Blame - regress/cfgmatch.sh - platform/external/openssh

blob: 96badd51b26dda9a1d2f972c0820ccd9b2b1daf5 [file] [log] [blame]

Damien Miller	80ba130	2007-10-26 14:45:13 +1000	[diff] [blame]	1	# $OpenBSD: cfgmatch.sh,v 1.4 2006/12/13 08:36:36 dtucker Exp $
Damien Miller	7b1877c	2006-07-24 15:31:41 +1000	[diff] [blame]	2	# Placed in the Public Domain.
				3
				4	tid="sshd_config match"
				5
				6	pidfile=$OBJ/remote_pid
				7	fwdport=3301
				8	fwd="-L $fwdport:127.0.0.1:$PORT"
				9
				10	stop_client()
				11	{
				12	pid=`cat $pidfile`
				13	if [ ! -z "$pid" ]; then
				14	kill $pid
Darren Tucker	89f59ce	2006-09-08 00:03:05 +1000	[diff] [blame]	15	sleep 1
Damien Miller	7b1877c	2006-07-24 15:31:41 +1000	[diff] [blame]	16	fi
				17	}
				18
				19	cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
				20
				21	echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_config
				22	echo "Match Address 127.0.0.1" >>$OBJ/sshd_config
				23	echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_config
				24
				25	echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_proxy
				26	echo "Match Address 127.0.0.1" >>$OBJ/sshd_proxy
				27	echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_proxy
				28
				29	start_sshd
				30
				31	#set -x
				32
				33	# Test Match + PermitOpen in sshd_config. This should be permitted
				34	for p in 1 2; do
				35	rm -f $pidfile
				36	trace "match permitopen localhost proto $p"
				37	${SSH} -$p $fwd -F $OBJ/ssh_config -f somehost \
Damien Miller	99ad353	2007-10-26 14:44:34 +1000	[diff] [blame]	38	exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' >>$TEST_SSH_LOGFILE 2>&1 \|\|\
Damien Miller	7b1877c	2006-07-24 15:31:41 +1000	[diff] [blame]	39	fail "match permitopen proto $p sshd failed"
				40	sleep 1;
				41	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true \|\| \
				42	fail "match permitopen permit proto $p"
				43	stop_client
				44	done
				45
				46	# Same but from different source. This should not be permitted
				47	for p in 1 2; do
				48	rm -f $pidfile
				49	trace "match permitopen proxy proto $p"
				50	${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \
Damien Miller	99ad353	2007-10-26 14:44:34 +1000	[diff] [blame]	51	exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' >>$TEST_SSH_LOGFILE 2>&1 \|\|\
Damien Miller	7b1877c	2006-07-24 15:31:41 +1000	[diff] [blame]	52	fail "match permitopen proxy proto $p sshd failed"
				53	sleep 1;
				54	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
				55	fail "match permitopen deny proto $p"
				56	stop_client
				57	done
				58
				59	# Retry previous with key option, should also be denied.
Darren Tucker	c614c78	2010-03-01 12:49:05 +1100	[diff] [blame]	60	echon 'permitopen="127.0.0.1:'$PORT'" ' >$OBJ/authorized_keys_$USER
Damien Miller	7b1877c	2006-07-24 15:31:41 +1000	[diff] [blame]	61	cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
Darren Tucker	c614c78	2010-03-01 12:49:05 +1100	[diff] [blame]	62	echon 'permitopen="127.0.0.1:'$PORT'" ' >>$OBJ/authorized_keys_$USER
Damien Miller	7b1877c	2006-07-24 15:31:41 +1000	[diff] [blame]	63	cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
				64	for p in 1 2; do
				65	rm -f $pidfile
				66	trace "match permitopen proxy w/key opts proto $p"
				67	${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \
Damien Miller	99ad353	2007-10-26 14:44:34 +1000	[diff] [blame]	68	exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' >>$TEST_SSH_LOGFILE 2>&1 \|\|\
Damien Miller	7b1877c	2006-07-24 15:31:41 +1000	[diff] [blame]	69	fail "match permitopen w/key opt proto $p sshd failed"
				70	sleep 1;
				71	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
				72	fail "match permitopen deny w/key opt proto $p"
				73	stop_client
				74	done
				75
				76	# Test both sshd_config and key options permitting the same dst/port pair.
				77	# Should be permitted.
				78	for p in 1 2; do
				79	rm -f $pidfile
				80	trace "match permitopen localhost proto $p"
				81	${SSH} -$p $fwd -F $OBJ/ssh_config -f somehost \
Damien Miller	99ad353	2007-10-26 14:44:34 +1000	[diff] [blame]	82	exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' >>$TEST_SSH_LOGFILE 2>&1 \|\|\
Damien Miller	7b1877c	2006-07-24 15:31:41 +1000	[diff] [blame]	83	fail "match permitopen proto $p sshd failed"
				84	sleep 1;
				85	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true \|\| \
				86	fail "match permitopen permit proto $p"
				87	stop_client
				88	done
				89
				90	cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
				91	echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy
				92	echo "Match User $USER" >>$OBJ/sshd_proxy
				93	echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
				94
				95	# Test that a Match overrides a PermitOpen in the global section
				96	for p in 1 2; do
				97	rm -f $pidfile
				98	trace "match permitopen proxy w/key opts proto $p"
				99	${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \
Damien Miller	99ad353	2007-10-26 14:44:34 +1000	[diff] [blame]	100	exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' >>$TEST_SSH_LOGFILE 2>&1 \|\|\
Damien Miller	7b1877c	2006-07-24 15:31:41 +1000	[diff] [blame]	101	fail "match override permitopen proto $p sshd failed"
				102	sleep 1;
				103	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
				104	fail "match override permitopen proto $p"
				105	stop_client
				106	done
Damien Miller	80ba130	2007-10-26 14:45:13 +1000	[diff] [blame]	107
				108	cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
				109	echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy
				110	echo "Match User NoSuchUser" >>$OBJ/sshd_proxy
				111	echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
				112
				113	# Test that a rule that doesn't match doesn't override, plus test a
				114	# PermitOpen entry that's not at the start of the list
				115	for p in 1 2; do
				116	rm -f $pidfile
				117	trace "nomatch permitopen proxy w/key opts proto $p"
				118	${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \
				119	exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' >>$TEST_SSH_LOGFILE 2>&1 \|\|\
				120	fail "nomatch override permitopen proto $p sshd failed"
				121	sleep 1;
				122	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true \|\| \
				123	fail "nomatch override permitopen proto $p"
				124	stop_client
				125	done