-rw-r--r-- | ChangeLog | 6 | ||||
-rw-r--r-- | regress/Makefile | 10 | ||||
-rw-r--r-- | regress/agent-getpeereid.sh | 7 | ||||
-rw-r--r-- | regress/cfgmatch.sh | 105 | ||||
-rw-r--r-- | regress/cipher-speed.sh | 47 | ||||
-rw-r--r-- | regress/forcecommand.sh | 42 | ||||
-rw-r--r-- | regress/forwarding.sh | 32 |
7 files changed, 242 insertions, 7 deletions
@@ -131,6 +131,10 @@ | |||
131 | names) | 131 | names) |
132 | - (djm) [Makefile.in] | 132 | - (djm) [Makefile.in] |
133 | Remove generated openbsd-compat/regress/Makefile in distclean target | 133 | Remove generated openbsd-compat/regress/Makefile in distclean target |
134 | - (djm) [regress/Makefile regress/agent-getpeereid.sh regress/cfgmatch.sh] | ||
135 | [regress/cipher-speed.sh regress/forcecommand.sh regress/forwarding.sh] | ||
136 | Sync regress tests to -current; include dtucker@'s new cfgmatch and | ||
137 | forcecommand tests. Add cipher-speed.sh test (not linked in yet) | ||
134 | 138 | ||
135 | 20060713 | 139 | 20060713 |
136 | - (dtucker) [auth-krb5.c auth-pam.c] Still more errno.h | 140 | - (dtucker) [auth-krb5.c auth-pam.c] Still more errno.h |
@@ -5049,4 +5053,4 @@ | |||
5049 | - (djm) Trim deprecated options from INSTALL. Mention UsePAM | 5053 | - (djm) Trim deprecated options from INSTALL. Mention UsePAM |
5050 | - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu | 5054 | - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu |
5051 | 5055 | ||
5052 | $Id: ChangeLog,v 1.4435 2006/07/24 05:30:18 djm Exp $ | 5056 | $Id: ChangeLog,v 1.4436 2006/07/24 05:31:41 djm Exp $ |
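--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.36 2005/03/04 08:48:46 djm Exp $
+# $OpenBSD: Makefile,v 1.42 2006/07/19 13:34:52 dtucker Exp $
 
 REGRESS_TARGETS= t1 t2 t3 t4 t5 t6 t7 t-exec
 tests: $(REGRESS_TARGETS)
@@ -40,7 +40,9 @@ LTESTS= connect \
 forwarding \
 multiplex \
 reexec \
-brokenkeys
+brokenkeys \
+cfgmatch \
+forcecommand
 
 USER!= id -un
 CLEANFILES= t2.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \
@@ -49,8 +51,8 @@ CLEANFILES= t2.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \
 rsa.pub rsa rsa1.pub rsa1 host.rsa host.rsa1 \
 rsa-agent rsa-agent.pub rsa1-agent rsa1-agent.pub \
 ls.copy banner.in banner.out empty.in \
-scp-ssh-wrapper.scp ssh_proxy_envpass \
-remote_pid
+scp-ssh-wrapper.scp ssh_proxy_envpass remote_pid \
+sshd_proxy_bak rsa_ssh2_cr.prv rsa_ssh2_crnl.prv
 
 #LTESTS += ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp
 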
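--- a/regress/agent-getpeereid.sh
+++ b/regress/agent-getpeereid.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: agent-getpeereid.sh,v 1.2 2005/11/14 21:25:56 grunk Exp $
+# $OpenBSD: agent-getpeereid.sh,v 1.3 2006/07/06 12:01:53 grunk Exp $
 # Placed in the Public Domain.
 
 tid="disallow agent attach from other uid"
@@ -12,6 +12,11 @@ then
 echo "skipped (not supported on this platform)"
 exit 0
 fi
+if [ -z "$SUDO" ]; then
+echo "skipped: need SUDO to switch to uid $UNPRIV"
+exit 0
+fi
+
 
 trace "start agent"
 eval `${SSHAGENT} -s -a ${ASOCK}` > /dev/null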
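Review bot: The added `if [ -z "$SUDO" ]` branch makes the only test of ssh-agent's peer-uid check (the `tid` says "disallow agent attach from other uid") exit 0 when SUDO is unset, so an environment that never configures SUDO reports the suite green without exercising it; a regress script may legitimately skip, but the skip should be distinguishable from a pass in the harness output. The two skip messages in this hunk also use different shapes, `skipped (not supported on this platform)` versus `skipped: need SUDO ...`, which makes grepping for skips harder, so I would align the new one to `echo "skipped (need SUDO to switch to uid $UNPRIV)"`. `$UNPRIV` is assigned outside this hunk, so I cannot confirm it is already set when the message prints.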
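--- /dev/null
+++ b/regress/cfgmatch.sh
@@ -0,0 +1,105 @@
+# $OpenBSD: cfgmatch.sh,v 1.2 2006/07/22 01:50:00 dtucker Exp $
+# Placed in the Public Domain.
+
+tid="sshd_config match"
+
+pidfile=$OBJ/remote_pid
+fwdport=3301
+fwd="-L $fwdport:127.0.0.1:$PORT"
+
+stop_client()
+{
+pid=`cat $pidfile`
+if [ ! -z "$pid" ]; then
+kill $pid
+fi
+}
+
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+
+echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_config
+echo "Match Address 127.0.0.1" >>$OBJ/sshd_config
+echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_config
+
+echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_proxy
+echo "Match Address 127.0.0.1" >>$OBJ/sshd_proxy
+echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_proxy
+
+start_sshd
+
+#set -x
+
+# Test Match + PermitOpen in sshd_config. This should be permitted
+for p in 1 2; do
+rm -f $pidfile
+trace "match permitopen localhost proto $p"
+${SSH} -$p $fwd -F $OBJ/ssh_config -f somehost \
+"echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 ||\
+fail "match permitopen proto $p sshd failed"
+sleep 1;
+${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
+fail "match permitopen permit proto $p"
+stop_client
+done
+
+# Same but from different source. This should not be permitted
+for p in 1 2; do
+rm -f $pidfile
+trace "match permitopen proxy proto $p"
+${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \
+"echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 ||\
+fail "match permitopen proxy proto $p sshd failed"
+sleep 1;
+${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
+fail "match permitopen deny proto $p"
+stop_client
+done
+
+# Retry previous with key option, should also be denied.
+echo -n 'permitopen="127.0.0.1:'$PORT'" ' >$OBJ/authorized_keys_$USER
+cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
+echo -n 'permitopen="127.0.0.1:'$PORT'" ' >>$OBJ/authorized_keys_$USER
+cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
+for p in 1 2; do
+rm -f $pidfile
+trace "match permitopen proxy w/key opts proto $p"
+${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \
+"echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 ||\
+fail "match permitopen w/key opt proto $p sshd failed"
+sleep 1;
+${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
+fail "match permitopen deny w/key opt proto $p"
+stop_client
+done
+
+# Test both sshd_config and key options permitting the same dst/port pair.
+# Should be permitted.
+for p in 1 2; do
+rm -f $pidfile
+trace "match permitopen localhost proto $p"
+${SSH} -$p $fwd -F $OBJ/ssh_config -f somehost \
+"echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 ||\
+fail "match permitopen proto $p sshd failed"
+sleep 1;
+${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
+fail "match permitopen permit proto $p"
+stop_client
+done
+
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy
+echo "Match User $USER" >>$OBJ/sshd_proxy
+echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
+
+# Test that a Match overrides a PermitOpen in the global section
+for p in 1 2; do
+rm -f $pidfile
+trace "match permitopen proxy w/key opts proto $p"
+${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \
+"echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 ||\
+fail "match override permitopen proto $p sshd failed"
+sleep 1;
+${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
+fail "match override permitopen proto $p"
+stop_client
+done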
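Review bot: The three deny cases (each `... somehost true && fail` line in the second, third and last loops) treat any failure of the client as a successful denial, so if the backgrounded `ssh -f` died before writing `$pidfile`, the `-L $fwdport` bind failed, or the proxied sshd rejected the session for an unrelated reason, the PermitOpen policy test still passes; a negative access-control test should confirm the forward was refused by policy, for example by grepping the client output that goes to `$TEST_SSH_LOGFILE` for the channel-open refusal (presumably the "administratively prohibited" reason text) rather than relying on exit status alone. The trace in the last loop, `trace "match permitopen proxy w/key opts proto $p"`, is copied from the previous loop and disagrees with its own fail message; it should read `trace "match override permitopen proto $p"`, and the first and fourth loops likewise share identical trace and fail strings so a log cannot say which case broke. The `PermitOpen`/`Match Address` lines appended to `$OBJ/sshd_config` are never reverted (only `sshd_proxy` is backed up and restored), which is only safe if the harness regenerates sshd_config for every test — that is outside this diff, so I cannot confirm it.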
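--- /dev/null
+++ b/regress/cipher-speed.sh
@@ -0,0 +1,47 @@
+# $OpenBSD: cipher-speed.sh,v 1.2 2005/05/24 04:09:54 djm Exp $
+# Placed in the Public Domain.
+
+tid="cipher speed"
+
+getbytes ()
+{
+sed -n '/transferred/s/.*secs (\(.* bytes.sec\).*/\1/p'
+}
+
+tries="1 2"
+DATA=/bin/ls
+DATA=/bsd
+
+macs="hmac-sha1 hmac-md5 hmac-sha1-96 hmac-md5-96"
+ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc
+arcfour128 arcfour256 arcfour aes192-cbc aes256-cbc aes128-ctr"
+
+for c in $ciphers; do for m in $macs; do
+trace "proto 2 cipher $c mac $m"
+for x in $tries; do
+echo -n "$c/$m:\t"
+( ${SSH} -o 'compression no' \
+-F $OBJ/ssh_proxy -2 -m $m -c $c somehost \
+exec sh -c \'"dd of=/dev/null obs=32k"\' \
+< ${DATA} ) 2>&1 | getbytes
+
+if [ $? -ne 0 ]; then
+fail "ssh -2 failed with mac $m cipher $c"
+fi
+done
+done; done
+
+ciphers="3des blowfish"
+for c in $ciphers; do
+trace "proto 1 cipher $c"
+for x in $tries; do
+echo -n "$c:\t"
+( ${SSH} -o 'compression no' \
+-F $OBJ/ssh_proxy -1 -c $c somehost \
+exec sh -c \'"dd of=/dev/null obs=32k"\' \
+< ${DATA} ) 2>&1 | getbytes
+if [ $? -ne 0 ]; then
+fail "ssh -1 failed with cipher $c"
+fi
+done
+done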
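Review bot: The `if [ $? -ne 0 ]` after each `( ${SSH} ... ) 2>&1 | getbytes` tests the exit status of the `sed` inside `getbytes`, not of ssh, so a cipher or MAC that the server rejects just prints an empty rate and neither `fail` line is ever reached (POSIX sh has no `pipefail`). Capture ssh's status before the pipe, for instance by sending its output to a scratch file under `$OBJ` and feeding that to `getbytes`, and add the file to CLEANFILES in regress/Makefile. The script also overrides `DATA=/bin/ls` with `DATA=/bsd` (leaving the first assignment dead) and `getbytes` matches the BSD `dd` summary line, both OpenBSD-specific; the ChangeLog says this test is not linked into LTESTS yet, so that is presumably known, but it will not produce results on the portable platforms until the data file and the `sed` pattern are adjusted.
```sh
for x in $tries; do
	echo -n "$c/$m:\t"
	${SSH} -o 'compression no' \
	    -F $OBJ/ssh_proxy -2 -m $m -c $c somehost \
	    exec sh -c \'"dd of=/dev/null obs=32k"\' \
	    < ${DATA} > $OBJ/cipher-speed.out 2>&1
	r=$?
	getbytes < $OBJ/cipher-speed.out
	if [ $r -ne 0 ]; then
		fail "ssh -2 failed with mac $m cipher $c"
	fi
done
# … unchanged: proto 1 loop; apply the same status capture there …
```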
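--- /dev/null
+++ b/regress/forcecommand.sh
@@ -0,0 +1,42 @@
+# $OpenBSD: forcecommand.sh,v 1.1 2006/07/19 13:09:28 dtucker Exp $
+# Placed in the Public Domain.
+
+tid="forced command"
+
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+
+echo -n 'command="true" ' >$OBJ/authorized_keys_$USER
+cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
+echo -n 'command="true" ' >>$OBJ/authorized_keys_$USER
+cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
+
+for p in 1 2; do
+trace "forced command in key option proto $p"
+${SSH} -$p -F $OBJ/ssh_proxy somehost false \ ||
+fail "forced command in key proto $p"
+done
+
+echo -n 'command="false" ' >$OBJ/authorized_keys_$USER
+cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
+echo -n 'command="false" ' >>$OBJ/authorized_keys_$USER
+cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
+
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+echo "ForceCommand true" >> $OBJ/sshd_proxy
+
+for p in 1 2; do
+trace "forced command in sshd_config overrides key option proto $p"
+${SSH} -$p -F $OBJ/ssh_proxy somehost false \ ||
+fail "forced command in key proto $p"
+done
+
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+echo "ForceCommand false" >> $OBJ/sshd_proxy
+echo "Match User $USER" >> $OBJ/sshd_proxy
+echo " ForceCommand true" >> $OBJ/sshd_proxy
+
+for p in 1 2; do
+trace "forced command with match proto $p"
+${SSH} -$p -F $OBJ/ssh_proxy somehost false \ ||
+fail "forced command in key proto $p"
+done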
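Review bot: Each of the three ssh invocations ends in `false \ ||`, where `\ ` is an escaped space that becomes a separate one-character argument to ssh and so part of the remote command string; it is harmless here because the forced command replaces whatever was requested, but it reads like a broken line continuation and should be `somehost false ||`. All three loops also use the same `fail "forced command in key proto $p"`, so a failure in the sshd_config-override or Match case is reported as the key-option case; reuse each loop's `trace` wording, e.g. `fail "forced command in sshd_config overrides key option proto $p"`. The script exits with `ForceCommand false` plus a `Match User $USER` block still appended to `$OBJ/sshd_proxy` and `command="false"` still in `authorized_keys_$USER`, which is only safe if the harness regenerates both files before the next test — I cannot confirm that from this diff.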
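--- a/regress/forwarding.sh
+++ b/regress/forwarding.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: forwarding.sh,v 1.5 2005/03/10 10:20:39 dtucker Exp $
+# $OpenBSD: forwarding.sh,v 1.6 2006/07/11 18:51:21 markus Exp $
 # Placed in the Public Domain.
 
 tid="local and remote forwarding"
@@ -34,6 +34,36 @@ for p in 1 2; do
 done
 
 for p in 1 2; do
+for d in L R; do
+trace "exit on -$d forward failure, proto $p"
+
+# this one should succeed
+${SSH} -$p -F $OBJ/ssh_config \
+-$d ${base}01:127.0.0.1:$PORT \
+-$d ${base}02:127.0.0.1:$PORT \
+-$d ${base}03:127.0.0.1:$PORT \
+-$d ${base}04:127.0.0.1:$PORT \
+-oExitOnForwardFailure=yes somehost true
+if [ $? != 0 ]; then
+fail "connection failed, should not"
+else
+# this one should fail
+${SSH} -q -$p -F $OBJ/ssh_config \
+-$d ${base}01:127.0.0.1:$PORT \
+-$d ${base}02:127.0.0.1:$PORT \
+-$d ${base}03:127.0.0.1:$PORT \
+-$d ${base}01:127.0.0.1:$PORT \
+-$d ${base}04:127.0.0.1:$PORT \
+-oExitOnForwardFailure=yes somehost true
+r=$?
+if [ $r != 255 ]; then
+fail "connection not termintated, but should ($r)"
+fi
+fi
+done
+done
+
+for p in 1 2; do
 trace "simple clear forwarding proto $p"
 ${SSH} -$p -F $OBJ/ssh_config -oClearAllForwardings=yes somehost true
 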
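Review bot: The negative case only checks `[ $r != 255 ]`, and 255 is ssh's generic connection-error status, so an unrelated failure of the second invocation (bad config, sshd unreachable) is indistinguishable from ExitOnForwardFailure doing its job; the preceding success case gates this, but the `-q` on that second ssh also discards the only diagnostic saying why it exited, so I would drop `-q` or send its output to the harness log with `>>$TEST_SSH_LOGFILE 2>&1` as cfgmatch.sh does. The fail message has a typo and should read `fail "connection not terminated, but should ($r)"`. The repeated `-$d ${base}01:127.0.0.1:$PORT` is the deliberate trigger and deserves a comment such as `# duplicate of the first forward: its bind must fail` so a later cleanup does not "fix" it. `${base}` is assigned earlier in the file, outside this hunk.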