# $OpenBSD: cfgmatch.sh,v 1.11 2017/10/04 18:50:23 djm Exp $
# Placed in the Public Domain.

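tid="sshd_config match"

# The remote end of the background client writes its pid here; stop_client
# reads it back to terminate that end.
pidfile="$OBJ/remote_pid"
# Local port the background client forwards to the test sshd.  Each test
# connects through it to observe whether the PermitOpen rules under test
# allowed the forward.
fwdport=3301
# Expanded unquoted by start_client on purpose: it must stay two words
# ("-L" and the forwarding spec).
fwd="-L $fwdport:127.0.0.1:$PORT"

# Make a client that cannot set up its requested forward exit instead of
# lingering (presumably e.g. when the port is already in use).
echo "ExitOnForwardFailure=yes" >> "$OBJ/ssh_config"
echo "ExitOnForwardFailure=yes" >> "$OBJ/ssh_proxy"
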
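# Start a background ssh client that sets up the local forward in $fwd and
# runs a long-lived remote command, then block until the remote end has
# written its pid to $pidfile.
# Globals read: SSH, fwd, pidfile, TEST_REGRESS_LOGFILE.  Written: client_pid.
# Arguments: extra ssh options, passed through before "somehost".
# Returns 0 once the pidfile appears; calls fatal after ~60 one-second polls.
start_client()
{
	rm -f -- "$pidfile"
	# $fwd is deliberately unquoted (two words).  The remote command line is
	# quoted so that the remote sh expands $$ and the local shell expands
	# $pidfile; keep it byte-for-byte as is.
	${SSH} -q $fwd "$@" somehost \
	    exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \
	    >>"$TEST_REGRESS_LOGFILE" 2>&1 &
	client_pid=$!
	# Wait for remote end; on timeout reap the client before aborting the
	# test so it does not outlive the run.
	n=0
	while [ ! -f "$pidfile" ]; do
		sleep 1
		n=$((n + 1))
		if [ "$n" -gt 60 ]; then
			kill "$client_pid"
			fatal "timeout waiting for background ssh"
		fi
	done
}
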
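# Kill the remote end of the background client (pid taken from $pidfile)
# and then wait for the background ssh client itself to exit.
# Globals read: pidfile.  Tolerates a missing or empty pidfile: then
# nothing is killed and only the wait happens.
stop_client()
{
	pid=
	if [ -f "$pidfile" ]; then
		pid=$(cat "$pidfile")
	fi
	if [ -n "$pid" ]; then
		kill "$pid"
	fi
	wait
}
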
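# Keep a pristine copy of sshd_proxy; later tests rebuild it from this.
cp "$OBJ/sshd_proxy" "$OBJ/sshd_proxy_bak"

# sshd_config: globally only 127.0.0.1:1 may be opened, but connections
# matched by "Match Address 127.0.0.1" also get the test port.
echo "PermitOpen 127.0.0.1:1" >>"$OBJ/sshd_config"
echo "Match Address 127.0.0.1" >>"$OBJ/sshd_config"
echo "PermitOpen 127.0.0.1:2 127.0.0.1:3 127.0.0.1:$PORT" >>"$OBJ/sshd_config"

# sshd_proxy: same PermitOpen layout, but keys are only read from the
# per-user authorized_keys_%u file inside a "Match user" block, so the key
# options written later can be exercised.  The "Match Address" block is not
# expected to apply to proxied connections (see "different source" below).
grep -v AuthorizedKeysFile "$OBJ/sshd_proxy_bak" > "$OBJ/sshd_proxy"
echo "AuthorizedKeysFile /dev/null" >>"$OBJ/sshd_proxy"
echo "PermitOpen 127.0.0.1:1" >>"$OBJ/sshd_proxy"
echo "Match user $USER" >>"$OBJ/sshd_proxy"
echo "AuthorizedKeysFile /dev/null $OBJ/authorized_keys_%u" >>"$OBJ/sshd_proxy"
echo "Match Address 127.0.0.1" >>"$OBJ/sshd_proxy"
echo "PermitOpen 127.0.0.1:2 127.0.0.1:3 127.0.0.1:$PORT" >>"$OBJ/sshd_proxy"

start_sshd
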
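#set -x

# Test Match + PermitOpen in sshd_config. This should be permitted: the
# client is expected to hit the "Match Address 127.0.0.1" block, whose
# PermitOpen includes $PORT.  In every test below the probe connection goes
# through the forwarded port using ssh_config; only start_client's config
# varies.
trace "match permitopen localhost"
start_client -F "$OBJ/ssh_config"
${SSH} -q -p "$fwdport" -F "$OBJ/ssh_config" somehost true || \
	fail "match permitopen permit"
stop_client
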
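# Same but from different source. This should not be permitted: via
# ssh_proxy the "Match Address" block is not expected to apply, leaving only
# the global "PermitOpen 127.0.0.1:1", so the forward to $PORT is refused.
trace "match permitopen proxy"
start_client -F "$OBJ/ssh_proxy"
${SSH} -q -p "$fwdport" -F "$OBJ/ssh_config" somehost true && \
	fail "match permitopen deny"
stop_client
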
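# Retry previous with key option, should also be denied: a permitopen= key
# option for $PORT must not widen what sshd_config's PermitOpen allows.
cp /dev/null "$OBJ/authorized_keys_$USER"
# SSH_KEYTYPES is a whitespace-separated list; word-splitting is intended.
for t in ${SSH_KEYTYPES}; do
	# PORT goes in as a printf argument, never into the format string.
	printf 'permitopen="127.0.0.1:%s" ' "$PORT" >> "$OBJ/authorized_keys_$USER"
	cat "$OBJ/$t.pub" >> "$OBJ/authorized_keys_$USER"
done
trace "match permitopen proxy w/key opts"
start_client -F "$OBJ/ssh_proxy"
${SSH} -q -p "$fwdport" -F "$OBJ/ssh_config" somehost true && \
	fail "match permitopen deny w/key opt"
stop_client
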
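# Test both sshd_config and key options permitting the same dst/port pair.
# Should be permitted.  Same as the first test, except that the permitopen
# key options written above are now expected to be in effect as well.
trace "match permitopen localhost"
start_client -F "$OBJ/ssh_config"
${SSH} -q -p "$fwdport" -F "$OBJ/ssh_config" somehost true || \
	fail "match permitopen permit"
stop_client
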
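# Rebuild sshd_proxy from the pristine copy: the global PermitOpen allows
# $PORT, but a "Match User $USER" block replaces it with a list that does not.
cp "$OBJ/sshd_proxy_bak" "$OBJ/sshd_proxy"
echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>"$OBJ/sshd_proxy"
echo "Match User $USER" >>"$OBJ/sshd_proxy"
echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>"$OBJ/sshd_proxy"

# Test that a Match overrides a PermitOpen in the global section.
# (The trace label repeats the previous test's; the fail message is what
# tells them apart in the log.)
trace "match permitopen proxy w/key opts"
start_client -F "$OBJ/ssh_proxy"
${SSH} -q -p "$fwdport" -F "$OBJ/ssh_config" somehost true && \
	fail "match override permitopen"
stop_client
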
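# Rebuild sshd_proxy again, this time with a Match block for a user that does
# not exist, so its narrower PermitOpen must not take effect.
cp "$OBJ/sshd_proxy_bak" "$OBJ/sshd_proxy"
echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>"$OBJ/sshd_proxy"
echo "Match User NoSuchUser" >>"$OBJ/sshd_proxy"
echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>"$OBJ/sshd_proxy"

# Test that a rule that doesn't match doesn't override, plus test a
# PermitOpen entry that's not at the start of the list ($PORT is the second
# entry of the global PermitOpen above).
trace "nomatch permitopen proxy w/key opts"
start_client -F "$OBJ/ssh_proxy"
${SSH} -q -p "$fwdport" -F "$OBJ/ssh_config" somehost true || \
	fail "nomatch override permitopen"
stop_client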