Diffstat (limited to 'regress/cfgmatch.sh')
-rw-r--r-- | regress/cfgmatch.sh | 76 |
1 files changed, 32 insertions, 44 deletions
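diff --git a/regress/cfgmatch.sh b/regress/cfgmatch.sh
index 056296398..2504d04f4 100644
--- a/regress/cfgmatch.sh
+++ b/regress/cfgmatch.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: cfgmatch.sh,v 1.9 2015/03/03 22:35:19 markus Exp $
+# $OpenBSD: cfgmatch.sh,v 1.10 2017/04/30 23:34:55 djm Exp $
 # Placed in the Public Domain.
 
 tid="sshd_config match"
@@ -13,7 +13,7 @@ echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_proxy
 start_client()
 {
 rm -f $pidfile
-${SSH} -q -$p $fwd "$@" somehost \
+${SSH} -q $fwd "$@" somehost \
 exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \
 >>$TEST_REGRESS_LOGFILE 2>&1 &
 client_pid=$!
@@ -56,22 +56,18 @@ start_sshd
 #set -x
 
 # Test Match + PermitOpen in sshd_config. This should be permitted
-for p in ${SSH_PROTOCOLS}; do
-trace "match permitopen localhost proto $p"
-start_client -F $OBJ/ssh_config
-${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
-fail "match permitopen permit proto $p"
-stop_client
-done
+trace "match permitopen localhost"
+start_client -F $OBJ/ssh_config
+${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
+fail "match permitopen permit"
+stop_client
 
 # Same but from different source. This should not be permitted
-for p in ${SSH_PROTOCOLS}; do
-trace "match permitopen proxy proto $p"
-start_client -F $OBJ/ssh_proxy
-${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
-fail "match permitopen deny proto $p"
-stop_client
-done
+trace "match permitopen proxy"
+start_client -F $OBJ/ssh_proxy
+${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true && \
+fail "match permitopen deny"
+stop_client
 
 # Retry previous with key option, should also be denied.
 cp /dev/null $OBJ/authorized_keys_$USER
@@ -79,23 +75,19 @@ for t in ${SSH_KEYTYPES}; do
 printf 'permitopen="127.0.0.1:'$PORT'" ' >> $OBJ/authorized_keys_$USER
 cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
 done
-for p in ${SSH_PROTOCOLS}; do
-trace "match permitopen proxy w/key opts proto $p"
-start_client -F $OBJ/ssh_proxy
-${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
-fail "match permitopen deny w/key opt proto $p"
-stop_client
-done
+trace "match permitopen proxy w/key opts"
+start_client -F $OBJ/ssh_proxy
+${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true && \
+fail "match permitopen deny w/key opt"
+stop_client
 
 # Test both sshd_config and key options permitting the same dst/port pair.
 # Should be permitted.
-for p in ${SSH_PROTOCOLS}; do
-trace "match permitopen localhost proto $p"
-start_client -F $OBJ/ssh_config
-${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
-fail "match permitopen permit proto $p"
-stop_client
-done
+trace "match permitopen localhost"
+start_client -F $OBJ/ssh_config
+${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
+fail "match permitopen permit"
+stop_client
 
 cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
 echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy
@@ -103,13 +95,11 @@ echo "Match User $USER" >>$OBJ/sshd_proxy
 echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
 
 # Test that a Match overrides a PermitOpen in the global section
-for p in ${SSH_PROTOCOLS}; do
-trace "match permitopen proxy w/key opts proto $p"
-start_client -F $OBJ/ssh_proxy
-${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
-fail "match override permitopen proto $p"
-stop_client
-done
+trace "match permitopen proxy w/key opts"
+start_client -F $OBJ/ssh_proxy
+${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true && \
+fail "match override permitopen"
+stop_client
 
 cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
 echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy
@@ -118,10 +108,8 @@ echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
 
 # Test that a rule that doesn't match doesn't override, plus test a
 # PermitOpen entry that's not at the start of the list
-for p in ${SSH_PROTOCOLS}; do
-trace "nomatch permitopen proxy w/key opts proto $p"
-start_client -F $OBJ/ssh_proxy
-${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
-fail "nomatch override permitopen proto $p"
-stop_client
-done
+trace "nomatch permitopen proxy w/key opts"
+start_client -F $OBJ/ssh_proxy
+${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
+fail "nomatch override permitopen"
+stop_client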
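Review bot: The trace label on new line 98, `trace "match permitopen proxy w/key opts"`, is the same text used at new line 78 for a different scenario, and new line 86 repeats the label from new line 59, so a failing run logs an identical trace string for two distinct tests while the fail messages on the following lines differ. Since these lines are being rewritten anyway, `trace "match override permitopen"` at new line 98 and `trace "match permitopen localhost w/key opts"` at new line 86 would make each trace agree with its fail text and keep the regress log unambiguous. The `for t in ${SSH_KEYTYPES}` loop that encloses the first lines of the fourth hunk begins outside it.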