diff options
| author | dtucker@openbsd.org <dtucker@openbsd.org> | 2019-04-18 18:57:16 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2019-06-19 12:21:23 +1000 |
| commit | 0bb7e38834e3f9886302bbaea630a6b0f8cfb520 (patch) | |
| tree | 91a7a8bed1b4f0722459eea0acf6f02a6830183d /regress | |
| parent | 73eb6cef41daba0359c1888e4756108d41b4e819 (diff) | |
upstream: Add tests for sshd -T -C with Match.
OpenBSD-Regress-ID: d4c34916fe20d717692f10ef50b5ae5a271c12c7
Diffstat (limited to 'regress')
| -rw-r--r-- | regress/cfgmatch.sh | 49 |
1 files changed, 46 insertions, 3 deletions
diff --git a/regress/cfgmatch.sh b/regress/cfgmatch.sh index dd11e404d..6620c84ed 100644 --- a/regress/cfgmatch.sh +++ b/regress/cfgmatch.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: cfgmatch.sh,v 1.11 2017/10/04 18:50:23 djm Exp $ | 1 | # $OpenBSD: cfgmatch.sh,v 1.12 2019/04/18 18:57:16 dtucker Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="sshd_config match" | 4 | tid="sshd_config match" |
| @@ -51,9 +51,10 @@ echo "AuthorizedKeysFile /dev/null $OBJ/authorized_keys_%u" >>$OBJ/sshd_proxy | |||
| 51 | echo "Match Address 127.0.0.1" >>$OBJ/sshd_proxy | 51 | echo "Match Address 127.0.0.1" >>$OBJ/sshd_proxy |
| 52 | echo "PermitOpen 127.0.0.1:2 127.0.0.1:3 127.0.0.1:$PORT" >>$OBJ/sshd_proxy | 52 | echo "PermitOpen 127.0.0.1:2 127.0.0.1:3 127.0.0.1:$PORT" >>$OBJ/sshd_proxy |
| 53 | 53 | ||
| 54 | start_sshd | 54 | ${SUDO} ${SSHD} -f $OBJ/sshd_config -T >/dev/null || \ |
| 55 | fail "config w/match fails config test" | ||
| 55 | 56 | ||
| 56 | #set -x | 57 | start_sshd |
| 57 | 58 | ||
| 58 | # Test Match + PermitOpen in sshd_config. This should be permitted | 59 | # Test Match + PermitOpen in sshd_config. This should be permitted |
| 59 | trace "match permitopen localhost" | 60 | trace "match permitopen localhost" |
| @@ -113,3 +114,45 @@ start_client -F $OBJ/ssh_proxy | |||
| 113 | ${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \ | 114 | ${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \ |
| 114 | fail "nomatch override permitopen" | 115 | fail "nomatch override permitopen" |
| 115 | stop_client | 116 | stop_client |
| 117 | |||
| 118 | # Test parsing of available Match criteria (with the exception of Group which | ||
| 119 | # requires knowledge of actual group memberships user running the test). | ||
| 120 | params="user:user:u1 host:host:h1 address:addr:1.2.3.4 \ | ||
| 121 | localaddress:laddr:5.6.7.8 rdomain:rdomain:rdom1" | ||
| 122 | cp $OBJ/sshd_proxy_bak $OBJ/sshd_config | ||
| 123 | echo 'Banner /nomatch' >>$OBJ/sshd_config | ||
| 124 | for i in $params; do | ||
| 125 | config=`echo $i | cut -f1 -d:` | ||
| 126 | criteria=`echo $i | cut -f2 -d:` | ||
| 127 | value=`echo $i | cut -f3 -d:` | ||
| 128 | cat >>$OBJ/sshd_config <<EOD | ||
| 129 | Match $config $value | ||
| 130 | Banner /$value | ||
| 131 | EOD | ||
| 132 | done | ||
| 133 | |||
| 134 | ${SUDO} ${SSHD} -f $OBJ/sshd_config -T >/dev/null || \ | ||
| 135 | fail "validate config for w/out spec" | ||
| 136 | |||
| 137 | # Test matching each criteria. | ||
| 138 | for i in $params; do | ||
| 139 | testcriteria=`echo $i | cut -f2 -d:` | ||
| 140 | expected=/`echo $i | cut -f3 -d:` | ||
| 141 | spec="" | ||
| 142 | for j in $params; do | ||
| 143 | config=`echo $j | cut -f1 -d:` | ||
| 144 | criteria=`echo $j | cut -f2 -d:` | ||
| 145 | value=`echo $j | cut -f3 -d:` | ||
| 146 | if [ "$criteria" = "$testcriteria" ]; then | ||
| 147 | spec="$criteria=$value,$spec" | ||
| 148 | else | ||
| 149 | spec="$criteria=1$value,$spec" | ||
| 150 | fi | ||
| 151 | done | ||
| 152 | trace "test spec $spec" | ||
| 153 | result=`${SUDO} ${SSHD} -f $OBJ/sshd_config -T -C "$spec" | \ | ||
| 154 | awk '$1=="banner"{print $2}'` | ||
| 155 | if [ "$result" != "$expected" ]; then | ||
| 156 | fail "match $config expected $expected got $result" | ||
| 157 | fi | ||
| 158 | done | ||