summaryrefslogtreecommitdiff
path: root/regress/forward-control.sh
diff options
context:
space:
mode:
authordjm@openbsd.org <djm@openbsd.org>2017-04-30 23:34:55 +0000
committerDamien Miller <djm@mindrot.org>2017-05-01 11:59:42 +1000
commitdd369320d2435b630a5974ab270d686dcd92d024 (patch)
tree97ae4bb34d835fbafad12180862195a9e9192d28 /regress/forward-control.sh
parent557f921aad004be15805e09fd9572969eb3d9321 (diff)
upstream commit
eliminate explicit specification of protocol in tests and loops over protocol. We only support SSHv2 now. Upstream-Regress-ID: 0082838a9b8a382b7ee9cbf0c1b9db727784fadd
Diffstat (limited to 'regress/forward-control.sh')
-rw-r--r--regress/forward-control.sh109
1 files changed, 51 insertions, 58 deletions
diff --git a/regress/forward-control.sh b/regress/forward-control.sh
index 91957098f..2e9dbb53a 100644
--- a/regress/forward-control.sh
+++ b/regress/forward-control.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: forward-control.sh,v 1.3 2015/03/03 22:35:19 markus Exp $ 1# $OpenBSD: forward-control.sh,v 1.4 2017/04/30 23:34:55 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="sshd control of local and remote forwarding" 4tid="sshd control of local and remote forwarding"
@@ -32,13 +32,12 @@ wait_for_process_to_exit() {
32 return 0 32 return 0
33} 33}
34 34
35# usage: check_lfwd protocol Y|N message 35# usage: check_lfwd Y|N message
36check_lfwd() { 36check_lfwd() {
37 _proto=$1 37 _expected=$1
38 _expected=$2 38 _message=$2
39 _message=$3
40 rm -f $READY 39 rm -f $READY
41 ${SSH} -oProtocol=$_proto -F $OBJ/ssh_proxy \ 40 ${SSH} -F $OBJ/ssh_proxy \
42 -L$LFWD_PORT:127.0.0.1:$PORT \ 41 -L$LFWD_PORT:127.0.0.1:$PORT \
43 -o ExitOnForwardFailure=yes \ 42 -o ExitOnForwardFailure=yes \
44 -n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \ 43 -n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \
@@ -62,13 +61,12 @@ check_lfwd() {
62 fi 61 fi
63} 62}
64 63
65# usage: check_rfwd protocol Y|N message 64# usage: check_rfwd Y|N message
66check_rfwd() { 65check_rfwd() {
67 _proto=$1 66 _expected=$1
68 _expected=$2 67 _message=$2
69 _message=$3
70 rm -f $READY 68 rm -f $READY
71 ${SSH} -oProtocol=$_proto -F $OBJ/ssh_proxy \ 69 ${SSH} -F $OBJ/ssh_proxy \
72 -R$RFWD_PORT:127.0.0.1:$PORT \ 70 -R$RFWD_PORT:127.0.0.1:$PORT \
73 -o ExitOnForwardFailure=yes \ 71 -o ExitOnForwardFailure=yes \
74 -n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \ 72 -n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \
@@ -99,10 +97,8 @@ cp ${OBJ}/sshd_proxy ${OBJ}/sshd_proxy.bak
99cp ${OBJ}/authorized_keys_${USER} ${OBJ}/authorized_keys_${USER}.bak 97cp ${OBJ}/authorized_keys_${USER} ${OBJ}/authorized_keys_${USER}.bak
100 98
101# Sanity check: ensure the default config allows forwarding 99# Sanity check: ensure the default config allows forwarding
102for p in ${SSH_PROTOCOLS} ; do 100check_lfwd Y "default configuration"
103 check_lfwd $p Y "proto $p, default configuration" 101check_rfwd Y "default configuration"
104 check_rfwd $p Y "proto $p, default configuration"
105done
106 102
107# Usage: all_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N 103# Usage: all_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N
108all_tests() { 104all_tests() {
@@ -115,49 +111,46 @@ all_tests() {
115 _permit_rfwd=$7 111 _permit_rfwd=$7
116 _badfwd=127.0.0.1:22 112 _badfwd=127.0.0.1:22
117 _goodfwd=127.0.0.1:${PORT} 113 _goodfwd=127.0.0.1:${PORT}
118 for _proto in ${SSH_PROTOCOLS} ; do 114 cp ${OBJ}/authorized_keys_${USER}.bak ${OBJ}/authorized_keys_${USER}
119 cp ${OBJ}/authorized_keys_${USER}.bak \ 115 _prefix="AllowTcpForwarding=$_tcpfwd"
120 ${OBJ}/authorized_keys_${USER} 116 # No PermitOpen
121 _prefix="proto $_proto, AllowTcpForwarding=$_tcpfwd" 117 ( cat ${OBJ}/sshd_proxy.bak ;
122 # No PermitOpen 118 echo "AllowTcpForwarding $_tcpfwd" ) \
123 ( cat ${OBJ}/sshd_proxy.bak ; 119 > ${OBJ}/sshd_proxy
124 echo "AllowTcpForwarding $_tcpfwd" ) \ 120 check_lfwd $_plain_lfwd "$_prefix"
125 > ${OBJ}/sshd_proxy 121 check_rfwd $_plain_rfwd "$_prefix"
126 check_lfwd $_proto $_plain_lfwd "$_prefix" 122 # PermitOpen via sshd_config that doesn't match
127 check_rfwd $_proto $_plain_rfwd "$_prefix" 123 ( cat ${OBJ}/sshd_proxy.bak ;
128 # PermitOpen via sshd_config that doesn't match 124 echo "AllowTcpForwarding $_tcpfwd" ;
129 ( cat ${OBJ}/sshd_proxy.bak ; 125 echo "PermitOpen $_badfwd" ) \
130 echo "AllowTcpForwarding $_tcpfwd" ; 126 > ${OBJ}/sshd_proxy
131 echo "PermitOpen $_badfwd" ) \ 127 check_lfwd $_nopermit_lfwd "$_prefix, !PermitOpen"
132 > ${OBJ}/sshd_proxy 128 check_rfwd $_nopermit_rfwd "$_prefix, !PermitOpen"
133 check_lfwd $_proto $_nopermit_lfwd "$_prefix, !PermitOpen" 129 # PermitOpen via sshd_config that does match
134 check_rfwd $_proto $_nopermit_rfwd "$_prefix, !PermitOpen" 130 ( cat ${OBJ}/sshd_proxy.bak ;
135 # PermitOpen via sshd_config that does match 131 echo "AllowTcpForwarding $_tcpfwd" ;
136 ( cat ${OBJ}/sshd_proxy.bak ; 132 echo "PermitOpen $_badfwd $_goodfwd" ) \
137 echo "AllowTcpForwarding $_tcpfwd" ; 133 > ${OBJ}/sshd_proxy
138 echo "PermitOpen $_badfwd $_goodfwd" ) \ 134 # NB. permitopen via authorized_keys should have same
139 > ${OBJ}/sshd_proxy 135 # success/fail as via sshd_config
140 # NB. permitopen via authorized_keys should have same 136 # permitopen via authorized_keys that doesn't match
141 # success/fail as via sshd_config 137 sed "s/^/permitopen=\"$_badfwd\" /" \
142 # permitopen via authorized_keys that doesn't match 138 < ${OBJ}/authorized_keys_${USER}.bak \
143 sed "s/^/permitopen=\"$_badfwd\" /" \ 139 > ${OBJ}/authorized_keys_${USER} || fatal "sed 1 fail"
144 < ${OBJ}/authorized_keys_${USER}.bak \ 140 ( cat ${OBJ}/sshd_proxy.bak ;
145 > ${OBJ}/authorized_keys_${USER} || fatal "sed 1 fail" 141 echo "AllowTcpForwarding $_tcpfwd" ) \
146 ( cat ${OBJ}/sshd_proxy.bak ; 142 > ${OBJ}/sshd_proxy
147 echo "AllowTcpForwarding $_tcpfwd" ) \ 143 check_lfwd $_nopermit_lfwd "$_prefix, !permitopen"
148 > ${OBJ}/sshd_proxy 144 check_rfwd $_nopermit_rfwd "$_prefix, !permitopen"
149 check_lfwd $_proto $_nopermit_lfwd "$_prefix, !permitopen" 145 # permitopen via authorized_keys that does match
150 check_rfwd $_proto $_nopermit_rfwd "$_prefix, !permitopen" 146 sed "s/^/permitopen=\"$_badfwd\",permitopen=\"$_goodfwd\" /" \
151 # permitopen via authorized_keys that does match 147 < ${OBJ}/authorized_keys_${USER}.bak \
152 sed "s/^/permitopen=\"$_badfwd\",permitopen=\"$_goodfwd\" /" \ 148 > ${OBJ}/authorized_keys_${USER} || fatal "sed 2 fail"
153 < ${OBJ}/authorized_keys_${USER}.bak \ 149 ( cat ${OBJ}/sshd_proxy.bak ;
154 > ${OBJ}/authorized_keys_${USER} || fatal "sed 2 fail" 150 echo "AllowTcpForwarding $_tcpfwd" ) \
155 ( cat ${OBJ}/sshd_proxy.bak ; 151 > ${OBJ}/sshd_proxy
156 echo "AllowTcpForwarding $_tcpfwd" ) \ 152 check_lfwd $_permit_lfwd "$_prefix, permitopen"
157 > ${OBJ}/sshd_proxy 153 check_rfwd $_permit_rfwd "$_prefix, permitopen"
158 check_lfwd $_proto $_permit_lfwd "$_prefix, permitopen"
159 check_rfwd $_proto $_permit_rfwd "$_prefix, permitopen"
160 done
161} 154}
162 155
163# no-permitopen mismatch-permitopen match-permitopen 156# no-permitopen mismatch-permitopen match-permitopen