sed 5 fail"
+        ( cat ${OBJ}/sshd_proxy.bak ;
+          echo "AllowTcpForwarding $_tcpfwd" ) \
+            > ${OBJ}/sshd_proxy
+        check_lfwd $_plain_lfwd "$_prefix, restrict,port-forwarding"
+        check_rfwd $_plain_rfwd "$_prefix, restrict,port-forwarding"
 }
 #                      no-permitopen mismatch-permitopen match-permitopen
author	djm@openbsd.org <djm@openbsd.org>	2018-03-02 02:51:55 +0000
committer	Damien Miller <djm@mindrot.org>	2018-03-03 14:38:26 +1100
commit	3d1edd1ebbc0aabea8bbe61903060f37137f7c61 (patch)
tree	acf8934dd30c6060e1c5e2eebd6c231028c8fc3a /regress/forward-control.sh
parent	7c856857607112a3dfe6414696bf4c7ab7fb0cb3 (diff)

diff --git a/regress/forward-control.sh b/regress/forward-control.sh index 2e9dbb53a..93d05cf63 100644 --- a/regress/forward-control.sh +++ b/regress/forward-control.sh
@@ -1,4 +1,4 @@
1	# $OpenBSD: forward-control.sh,v 1.4 2017/04/30 23:34:55 djm Exp $	1	# $OpenBSD: forward-control.sh,v 1.5 2018/03/02 02:51:55 djm Exp $
2	# Placed in the Public Domain.	2	# Placed in the Public Domain.
3		3
4	tid="sshd control of local and remote forwarding"	4	tid="sshd control of local and remote forwarding"
@@ -151,6 +151,33 @@ all_tests() {
151	> ${OBJ}/sshd_proxy	151	> ${OBJ}/sshd_proxy
152	check_lfwd $_permit_lfwd "$_prefix, permitopen"	152	check_lfwd $_permit_lfwd "$_prefix, permitopen"
153	check_rfwd $_permit_rfwd "$_prefix, permitopen"	153	check_rfwd $_permit_rfwd "$_prefix, permitopen"
		154	# Check port-forwarding flags in authorized_keys.
		155	# These two should refuse all.
		156	sed "s/^/no-port-forwarding /" \
		157	< ${OBJ}/authorized_keys_${USER}.bak \
		158	> ${OBJ}/authorized_keys_${USER} \|\| fatal "sed 3 fail"
		159	( cat ${OBJ}/sshd_proxy.bak ;
		160	echo "AllowTcpForwarding $_tcpfwd" ) \
		161	> ${OBJ}/sshd_proxy
		162	check_lfwd N "$_prefix, no-port-forwarding"
		163	check_rfwd N "$_prefix, no-port-forwarding"
		164	sed "s/^/restrict /" \
		165	< ${OBJ}/authorized_keys_${USER}.bak \
		166	> ${OBJ}/authorized_keys_${USER} \|\| fatal "sed 4 fail"
		167	( cat ${OBJ}/sshd_proxy.bak ;
		168	echo "AllowTcpForwarding $_tcpfwd" ) \
		169	> ${OBJ}/sshd_proxy
		170	check_lfwd N "$_prefix, restrict"
		171	check_rfwd N "$_prefix, restrict"
		172	# This should pass the same cases as _nopermit*
		173	sed "s/^/restrict,port-forwarding /" \
		174	< ${OBJ}/authorized_keys_${USER}.bak \
		175	> ${OBJ}/authorized_keys_${USER} \|\| fatal "sed 5 fail"
		176	( cat ${OBJ}/sshd_proxy.bak ;
		177	echo "AllowTcpForwarding $_tcpfwd" ) \
		178	> ${OBJ}/sshd_proxy
		179	check_lfwd $_plain_lfwd "$_prefix, restrict,port-forwarding"
		180	check_rfwd $_plain_rfwd "$_prefix, restrict,port-forwarding"
154	}	181	}
155		182
156	# no-permitopen mismatch-permitopen match-permitopen	183	# no-permitopen mismatch-permitopen match-permitopen