1 files changed, 202 insertions, 0 deletions
diff --git a/regress/cfgmatchlisten.sh b/regress/cfgmatchlisten.sh
new file mode 100644
index 000000000..a4fd66b32
--- /dev/null
+++ b/regress/cfgmatchlisten.sh
@@ -0,0 +1,202 @@
+#       $OpenBSD: cfgmatchlisten.sh,v 1.3 2018/07/02 14:13:30 dtucker Exp $
+#       Placed in the Public Domain.
+tid="sshd_config matchlisten"
+pidfile=$OBJ/remote_pid
+fwdport=3301
+fwdspec="localhost:${fwdport}"
+fwd="-R $fwdport:127.0.0.1:$PORT"
+echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_config
+echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_proxy
+start_client()
+{
+        rm -f $pidfile
+        ${SSH} -vvv $fwd "$@" somehost true >>$TEST_REGRESS_LOGFILE 2>&1
+        r=$?
+        if [ $r -ne 0 ]; then
+                return $r
+        fi
+        ${SSH} -vvv $fwd "$@" somehost \
+            exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \
+            >>$TEST_REGRESS_LOGFILE 2>&1 &
+        client_pid=$!
+        # Wait for remote end
+        n=0
+        while test ! -f $pidfile ; do
+                sleep 1
+                n=`expr $n + 1`
+                if test $n -gt 60; then
+                        kill $client_pid
+                        fatal "timeout waiting for background ssh"
+                fi
+        done
+        return $r
+}
+expect_client_ok()
+{
+        start_client "$@" ||
+            fail "client did not start"
+}
+expect_client_fail()
+{
+        local failmsg="$1"
+        shift
+        start_client "$@" &&
+            fail $failmsg
+}
+stop_client()
+{
+        pid=`cat $pidfile`
+        if [ ! -z "$pid" ]; then
+                kill $pid
+        fi
+        wait
+}
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+echo "PermitListen 127.0.0.1:1" >>$OBJ/sshd_config
+echo "Match Address 127.0.0.1" >>$OBJ/sshd_config
+echo "PermitListen 127.0.0.1:2 127.0.0.1:3 $fwdspec" >>$OBJ/sshd_config
+grep -v AuthorizedKeysFile $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
+echo "AuthorizedKeysFile /dev/null" >>$OBJ/sshd_proxy
+echo "PermitListen 127.0.0.1:1" >>$OBJ/sshd_proxy
+echo "Match user $USER" >>$OBJ/sshd_proxy
+echo "AuthorizedKeysFile /dev/null $OBJ/authorized_keys_%u" >>$OBJ/sshd_proxy
+echo "Match Address 127.0.0.1" >>$OBJ/sshd_proxy
+echo "PermitListen 127.0.0.1:2 127.0.0.1:3 $fwdspec" >>$OBJ/sshd_proxy
+start_sshd
+#set -x
+# Test Match + PermitListen in sshd_config.  This should be permitted
+trace "match permitlisten localhost"
+expect_client_ok -F $OBJ/ssh_config
+${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
+    fail "match permitlisten permit"
+stop_client
+# Same but from different source.  This should not be permitted
+trace "match permitlisten proxy"
+expect_client_fail "match permitlisten deny" \
+    -F $OBJ/ssh_proxy
+# Retry previous with key option, should also be denied.
+cp /dev/null $OBJ/authorized_keys_$USER
+for t in ${SSH_KEYTYPES}; do
+        printf 'permitlisten="'$fwdspec'" ' >> $OBJ/authorized_keys_$USER
+        cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
+done
+trace "match permitlisten proxy w/key opts"
+expect_client_fail "match permitlisten deny w/key opt"\
+    -F $OBJ/ssh_proxy
+# Test both sshd_config and key options permitting the same dst/port pair.
+# Should be permitted.
+trace "match permitlisten localhost"
+expect_client_ok -F $OBJ/ssh_config
+${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
+    fail "match permitlisten permit"
+stop_client
+# Test that a bare port number is accepted in PermitListen
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+echo "PermitListen 127.0.0.1:1 $fwdport 127.0.0.2:2" >>$OBJ/sshd_proxy
+trace "match permitlisten bare"
+expect_client_ok -F $OBJ/ssh_config
+${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
+    fail "match permitlisten bare"
+stop_client
+# Test that an incorrect bare port number is denied as expected
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+echo "PermitListen 1 2 99" >>$OBJ/sshd_proxy
+trace "match permitlisten bare"
+expect_client_fail -F $OBJ/ssh_config
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+echo "PermitListen 127.0.0.1:1 $fwdspec 127.0.0.2:2" >>$OBJ/sshd_proxy
+echo "Match User $USER" >>$OBJ/sshd_proxy
+echo "PermitListen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
+# Test that a Match overrides a PermitListen in the global section
+trace "match permitlisten proxy w/key opts"
+expect_client_fail "match override permitlisten" \
+    -F $OBJ/ssh_proxy
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+echo "PermitListen 127.0.0.1:1 $fwdspec 127.0.0.2:2" >>$OBJ/sshd_proxy
+echo "Match User NoSuchUser" >>$OBJ/sshd_proxy
+echo "PermitListen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
+# Test that a rule that doesn't match doesn't override, plus test a
+# PermitListen entry that's not at the start of the list
+trace "nomatch permitlisten proxy w/key opts"
+expect_client_ok -F $OBJ/ssh_proxy
+${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
+    fail "nomatch override permitlisten"
+stop_client
+# bind to 127.0.0.1 instead of default localhost
+fwdspec2="127.0.0.1:${fwdport}"
+fwd="-R ${fwdspec2}:127.0.0.1:$PORT"
+# first try w/ old fwdspec both in server config and key opts
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+echo "PermitListen 127.0.0.1:1 $fwdspec 127.0.0.2:2" >>$OBJ/sshd_proxy
+cp /dev/null $OBJ/authorized_keys_$USER
+for t in ${SSH_KEYTYPES}; do
+        printf 'permitlisten="'$fwdspec'" ' >> $OBJ/authorized_keys_$USER
+        cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
+done
+trace "nomatch permitlisten 127.0.0.1 server config and userkey"
+expect_client_fail "nomatch 127.0.0.1 server config and userkey" \
+    -F $OBJ/ssh_config
+# correct server config, denied by key opts
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+echo "PermitListen 127.0.0.1:1 ${fwdspec2} 127.0.0.2:2" >>$OBJ/sshd_proxy
+trace "nomatch permitlisten 127.0.0.1 w/key opts"
+expect_client_fail "nomatch 127.0.0.1 w/key opts" \
+    -F $OBJ/ssh_config
+# fix key opts
+cp /dev/null $OBJ/authorized_keys_$USER
+for t in ${SSH_KEYTYPES}; do
+        printf 'permitlisten="'$fwdspec2'" ' >> $OBJ/authorized_keys_$USER
+        cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
+done
+trace "match permitlisten 127.0.0.1 server config w/key opts"
+expect_client_ok -F $OBJ/ssh_proxy
+${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
+    fail "match 127.0.0.1 server config w/key opts"
+stop_client
+# key opts with bare port number
+cp /dev/null $OBJ/authorized_keys_$USER
+for t in ${SSH_KEYTYPES}; do
+        printf 'permitlisten="'$fwdport'" ' >> $OBJ/authorized_keys_$USER
+        cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
+done
+trace "match permitlisten 127.0.0.1 server config w/key opts (bare)"
+expect_client_ok -F $OBJ/ssh_proxy
+${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
+    fail "match 127.0.0.1 server config w/key opts (bare)"
+stop_client
+# key opts with incorrect bare port number
+cp /dev/null $OBJ/authorized_keys_$USER
+for t in ${SSH_KEYTYPES}; do
+        printf 'permitlisten="99" ' >> $OBJ/authorized_keys_$USER
+        cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
+done
+trace "match permitlisten 127.0.0.1 server config w/key opts (wrong bare)"
+expect_client_fail "nomatch 127.0.0.1 w/key opts (wrong bare)" \
+    -F $OBJ/ssh_config

diff --git a/regress/cfgmatchlisten.sh b/regress/cfgmatchlisten.sh new file mode 100644 index 000000000..a4fd66b32 --- /dev/null +++ b/regress/cfgmatchlisten.sh
@@ -0,0 +1,202 @@
	1	# $OpenBSD: cfgmatchlisten.sh,v 1.3 2018/07/02 14:13:30 dtucker Exp $
	2	# Placed in the Public Domain.
	3
	4	tid="sshd_config matchlisten"
	5
	6	pidfile=$OBJ/remote_pid
	7	fwdport=3301
	8	fwdspec="localhost:${fwdport}"
	9	fwd="-R $fwdport:127.0.0.1:$PORT"
	10
	11	echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_config
	12	echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_proxy
	13
	14	start_client()
	15	{
	16	rm -f $pidfile
	17	${SSH} -vvv $fwd "$@" somehost true >>$TEST_REGRESS_LOGFILE 2>&1
	18	r=$?
	19	if [ $r -ne 0 ]; then
	20	return $r
	21	fi
	22	${SSH} -vvv $fwd "$@" somehost \
	23	exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \
	24	>>$TEST_REGRESS_LOGFILE 2>&1 &
	25	client_pid=$!
	26	# Wait for remote end
	27	n=0
	28	while test ! -f $pidfile ; do
	29	sleep 1
	30	n=`expr $n + 1`
	31	if test $n -gt 60; then
	32	kill $client_pid
	33	fatal "timeout waiting for background ssh"
	34	fi
	35	done
	36	return $r
	37	}
	38
	39	expect_client_ok()
	40	{
	41	start_client "$@" \|\|
	42	fail "client did not start"
	43	}
	44
	45	expect_client_fail()
	46	{
	47	local failmsg="$1"
	48	shift
	49	start_client "$@" &&
	50	fail $failmsg
	51	}
	52
	53	stop_client()
	54	{
	55	pid=`cat $pidfile`
	56	if [ ! -z "$pid" ]; then
	57	kill $pid
	58	fi
	59	wait
	60	}
	61
	62	cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
	63	echo "PermitListen 127.0.0.1:1" >>$OBJ/sshd_config
	64	echo "Match Address 127.0.0.1" >>$OBJ/sshd_config
	65	echo "PermitListen 127.0.0.1:2 127.0.0.1:3 $fwdspec" >>$OBJ/sshd_config
	66
	67	grep -v AuthorizedKeysFile $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
	68	echo "AuthorizedKeysFile /dev/null" >>$OBJ/sshd_proxy
	69	echo "PermitListen 127.0.0.1:1" >>$OBJ/sshd_proxy
	70	echo "Match user $USER" >>$OBJ/sshd_proxy
	71	echo "AuthorizedKeysFile /dev/null $OBJ/authorized_keys_%u" >>$OBJ/sshd_proxy
	72	echo "Match Address 127.0.0.1" >>$OBJ/sshd_proxy
	73	echo "PermitListen 127.0.0.1:2 127.0.0.1:3 $fwdspec" >>$OBJ/sshd_proxy
	74
	75	start_sshd
	76
	77	#set -x
	78
	79	# Test Match + PermitListen in sshd_config. This should be permitted
	80	trace "match permitlisten localhost"
	81	expect_client_ok -F $OBJ/ssh_config
	82	${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true \|\| \
	83	fail "match permitlisten permit"
	84	stop_client
	85
	86	# Same but from different source. This should not be permitted
	87	trace "match permitlisten proxy"
	88	expect_client_fail "match permitlisten deny" \
	89	-F $OBJ/ssh_proxy
	90
	91	# Retry previous with key option, should also be denied.
	92	cp /dev/null $OBJ/authorized_keys_$USER
	93	for t in ${SSH_KEYTYPES}; do
	94	printf 'permitlisten="'$fwdspec'" ' >> $OBJ/authorized_keys_$USER
	95	cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
	96	done
	97	trace "match permitlisten proxy w/key opts"
	98	expect_client_fail "match permitlisten deny w/key opt"\
	99	-F $OBJ/ssh_proxy
	100
	101	# Test both sshd_config and key options permitting the same dst/port pair.
	102	# Should be permitted.
	103	trace "match permitlisten localhost"
	104	expect_client_ok -F $OBJ/ssh_config
	105	${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true \|\| \
	106	fail "match permitlisten permit"
	107	stop_client
	108
	109	# Test that a bare port number is accepted in PermitListen
	110	cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
	111	echo "PermitListen 127.0.0.1:1 $fwdport 127.0.0.2:2" >>$OBJ/sshd_proxy
	112	trace "match permitlisten bare"
	113	expect_client_ok -F $OBJ/ssh_config
	114	${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true \|\| \
	115	fail "match permitlisten bare"
	116	stop_client
	117
	118	# Test that an incorrect bare port number is denied as expected
	119	cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
	120	echo "PermitListen 1 2 99" >>$OBJ/sshd_proxy
	121	trace "match permitlisten bare"
	122	expect_client_fail -F $OBJ/ssh_config
	123
	124	cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
	125	echo "PermitListen 127.0.0.1:1 $fwdspec 127.0.0.2:2" >>$OBJ/sshd_proxy
	126	echo "Match User $USER" >>$OBJ/sshd_proxy
	127	echo "PermitListen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
	128
	129	# Test that a Match overrides a PermitListen in the global section
	130	trace "match permitlisten proxy w/key opts"
	131	expect_client_fail "match override permitlisten" \
	132	-F $OBJ/ssh_proxy
	133
	134	cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
	135	echo "PermitListen 127.0.0.1:1 $fwdspec 127.0.0.2:2" >>$OBJ/sshd_proxy
	136	echo "Match User NoSuchUser" >>$OBJ/sshd_proxy
	137	echo "PermitListen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
	138
	139	# Test that a rule that doesn't match doesn't override, plus test a
	140	# PermitListen entry that's not at the start of the list
	141	trace "nomatch permitlisten proxy w/key opts"
	142	expect_client_ok -F $OBJ/ssh_proxy
	143	${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true \|\| \
	144	fail "nomatch override permitlisten"
	145	stop_client
	146
	147	# bind to 127.0.0.1 instead of default localhost
	148	fwdspec2="127.0.0.1:${fwdport}"
	149	fwd="-R ${fwdspec2}:127.0.0.1:$PORT"
	150
	151	# first try w/ old fwdspec both in server config and key opts
	152	cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
	153	echo "PermitListen 127.0.0.1:1 $fwdspec 127.0.0.2:2" >>$OBJ/sshd_proxy
	154	cp /dev/null $OBJ/authorized_keys_$USER
	155	for t in ${SSH_KEYTYPES}; do
	156	printf 'permitlisten="'$fwdspec'" ' >> $OBJ/authorized_keys_$USER
	157	cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
	158	done
	159	trace "nomatch permitlisten 127.0.0.1 server config and userkey"
	160	expect_client_fail "nomatch 127.0.0.1 server config and userkey" \
	161	-F $OBJ/ssh_config
	162
	163	# correct server config, denied by key opts
	164	cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
	165	echo "PermitListen 127.0.0.1:1 ${fwdspec2} 127.0.0.2:2" >>$OBJ/sshd_proxy
	166	trace "nomatch permitlisten 127.0.0.1 w/key opts"
	167	expect_client_fail "nomatch 127.0.0.1 w/key opts" \
	168	-F $OBJ/ssh_config
	169
	170	# fix key opts
	171	cp /dev/null $OBJ/authorized_keys_$USER
	172	for t in ${SSH_KEYTYPES}; do
	173	printf 'permitlisten="'$fwdspec2'" ' >> $OBJ/authorized_keys_$USER
	174	cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
	175	done
	176	trace "match permitlisten 127.0.0.1 server config w/key opts"
	177	expect_client_ok -F $OBJ/ssh_proxy
	178	${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true \|\| \
	179	fail "match 127.0.0.1 server config w/key opts"
	180	stop_client
	181
	182	# key opts with bare port number
	183	cp /dev/null $OBJ/authorized_keys_$USER
	184	for t in ${SSH_KEYTYPES}; do
	185	printf 'permitlisten="'$fwdport'" ' >> $OBJ/authorized_keys_$USER
	186	cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
	187	done
	188	trace "match permitlisten 127.0.0.1 server config w/key opts (bare)"
	189	expect_client_ok -F $OBJ/ssh_proxy
	190	${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true \|\| \
	191	fail "match 127.0.0.1 server config w/key opts (bare)"
	192	stop_client
	193
	194	# key opts with incorrect bare port number
	195	cp /dev/null $OBJ/authorized_keys_$USER
	196	for t in ${SSH_KEYTYPES}; do
	197	printf 'permitlisten="99" ' >> $OBJ/authorized_keys_$USER
	198	cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
	199	done
	200	trace "match permitlisten 127.0.0.1 server config w/key opts (wrong bare)"
	201	expect_client_fail "nomatch 127.0.0.1 w/key opts (wrong bare)" \
	202	-F $OBJ/ssh_config