authordjm@openbsd.org <djm@openbsd.org>2018-06-06 18:25:33 +0000
committerDamien Miller <djm@mindrot.org>2018-06-07 04:28:25 +1000
commit392db2bc83215986a91c0b65feb0e40e7619ce7e (patch)
tree0c911ad885ffe04e93956fa933c6c8f09ba9f865 /regress
parent803d896ef30758135e2f438bdd1a0be27989e018 (diff)
upstream: regress test for PermitOpen
OpenBSD-Regress-ID: ce8b5f28fc039f09bb297fc4a92319e65982ddaf
Diffstat (limited to 'regress')
-rw-r--r--regress/forward-control.sh77
1 files changed, 62 insertions, 15 deletions
diff --git a/regress/forward-control.sh b/regress/forward-control.sh
index 93d05cf63..c22ca223d 100644
--- a/regress/forward-control.sh
+++ b/regress/forward-control.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: forward-control.sh,v 1.5 2018/03/02 02:51:55 djm Exp $ 1# $OpenBSD: forward-control.sh,v 1.6 2018/06/06 18:25:33 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4tid="sshd control of local and remote forwarding" 4tid="sshd control of local and remote forwarding"
@@ -67,7 +67,7 @@ check_rfwd() {
67 _message=$2 67 _message=$2
68 rm -f $READY 68 rm -f $READY
69 ${SSH} -F $OBJ/ssh_proxy \ 69 ${SSH} -F $OBJ/ssh_proxy \
70 -R$RFWD_PORT:127.0.0.1:$PORT \ 70 -R127.0.0.1:$RFWD_PORT:127.0.0.1:$PORT \
71 -o ExitOnForwardFailure=yes \ 71 -o ExitOnForwardFailure=yes \
72 -n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \ 72 -n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \
73 >/dev/null 2>&1 & 73 >/dev/null 2>&1 &
@@ -100,8 +100,8 @@ cp ${OBJ}/authorized_keys_${USER} ${OBJ}/authorized_keys_${USER}.bak
100check_lfwd Y "default configuration" 100check_lfwd Y "default configuration"
101check_rfwd Y "default configuration" 101check_rfwd Y "default configuration"
102 102
103# Usage: all_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N 103# Usage: lperm_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N
104all_tests() { 104lperm_tests() {
105 _tcpfwd=$1 105 _tcpfwd=$1
106 _plain_lfwd=$2 106 _plain_lfwd=$2
107 _plain_rfwd=$3 107 _plain_rfwd=$3
@@ -109,32 +109,39 @@ all_tests() {
109 _nopermit_rfwd=$5 109 _nopermit_rfwd=$5
110 _permit_lfwd=$6 110 _permit_lfwd=$6
111 _permit_rfwd=$7 111 _permit_rfwd=$7
112 _badfwd=127.0.0.1:22 112 _badfwd1=127.0.0.1:22
113 _badfwd2=127.0.0.2:22
113 _goodfwd=127.0.0.1:${PORT} 114 _goodfwd=127.0.0.1:${PORT}
114 cp ${OBJ}/authorized_keys_${USER}.bak ${OBJ}/authorized_keys_${USER} 115 cp ${OBJ}/authorized_keys_${USER}.bak ${OBJ}/authorized_keys_${USER}
115 _prefix="AllowTcpForwarding=$_tcpfwd" 116 _prefix="AllowTcpForwarding=$_tcpfwd"
117
116 # No PermitOpen 118 # No PermitOpen
117 ( cat ${OBJ}/sshd_proxy.bak ; 119 ( cat ${OBJ}/sshd_proxy.bak ;
118 echo "AllowTcpForwarding $_tcpfwd" ) \ 120 echo "AllowTcpForwarding $_tcpfwd" ) \
119 > ${OBJ}/sshd_proxy 121 > ${OBJ}/sshd_proxy
120 check_lfwd $_plain_lfwd "$_prefix" 122 check_lfwd $_plain_lfwd "$_prefix"
121 check_rfwd $_plain_rfwd "$_prefix" 123 check_rfwd $_plain_rfwd "$_prefix"
124
122 # PermitOpen via sshd_config that doesn't match 125 # PermitOpen via sshd_config that doesn't match
123 ( cat ${OBJ}/sshd_proxy.bak ; 126 ( cat ${OBJ}/sshd_proxy.bak ;
124 echo "AllowTcpForwarding $_tcpfwd" ; 127 echo "AllowTcpForwarding $_tcpfwd" ;
125 echo "PermitOpen $_badfwd" ) \ 128 echo "PermitOpen $_badfwd1 $_badfwd2" ) \
126 > ${OBJ}/sshd_proxy 129 > ${OBJ}/sshd_proxy
127 check_lfwd $_nopermit_lfwd "$_prefix, !PermitOpen" 130 check_lfwd $_nopermit_lfwd "$_prefix, !PermitOpen"
128 check_rfwd $_nopermit_rfwd "$_prefix, !PermitOpen" 131 check_rfwd $_nopermit_rfwd "$_prefix, !PermitOpen"
129 # PermitOpen via sshd_config that does match 132 # PermitOpen via sshd_config that does match
130 ( cat ${OBJ}/sshd_proxy.bak ; 133 ( cat ${OBJ}/sshd_proxy.bak ;
131 echo "AllowTcpForwarding $_tcpfwd" ; 134 echo "AllowTcpForwarding $_tcpfwd" ;
132 echo "PermitOpen $_badfwd $_goodfwd" ) \ 135 echo "PermitOpen $_badfwd1 $_goodfwd $_badfwd2" ) \
133 > ${OBJ}/sshd_proxy 136 > ${OBJ}/sshd_proxy
137 check_lfwd $_plain_lfwd "$_prefix, PermitOpen"
138 check_rfwd $_plain_rfwd "$_prefix, PermitOpen"
139
140 # permitopen keys option.
134 # NB. permitopen via authorized_keys should have same 141 # NB. permitopen via authorized_keys should have same
135 # success/fail as via sshd_config 142 # success/fail as via sshd_config
136 # permitopen via authorized_keys that doesn't match 143 # permitopen via authorized_keys that doesn't match
137 sed "s/^/permitopen=\"$_badfwd\" /" \ 144 sed "s/^/permitopen=\"$_badfwd1\",permitopen=\"$_badfwd2\" /" \
138 < ${OBJ}/authorized_keys_${USER}.bak \ 145 < ${OBJ}/authorized_keys_${USER}.bak \
139 > ${OBJ}/authorized_keys_${USER} || fatal "sed 1 fail" 146 > ${OBJ}/authorized_keys_${USER} || fatal "sed 1 fail"
140 ( cat ${OBJ}/sshd_proxy.bak ; 147 ( cat ${OBJ}/sshd_proxy.bak ;
@@ -143,7 +150,7 @@ all_tests() {
143 check_lfwd $_nopermit_lfwd "$_prefix, !permitopen" 150 check_lfwd $_nopermit_lfwd "$_prefix, !permitopen"
144 check_rfwd $_nopermit_rfwd "$_prefix, !permitopen" 151 check_rfwd $_nopermit_rfwd "$_prefix, !permitopen"
145 # permitopen via authorized_keys that does match 152 # permitopen via authorized_keys that does match
146 sed "s/^/permitopen=\"$_badfwd\",permitopen=\"$_goodfwd\" /" \ 153 sed "s/^/permitopen=\"$_badfwd1\",permitopen=\"$_goodfwd\" /" \
147 < ${OBJ}/authorized_keys_${USER}.bak \ 154 < ${OBJ}/authorized_keys_${USER}.bak \
148 > ${OBJ}/authorized_keys_${USER} || fatal "sed 2 fail" 155 > ${OBJ}/authorized_keys_${USER} || fatal "sed 2 fail"
149 ( cat ${OBJ}/sshd_proxy.bak ; 156 ( cat ${OBJ}/sshd_proxy.bak ;
@@ -151,6 +158,7 @@ all_tests() {
151 > ${OBJ}/sshd_proxy 158 > ${OBJ}/sshd_proxy
152 check_lfwd $_permit_lfwd "$_prefix, permitopen" 159 check_lfwd $_permit_lfwd "$_prefix, permitopen"
153 check_rfwd $_permit_rfwd "$_prefix, permitopen" 160 check_rfwd $_permit_rfwd "$_prefix, permitopen"
161
154 # Check port-forwarding flags in authorized_keys. 162 # Check port-forwarding flags in authorized_keys.
155 # These two should refuse all. 163 # These two should refuse all.
156 sed "s/^/no-port-forwarding /" \ 164 sed "s/^/no-port-forwarding /" \
@@ -180,9 +188,48 @@ all_tests() {
180 check_rfwd $_plain_rfwd "$_prefix, restrict,port-forwarding" 188 check_rfwd $_plain_rfwd "$_prefix, restrict,port-forwarding"
181} 189}
182 190
183# no-permitopen mismatch-permitopen match-permitopen 191# permit-open none mismatch match
184# AllowTcpForwarding local remote local remote local remote 192# AllowTcpForwarding local remote local remote local remote
185all_tests yes Y Y N Y Y Y 193lperm_tests yes Y Y N Y Y Y
186all_tests local Y N N N Y N 194lperm_tests local Y N N N Y N
187all_tests remote N Y N Y N Y 195lperm_tests remote N Y N Y N Y
188all_tests no N N N N N N 196lperm_tests no N N N N N N
197
198# Usage: rperm_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N
199rperm_tests() {
200 _tcpfwd=$1
201 _plain_lfwd=$2
202 _plain_rfwd=$3
203 _nopermit_lfwd=$4
204 _nopermit_rfwd=$5
205 _permit_lfwd=$6
206 _permit_rfwd=$7
207 _badfwd1=127.0.0.1:22
208 _badfwd2=127.0.0.2:${RFWD_PORT}
209 _goodfwd=127.0.0.1:${RFWD_PORT}
210 cp ${OBJ}/authorized_keys_${USER}.bak ${OBJ}/authorized_keys_${USER}
211 _prefix="AllowTcpForwarding=$_tcpfwd"
212
213 # PermitRemoteOpen via sshd_config that doesn't match
214 ( cat ${OBJ}/sshd_proxy.bak ;
215 echo "AllowTcpForwarding $_tcpfwd" ;
216 echo "PermitRemoteOpen $_badfwd1 $_badfwd2" ) \
217 > ${OBJ}/sshd_proxy
218 check_lfwd $_nopermit_lfwd "$_prefix, !PermitRemoteOpen"
219 check_rfwd $_nopermit_rfwd "$_prefix, !PermitRemoteOpen"
220 # PermitRemoteOpen via sshd_config that does match
221 ( cat ${OBJ}/sshd_proxy.bak ;
222 echo "AllowTcpForwarding $_tcpfwd" ;
223 echo "PermitRemoteOpen $_badfwd1 $_goodfwd $_badfwd2" ) \
224 > ${OBJ}/sshd_proxy
225 check_lfwd $_plain_lfwd "$_prefix, PermitRemoteOpen"
226 check_rfwd $_plain_rfwd "$_prefix, PermitRemoteOpen"
227}
228
229# permit-remote-open none mismatch match
230# AllowTcpForwarding local remote local remote local remote
231rperm_tests yes Y Y Y N Y Y
232rperm_tests local Y N Y N Y N
233rperm_tests remote N Y N N N Y
234rperm_tests no N N N N N N
235
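Review bot: In rperm_tests (last hunk, new lines 225-226) the PermitRemoteOpen "does match" case checks `$_plain_lfwd`/`$_plain_rfwd`, so `_permit_lfwd=$6` and `_permit_rfwd=$7` (new lines 205-206) are assigned but never read and the table's "match" column is never exercised; the rows pass only because the "none" and "match" columns are identical in every call at new lines 231-234. The intended lines are presumably `check_lfwd $_permit_lfwd "$_prefix, PermitRemoteOpen"` and `check_rfwd $_permit_rfwd "$_prefix, PermitRemoteOpen"`, mirroring the authorized_keys match case in lperm_tests (new lines 159-160). If $2/$3 are instead meant as the no-PermitRemoteOpen baseline that the header comment on new line 229 ("none") suggests, that baseline case is missing from rperm_tests altogether, unlike the "No PermitOpen" case in lperm_tests. Coverage note: every remote forward goes through check_rfwd's now-explicit `-R127.0.0.1:$RFWD_PORT:...` bind (new line 70), so how a non-wildcard PermitRemoteOpen treats a request with an unspecified bind address is not covered here — worth a case if that matching is part of what this test is meant to pin down.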