From 3d1edd1ebbc0aabea8bbe61903060f37137f7c61 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Fri, 2 Mar 2018 02:51:55 +0000 Subject: upstream: better testing for port-forwarding and restrict flags in authorized_keys OpenBSD-Regress-ID: ee771df8955f2735df54746872c6228aff381daa --- regress/forward-control.sh | 29 ++++++++++++++++++++++++++++- 1 file changed, 28 insertions(+), 1 deletion(-) (limited to 'regress/forward-control.sh') diff --git a/regress/forward-control.sh b/regress/forward-control.sh index 2e9dbb53a..93d05cf63 100644 --- a/regress/forward-control.sh +++ b/regress/forward-control.sh @@ -1,4 +1,4 @@ -# $OpenBSD: forward-control.sh,v 1.4 2017/04/30 23:34:55 djm Exp $ +# $OpenBSD: forward-control.sh,v 1.5 2018/03/02 02:51:55 djm Exp $ # Placed in the Public Domain. tid="sshd control of local and remote forwarding" @@ -151,6 +151,33 @@ all_tests() { > ${OBJ}/sshd_proxy check_lfwd $_permit_lfwd "$_prefix, permitopen" check_rfwd $_permit_rfwd "$_prefix, permitopen" + # Check port-forwarding flags in authorized_keys. + # These two should refuse all. + sed "s/^/no-port-forwarding /" \ + < ${OBJ}/authorized_keys_${USER}.bak \ + > ${OBJ}/authorized_keys_${USER} || fatal "sed 3 fail" + ( cat ${OBJ}/sshd_proxy.bak ; + echo "AllowTcpForwarding $_tcpfwd" ) \ + > ${OBJ}/sshd_proxy + check_lfwd N "$_prefix, no-port-forwarding" + check_rfwd N "$_prefix, no-port-forwarding" + sed "s/^/restrict /" \ + < ${OBJ}/authorized_keys_${USER}.bak \ + > ${OBJ}/authorized_keys_${USER} || fatal "sed 4 fail" + ( cat ${OBJ}/sshd_proxy.bak ; + echo "AllowTcpForwarding $_tcpfwd" ) \ + > ${OBJ}/sshd_proxy + check_lfwd N "$_prefix, restrict" + check_rfwd N "$_prefix, restrict" + # This should pass the same cases as _nopermit* + sed "s/^/restrict,port-forwarding /" \ + < ${OBJ}/authorized_keys_${USER}.bak \ + > ${OBJ}/authorized_keys_${USER} || fatal "sed 5 fail" + ( cat ${OBJ}/sshd_proxy.bak ; + echo "AllowTcpForwarding $_tcpfwd" ) \ + > ${OBJ}/sshd_proxy + check_lfwd $_plain_lfwd "$_prefix, restrict,port-forwarding" + check_rfwd $_plain_rfwd "$_prefix, restrict,port-forwarding" } # no-permitopen mismatch-permitopen match-permitopen -- cgit v1.2.3