Diffstat (limited to 'regress/cfgmatch.sh')
-rw-r--r--regress/cfgmatch.sh76
1 files changed, 32 insertions, 44 deletions
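--- a/regress/cfgmatch.sh
+++ b/regress/cfgmatch.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: cfgmatch.sh,v 1.9 2015/03/03 22:35:19 markus Exp $
+# $OpenBSD: cfgmatch.sh,v 1.10 2017/04/30 23:34:55 djm Exp $
 # Placed in the Public Domain.
 
 tid="sshd_config match"
@@ -13,7 +13,7 @@ echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_proxy
 start_client()
 {
 	rm -f $pidfile
-	${SSH} -q -$p $fwd "$@" somehost \
+	${SSH} -q $fwd "$@" somehost \
 	exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \
 	>>$TEST_REGRESS_LOGFILE 2>&1 &
 	client_pid=$!
@@ -56,22 +56,18 @@ start_sshd
 #set -x
 
 # Test Match + PermitOpen in sshd_config. This should be permitted
-for p in ${SSH_PROTOCOLS}; do
-	trace "match permitopen localhost proto $p"
-	start_client -F $OBJ/ssh_config
-	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
-	fail "match permitopen permit proto $p"
-	stop_client
-done
+trace "match permitopen localhost"
+start_client -F $OBJ/ssh_config
+${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
+	fail "match permitopen permit"
+stop_client
 
 # Same but from different source. This should not be permitted
-for p in ${SSH_PROTOCOLS}; do
-	trace "match permitopen proxy proto $p"
-	start_client -F $OBJ/ssh_proxy
-	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
-	fail "match permitopen deny proto $p"
-	stop_client
-done
+trace "match permitopen proxy"
+start_client -F $OBJ/ssh_proxy
+${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true && \
+	fail "match permitopen deny"
+stop_client
 
 # Retry previous with key option, should also be denied.
 cp /dev/null $OBJ/authorized_keys_$USER
@@ -79,23 +75,19 @@ for t in ${SSH_KEYTYPES}; do
 	printf 'permitopen="127.0.0.1:'$PORT'" ' >> $OBJ/authorized_keys_$USER
 	cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
 done
-for p in ${SSH_PROTOCOLS}; do
-	trace "match permitopen proxy w/key opts proto $p"
-	start_client -F $OBJ/ssh_proxy
-	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
-	fail "match permitopen deny w/key opt proto $p"
-	stop_client
-done
+trace "match permitopen proxy w/key opts"
+start_client -F $OBJ/ssh_proxy
+${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true && \
+	fail "match permitopen deny w/key opt"
+stop_client
 
 # Test both sshd_config and key options permitting the same dst/port pair.
 # Should be permitted.
-for p in ${SSH_PROTOCOLS}; do
-	trace "match permitopen localhost proto $p"
-	start_client -F $OBJ/ssh_config
-	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
-	fail "match permitopen permit proto $p"
-	stop_client
-done
+trace "match permitopen localhost"
+start_client -F $OBJ/ssh_config
+${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
+	fail "match permitopen permit"
+stop_client
 
 cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
 echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy
@@ -103,13 +95,11 @@ echo "Match User $USER" >>$OBJ/sshd_proxy
 echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
 
 # Test that a Match overrides a PermitOpen in the global section
-for p in ${SSH_PROTOCOLS}; do
-	trace "match permitopen proxy w/key opts proto $p"
-	start_client -F $OBJ/ssh_proxy
-	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
-	fail "match override permitopen proto $p"
-	stop_client
-done
+trace "match permitopen proxy w/key opts"
+start_client -F $OBJ/ssh_proxy
+${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true && \
+	fail "match override permitopen"
+stop_client
 
 cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
 echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy
@@ -118,10 +108,8 @@ echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
 
 # Test that a rule that doesn't match doesn't override, plus test a
 # PermitOpen entry that's not at the start of the list
-for p in ${SSH_PROTOCOLS}; do
-	trace "nomatch permitopen proxy w/key opts proto $p"
-	start_client -F $OBJ/ssh_proxy
-	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
-	fail "nomatch override permitopen proto $p"
-	stop_client
-done
+trace "nomatch permitopen proxy w/key opts"
+start_client -F $OBJ/ssh_proxy
+${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
+	fail "nomatch override permitopen"
+stop_client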
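Review bot: The negative checks on the new side (new lines 68-69, 80-81 and 100-101, `${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true && fail "..."`) pass whenever the connection through $fwdport fails for any reason, so a background client that never came up or already exited looks exactly like sshd correctly refusing the forward, and the PermitOpen/Match denial is never actually evidenced. Since start_client records `client_pid=$!`, a cheap guard immediately before each `&& fail` makes the denial result self-checking: `kill -0 $client_pid 2>/dev/null || fail "forwarding client not running"`. Whether start_client waits for $pidfile before returning is outside the visible hunk; even if it does, the guard still catches a client that died between setup and the check, and it costs nothing in the passing case. The three positive `|| fail` sites do not need it, because they can only succeed through a live forward.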