1 files changed, 168 insertions, 0 deletions
diff --git a/regress/forward-control.sh b/regress/forward-control.sh
new file mode 100644
index 000000000..80ddb4167
--- /dev/null
+++ b/regress/forward-control.sh
@@ -0,0 +1,168 @@
+#       $OpenBSD: forward-control.sh,v 1.1 2012/12/02 20:47:48 djm Exp $
+#       Placed in the Public Domain.
+tid="sshd control of local and remote forwarding"
+LFWD_PORT=3320
+RFWD_PORT=3321
+CTL=$OBJ/ctl-sock
+READY=$OBJ/ready
+wait_for_file_to_appear() {
+        _path=$1
+        _n=0
+        while test ! -f $_path ; do
+                test $_n -eq 1 && trace "waiting for $_path to appear"
+                _n=`expr $_n + 1`
+                test $_n -ge 20 && return 1
+                sleep 1
+        done
+        return 0
+}
+wait_for_process_to_exit() {
+        _pid=$1
+        _n=0
+        while kill -0 $_pid 2>/dev/null ; do
+                test $_n -eq 1 && trace "waiting for $_pid to exit"
+                _n=`expr $_n + 1`
+                test $_n -ge 20 && return 1
+                sleep 1
+        done
+        return 0
+}
+# usage: check_lfwd protocol Y|N message
+check_lfwd() {
+        _proto=$1
+        _expected=$2
+        _message=$3
+        rm -f $READY
+        ${SSH} -oProtocol=$_proto -F $OBJ/ssh_proxy \
+            -L$LFWD_PORT:127.0.0.1:$PORT \
+            -o ExitOnForwardFailure=yes \
+            -n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \
+            >/dev/null 2>&1 &
+        _sshpid=$!
+        wait_for_file_to_appear $READY || \
+                fatal "check_lfwd ssh fail: $_message"
+        ${SSH} -F $OBJ/ssh_config -p $LFWD_PORT \
+            -oConnectionAttempts=4 host true >/dev/null 2>&1
+        _result=$?
+        kill $_sshpid `cat $READY` 2>/dev/null
+        wait_for_process_to_exit $_sshpid
+        if test "x$_expected" = "xY" -a $_result -ne 0 ; then
+                fail "check_lfwd failed (expecting success): $_message"
+        elif test "x$_expected" = "xN" -a $_result -eq 0 ; then
+                fail "check_lfwd succeeded (expecting failure): $_message"
+        elif test "x$_expected" != "xY" -a "x$_expected" != "xN" ; then
+                fatal "check_lfwd invalid argument \"$_expected\""
+        else
+                verbose "check_lfwd done (expecting $_expected): $_message"
+        fi
+}
+# usage: check_rfwd protocol Y|N message
+check_rfwd() {
+        _proto=$1
+        _expected=$2
+        _message=$3
+        rm -f $READY
+        ${SSH} -oProtocol=$_proto -F $OBJ/ssh_proxy \
+            -R$RFWD_PORT:127.0.0.1:$PORT \
+            -o ExitOnForwardFailure=yes \
+            -n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \
+            >/dev/null 2>&1 &
+        _sshpid=$!
+        wait_for_file_to_appear $READY
+        _result=$?
+        if test $_result -eq 0 ; then
+                ${SSH} -F $OBJ/ssh_config -p $RFWD_PORT \
+                    -oConnectionAttempts=4 host true >/dev/null 2>&1
+                _result=$?
+                kill $_sshpid `cat $READY` 2>/dev/null
+                wait_for_process_to_exit $_sshpid
+        fi
+        if test "x$_expected" = "xY" -a $_result -ne 0 ; then
+                fail "check_rfwd failed (expecting success): $_message"
+        elif test "x$_expected" = "xN" -a $_result -eq 0 ; then
+                fail "check_rfwd succeeded (expecting failure): $_message"
+        elif test "x$_expected" != "xY" -a "x$_expected" != "xN" ; then
+                fatal "check_rfwd invalid argument \"$_expected\""
+        else
+                verbose "check_rfwd done (expecting $_expected): $_message"
+        fi
+}
+start_sshd
+cp ${OBJ}/sshd_proxy ${OBJ}/sshd_proxy.bak
+cp ${OBJ}/authorized_keys_${USER} ${OBJ}/authorized_keys_${USER}.bak
+# Sanity check: ensure the default config allows forwarding
+for p in 1 2 ; do
+        check_lfwd $p Y "proto $p, default configuration"
+        check_rfwd $p Y "proto $p, default configuration"
+done
+# Usage: all_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N
+all_tests() {
+        _tcpfwd=$1
+        _plain_lfwd=$2
+        _plain_rfwd=$3
+        _nopermit_lfwd=$4
+        _nopermit_rfwd=$5
+        _permit_lfwd=$6
+        _permit_rfwd=$7
+        _badfwd=127.0.0.1:22
+        _goodfwd=127.0.0.1:${PORT}
+        for _proto in 1 2 ; do
+                cp ${OBJ}/authorized_keys_${USER}.bak \
+                    ${OBJ}/authorized_keys_${USER}
+                _prefix="proto $_proto, AllowTcpForwarding=$_tcpfwd"
+                # No PermitOpen
+                ( cat ${OBJ}/sshd_proxy.bak ;
+                  echo "AllowTcpForwarding $_tcpfwd" ) \
+                    > ${OBJ}/sshd_proxy
+                check_lfwd $_proto $_plain_lfwd "$_prefix"
+                check_rfwd $_proto $_plain_rfwd "$_prefix"
+                # PermitOpen via sshd_config that doesn't match
+                ( cat ${OBJ}/sshd_proxy.bak ;
+                  echo "AllowTcpForwarding $_tcpfwd" ;
+                  echo "PermitOpen $_badfwd" ) \
+                    > ${OBJ}/sshd_proxy
+                check_lfwd $_proto $_nopermit_lfwd "$_prefix, !PermitOpen"
+                check_rfwd $_proto $_nopermit_rfwd "$_prefix, !PermitOpen"
+                # PermitOpen via sshd_config that does match
+                ( cat ${OBJ}/sshd_proxy.bak ;
+                  echo "AllowTcpForwarding $_tcpfwd" ;
+                  echo "PermitOpen $_badfwd $_goodfwd" ) \
+                    > ${OBJ}/sshd_proxy
+                # NB. permitopen via authorized_keys should have same
+                # success/fail as via sshd_config
+                # permitopen via authorized_keys that doesn't match
+                sed "s/^/permitopen=\"$_badfwd\" /" \
+                    < ${OBJ}/authorized_keys_${USER}.bak \
+                    > ${OBJ}/authorized_keys_${USER} || fatal "sed 1 fail"
+                ( cat ${OBJ}/sshd_proxy.bak ;
+                  echo "AllowTcpForwarding $_tcpfwd" ) \
+                    > ${OBJ}/sshd_proxy
+                check_lfwd $_proto $_nopermit_lfwd "$_prefix, !permitopen"
+                check_rfwd $_proto $_nopermit_rfwd "$_prefix, !permitopen"
+                # permitopen via authorized_keys that does match
+                sed "s/^/permitopen=\"$_badfwd\",permitopen=\"$_goodfwd\" /" \
+                    < ${OBJ}/authorized_keys_${USER}.bak \
+                    > ${OBJ}/authorized_keys_${USER} || fatal "sed 2 fail"
+                ( cat ${OBJ}/sshd_proxy.bak ;
+                  echo "AllowTcpForwarding $_tcpfwd" ) \
+                    > ${OBJ}/sshd_proxy
+                check_lfwd $_proto $_permit_lfwd "$_prefix, permitopen"
+                check_rfwd $_proto $_permit_rfwd "$_prefix, permitopen"
+        done
+}
+#                      no-permitopen mismatch-permitopen match-permitopen
+#   AllowTcpForwarding  local remote        local remote     local remote
+all_tests          yes      Y      Y            N      Y         Y      Y
+all_tests        local      Y      N            N      N         Y      N
+all_tests       remote      N      Y            N      Y         N      Y
+all_tests           no      N      N            N      N         N      N

diff --git a/regress/forward-control.sh b/regress/forward-control.sh new file mode 100644 index 000000000..80ddb4167 --- /dev/null +++ b/regress/forward-control.sh
@@ -0,0 +1,168 @@
	1	# $OpenBSD: forward-control.sh,v 1.1 2012/12/02 20:47:48 djm Exp $
	2	# Placed in the Public Domain.
	3
	4	tid="sshd control of local and remote forwarding"
	5
	6	LFWD_PORT=3320
	7	RFWD_PORT=3321
	8	CTL=$OBJ/ctl-sock
	9	READY=$OBJ/ready
	10
	11	wait_for_file_to_appear() {
	12	_path=$1
	13	_n=0
	14	while test ! -f $_path ; do
	15	test $_n -eq 1 && trace "waiting for $_path to appear"
	16	_n=`expr $_n + 1`
	17	test $_n -ge 20 && return 1
	18	sleep 1
	19	done
	20	return 0
	21	}
	22
	23	wait_for_process_to_exit() {
	24	_pid=$1
	25	_n=0
	26	while kill -0 $_pid 2>/dev/null ; do
	27	test $_n -eq 1 && trace "waiting for $_pid to exit"
	28	_n=`expr $_n + 1`
	29	test $_n -ge 20 && return 1
	30	sleep 1
	31	done
	32	return 0
	33	}
	34
	35	# usage: check_lfwd protocol Y\|N message
	36	check_lfwd() {
	37	_proto=$1
	38	_expected=$2
	39	_message=$3
	40	rm -f $READY
	41	${SSH} -oProtocol=$_proto -F $OBJ/ssh_proxy \
	42	-L$LFWD_PORT:127.0.0.1:$PORT \
	43	-o ExitOnForwardFailure=yes \
	44	-n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \
	45	>/dev/null 2>&1 &
	46	_sshpid=$!
	47	wait_for_file_to_appear $READY \|\| \
	48	fatal "check_lfwd ssh fail: $_message"
	49	${SSH} -F $OBJ/ssh_config -p $LFWD_PORT \
	50	-oConnectionAttempts=4 host true >/dev/null 2>&1
	51	_result=$?
	52	kill $_sshpid `cat $READY` 2>/dev/null
	53	wait_for_process_to_exit $_sshpid
	54	if test "x$_expected" = "xY" -a $_result -ne 0 ; then
	55	fail "check_lfwd failed (expecting success): $_message"
	56	elif test "x$_expected" = "xN" -a $_result -eq 0 ; then
	57	fail "check_lfwd succeeded (expecting failure): $_message"
	58	elif test "x$_expected" != "xY" -a "x$_expected" != "xN" ; then
	59	fatal "check_lfwd invalid argument \"$_expected\""
	60	else
	61	verbose "check_lfwd done (expecting $_expected): $_message"
	62	fi
	63	}
	64
	65	# usage: check_rfwd protocol Y\|N message
	66	check_rfwd() {
	67	_proto=$1
	68	_expected=$2
	69	_message=$3
	70	rm -f $READY
	71	${SSH} -oProtocol=$_proto -F $OBJ/ssh_proxy \
	72	-R$RFWD_PORT:127.0.0.1:$PORT \
	73	-o ExitOnForwardFailure=yes \
	74	-n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \
	75	>/dev/null 2>&1 &
	76	_sshpid=$!
	77	wait_for_file_to_appear $READY
	78	_result=$?
	79	if test $_result -eq 0 ; then
	80	${SSH} -F $OBJ/ssh_config -p $RFWD_PORT \
	81	-oConnectionAttempts=4 host true >/dev/null 2>&1
	82	_result=$?
	83	kill $_sshpid `cat $READY` 2>/dev/null
	84	wait_for_process_to_exit $_sshpid
	85	fi
	86	if test "x$_expected" = "xY" -a $_result -ne 0 ; then
	87	fail "check_rfwd failed (expecting success): $_message"
	88	elif test "x$_expected" = "xN" -a $_result -eq 0 ; then
	89	fail "check_rfwd succeeded (expecting failure): $_message"
	90	elif test "x$_expected" != "xY" -a "x$_expected" != "xN" ; then
	91	fatal "check_rfwd invalid argument \"$_expected\""
	92	else
	93	verbose "check_rfwd done (expecting $_expected): $_message"
	94	fi
	95	}
	96
	97	start_sshd
	98	cp ${OBJ}/sshd_proxy ${OBJ}/sshd_proxy.bak
	99	cp ${OBJ}/authorized_keys_${USER} ${OBJ}/authorized_keys_${USER}.bak
	100
	101	# Sanity check: ensure the default config allows forwarding
	102	for p in 1 2 ; do
	103	check_lfwd $p Y "proto $p, default configuration"
	104	check_rfwd $p Y "proto $p, default configuration"
	105	done
	106
	107	# Usage: all_tests yes\|local\|remote\|no Y\|N Y\|N Y\|N Y\|N Y\|N Y\|N
	108	all_tests() {
	109	_tcpfwd=$1
	110	_plain_lfwd=$2
	111	_plain_rfwd=$3
	112	_nopermit_lfwd=$4
	113	_nopermit_rfwd=$5
	114	_permit_lfwd=$6
	115	_permit_rfwd=$7
	116	_badfwd=127.0.0.1:22
	117	_goodfwd=127.0.0.1:${PORT}
	118	for _proto in 1 2 ; do
	119	cp ${OBJ}/authorized_keys_${USER}.bak \
	120	${OBJ}/authorized_keys_${USER}
	121	_prefix="proto $_proto, AllowTcpForwarding=$_tcpfwd"
	122	# No PermitOpen
	123	( cat ${OBJ}/sshd_proxy.bak ;
	124	echo "AllowTcpForwarding $_tcpfwd" ) \
	125	> ${OBJ}/sshd_proxy
	126	check_lfwd $_proto $_plain_lfwd "$_prefix"
	127	check_rfwd $_proto $_plain_rfwd "$_prefix"
	128	# PermitOpen via sshd_config that doesn't match
	129	( cat ${OBJ}/sshd_proxy.bak ;
	130	echo "AllowTcpForwarding $_tcpfwd" ;
	131	echo "PermitOpen $_badfwd" ) \
	132	> ${OBJ}/sshd_proxy
	133	check_lfwd $_proto $_nopermit_lfwd "$_prefix, !PermitOpen"
	134	check_rfwd $_proto $_nopermit_rfwd "$_prefix, !PermitOpen"
	135	# PermitOpen via sshd_config that does match
	136	( cat ${OBJ}/sshd_proxy.bak ;
	137	echo "AllowTcpForwarding $_tcpfwd" ;
	138	echo "PermitOpen $_badfwd $_goodfwd" ) \
	139	> ${OBJ}/sshd_proxy
	140	# NB. permitopen via authorized_keys should have same
	141	# success/fail as via sshd_config
	142	# permitopen via authorized_keys that doesn't match
	143	sed "s/^/permitopen=\"$_badfwd\" /" \
	144	< ${OBJ}/authorized_keys_${USER}.bak \
	145	> ${OBJ}/authorized_keys_${USER} \|\| fatal "sed 1 fail"
	146	( cat ${OBJ}/sshd_proxy.bak ;
	147	echo "AllowTcpForwarding $_tcpfwd" ) \
	148	> ${OBJ}/sshd_proxy
	149	check_lfwd $_proto $_nopermit_lfwd "$_prefix, !permitopen"
	150	check_rfwd $_proto $_nopermit_rfwd "$_prefix, !permitopen"
	151	# permitopen via authorized_keys that does match
	152	sed "s/^/permitopen=\"$_badfwd\",permitopen=\"$_goodfwd\" /" \
	153	< ${OBJ}/authorized_keys_${USER}.bak \
	154	> ${OBJ}/authorized_keys_${USER} \|\| fatal "sed 2 fail"
	155	( cat ${OBJ}/sshd_proxy.bak ;
	156	echo "AllowTcpForwarding $_tcpfwd" ) \
	157	> ${OBJ}/sshd_proxy
	158	check_lfwd $_proto $_permit_lfwd "$_prefix, permitopen"
	159	check_rfwd $_proto $_permit_rfwd "$_prefix, permitopen"
	160	done
	161	}
	162
	163	# no-permitopen mismatch-permitopen match-permitopen
	164	# AllowTcpForwarding local remote local remote local remote
	165	all_tests yes Y Y N Y Y Y
	166	all_tests local Y N N N Y N
	167	all_tests remote N Y N Y N Y
	168	all_tests no N N N N N N