-rw-r--r--ChangeLog6
-rw-r--r--regress/Makefile10
-rw-r--r--regress/agent-getpeereid.sh7
-rw-r--r--regress/cfgmatch.sh105
-rw-r--r--regress/cipher-speed.sh47
-rw-r--r--regress/forcecommand.sh42
-rw-r--r--regress/forwarding.sh32
7 files changed, 242 insertions, 7 deletions
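--- a/ChangeLog
+++ b/ChangeLog
@@ -131,6 +131,10 @@
  names)
  - (djm) [Makefile.in]
  Remove generated openbsd-compat/regress/Makefile in distclean target
+ - (djm) [regress/Makefile regress/agent-getpeereid.sh regress/cfgmatch.sh]
+ [regress/cipher-speed.sh regress/forcecommand.sh regress/forwarding.sh]
+ Sync regress tests to -current; include dtucker@'s new cfgmatch and
+ forcecommand tests. Add cipher-speed.sh test (not linked in yet)
 
 20060713
  - (dtucker) [auth-krb5.c auth-pam.c] Still more errno.h
@@ -5049,4 +5053,4 @@
  - (djm) Trim deprecated options from INSTALL. Mention UsePAM
  - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
 
-$Id: ChangeLog,v 1.4435 2006/07/24 05:30:18 djm Exp $
+$Id: ChangeLog,v 1.4436 2006/07/24 05:31:41 djm Exp $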
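--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.36 2005/03/04 08:48:46 djm Exp $
+# $OpenBSD: Makefile,v 1.42 2006/07/19 13:34:52 dtucker Exp $
 
 REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t-exec
 tests: $(REGRESS_TARGETS)
@@ -40,7 +40,9 @@ LTESTS= connect \
  forwarding \
  multiplex \
  reexec \
- brokenkeys
+ brokenkeys \
+ cfgmatch \
+ forcecommand
 
 USER!= id -un
 CLEANFILES= t2.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \
@@ -49,8 +51,8 @@ CLEANFILES= t2.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \
  rsa.pub rsa rsa1.pub rsa1 host.rsa host.rsa1 \
  rsa-agent rsa-agent.pub rsa1-agent rsa1-agent.pub \
  ls.copy banner.in banner.out empty.in \
- scp-ssh-wrapper.scp ssh_proxy_envpass \
- remote_pid
+ scp-ssh-wrapper.scp ssh_proxy_envpass remote_pid \
+ sshd_proxy_bak rsa_ssh2_cr.prv rsa_ssh2_crnl.prv
 
 #LTESTS += ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp
 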
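--- a/regress/agent-getpeereid.sh
+++ b/regress/agent-getpeereid.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: agent-getpeereid.sh,v 1.2 2005/11/14 21:25:56 grunk Exp $
+# $OpenBSD: agent-getpeereid.sh,v 1.3 2006/07/06 12:01:53 grunk Exp $
 # Placed in the Public Domain.
 
 tid="disallow agent attach from other uid"
@@ -12,6 +12,11 @@ then
  echo "skipped (not supported on this platform)"
  exit 0
 fi
+if [ -z "$SUDO" ]; then
+ echo "skipped: need SUDO to switch to uid $UNPRIV"
+ exit 0
+fi
+
 
 trace "start agent"
 eval `${SSHAGENT} -s -a ${ASOCK}` > /dev/null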
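Review bot: The new `[ -z "$SUDO" ]` guard exits 0 after printing "skipped", so a run without SUDO returns the same status as a pass while the cross-uid agent attach check is never exercised. That matches the platform skip just above it, but a comment such as `# without $SUDO we cannot switch to $UNPRIV, so the peer-uid check on the agent socket is not tested` would make the coverage gap explicit. Whether `$UNPRIV` is already assigned at this point is not visible in the hunk; if it is set later, the message prints an empty uid.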
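--- /dev/null
+++ b/regress/cfgmatch.sh
@@ -0,0 +1,105 @@
+# $OpenBSD: cfgmatch.sh,v 1.2 2006/07/22 01:50:00 dtucker Exp $
+# Placed in the Public Domain.
+
+tid="sshd_config match"
+
+pidfile=$OBJ/remote_pid
+fwdport=3301
+fwd="-L $fwdport:127.0.0.1:$PORT"
+
+stop_client()
+{
+ pid=`cat $pidfile`
+ if [ ! -z "$pid" ]; then
+ kill $pid
+ fi
+}
+
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+
+echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_config
+echo "Match Address 127.0.0.1" >>$OBJ/sshd_config
+echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_config
+
+echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_proxy
+echo "Match Address 127.0.0.1" >>$OBJ/sshd_proxy
+echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_proxy
+
+start_sshd
+
+#set -x
+
+# Test Match + PermitOpen in sshd_config. This should be permitted
+for p in 1 2; do
+ rm -f $pidfile
+ trace "match permitopen localhost proto $p"
+ ${SSH} -$p $fwd -F $OBJ/ssh_config -f somehost \
+ "echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 ||\
+ fail "match permitopen proto $p sshd failed"
+ sleep 1;
+ ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
+ fail "match permitopen permit proto $p"
+ stop_client
+done
+
+# Same but from different source. This should not be permitted
+for p in 1 2; do
+ rm -f $pidfile
+ trace "match permitopen proxy proto $p"
+ ${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \
+ "echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 ||\
+ fail "match permitopen proxy proto $p sshd failed"
+ sleep 1;
+ ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
+ fail "match permitopen deny proto $p"
+ stop_client
+done
+
+# Retry previous with key option, should also be denied.
+echo -n 'permitopen="127.0.0.1:'$PORT'" ' >$OBJ/authorized_keys_$USER
+cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
+echo -n 'permitopen="127.0.0.1:'$PORT'" ' >>$OBJ/authorized_keys_$USER
+cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
+for p in 1 2; do
+ rm -f $pidfile
+ trace "match permitopen proxy w/key opts proto $p"
+ ${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \
+ "echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 ||\
+ fail "match permitopen w/key opt proto $p sshd failed"
+ sleep 1;
+ ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
+ fail "match permitopen deny w/key opt proto $p"
+ stop_client
+done
+
+# Test both sshd_config and key options permitting the same dst/port pair.
+# Should be permitted.
+for p in 1 2; do
+ rm -f $pidfile
+ trace "match permitopen localhost proto $p"
+ ${SSH} -$p $fwd -F $OBJ/ssh_config -f somehost \
+ "echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 ||\
+ fail "match permitopen proto $p sshd failed"
+ sleep 1;
+ ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
+ fail "match permitopen permit proto $p"
+ stop_client
+done
+
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy
+echo "Match User $USER" >>$OBJ/sshd_proxy
+echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
+
+# Test that a Match overrides a PermitOpen in the global section
+for p in 1 2; do
+ rm -f $pidfile
+ trace "match permitopen proxy w/key opts proto $p"
+ ${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \
+ "echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 ||\
+ fail "match override permitopen proto $p sshd failed"
+ sleep 1;
+ ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
+ fail "match override permitopen proto $p"
+ stop_client
+done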
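Review bot: The three "should not be permitted" loops accept any non-zero exit from the second `${SSH}` as proof of denial, so a forward that never came up (port 3301 already bound, or the client not ready after `sleep 1`) looks the same as sshd actually refusing the PermitOpen destination. Making the forwarding client fail hard on a bind error, `${SSH} -q -$p $fwd -oExitOnForwardFailure=yes -F $OBJ/ssh_proxy -f somehost \`, and checking `[ -s $pidfile ] || fail "forwarding client did not start proto $p"` before the deny assertion would tie the negative result to the server-side check. `stop_client` also runs `cat $pidfile` without testing that the file exists. The trace strings in the last two loops repeat earlier ones (`match permitopen localhost`, `w/key opts`), so log lines cannot be attributed to the case that produced them.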
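--- /dev/null
+++ b/regress/cipher-speed.sh
@@ -0,0 +1,47 @@
+# $OpenBSD: cipher-speed.sh,v 1.2 2005/05/24 04:09:54 djm Exp $
+# Placed in the Public Domain.
+
+tid="cipher speed"
+
+getbytes ()
+{
+ sed -n '/transferred/s/.*secs (\(.* bytes.sec\).*/\1/p'
+}
+
+tries="1 2"
+DATA=/bin/ls
+DATA=/bsd
+
+macs="hmac-sha1 hmac-md5 hmac-sha1-96 hmac-md5-96"
+ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc
+ arcfour128 arcfour256 arcfour aes192-cbc aes256-cbc aes128-ctr"
+
+for c in $ciphers; do for m in $macs; do
+ trace "proto 2 cipher $c mac $m"
+ for x in $tries; do
+ echo -n "$c/$m:\t"
+ ( ${SSH} -o 'compression no' \
+ -F $OBJ/ssh_proxy -2 -m $m -c $c somehost \
+ exec sh -c \'"dd of=/dev/null obs=32k"\' \
+ < ${DATA} ) 2>&1 | getbytes
+
+ if [ $? -ne 0 ]; then
+ fail "ssh -2 failed with mac $m cipher $c"
+ fi
+ done
+done; done
+
+ciphers="3des blowfish"
+for c in $ciphers; do
+ trace "proto 1 cipher $c"
+ for x in $tries; do
+ echo -n "$c:\t"
+ ( ${SSH} -o 'compression no' \
+ -F $OBJ/ssh_proxy -1 -c $c somehost \
+ exec sh -c \'"dd of=/dev/null obs=32k"\' \
+ < ${DATA} ) 2>&1 | getbytes
+ if [ $? -ne 0 ]; then
+ fail "ssh -1 failed with cipher $c"
+ fi
+ done
+done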
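Review bot: `$?` after `( ${SSH} ... ) 2>&1 | getbytes` is the exit status of the `sed` inside `getbytes`, not of ssh, so `fail "ssh -2 failed with mac $m cipher $c"` cannot fire when the connection fails or the server rejects the cipher/MAC; the proto 1 loop has the same pattern. Run ssh on its own, test its status, and only then pipe the captured output to `getbytes`, as sketched below for the proto 2 loop. Separately, `DATA=/bin/ls` is overwritten on the next line by `DATA=/bsd`, a path that presumably exists only on OpenBSD, so one of the two assignments should go before this test is linked in.

```shell
	for x in $tries; do
		echo -n "$c/$m:\t"
		# capture first so that $? is ssh's status, not sed's
		out=`${SSH} -o 'compression no' \
		    -F $OBJ/ssh_proxy -2 -m $m -c $c somehost \
		    exec sh -c \'"dd of=/dev/null obs=32k"\' \
		    < ${DATA} 2>&1`
		if [ $? -ne 0 ]; then
			fail "ssh -2 failed with mac $m cipher $c"
		fi
		printf '%s\n' "$out" | getbytes
	done
```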
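--- /dev/null
+++ b/regress/forcecommand.sh
@@ -0,0 +1,42 @@
+# $OpenBSD: forcecommand.sh,v 1.1 2006/07/19 13:09:28 dtucker Exp $
+# Placed in the Public Domain.
+
+tid="forced command"
+
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+
+echo -n 'command="true" ' >$OBJ/authorized_keys_$USER
+cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
+echo -n 'command="true" ' >>$OBJ/authorized_keys_$USER
+cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
+
+for p in 1 2; do
+ trace "forced command in key option proto $p"
+ ${SSH} -$p -F $OBJ/ssh_proxy somehost false \ ||
+ fail "forced command in key proto $p"
+done
+
+echo -n 'command="false" ' >$OBJ/authorized_keys_$USER
+cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
+echo -n 'command="false" ' >>$OBJ/authorized_keys_$USER
+cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
+
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+echo "ForceCommand true" >> $OBJ/sshd_proxy
+
+for p in 1 2; do
+ trace "forced command in sshd_config overrides key option proto $p"
+ ${SSH} -$p -F $OBJ/ssh_proxy somehost false \ ||
+ fail "forced command in key proto $p"
+done
+
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+echo "ForceCommand false" >> $OBJ/sshd_proxy
+echo "Match User $USER" >> $OBJ/sshd_proxy
+echo " ForceCommand true" >> $OBJ/sshd_proxy
+
+for p in 1 2; do
+ trace "forced command with match proto $p"
+ ${SSH} -$p -F $OBJ/ssh_proxy somehost false \ ||
+ fail "forced command in key proto $p"
+done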
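Review bot: All three loops end the ssh line with `somehost false \ ||`, where `\ ` as rendered is an escaped space rather than a line continuation, so a literal blank is handed to ssh as an extra command argument; the trailing `||` already continues the line, so `${SSH} -$p -F $OBJ/ssh_proxy somehost false ||` is presumably what was meant. The three `fail` messages are also identical (`forced command in key proto $p`), so a failure of the sshd_config-override or Match case cannot be told apart from the key-option case; distinct text such as `fail "forced command in sshd_config proto $p"` and `fail "forced command with match proto $p"` would fix that. The script exits leaving `$OBJ/sshd_proxy` with a trailing Match block and `authorized_keys_$USER` with `command="false"`; if the harness does not regenerate these per test (not visible here), they should be restored at the end.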
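--- a/regress/forwarding.sh
+++ b/regress/forwarding.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: forwarding.sh,v 1.5 2005/03/10 10:20:39 dtucker Exp $
+# $OpenBSD: forwarding.sh,v 1.6 2006/07/11 18:51:21 markus Exp $
 # Placed in the Public Domain.
 
 tid="local and remote forwarding"
@@ -34,6 +34,36 @@ for p in 1 2; do
 done
 
 for p in 1 2; do
+for d in L R; do
+ trace "exit on -$d forward failure, proto $p"
+
+ # this one should succeed
+ ${SSH} -$p -F $OBJ/ssh_config \
+ -$d ${base}01:127.0.0.1:$PORT \
+ -$d ${base}02:127.0.0.1:$PORT \
+ -$d ${base}03:127.0.0.1:$PORT \
+ -$d ${base}04:127.0.0.1:$PORT \
+ -oExitOnForwardFailure=yes somehost true
+ if [ $? != 0 ]; then
+ fail "connection failed, should not"
+ else
+ # this one should fail
+ ${SSH} -q -$p -F $OBJ/ssh_config \
+ -$d ${base}01:127.0.0.1:$PORT \
+ -$d ${base}02:127.0.0.1:$PORT \
+ -$d ${base}03:127.0.0.1:$PORT \
+ -$d ${base}01:127.0.0.1:$PORT \
+ -$d ${base}04:127.0.0.1:$PORT \
+ -oExitOnForwardFailure=yes somehost true
+ r=$?
+ if [ $r != 255 ]; then
+ fail "connection not termintated, but should ($r)"
+ fi
+ fi
+done
+done
+
+for p in 1 2; do
  trace "simple clear forwarding proto $p"
  ${SSH} -$p -F $OBJ/ssh_config -oClearAllForwardings=yes somehost true
 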
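Review bot: The failure message in the added block is misspelled: `fail "connection not termintated, but should ($r)"` should read `terminated`, otherwise a log search for that word misses it. The two status checks compare unquoted values as strings (`[ $? != 0 ]`, `[ $r != 255 ]`); `[ $r -ne 255 ]` states the numeric intent directly. The `# this one should fail` comment would be clearer as `# ${base}01 is requested twice, so the second bind must fail and ssh must exit 255`, since the duplicate is easy to read as a typo. `${base}` is defined outside this hunk.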