diff options
| author | Darren Tucker <dtucker@cvs.openbsd.org> | 2012-05-13 01:42:33 +0000 |
|---|---|---|
| committer | Darren Tucker <dtucker@cvs.openbsd.org> | 2012-05-13 01:42:33 +0000 |
| commit | 23f5a4eccb89e285c41dbb45d15e63ccd7a0e7a0 (patch) | |
| tree | 2fb29573a4b42239d7dcc5076c5e0765166878da /regress/usr.bin | |
| parent | d4519c494c7974b50ea27f225264140734385a4b (diff) | |
Add "Match LocalAddress" and "Match LocalPort" to sshd and adjust tests
to match. Feedback and ok djm@ markus@.
Diffstat (limited to 'regress/usr.bin')
| -rw-r--r-- | regress/usr.bin/ssh/addrmatch.sh | 50 |
1 files changed, 30 insertions, 20 deletions
diff --git a/regress/usr.bin/ssh/addrmatch.sh b/regress/usr.bin/ssh/addrmatch.sh index f9d613baf9a..239ac0a9971 100644 --- a/regress/usr.bin/ssh/addrmatch.sh +++ b/regress/usr.bin/ssh/addrmatch.sh @@ -1,4 +1,4 @@ -# $OpenBSD: addrmatch.sh,v 1.3 2010/02/09 04:57:36 djm Exp $ +# $OpenBSD: addrmatch.sh,v 1.4 2012/05/13 01:42:32 dtucker Exp $ # Placed in the Public Domain. tid="address match" @@ -7,38 +7,48 @@ mv $OBJ/sshd_proxy $OBJ/sshd_proxy_bak run_trial() { - user="$1"; addr="$2"; host="$3"; expected="$4"; descr="$5" + user="$1"; addr="$2"; host="$3"; laddr="$4"; lport="$5" + expected="$6"; descr="$7" verbose "test $descr for $user $addr $host" result=`${SSHD} -f $OBJ/sshd_proxy -T \ - -C user=${user},addr=${addr},host=${host} | \ - awk '/^passwordauthentication/ {print $2}'` + -C user=${user},addr=${addr},host=${host},laddr=${laddr},lport=${lport} | \ + awk '/^forcecommand/ {print $2}'` if [ "$result" != "$expected" ]; then - fail "failed for $user $addr $host: expected $expected, got $result" + fail "failed '$descr' expected $expected got $result" fi } cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy cat >>$OBJ/sshd_proxy <<EOD -PasswordAuthentication no +ForceCommand nomatch Match Address 192.168.0.0/16,!192.168.30.0/24,10.0.0.0/8,host.example.com - PasswordAuthentication yes + ForceCommand match1 Match Address 1.1.1.1,::1,!::3,2000::/16 - PasswordAuthentication yes + ForceCommand match2 +Match LocalAddress 127.0.0.1,::1 + ForceCommand match3 +Match LocalPort 5678 + ForceCommand match4 EOD -run_trial user 192.168.0.1 somehost yes "permit, first entry" -run_trial user 192.168.30.1 somehost no "deny, negative match" -run_trial user 19.0.0.1 somehost no "deny, no match" -run_trial user 10.255.255.254 somehost yes "permit, list middle" -run_trial user 192.168.30.1 192.168.0.1 no "deny, faked IP in hostname" -run_trial user 1.1.1.1 somehost.example.com yes "permit, bare IP4 address" -run_trial user ::1 somehost.example.com yes "permit, bare IP6 address" -run_trial user ::2 somehost.exaple.com no "deny IPv6" -run_trial user ::3 somehost no "deny IP6 negated" -run_trial user ::4 somehost no "deny, IP6 no match" -run_trial user 2000::1 somehost yes "permit, IP6 network" -run_trial user 2001::1 somehost no "deny, IP6 network" +run_trial user 192.168.0.1 somehost 1.2.3.4 1234 match1 "first entry" +run_trial user 192.168.30.1 somehost 1.2.3.4 1234 nomatch "negative match" +run_trial user 19.0.0.1 somehost 1.2.3.4 1234 nomatch "no match" +run_trial user 10.255.255.254 somehost 1.2.3.4 1234 match1 "list middle" +run_trial user 192.168.30.1 192.168.0.1 1.2.3.4 1234 nomatch "faked IP in hostname" +run_trial user 1.1.1.1 somehost.example.com 1.2.3.4 1234 match2 "bare IP4 address" +run_trial user 19.0.0.1 somehost 127.0.0.1 1234 match3 "localaddress" +run_trial user 19.0.0.1 somehost 1.2.3.4 5678 match4 "localport" + +run_trial user ::1 somehost.example.com ::2 1234 match2 "bare IP6 address" +run_trial user ::2 somehost.exaple.com ::2 1234 nomatch "deny IPv6" +run_trial user ::3 somehost ::2 1234 nomatch "IP6 negated" +run_trial user ::4 somehost ::2 1234 nomatch "IP6 no match" +run_trial user 2000::1 somehost ::2 1234 match2 "IP6 network" +run_trial user 2001::1 somehost ::2 1234 nomatch "IP6 network" +run_trial user ::5 somehost ::1 1234 match3 "IP6 localaddress" +run_trial user ::5 somehost ::2 5678 match4 "IP6 localport" cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy rm $OBJ/sshd_proxy_bak |