summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--ChangeLog3
-rw-r--r--regress/Makefile9
-rw-r--r--regress/forward-control.sh168
3 files changed, 177 insertions, 3 deletions
diff --git a/ChangeLog b/ChangeLog
index 873d81d59..2e9c4e279 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -27,6 +27,9 @@
27 - djm@cvs.openbsd.org 2012/11/22 22:49:30 27 - djm@cvs.openbsd.org 2012/11/22 22:49:30
28 [regress/Makefile regress/keys-command.sh] 28 [regress/Makefile regress/keys-command.sh]
29 regress for AuthorizedKeysCommand; hints from markus@ 29 regress for AuthorizedKeysCommand; hints from markus@
30 - djm@cvs.openbsd.org 2012/12/02 20:47:48
31 [Makefile regress/forward-control.sh]
32 regress for AllowTcpForwarding local/remote; ok markus@
30 33
3120121114 3420121114
32 - (djm) OpenBSD CVS Sync 35 - (djm) OpenBSD CVS Sync
diff --git a/regress/Makefile b/regress/Makefile
index dcc80b734..c628fb5ff 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,4 +1,4 @@
1# $OpenBSD: Makefile,v 1.59 2012/11/22 22:49:30 djm Exp $ 1# $OpenBSD: Makefile,v 1.60 2012/12/02 20:47:48 djm Exp $
2 2
3REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t8 t9 t-exec 3REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t8 t9 t-exec
4tests: $(REGRESS_TARGETS) 4tests: $(REGRESS_TARGETS)
@@ -58,7 +58,8 @@ LTESTS= connect \
58 cert-hostkey \ 58 cert-hostkey \
59 cert-userkey \ 59 cert-userkey \
60 host-expand \ 60 host-expand \
61 keys-command 61 keys-command \
62 forward-control
62 63
63INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers 64INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers
64#INTEROP_TESTS+=ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp 65#INTEROP_TESTS+=ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp
@@ -78,7 +79,9 @@ CLEANFILES= t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \
78 known_hosts-cert host_ca_key* cert_host_key* \ 79 known_hosts-cert host_ca_key* cert_host_key* \
79 putty.rsa2 sshd_proxy_orig ssh_proxy_bak \ 80 putty.rsa2 sshd_proxy_orig ssh_proxy_bak \
80 key.rsa-* key.dsa-* key.ecdsa-* \ 81 key.rsa-* key.dsa-* key.ecdsa-* \
81 authorized_principals_${USER} expect actual 82 authorized_principals_${USER} expect actual ready \
83 sshd_proxy.* authorized_keys_${USER}.*
84
82 85
83# Enable all malloc(3) randomisations and checks 86# Enable all malloc(3) randomisations and checks
84TEST_ENV= "MALLOC_OPTIONS=AFGJPRX" 87TEST_ENV= "MALLOC_OPTIONS=AFGJPRX"
diff --git a/regress/forward-control.sh b/regress/forward-control.sh
new file mode 100644
index 000000000..9d000bc76
--- /dev/null
+++ b/regress/forward-control.sh
@@ -0,0 +1,168 @@
1# $OpenBSD: forward-control.sh,v 1.1 2012/12/02 20:47:48 djm Exp $
2# Placed in the Public Domain.
3
4tid="sshd control of local and remote forwarding"
5
6LFWD_PORT=3320
7RFWD_PORT=3321
8CTL=$OBJ/ctl-sock
9READY=$OBJ/ready
10
11wait_for_file_to_appear() {
12 _path=$1
13 _n=0
14 while test ! -e $_path ; do
15 test $_n -eq 1 && trace "waiting for $_path to appear"
16 _n=`expr $_n + 1`
17 test $_n -ge 5 && return 1
18 sleep 1
19 done
20 return 0
21}
22
23wait_for_process_to_exit() {
24 _pid=$1
25 _n=0
26 while kill -0 $_pid 2>/dev/null ; do
27 test $_n -eq 1 && trace "waiting for $_pid to exit"
28 _n=`expr $_n + 1`
29 test $_n -ge 5 && return 1
30 sleep 1
31 done
32 return 0
33}
34
35# usage: check_lfwd protocol Y|N message
36check_lfwd() {
37 _proto=$1
38 _expected=$2
39 _message=$3
40 rm -f $READY
41 ${SSH} -oProtocol=$_proto -F $OBJ/ssh_proxy \
42 -L$LFWD_PORT:127.0.0.1:$PORT \
43 -o ExitOnForwardFailure=yes \
44 -n host "sleep 60 & echo \$! > $READY ; wait " \
45 >/dev/null 2>&1 &
46 _sshpid=$!
47 wait_for_file_to_appear $READY || \
48 fatal "check_lfwd ssh fail: $_message"
49 ${SSH} -F $OBJ/ssh_config -p $LFWD_PORT \
50 -oConnectionAttempts=4 host true >/dev/null 2>&1
51 _result=$?
52 kill $_sshpid `cat $READY` 2>/dev/null
53 wait_for_process_to_exit $_sshpid
54 if test "x$_expected" = "xY" -a $_result -ne 0 ; then
55 fail "check_lfwd failed (expecting success): $_message"
56 elif test "x$_expected" = "xN" -a $_result -eq 0 ; then
57 fail "check_lfwd succeeded (expecting failure): $_message"
58 elif test "x$_expected" != "xY" -a "x$_expected" != "xN" ; then
59 fatal "check_lfwd invalid argument \"$_expected\""
60 else
61 verbose "check_lfwd done (expecting $_expected): $_message"
62 fi
63}
64
65# usage: check_rfwd protocol Y|N message
66check_rfwd() {
67 _proto=$1
68 _expected=$2
69 _message=$3
70 rm -f $READY
71 ${SSH} -oProtocol=$_proto -F $OBJ/ssh_proxy \
72 -R$RFWD_PORT:127.0.0.1:$PORT \
73 -o ExitOnForwardFailure=yes \
74 -n host "sleep 60 & echo \$! > $READY ; wait " \
75 >/dev/null 2>&1 &
76 _sshpid=$!
77 wait_for_file_to_appear $READY
78 _result=$?
79 if test $_result -eq 0 ; then
80 ${SSH} -F $OBJ/ssh_config -p $RFWD_PORT \
81 -oConnectionAttempts=4 host true >/dev/null 2>&1
82 _result=$?
83 kill $_sshpid `cat $READY` 2>/dev/null
84 wait_for_process_to_exit $_sshpid
85 fi
86 if test "x$_expected" = "xY" -a $_result -ne 0 ; then
87 fail "check_rfwd failed (expecting success): $_message"
88 elif test "x$_expected" = "xN" -a $_result -eq 0 ; then
89 fail "check_rfwd succeeded (expecting failure): $_message"
90 elif test "x$_expected" != "xY" -a "x$_expected" != "xN" ; then
91 fatal "check_rfwd invalid argument \"$_expected\""
92 else
93 verbose "check_rfwd done (expecting $_expected): $_message"
94 fi
95}
96
97start_sshd
98cp ${OBJ}/sshd_proxy ${OBJ}/sshd_proxy.bak
99cp ${OBJ}/authorized_keys_${USER} ${OBJ}/authorized_keys_${USER}.bak
100
101# Sanity check: ensure the default config allows forwarding
102for p in 1 2 ; do
103 check_lfwd $p Y "proto $p, default configuration"
104 check_rfwd $p Y "proto $p, default configuration"
105done
106
107# Usage: all_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N
108all_tests() {
109 _tcpfwd=$1
110 _plain_lfwd=$2
111 _plain_rfwd=$3
112 _nopermit_lfwd=$4
113 _nopermit_rfwd=$5
114 _permit_lfwd=$6
115 _permit_rfwd=$7
116 _badfwd=127.0.0.1:22
117 _goodfwd=127.0.0.1:${PORT}
118 for _proto in 1 2 ; do
119 cp ${OBJ}/authorized_keys_${USER}.bak \
120 ${OBJ}/authorized_keys_${USER}
121 _prefix="proto $_proto, AllowTcpForwarding=$_tcpfwd"
122 # No PermitOpen
123 ( cat ${OBJ}/sshd_proxy.bak ;
124 echo "AllowTcpForwarding $_tcpfwd" ) \
125 > ${OBJ}/sshd_proxy
126 check_lfwd $_proto $_plain_lfwd "$_prefix"
127 check_rfwd $_proto $_plain_rfwd "$_prefix"
128 # PermitOpen via sshd_config that doesn't match
129 ( cat ${OBJ}/sshd_proxy.bak ;
130 echo "AllowTcpForwarding $_tcpfwd" ;
131 echo "PermitOpen $_badfwd" ) \
132 > ${OBJ}/sshd_proxy
133 check_lfwd $_proto $_nopermit_lfwd "$_prefix, !PermitOpen"
134 check_rfwd $_proto $_nopermit_rfwd "$_prefix, !PermitOpen"
135 # PermitOpen via sshd_config that does match
136 ( cat ${OBJ}/sshd_proxy.bak ;
137 echo "AllowTcpForwarding $_tcpfwd" ;
138 echo "PermitOpen $_badfwd $_goodfwd" ) \
139 > ${OBJ}/sshd_proxy
140 # NB. permitopen via authorized_keys should have same
141 # success/fail as via sshd_config
142 # permitopen via authorized_keys that doesn't match
143 sed "s/^/permitopen=\"$_badfwd\" /" \
144 < ${OBJ}/authorized_keys_${USER}.bak \
145 > ${OBJ}/authorized_keys_${USER} || fatal "sed 1 fail"
146 ( cat ${OBJ}/sshd_proxy.bak ;
147 echo "AllowTcpForwarding $_tcpfwd" ) \
148 > ${OBJ}/sshd_proxy
149 check_lfwd $_proto $_nopermit_lfwd "$_prefix, !permitopen"
150 check_rfwd $_proto $_nopermit_rfwd "$_prefix, !permitopen"
151 # permitopen via authorized_keys that does match
152 sed "s/^/permitopen=\"$_badfwd\",permitopen=\"$_goodfwd\" /" \
153 < ${OBJ}/authorized_keys_${USER}.bak \
154 > ${OBJ}/authorized_keys_${USER} || fatal "sed 2 fail"
155 ( cat ${OBJ}/sshd_proxy.bak ;
156 echo "AllowTcpForwarding $_tcpfwd" ) \
157 > ${OBJ}/sshd_proxy
158 check_lfwd $_proto $_permit_lfwd "$_prefix, permitopen"
159 check_rfwd $_proto $_permit_rfwd "$_prefix, permitopen"
160 done
161}
162
163# no-permitopen mismatch-permitopen match-permitopen
164# AllowTcpForwarding local remote local remote local remote
165all_tests yes Y Y N Y Y Y
166all_tests local Y N N N Y N
167all_tests remote N Y N Y N Y
168all_tests no N N N N N N