From 392db2bc83215986a91c0b65feb0e40e7619ce7e Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org"
Date: Wed, 6 Jun 2018 18:25:33 +0000
Subject: upstream: regress test for PermitOpen

OpenBSD-Regress-ID: ce8b5f28fc039f09bb297fc4a92319e65982ddaf
---
 regress/forward-control.sh | 77 +++++++++++++++++++++++++++++++++++++---------
 1 file changed, 62 insertions(+), 15 deletions(-)

(limited to 'regress/forward-control.sh')

diff --git a/regress/forward-control.sh b/regress/forward-control.sh
index 93d05cf63..c22ca223d 100644
--- a/regress/forward-control.sh
+++ b/regress/forward-control.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: forward-control.sh,v 1.5 2018/03/02 02:51:55 djm Exp $
+# $OpenBSD: forward-control.sh,v 1.6 2018/06/06 18:25:33 djm Exp $
 # Placed in the Public Domain.
 
 tid="sshd control of local and remote forwarding"
@@ -67,7 +67,7 @@ check_rfwd() {
 	_message=$2
 	rm -f $READY
 	${SSH} -F $OBJ/ssh_proxy \
-	    -R$RFWD_PORT:127.0.0.1:$PORT \
+	    -R127.0.0.1:$RFWD_PORT:127.0.0.1:$PORT \
 	    -o ExitOnForwardFailure=yes \
 	    -n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \
 	    >/dev/null 2>&1 &
@@ -100,8 +100,8 @@ cp ${OBJ}/authorized_keys_${USER} ${OBJ}/authorized_keys_${USER}.bak
 check_lfwd Y "default configuration"
 check_rfwd Y "default configuration"
 
-# Usage: all_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N
-all_tests() {
+# Usage: lperm_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N
+lperm_tests() {
 	_tcpfwd=$1
 	_plain_lfwd=$2
 	_plain_rfwd=$3
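Review bot: The new `-R127.0.0.1:$RFWD_PORT:127.0.0.1:$PORT` in check_rfwd pins the listen address without saying why, and the reason only becomes visible in the final hunk, where rperm_tests matches `PermitRemoteOpen` against `127.0.0.1:${RFWD_PORT}`; presumably the explicit bind is what makes that address match deterministic rather than dependent on the server's default listen address. A one-line comment above the option, `# bind to an explicit address so PermitRemoteOpen rules are matched against 127.0.0.1:$RFWD_PORT`, would save the next reader that hunt. check_rfwd() begins before this hunk and its remainder runs past it.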
@@ -109,32 +109,39 @@ all_tests() {
 	_nopermit_rfwd=$5
 	_permit_lfwd=$6
 	_permit_rfwd=$7
-	_badfwd=127.0.0.1:22
+	_badfwd1=127.0.0.1:22
+	_badfwd2=127.0.0.2:22
 	_goodfwd=127.0.0.1:${PORT}
 	cp ${OBJ}/authorized_keys_${USER}.bak ${OBJ}/authorized_keys_${USER}
 	_prefix="AllowTcpForwarding=$_tcpfwd"
 
+	# No PermitOpen
 	( cat ${OBJ}/sshd_proxy.bak ;
 	  echo "AllowTcpForwarding $_tcpfwd" ) \
 	    > ${OBJ}/sshd_proxy
 	check_lfwd $_plain_lfwd "$_prefix"
 	check_rfwd $_plain_rfwd "$_prefix"
 
+	# PermitOpen via sshd_config that doesn't match
 	( cat ${OBJ}/sshd_proxy.bak ;
 	  echo "AllowTcpForwarding $_tcpfwd" ;
-	  echo "PermitOpen $_badfwd" ) \
+	  echo "PermitOpen $_badfwd1 $_badfwd2" ) \
 	    > ${OBJ}/sshd_proxy
 	check_lfwd $_nopermit_lfwd "$_prefix, !PermitOpen"
 	check_rfwd $_nopermit_rfwd "$_prefix, !PermitOpen"
 	# PermitOpen via sshd_config that does match
 	( cat ${OBJ}/sshd_proxy.bak ;
 	  echo "AllowTcpForwarding $_tcpfwd" ;
-	  echo "PermitOpen $_badfwd $_goodfwd" ) \
+	  echo "PermitOpen $_badfwd1 $_goodfwd $_badfwd2" ) \
 	    > ${OBJ}/sshd_proxy
+	check_lfwd $_plain_lfwd "$_prefix, PermitOpen"
+	check_rfwd $_plain_rfwd "$_prefix, PermitOpen"
+
+	# permitopen keys option.
 	# NB. permitopen via authorized_keys should have same
 	# success/fail as via sshd_config
 	# permitopen via authorized_keys that doesn't match
-	sed "s/^/permitopen=\"$_badfwd\" /" \
+	sed "s/^/permitopen=\"$_badfwd1\",permitopen=\"$_badfwd2\" /" \
 	< ${OBJ}/authorized_keys_${USER}.bak \
 	> ${OBJ}/authorized_keys_${USER} || fatal "sed 1 fail"
 	( cat ${OBJ}/sshd_proxy.bak ;
@@ -143,7 +150,7 @@ all_tests() {
 	check_lfwd $_nopermit_lfwd "$_prefix, !permitopen"
 	check_rfwd $_nopermit_rfwd "$_prefix, !permitopen"
 	# permitopen via authorized_keys that does match
-	sed "s/^/permitopen=\"$_badfwd\",permitopen=\"$_goodfwd\" /" \
+	sed "s/^/permitopen=\"$_badfwd1\",permitopen=\"$_goodfwd\" /" \
 	< ${OBJ}/authorized_keys_${USER}.bak \
 	> ${OBJ}/authorized_keys_${USER} || fatal "sed 2 fail"
 	( cat ${OBJ}/sshd_proxy.bak ;
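Review bot: The two mismatch entries in lperm_tests leave one case of PermitOpen matching unexercised: `_badfwd1=127.0.0.1:22` is right-address/wrong-port and `_badfwd2=127.0.0.2:22` is wrong on both, so no entry with the correct port but a foreign address is ever offered, whereas rperm_tests in the last hunk uses `127.0.0.2:${RFWD_PORT}` for exactly that. Changing the second entry to `_badfwd2=127.0.0.2:${PORT}` would make the address component of the match observable, which is the part a too-loose comparison would relax without any of the current expectations failing. The same narrowing shows in the authorized_keys variant at `@@ -143`, whose match case lists only `$_badfwd1` and `$_goodfwd` while the sshd_config variant also trails `$_badfwd2` after the good entry. lperm_tests (formerly all_tests) opens before this hunk and closes after it.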
@@ -151,6 +158,7 @@ all_tests() {
 	    > ${OBJ}/sshd_proxy
 	check_lfwd $_permit_lfwd "$_prefix, permitopen"
 	check_rfwd $_permit_rfwd "$_prefix, permitopen"
 
+	# Check port-forwarding flags in authorized_keys.
 	# These two should refuse all.
 	sed "s/^/no-port-forwarding /" \
@@ -180,9 +188,48 @@ all_tests() {
 	check_rfwd $_plain_rfwd "$_prefix, restrict,port-forwarding"
 }
 
-#                   no-permitopen  mismatch-permitopen match-permitopen
-# AllowTcpForwarding local remote  local remote        local remote
-all_tests yes       Y     Y        N     Y             Y     Y
-all_tests local     Y     N        N     N             Y     N
-all_tests remote    N     Y        N     Y             N     Y
-all_tests no        N     N        N     N             N     N
+# permit-open       none          mismatch      match
+# AllowTcpForwarding local remote local remote  local remote
+lperm_tests yes     Y     Y       N     Y       Y     Y
+lperm_tests local   Y     N       N     N       Y     N
+lperm_tests remote  N     Y       N     Y       N     Y
+lperm_tests no      N     N       N     N       N     N
+
+# Usage: rperm_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N
+rperm_tests() {
+	_tcpfwd=$1
+	_plain_lfwd=$2
+	_plain_rfwd=$3
+	_nopermit_lfwd=$4
+	_nopermit_rfwd=$5
+	_permit_lfwd=$6
+	_permit_rfwd=$7
+	_badfwd1=127.0.0.1:22
+	_badfwd2=127.0.0.2:${RFWD_PORT}
+	_goodfwd=127.0.0.1:${RFWD_PORT}
+	cp ${OBJ}/authorized_keys_${USER}.bak ${OBJ}/authorized_keys_${USER}
+	_prefix="AllowTcpForwarding=$_tcpfwd"
+
+	# PermitRemoteOpen via sshd_config that doesn't match
+	( cat ${OBJ}/sshd_proxy.bak ;
+	  echo "AllowTcpForwarding $_tcpfwd" ;
+	  echo "PermitRemoteOpen $_badfwd1 $_badfwd2" ) \
+	    > ${OBJ}/sshd_proxy
+	check_lfwd $_nopermit_lfwd "$_prefix, !PermitRemoteOpen"
+	check_rfwd $_nopermit_rfwd "$_prefix, !PermitRemoteOpen"
+	# PermitRemoteOpen via sshd_config that does match
+	( cat ${OBJ}/sshd_proxy.bak ;
+	  echo "AllowTcpForwarding $_tcpfwd" ;
+	  echo "PermitRemoteOpen $_badfwd1 $_goodfwd $_badfwd2" ) \
+	    > ${OBJ}/sshd_proxy
+	check_lfwd $_plain_lfwd "$_prefix, PermitRemoteOpen"
+	check_rfwd $_plain_rfwd "$_prefix, PermitRemoteOpen"
+}
+
+# permit-remote-open none          mismatch      match
+# AllowTcpForwarding local remote local remote  local remote
+rperm_tests yes     Y     Y       Y     N       Y     Y
+rperm_tests local   Y     N       Y     N       Y     N
+rperm_tests remote  N     Y       N     N       N     Y
+rperm_tests no      N     N       N     N       N     N
+
-- cgit v1.2.3
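Review bot: The rperm_tests expectation table labels its first pair of columns `none`, but the function never runs a configuration without PermitRemoteOpen: `$_plain_lfwd`/`$_plain_rfwd` are consumed only as the expectation for the matching case, unlike lperm_tests, which has an explicit `# No PermitOpen` baseline. Either rename that column or add the baseline block below after `_prefix=...`, so the table describes what the function actually executes and a regression in the no-directive path is caught by the same function that documents it. rperm_tests also has no authorized_keys counterpart to the permitopen key-option checks in lperm_tests; if no key-file equivalent exists for remote forwards at this point, a comment saying so would stop readers from looking for a missing test.
```shell
	_prefix="AllowTcpForwarding=$_tcpfwd"

	# No PermitRemoteOpen: the baseline the "none" column refers to
	( cat ${OBJ}/sshd_proxy.bak ;
	  echo "AllowTcpForwarding $_tcpfwd" ) \
	    > ${OBJ}/sshd_proxy
	check_lfwd $_plain_lfwd "$_prefix"
	check_rfwd $_plain_rfwd "$_prefix"
	# … unchanged: PermitRemoteOpen mismatch and match blocks …
```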