Diffstat (limited to 'regress/cfgmatch.sh')
-rw-r--r-- | regress/cfgmatch.sh | 23 |
1 files changed, 12 insertions, 11 deletions
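--- a/regress/cfgmatch.sh
+++ b/regress/cfgmatch.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: cfgmatch.sh,v 1.8 2013/05/17 00:37:40 dtucker Exp $
+# $OpenBSD: cfgmatch.sh,v 1.9 2015/03/03 22:35:19 markus Exp $
 # Placed in the Public Domain.
 
 tid="sshd_config match"
@@ -56,7 +56,7 @@ start_sshd
 #set -x
 
 # Test Match + PermitOpen in sshd_config. This should be permitted
-for p in 1 2; do
+for p in ${SSH_PROTOCOLS}; do
 trace "match permitopen localhost proto $p"
 start_client -F $OBJ/ssh_config
 ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
@@ -65,7 +65,7 @@ for p in 1 2; do
 done
 
 # Same but from different source. This should not be permitted
-for p in 1 2; do
+for p in ${SSH_PROTOCOLS}; do
 trace "match permitopen proxy proto $p"
 start_client -F $OBJ/ssh_proxy
 ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
@@ -74,11 +74,12 @@ for p in 1 2; do
 done
 
 # Retry previous with key option, should also be denied.
-printf 'permitopen="127.0.0.1:'$PORT'" ' >$OBJ/authorized_keys_$USER
-cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
-printf 'permitopen="127.0.0.1:'$PORT'" ' >>$OBJ/authorized_keys_$USER
-cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
-for p in 1 2; do
+cp /dev/null $OBJ/authorized_keys_$USER
+for t in ${SSH_KEYTYPES}; do
+printf 'permitopen="127.0.0.1:'$PORT'" ' >> $OBJ/authorized_keys_$USER
+cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
+done
+for p in ${SSH_PROTOCOLS}; do
 trace "match permitopen proxy w/key opts proto $p"
 start_client -F $OBJ/ssh_proxy
 ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
@@ -88,7 +89,7 @@ done
 
 # Test both sshd_config and key options permitting the same dst/port pair.
 # Should be permitted.
-for p in 1 2; do
+for p in ${SSH_PROTOCOLS}; do
 trace "match permitopen localhost proto $p"
 start_client -F $OBJ/ssh_config
 ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
@@ -102,7 +103,7 @@ echo "Match User $USER" >>$OBJ/sshd_proxy
 echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
 
 # Test that a Match overrides a PermitOpen in the global section
-for p in 1 2; do
+for p in ${SSH_PROTOCOLS}; do
 trace "match permitopen proxy w/key opts proto $p"
 start_client -F $OBJ/ssh_proxy
 ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
@@ -117,7 +118,7 @@ echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
 
 # Test that a rule that doesn't match doesn't override, plus test a
 # PermitOpen entry that's not at the start of the list
-for p in 1 2; do
+for p in ${SSH_PROTOCOLS}; do
 trace "nomatch permitopen proxy w/key opts proto $p"
 start_client -F $OBJ/ssh_proxy
 ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \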
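Review bot: The new per-keytype loop that builds authorized_keys (new lines 78-81 in the `@@ -74,11 +74,12 @@` hunk) never checks that `cat $OBJ/$t.pub` succeeded, so a key type listed in `${SSH_KEYTYPES}` without a generated `.pub` leaves a dangling `permitopen=...` prefix in the file and the "should be denied" check afterwards silently exercises fewer keys than intended. The `fail` helper from the regress harness is the usual way to stop there: `cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER || fail "cannot read $OBJ/$t.pub"`. Separately, the carried-over `printf 'permitopen="127.0.0.1:'$PORT'" '` splices `$PORT` into the format string; the safer and clearer form is `printf 'permitopen="127.0.0.1:%s" ' "$PORT"`. The same `$PORT`-in-format pattern existed before this commit, so this is a follow-up rather than a regression; the `for p` loop that follows the keys loop continues past the hunk.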