summaryrefslogtreecommitdiff
path: root/regress/forward-control.sh
diff options
context:
space:
mode:
Diffstat (limited to 'regress/forward-control.sh')
-rw-r--r--regress/forward-control.sh168
1 files changed, 168 insertions, 0 deletions
diff --git a/regress/forward-control.sh b/regress/forward-control.sh
new file mode 100644
index 000000000..80ddb4167
--- /dev/null
+++ b/regress/forward-control.sh
@@ -0,0 +1,168 @@
1# $OpenBSD: forward-control.sh,v 1.1 2012/12/02 20:47:48 djm Exp $
2# Placed in the Public Domain.
3
4tid="sshd control of local and remote forwarding"
5
6LFWD_PORT=3320
7RFWD_PORT=3321
8CTL=$OBJ/ctl-sock
9READY=$OBJ/ready
10
11wait_for_file_to_appear() {
12 _path=$1
13 _n=0
14 while test ! -f $_path ; do
15 test $_n -eq 1 && trace "waiting for $_path to appear"
16 _n=`expr $_n + 1`
17 test $_n -ge 20 && return 1
18 sleep 1
19 done
20 return 0
21}
22
23wait_for_process_to_exit() {
24 _pid=$1
25 _n=0
26 while kill -0 $_pid 2>/dev/null ; do
27 test $_n -eq 1 && trace "waiting for $_pid to exit"
28 _n=`expr $_n + 1`
29 test $_n -ge 20 && return 1
30 sleep 1
31 done
32 return 0
33}
34
35# usage: check_lfwd protocol Y|N message
36check_lfwd() {
37 _proto=$1
38 _expected=$2
39 _message=$3
40 rm -f $READY
41 ${SSH} -oProtocol=$_proto -F $OBJ/ssh_proxy \
42 -L$LFWD_PORT:127.0.0.1:$PORT \
43 -o ExitOnForwardFailure=yes \
44 -n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \
45 >/dev/null 2>&1 &
46 _sshpid=$!
47 wait_for_file_to_appear $READY || \
48 fatal "check_lfwd ssh fail: $_message"
49 ${SSH} -F $OBJ/ssh_config -p $LFWD_PORT \
50 -oConnectionAttempts=4 host true >/dev/null 2>&1
51 _result=$?
52 kill $_sshpid `cat $READY` 2>/dev/null
53 wait_for_process_to_exit $_sshpid
54 if test "x$_expected" = "xY" -a $_result -ne 0 ; then
55 fail "check_lfwd failed (expecting success): $_message"
56 elif test "x$_expected" = "xN" -a $_result -eq 0 ; then
57 fail "check_lfwd succeeded (expecting failure): $_message"
58 elif test "x$_expected" != "xY" -a "x$_expected" != "xN" ; then
59 fatal "check_lfwd invalid argument \"$_expected\""
60 else
61 verbose "check_lfwd done (expecting $_expected): $_message"
62 fi
63}
64
65# usage: check_rfwd protocol Y|N message
66check_rfwd() {
67 _proto=$1
68 _expected=$2
69 _message=$3
70 rm -f $READY
71 ${SSH} -oProtocol=$_proto -F $OBJ/ssh_proxy \
72 -R$RFWD_PORT:127.0.0.1:$PORT \
73 -o ExitOnForwardFailure=yes \
74 -n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \
75 >/dev/null 2>&1 &
76 _sshpid=$!
77 wait_for_file_to_appear $READY
78 _result=$?
79 if test $_result -eq 0 ; then
80 ${SSH} -F $OBJ/ssh_config -p $RFWD_PORT \
81 -oConnectionAttempts=4 host true >/dev/null 2>&1
82 _result=$?
83 kill $_sshpid `cat $READY` 2>/dev/null
84 wait_for_process_to_exit $_sshpid
85 fi
86 if test "x$_expected" = "xY" -a $_result -ne 0 ; then
87 fail "check_rfwd failed (expecting success): $_message"
88 elif test "x$_expected" = "xN" -a $_result -eq 0 ; then
89 fail "check_rfwd succeeded (expecting failure): $_message"
90 elif test "x$_expected" != "xY" -a "x$_expected" != "xN" ; then
91 fatal "check_rfwd invalid argument \"$_expected\""
92 else
93 verbose "check_rfwd done (expecting $_expected): $_message"
94 fi
95}
96
97start_sshd
98cp ${OBJ}/sshd_proxy ${OBJ}/sshd_proxy.bak
99cp ${OBJ}/authorized_keys_${USER} ${OBJ}/authorized_keys_${USER}.bak
100
101# Sanity check: ensure the default config allows forwarding
102for p in 1 2 ; do
103 check_lfwd $p Y "proto $p, default configuration"
104 check_rfwd $p Y "proto $p, default configuration"
105done
106
107# Usage: all_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N
108all_tests() {
109 _tcpfwd=$1
110 _plain_lfwd=$2
111 _plain_rfwd=$3
112 _nopermit_lfwd=$4
113 _nopermit_rfwd=$5
114 _permit_lfwd=$6
115 _permit_rfwd=$7
116 _badfwd=127.0.0.1:22
117 _goodfwd=127.0.0.1:${PORT}
118 for _proto in 1 2 ; do
119 cp ${OBJ}/authorized_keys_${USER}.bak \
120 ${OBJ}/authorized_keys_${USER}
121 _prefix="proto $_proto, AllowTcpForwarding=$_tcpfwd"
122 # No PermitOpen
123 ( cat ${OBJ}/sshd_proxy.bak ;
124 echo "AllowTcpForwarding $_tcpfwd" ) \
125 > ${OBJ}/sshd_proxy
126 check_lfwd $_proto $_plain_lfwd "$_prefix"
127 check_rfwd $_proto $_plain_rfwd "$_prefix"
128 # PermitOpen via sshd_config that doesn't match
129 ( cat ${OBJ}/sshd_proxy.bak ;
130 echo "AllowTcpForwarding $_tcpfwd" ;
131 echo "PermitOpen $_badfwd" ) \
132 > ${OBJ}/sshd_proxy
133 check_lfwd $_proto $_nopermit_lfwd "$_prefix, !PermitOpen"
134 check_rfwd $_proto $_nopermit_rfwd "$_prefix, !PermitOpen"
135 # PermitOpen via sshd_config that does match
136 ( cat ${OBJ}/sshd_proxy.bak ;
137 echo "AllowTcpForwarding $_tcpfwd" ;
138 echo "PermitOpen $_badfwd $_goodfwd" ) \
139 > ${OBJ}/sshd_proxy
140 # NB. permitopen via authorized_keys should have same
141 # success/fail as via sshd_config
142 # permitopen via authorized_keys that doesn't match
143 sed "s/^/permitopen=\"$_badfwd\" /" \
144 < ${OBJ}/authorized_keys_${USER}.bak \
145 > ${OBJ}/authorized_keys_${USER} || fatal "sed 1 fail"
146 ( cat ${OBJ}/sshd_proxy.bak ;
147 echo "AllowTcpForwarding $_tcpfwd" ) \
148 > ${OBJ}/sshd_proxy
149 check_lfwd $_proto $_nopermit_lfwd "$_prefix, !permitopen"
150 check_rfwd $_proto $_nopermit_rfwd "$_prefix, !permitopen"
151 # permitopen via authorized_keys that does match
152 sed "s/^/permitopen=\"$_badfwd\",permitopen=\"$_goodfwd\" /" \
153 < ${OBJ}/authorized_keys_${USER}.bak \
154 > ${OBJ}/authorized_keys_${USER} || fatal "sed 2 fail"
155 ( cat ${OBJ}/sshd_proxy.bak ;
156 echo "AllowTcpForwarding $_tcpfwd" ) \
157 > ${OBJ}/sshd_proxy
158 check_lfwd $_proto $_permit_lfwd "$_prefix, permitopen"
159 check_rfwd $_proto $_permit_rfwd "$_prefix, permitopen"
160 done
161}
162
163# no-permitopen mismatch-permitopen match-permitopen
164# AllowTcpForwarding local remote local remote local remote
165all_tests yes Y Y N Y Y Y
166all_tests local Y N N N Y N
167all_tests remote N Y N Y N Y
168all_tests no N N N N N N