diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2018-06-06 18:25:33 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2018-06-07 04:28:25 +1000 |
| commit | 392db2bc83215986a91c0b65feb0e40e7619ce7e (patch) | |
| tree | 0c911ad885ffe04e93956fa933c6c8f09ba9f865 /regress | |
| parent | 803d896ef30758135e2f438bdd1a0be27989e018 (diff) | |
upstream: regress test for PermitOpen
OpenBSD-Regress-ID: ce8b5f28fc039f09bb297fc4a92319e65982ddaf
Diffstat (limited to 'regress')
| -rw-r--r-- | regress/forward-control.sh | 77 |
1 files changed, 62 insertions, 15 deletions
diff --git a/regress/forward-control.sh b/regress/forward-control.sh index 93d05cf63..c22ca223d 100644 --- a/regress/forward-control.sh +++ b/regress/forward-control.sh | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | # $OpenBSD: forward-control.sh,v 1.5 2018/03/02 02:51:55 djm Exp $ | 1 | # $OpenBSD: forward-control.sh,v 1.6 2018/06/06 18:25:33 djm Exp $ |
| 2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
| 3 | 3 | ||
| 4 | tid="sshd control of local and remote forwarding" | 4 | tid="sshd control of local and remote forwarding" |
| @@ -67,7 +67,7 @@ check_rfwd() { | |||
| 67 | _message=$2 | 67 | _message=$2 |
| 68 | rm -f $READY | 68 | rm -f $READY |
| 69 | ${SSH} -F $OBJ/ssh_proxy \ | 69 | ${SSH} -F $OBJ/ssh_proxy \ |
| 70 | -R$RFWD_PORT:127.0.0.1:$PORT \ | 70 | -R127.0.0.1:$RFWD_PORT:127.0.0.1:$PORT \ |
| 71 | -o ExitOnForwardFailure=yes \ | 71 | -o ExitOnForwardFailure=yes \ |
| 72 | -n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \ | 72 | -n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \ |
| 73 | >/dev/null 2>&1 & | 73 | >/dev/null 2>&1 & |
| @@ -100,8 +100,8 @@ cp ${OBJ}/authorized_keys_${USER} ${OBJ}/authorized_keys_${USER}.bak | |||
| 100 | check_lfwd Y "default configuration" | 100 | check_lfwd Y "default configuration" |
| 101 | check_rfwd Y "default configuration" | 101 | check_rfwd Y "default configuration" |
| 102 | 102 | ||
| 103 | # Usage: all_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N | 103 | # Usage: lperm_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N |
| 104 | all_tests() { | 104 | lperm_tests() { |
| 105 | _tcpfwd=$1 | 105 | _tcpfwd=$1 |
| 106 | _plain_lfwd=$2 | 106 | _plain_lfwd=$2 |
| 107 | _plain_rfwd=$3 | 107 | _plain_rfwd=$3 |
| @@ -109,32 +109,39 @@ all_tests() { | |||
| 109 | _nopermit_rfwd=$5 | 109 | _nopermit_rfwd=$5 |
| 110 | _permit_lfwd=$6 | 110 | _permit_lfwd=$6 |
| 111 | _permit_rfwd=$7 | 111 | _permit_rfwd=$7 |
| 112 | _badfwd=127.0.0.1:22 | 112 | _badfwd1=127.0.0.1:22 |
| 113 | _badfwd2=127.0.0.2:22 | ||
| 113 | _goodfwd=127.0.0.1:${PORT} | 114 | _goodfwd=127.0.0.1:${PORT} |
| 114 | cp ${OBJ}/authorized_keys_${USER}.bak ${OBJ}/authorized_keys_${USER} | 115 | cp ${OBJ}/authorized_keys_${USER}.bak ${OBJ}/authorized_keys_${USER} |
| 115 | _prefix="AllowTcpForwarding=$_tcpfwd" | 116 | _prefix="AllowTcpForwarding=$_tcpfwd" |
| 117 | |||
| 116 | # No PermitOpen | 118 | # No PermitOpen |
| 117 | ( cat ${OBJ}/sshd_proxy.bak ; | 119 | ( cat ${OBJ}/sshd_proxy.bak ; |
| 118 | echo "AllowTcpForwarding $_tcpfwd" ) \ | 120 | echo "AllowTcpForwarding $_tcpfwd" ) \ |
| 119 | > ${OBJ}/sshd_proxy | 121 | > ${OBJ}/sshd_proxy |
| 120 | check_lfwd $_plain_lfwd "$_prefix" | 122 | check_lfwd $_plain_lfwd "$_prefix" |
| 121 | check_rfwd $_plain_rfwd "$_prefix" | 123 | check_rfwd $_plain_rfwd "$_prefix" |
| 124 | |||
| 122 | # PermitOpen via sshd_config that doesn't match | 125 | # PermitOpen via sshd_config that doesn't match |
| 123 | ( cat ${OBJ}/sshd_proxy.bak ; | 126 | ( cat ${OBJ}/sshd_proxy.bak ; |
| 124 | echo "AllowTcpForwarding $_tcpfwd" ; | 127 | echo "AllowTcpForwarding $_tcpfwd" ; |
| 125 | echo "PermitOpen $_badfwd" ) \ | 128 | echo "PermitOpen $_badfwd1 $_badfwd2" ) \ |
| 126 | > ${OBJ}/sshd_proxy | 129 | > ${OBJ}/sshd_proxy |
| 127 | check_lfwd $_nopermit_lfwd "$_prefix, !PermitOpen" | 130 | check_lfwd $_nopermit_lfwd "$_prefix, !PermitOpen" |
| 128 | check_rfwd $_nopermit_rfwd "$_prefix, !PermitOpen" | 131 | check_rfwd $_nopermit_rfwd "$_prefix, !PermitOpen" |
| 129 | # PermitOpen via sshd_config that does match | 132 | # PermitOpen via sshd_config that does match |
| 130 | ( cat ${OBJ}/sshd_proxy.bak ; | 133 | ( cat ${OBJ}/sshd_proxy.bak ; |
| 131 | echo "AllowTcpForwarding $_tcpfwd" ; | 134 | echo "AllowTcpForwarding $_tcpfwd" ; |
| 132 | echo "PermitOpen $_badfwd $_goodfwd" ) \ | 135 | echo "PermitOpen $_badfwd1 $_goodfwd $_badfwd2" ) \ |
| 133 | > ${OBJ}/sshd_proxy | 136 | > ${OBJ}/sshd_proxy |
| 137 | check_lfwd $_plain_lfwd "$_prefix, PermitOpen" | ||
| 138 | check_rfwd $_plain_rfwd "$_prefix, PermitOpen" | ||
| 139 | |||
| 140 | # permitopen keys option. | ||
| 134 | # NB. permitopen via authorized_keys should have same | 141 | # NB. permitopen via authorized_keys should have same |
| 135 | # success/fail as via sshd_config | 142 | # success/fail as via sshd_config |
| 136 | # permitopen via authorized_keys that doesn't match | 143 | # permitopen via authorized_keys that doesn't match |
| 137 | sed "s/^/permitopen=\"$_badfwd\" /" \ | 144 | sed "s/^/permitopen=\"$_badfwd1\",permitopen=\"$_badfwd2\" /" \ |
| 138 | < ${OBJ}/authorized_keys_${USER}.bak \ | 145 | < ${OBJ}/authorized_keys_${USER}.bak \ |
| 139 | > ${OBJ}/authorized_keys_${USER} || fatal "sed 1 fail" | 146 | > ${OBJ}/authorized_keys_${USER} || fatal "sed 1 fail" |
| 140 | ( cat ${OBJ}/sshd_proxy.bak ; | 147 | ( cat ${OBJ}/sshd_proxy.bak ; |
| @@ -143,7 +150,7 @@ all_tests() { | |||
| 143 | check_lfwd $_nopermit_lfwd "$_prefix, !permitopen" | 150 | check_lfwd $_nopermit_lfwd "$_prefix, !permitopen" |
| 144 | check_rfwd $_nopermit_rfwd "$_prefix, !permitopen" | 151 | check_rfwd $_nopermit_rfwd "$_prefix, !permitopen" |
| 145 | # permitopen via authorized_keys that does match | 152 | # permitopen via authorized_keys that does match |
| 146 | sed "s/^/permitopen=\"$_badfwd\",permitopen=\"$_goodfwd\" /" \ | 153 | sed "s/^/permitopen=\"$_badfwd1\",permitopen=\"$_goodfwd\" /" \ |
| 147 | < ${OBJ}/authorized_keys_${USER}.bak \ | 154 | < ${OBJ}/authorized_keys_${USER}.bak \ |
| 148 | > ${OBJ}/authorized_keys_${USER} || fatal "sed 2 fail" | 155 | > ${OBJ}/authorized_keys_${USER} || fatal "sed 2 fail" |
| 149 | ( cat ${OBJ}/sshd_proxy.bak ; | 156 | ( cat ${OBJ}/sshd_proxy.bak ; |
| @@ -151,6 +158,7 @@ all_tests() { | |||
| 151 | > ${OBJ}/sshd_proxy | 158 | > ${OBJ}/sshd_proxy |
| 152 | check_lfwd $_permit_lfwd "$_prefix, permitopen" | 159 | check_lfwd $_permit_lfwd "$_prefix, permitopen" |
| 153 | check_rfwd $_permit_rfwd "$_prefix, permitopen" | 160 | check_rfwd $_permit_rfwd "$_prefix, permitopen" |
| 161 | |||
| 154 | # Check port-forwarding flags in authorized_keys. | 162 | # Check port-forwarding flags in authorized_keys. |
| 155 | # These two should refuse all. | 163 | # These two should refuse all. |
| 156 | sed "s/^/no-port-forwarding /" \ | 164 | sed "s/^/no-port-forwarding /" \ |
| @@ -180,9 +188,48 @@ all_tests() { | |||
| 180 | check_rfwd $_plain_rfwd "$_prefix, restrict,port-forwarding" | 188 | check_rfwd $_plain_rfwd "$_prefix, restrict,port-forwarding" |
| 181 | } | 189 | } |
| 182 | 190 | ||
| 183 | # no-permitopen mismatch-permitopen match-permitopen | 191 | # permit-open none mismatch match |
| 184 | # AllowTcpForwarding local remote local remote local remote | 192 | # AllowTcpForwarding local remote local remote local remote |
| 185 | all_tests yes Y Y N Y Y Y | 193 | lperm_tests yes Y Y N Y Y Y |
| 186 | all_tests local Y N N N Y N | 194 | lperm_tests local Y N N N Y N |
| 187 | all_tests remote N Y N Y N Y | 195 | lperm_tests remote N Y N Y N Y |
| 188 | all_tests no N N N N N N | 196 | lperm_tests no N N N N N N |
| 197 | |||
| 198 | # Usage: rperm_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N | ||
| 199 | rperm_tests() { | ||
| 200 | _tcpfwd=$1 | ||
| 201 | _plain_lfwd=$2 | ||
| 202 | _plain_rfwd=$3 | ||
| 203 | _nopermit_lfwd=$4 | ||
| 204 | _nopermit_rfwd=$5 | ||
| 205 | _permit_lfwd=$6 | ||
| 206 | _permit_rfwd=$7 | ||
| 207 | _badfwd1=127.0.0.1:22 | ||
| 208 | _badfwd2=127.0.0.2:${RFWD_PORT} | ||
| 209 | _goodfwd=127.0.0.1:${RFWD_PORT} | ||
| 210 | cp ${OBJ}/authorized_keys_${USER}.bak ${OBJ}/authorized_keys_${USER} | ||
| 211 | _prefix="AllowTcpForwarding=$_tcpfwd" | ||
| 212 | |||
| 213 | # PermitRemoteOpen via sshd_config that doesn't match | ||
| 214 | ( cat ${OBJ}/sshd_proxy.bak ; | ||
| 215 | echo "AllowTcpForwarding $_tcpfwd" ; | ||
| 216 | echo "PermitRemoteOpen $_badfwd1 $_badfwd2" ) \ | ||
| 217 | > ${OBJ}/sshd_proxy | ||
| 218 | check_lfwd $_nopermit_lfwd "$_prefix, !PermitRemoteOpen" | ||
| 219 | check_rfwd $_nopermit_rfwd "$_prefix, !PermitRemoteOpen" | ||
| 220 | # PermitRemoteOpen via sshd_config that does match | ||
| 221 | ( cat ${OBJ}/sshd_proxy.bak ; | ||
| 222 | echo "AllowTcpForwarding $_tcpfwd" ; | ||
| 223 | echo "PermitRemoteOpen $_badfwd1 $_goodfwd $_badfwd2" ) \ | ||
| 224 | > ${OBJ}/sshd_proxy | ||
| 225 | check_lfwd $_plain_lfwd "$_prefix, PermitRemoteOpen" | ||
| 226 | check_rfwd $_plain_rfwd "$_prefix, PermitRemoteOpen" | ||
| 227 | } | ||
| 228 | |||
| 229 | # permit-remote-open none mismatch match | ||
| 230 | # AllowTcpForwarding local remote local remote local remote | ||
| 231 | rperm_tests yes Y Y Y N Y Y | ||
| 232 | rperm_tests local Y N Y N Y N | ||
| 233 | rperm_tests remote N Y N N N Y | ||
| 234 | rperm_tests no N N N N N N | ||
| 235 | |||