diff options
-rw-r--r-- | ChangeLog | 4 | ||||
-rw-r--r-- | regress/addrmatch.sh | 50 |
2 files changed, 34 insertions, 20 deletions
@@ -23,6 +23,10 @@ | |||
23 | - naddy@cvs.openbsd.org 2012/06/29 13:57:25 | 23 | - naddy@cvs.openbsd.org 2012/06/29 13:57:25 |
24 | [ssh_config.5 sshd_config.5] | 24 | [ssh_config.5 sshd_config.5] |
25 | match the documented MAC order of preference to the actual one; ok dtucker@ | 25 | match the documented MAC order of preference to the actual one; ok dtucker@ |
26 | - dtucker@cvs.openbsd.org 2012/05/13 01:42:32 | ||
27 | [regress/addrmatch.sh] | ||
28 | Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests | ||
29 | to match. Feedback and ok djm@ markus@. | ||
26 | 30 | ||
27 | 20120628 | 31 | 20120628 |
28 | - (dtucker) [openbsd-compat/getrrsetbyname-ldns.c] bz #2022: prevent null | 32 | - (dtucker) [openbsd-compat/getrrsetbyname-ldns.c] bz #2022: prevent null |
diff --git a/regress/addrmatch.sh b/regress/addrmatch.sh index 5102317df..1584bd405 100644 --- a/regress/addrmatch.sh +++ b/regress/addrmatch.sh | |||
@@ -1,4 +1,4 @@ | |||
1 | # $OpenBSD: addrmatch.sh,v 1.3 2010/02/09 04:57:36 djm Exp $ | 1 | # $OpenBSD: addrmatch.sh,v 1.4 2012/05/13 01:42:32 dtucker Exp $ |
2 | # Placed in the Public Domain. | 2 | # Placed in the Public Domain. |
3 | 3 | ||
4 | tid="address match" | 4 | tid="address match" |
@@ -7,39 +7,49 @@ mv $OBJ/sshd_proxy $OBJ/sshd_proxy_bak | |||
7 | 7 | ||
8 | run_trial() | 8 | run_trial() |
9 | { | 9 | { |
10 | user="$1"; addr="$2"; host="$3"; expected="$4"; descr="$5" | 10 | user="$1"; addr="$2"; host="$3"; laddr="$4"; lport="$5" |
11 | expected="$6"; descr="$7" | ||
11 | 12 | ||
12 | verbose "test $descr for $user $addr $host" | 13 | verbose "test $descr for $user $addr $host" |
13 | result=`${SSHD} -f $OBJ/sshd_proxy -T \ | 14 | result=`${SSHD} -f $OBJ/sshd_proxy -T \ |
14 | -C user=${user},addr=${addr},host=${host} | \ | 15 | -C user=${user},addr=${addr},host=${host},laddr=${laddr},lport=${lport} | \ |
15 | awk '/^passwordauthentication/ {print $2}'` | 16 | awk '/^forcecommand/ {print $2}'` |
16 | if [ "$result" != "$expected" ]; then | 17 | if [ "$result" != "$expected" ]; then |
17 | fail "failed for $user $addr $host: expected $expected, got $result" | 18 | fail "failed '$descr' expected $expected got $result" |
18 | fi | 19 | fi |
19 | } | 20 | } |
20 | 21 | ||
21 | cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy | 22 | cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy |
22 | cat >>$OBJ/sshd_proxy <<EOD | 23 | cat >>$OBJ/sshd_proxy <<EOD |
23 | PasswordAuthentication no | 24 | ForceCommand nomatch |
24 | Match Address 192.168.0.0/16,!192.168.30.0/24,10.0.0.0/8,host.example.com | 25 | Match Address 192.168.0.0/16,!192.168.30.0/24,10.0.0.0/8,host.example.com |
25 | PasswordAuthentication yes | 26 | ForceCommand match1 |
26 | Match Address 1.1.1.1,::1,!::3,2000::/16 | 27 | Match Address 1.1.1.1,::1,!::3,2000::/16 |
27 | PasswordAuthentication yes | 28 | ForceCommand match2 |
29 | Match LocalAddress 127.0.0.1,::1 | ||
30 | ForceCommand match3 | ||
31 | Match LocalPort 5678 | ||
32 | ForceCommand match4 | ||
28 | EOD | 33 | EOD |
29 | 34 | ||
30 | run_trial user 192.168.0.1 somehost yes "permit, first entry" | 35 | run_trial user 192.168.0.1 somehost 1.2.3.4 1234 match1 "first entry" |
31 | run_trial user 192.168.30.1 somehost no "deny, negative match" | 36 | run_trial user 192.168.30.1 somehost 1.2.3.4 1234 nomatch "negative match" |
32 | run_trial user 19.0.0.1 somehost no "deny, no match" | 37 | run_trial user 19.0.0.1 somehost 1.2.3.4 1234 nomatch "no match" |
33 | run_trial user 10.255.255.254 somehost yes "permit, list middle" | 38 | run_trial user 10.255.255.254 somehost 1.2.3.4 1234 match1 "list middle" |
34 | run_trial user 192.168.30.1 192.168.0.1 no "deny, faked IP in hostname" | 39 | run_trial user 192.168.30.1 192.168.0.1 1.2.3.4 1234 nomatch "faked IP in hostname" |
35 | run_trial user 1.1.1.1 somehost.example.com yes "permit, bare IP4 address" | 40 | run_trial user 1.1.1.1 somehost.example.com 1.2.3.4 1234 match2 "bare IP4 address" |
41 | run_trial user 19.0.0.1 somehost 127.0.0.1 1234 match3 "localaddress" | ||
42 | run_trial user 19.0.0.1 somehost 1.2.3.4 5678 match4 "localport" | ||
43 | |||
36 | if test "$TEST_SSH_IPV6" != "no"; then | 44 | if test "$TEST_SSH_IPV6" != "no"; then |
37 | run_trial user ::1 somehost.example.com yes "permit, bare IP6 address" | 45 | run_trial user ::1 somehost.example.com ::2 1234 match2 "bare IP6 address" |
38 | run_trial user ::2 somehost.exaple.com no "deny IPv6" | 46 | run_trial user ::2 somehost.exaple.com ::2 1234 nomatch "deny IPv6" |
39 | run_trial user ::3 somehost no "deny IP6 negated" | 47 | run_trial user ::3 somehost ::2 1234 nomatch "IP6 negated" |
40 | run_trial user ::4 somehost no "deny, IP6 no match" | 48 | run_trial user ::4 somehost ::2 1234 nomatch "IP6 no match" |
41 | run_trial user 2000::1 somehost yes "permit, IP6 network" | 49 | run_trial user 2000::1 somehost ::2 1234 match2 "IP6 network" |
42 | run_trial user 2001::1 somehost no "deny, IP6 network" | 50 | run_trial user 2001::1 somehost ::2 1234 nomatch "IP6 network" |
51 | run_trial user ::5 somehost ::1 1234 match3 "IP6 localaddress" | ||
52 | run_trial user ::5 somehost ::2 5678 match4 "IP6 localport" | ||
43 | fi | 53 | fi |
44 | 54 | ||
45 | cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy | 55 | cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy |