| # $OpenBSD: forward-control.sh,v 1.7 2018/06/07 14:29:43 djm Exp $ |
| # Placed in the Public Domain. |
| |
| tid="sshd control of local and remote forwarding" |
| |
| LFWD_PORT=3320 |
| RFWD_PORT=3321 |
| CTL=$OBJ/ctl-sock |
| READY=$OBJ/ready |
| |
| wait_for_file_to_appear() { |
| _path=$1 |
| _n=0 |
| while test ! -f $_path ; do |
| test $_n -eq 1 && trace "waiting for $_path to appear" |
| _n=`expr $_n + 1` |
| test $_n -ge 20 && return 1 |
| sleep 1 |
| done |
| return 0 |
| } |
| |
| wait_for_process_to_exit() { |
| _pid=$1 |
| _n=0 |
| while kill -0 $_pid 2>/dev/null ; do |
| test $_n -eq 1 && trace "waiting for $_pid to exit" |
| _n=`expr $_n + 1` |
| test $_n -ge 20 && return 1 |
| sleep 1 |
| done |
| return 0 |
| } |
| |
| # usage: check_lfwd Y|N message |
| check_lfwd() { |
| _expected=$1 |
| _message=$2 |
| rm -f $READY |
| ${SSH} -F $OBJ/ssh_proxy \ |
| -L$LFWD_PORT:127.0.0.1:$PORT \ |
| -o ExitOnForwardFailure=yes \ |
| -n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \ |
| >/dev/null 2>&1 & |
| _sshpid=$! |
| wait_for_file_to_appear $READY || \ |
| fatal "check_lfwd ssh fail: $_message" |
| ${SSH} -F $OBJ/ssh_config -p $LFWD_PORT \ |
| -oConnectionAttempts=4 host true >/dev/null 2>&1 |
| _result=$? |
| kill $_sshpid `cat $READY` 2>/dev/null |
| wait_for_process_to_exit $_sshpid |
| if test "x$_expected" = "xY" -a $_result -ne 0 ; then |
| fail "check_lfwd failed (expecting success): $_message" |
| elif test "x$_expected" = "xN" -a $_result -eq 0 ; then |
| fail "check_lfwd succeeded (expecting failure): $_message" |
| elif test "x$_expected" != "xY" -a "x$_expected" != "xN" ; then |
| fatal "check_lfwd invalid argument \"$_expected\"" |
| else |
| verbose "check_lfwd done (expecting $_expected): $_message" |
| fi |
| } |
| |
| # usage: check_rfwd Y|N message |
| check_rfwd() { |
| _expected=$1 |
| _message=$2 |
| rm -f $READY |
| ${SSH} -F $OBJ/ssh_proxy \ |
| -R127.0.0.1:$RFWD_PORT:127.0.0.1:$PORT \ |
| -o ExitOnForwardFailure=yes \ |
| -n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \ |
| >/dev/null 2>&1 & |
| _sshpid=$! |
| wait_for_file_to_appear $READY |
| _result=$? |
| if test $_result -eq 0 ; then |
| ${SSH} -F $OBJ/ssh_config -p $RFWD_PORT \ |
| -oConnectionAttempts=4 host true >/dev/null 2>&1 |
| _result=$? |
| kill $_sshpid `cat $READY` 2>/dev/null |
| wait_for_process_to_exit $_sshpid |
| fi |
| if test "x$_expected" = "xY" -a $_result -ne 0 ; then |
| fail "check_rfwd failed (expecting success): $_message" |
| elif test "x$_expected" = "xN" -a $_result -eq 0 ; then |
| fail "check_rfwd succeeded (expecting failure): $_message" |
| elif test "x$_expected" != "xY" -a "x$_expected" != "xN" ; then |
| fatal "check_rfwd invalid argument \"$_expected\"" |
| else |
| verbose "check_rfwd done (expecting $_expected): $_message" |
| fi |
| } |
| |
| start_sshd |
| cp ${OBJ}/sshd_proxy ${OBJ}/sshd_proxy.bak |
| cp ${OBJ}/authorized_keys_${USER} ${OBJ}/authorized_keys_${USER}.bak |
| |
| # Sanity check: ensure the default config allows forwarding |
| check_lfwd Y "default configuration" |
| check_rfwd Y "default configuration" |
| |
| # Usage: lperm_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N |
| lperm_tests() { |
| _tcpfwd=$1 |
| _plain_lfwd=$2 |
| _plain_rfwd=$3 |
| _nopermit_lfwd=$4 |
| _nopermit_rfwd=$5 |
| _permit_lfwd=$6 |
| _permit_rfwd=$7 |
| _badfwd1=127.0.0.1:22 |
| _badfwd2=127.0.0.2:22 |
| _goodfwd=127.0.0.1:${PORT} |
| cp ${OBJ}/authorized_keys_${USER}.bak ${OBJ}/authorized_keys_${USER} |
| _prefix="AllowTcpForwarding=$_tcpfwd" |
| |
| # No PermitOpen |
| ( cat ${OBJ}/sshd_proxy.bak ; |
| echo "AllowTcpForwarding $_tcpfwd" ) \ |
| > ${OBJ}/sshd_proxy |
| check_lfwd $_plain_lfwd "$_prefix" |
| check_rfwd $_plain_rfwd "$_prefix" |
| |
| # PermitOpen via sshd_config that doesn't match |
| ( cat ${OBJ}/sshd_proxy.bak ; |
| echo "AllowTcpForwarding $_tcpfwd" ; |
| echo "PermitOpen $_badfwd1 $_badfwd2" ) \ |
| > ${OBJ}/sshd_proxy |
| check_lfwd $_nopermit_lfwd "$_prefix, !PermitOpen" |
| check_rfwd $_nopermit_rfwd "$_prefix, !PermitOpen" |
| # PermitOpen via sshd_config that does match |
| ( cat ${OBJ}/sshd_proxy.bak ; |
| echo "AllowTcpForwarding $_tcpfwd" ; |
| echo "PermitOpen $_badfwd1 $_goodfwd $_badfwd2" ) \ |
| > ${OBJ}/sshd_proxy |
| check_lfwd $_plain_lfwd "$_prefix, PermitOpen" |
| check_rfwd $_plain_rfwd "$_prefix, PermitOpen" |
| |
| # permitopen keys option. |
| # NB. permitopen via authorized_keys should have same |
| # success/fail as via sshd_config |
| # permitopen via authorized_keys that doesn't match |
| sed "s/^/permitopen=\"$_badfwd1\",permitopen=\"$_badfwd2\" /" \ |
| < ${OBJ}/authorized_keys_${USER}.bak \ |
| > ${OBJ}/authorized_keys_${USER} || fatal "sed 1 fail" |
| ( cat ${OBJ}/sshd_proxy.bak ; |
| echo "AllowTcpForwarding $_tcpfwd" ) \ |
| > ${OBJ}/sshd_proxy |
| check_lfwd $_nopermit_lfwd "$_prefix, !permitopen" |
| check_rfwd $_nopermit_rfwd "$_prefix, !permitopen" |
| # permitopen via authorized_keys that does match |
| sed "s/^/permitopen=\"$_badfwd1\",permitopen=\"$_goodfwd\" /" \ |
| < ${OBJ}/authorized_keys_${USER}.bak \ |
| > ${OBJ}/authorized_keys_${USER} || fatal "sed 2 fail" |
| ( cat ${OBJ}/sshd_proxy.bak ; |
| echo "AllowTcpForwarding $_tcpfwd" ) \ |
| > ${OBJ}/sshd_proxy |
| check_lfwd $_permit_lfwd "$_prefix, permitopen" |
| check_rfwd $_permit_rfwd "$_prefix, permitopen" |
| |
| # Check port-forwarding flags in authorized_keys. |
| # These two should refuse all. |
| sed "s/^/no-port-forwarding /" \ |
| < ${OBJ}/authorized_keys_${USER}.bak \ |
| > ${OBJ}/authorized_keys_${USER} || fatal "sed 3 fail" |
| ( cat ${OBJ}/sshd_proxy.bak ; |
| echo "AllowTcpForwarding $_tcpfwd" ) \ |
| > ${OBJ}/sshd_proxy |
| check_lfwd N "$_prefix, no-port-forwarding" |
| check_rfwd N "$_prefix, no-port-forwarding" |
| sed "s/^/restrict /" \ |
| < ${OBJ}/authorized_keys_${USER}.bak \ |
| > ${OBJ}/authorized_keys_${USER} || fatal "sed 4 fail" |
| ( cat ${OBJ}/sshd_proxy.bak ; |
| echo "AllowTcpForwarding $_tcpfwd" ) \ |
| > ${OBJ}/sshd_proxy |
| check_lfwd N "$_prefix, restrict" |
| check_rfwd N "$_prefix, restrict" |
| # This should pass the same cases as _nopermit* |
| sed "s/^/restrict,port-forwarding /" \ |
| < ${OBJ}/authorized_keys_${USER}.bak \ |
| > ${OBJ}/authorized_keys_${USER} || fatal "sed 5 fail" |
| ( cat ${OBJ}/sshd_proxy.bak ; |
| echo "AllowTcpForwarding $_tcpfwd" ) \ |
| > ${OBJ}/sshd_proxy |
| check_lfwd $_plain_lfwd "$_prefix, restrict,port-forwarding" |
| check_rfwd $_plain_rfwd "$_prefix, restrict,port-forwarding" |
| } |
| |
| # permit-open none mismatch match |
| # AllowTcpForwarding local remote local remote local remote |
| lperm_tests yes Y Y N Y Y Y |
| lperm_tests local Y N N N Y N |
| lperm_tests remote N Y N Y N Y |
| lperm_tests no N N N N N N |
| |
| # Usage: rperm_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N |
| rperm_tests() { |
| _tcpfwd=$1 |
| _plain_lfwd=$2 |
| _plain_rfwd=$3 |
| _nopermit_lfwd=$4 |
| _nopermit_rfwd=$5 |
| _permit_lfwd=$6 |
| _permit_rfwd=$7 |
| _badfwd1=127.0.0.1:22 |
| _badfwd2=127.0.0.2:${RFWD_PORT} |
| _goodfwd=127.0.0.1:${RFWD_PORT} |
| cp ${OBJ}/authorized_keys_${USER}.bak ${OBJ}/authorized_keys_${USER} |
| _prefix="AllowTcpForwarding=$_tcpfwd" |
| |
| # PermitListen via sshd_config that doesn't match |
| ( cat ${OBJ}/sshd_proxy.bak ; |
| echo "AllowTcpForwarding $_tcpfwd" ; |
| echo "PermitListen $_badfwd1 $_badfwd2" ) \ |
| > ${OBJ}/sshd_proxy |
| check_lfwd $_nopermit_lfwd "$_prefix, !PermitListen" |
| check_rfwd $_nopermit_rfwd "$_prefix, !PermitListen" |
| # PermitListen via sshd_config that does match |
| ( cat ${OBJ}/sshd_proxy.bak ; |
| echo "AllowTcpForwarding $_tcpfwd" ; |
| echo "PermitListen $_badfwd1 $_goodfwd $_badfwd2" ) \ |
| > ${OBJ}/sshd_proxy |
| check_lfwd $_plain_lfwd "$_prefix, PermitListen" |
| check_rfwd $_plain_rfwd "$_prefix, PermitListen" |
| } |
| |
| # permit-remote-open none mismatch match |
| # AllowTcpForwarding local remote local remote local remote |
| rperm_tests yes Y Y Y N Y Y |
| rperm_tests local Y N Y N Y N |
| rperm_tests remote N Y N N N Y |
| rperm_tests no N N N N N N |
| |