diff options
| author | Damien Miller <djm@cvs.openbsd.org> | 2018-06-06 18:25:34 +0000 |
|---|---|---|
| committer | Damien Miller <djm@cvs.openbsd.org> | 2018-06-06 18:25:34 +0000 |
| commit | f2ece031fc252b0e7c50fef1cc1170da68dbd5ac (patch) | |
| tree | 5c37ac84b7453212c82922796aa7099dcaf78932 /regress | |
| parent | b897bc6202ce771b09b41e8f1f7f2f5f2e4deba5 (diff) | |
regress test for PermitOpen
Diffstat (limited to 'regress')
| -rw-r--r-- | regress/usr.bin/ssh/forward-control.sh | 77 |
1 files changed, 62 insertions, 15 deletions
diff --git a/regress/usr.bin/ssh/forward-control.sh b/regress/usr.bin/ssh/forward-control.sh index ca98ee4a714..34e07272bbf 100644 --- a/regress/usr.bin/ssh/forward-control.sh +++ b/regress/usr.bin/ssh/forward-control.sh @@ -1,4 +1,4 @@ -# $OpenBSD: forward-control.sh,v 1.5 2018/03/02 02:51:55 djm Exp $ +# $OpenBSD: forward-control.sh,v 1.6 2018/06/06 18:25:33 djm Exp $ # Placed in the Public Domain. tid="sshd control of local and remote forwarding" @@ -67,7 +67,7 @@ check_rfwd() { _message=$2 rm -f $READY ${SSH} -F $OBJ/ssh_proxy \ - -R$RFWD_PORT:127.0.0.1:$PORT \ + -R127.0.0.1:$RFWD_PORT:127.0.0.1:$PORT \ -o ExitOnForwardFailure=yes \ -n host "sleep 60 & echo \$! > $READY ; wait " \ >/dev/null 2>&1 & @@ -100,8 +100,8 @@ cp ${OBJ}/authorized_keys_${USER} ${OBJ}/authorized_keys_${USER}.bak check_lfwd Y "default configuration" check_rfwd Y "default configuration" -# Usage: all_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N -all_tests() { +# Usage: lperm_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N +lperm_tests() { _tcpfwd=$1 _plain_lfwd=$2 _plain_rfwd=$3 @@ -109,32 +109,39 @@ all_tests() { _nopermit_rfwd=$5 _permit_lfwd=$6 _permit_rfwd=$7 - _badfwd=127.0.0.1:22 + _badfwd1=127.0.0.1:22 + _badfwd2=127.0.0.2:22 _goodfwd=127.0.0.1:${PORT} cp ${OBJ}/authorized_keys_${USER}.bak ${OBJ}/authorized_keys_${USER} _prefix="AllowTcpForwarding=$_tcpfwd" + # No PermitOpen ( cat ${OBJ}/sshd_proxy.bak ; echo "AllowTcpForwarding $_tcpfwd" ) \ > ${OBJ}/sshd_proxy check_lfwd $_plain_lfwd "$_prefix" check_rfwd $_plain_rfwd "$_prefix" + # PermitOpen via sshd_config that doesn't match ( cat ${OBJ}/sshd_proxy.bak ; echo "AllowTcpForwarding $_tcpfwd" ; - echo "PermitOpen $_badfwd" ) \ + echo "PermitOpen $_badfwd1 $_badfwd2" ) \ > ${OBJ}/sshd_proxy check_lfwd $_nopermit_lfwd "$_prefix, !PermitOpen" check_rfwd $_nopermit_rfwd "$_prefix, !PermitOpen" # PermitOpen via sshd_config that does match ( cat ${OBJ}/sshd_proxy.bak ; echo "AllowTcpForwarding $_tcpfwd" ; - echo "PermitOpen $_badfwd $_goodfwd" ) \ + echo "PermitOpen $_badfwd1 $_goodfwd $_badfwd2" ) \ > ${OBJ}/sshd_proxy + check_lfwd $_plain_lfwd "$_prefix, PermitOpen" + check_rfwd $_plain_rfwd "$_prefix, PermitOpen" + + # permitopen keys option. # NB. permitopen via authorized_keys should have same # success/fail as via sshd_config # permitopen via authorized_keys that doesn't match - sed "s/^/permitopen=\"$_badfwd\" /" \ + sed "s/^/permitopen=\"$_badfwd1\",permitopen=\"$_badfwd2\" /" \ < ${OBJ}/authorized_keys_${USER}.bak \ > ${OBJ}/authorized_keys_${USER} || fatal "sed 1 fail" ( cat ${OBJ}/sshd_proxy.bak ; @@ -143,7 +150,7 @@ all_tests() { check_lfwd $_nopermit_lfwd "$_prefix, !permitopen" check_rfwd $_nopermit_rfwd "$_prefix, !permitopen" # permitopen via authorized_keys that does match - sed "s/^/permitopen=\"$_badfwd\",permitopen=\"$_goodfwd\" /" \ + sed "s/^/permitopen=\"$_badfwd1\",permitopen=\"$_goodfwd\" /" \ < ${OBJ}/authorized_keys_${USER}.bak \ > ${OBJ}/authorized_keys_${USER} || fatal "sed 2 fail" ( cat ${OBJ}/sshd_proxy.bak ; @@ -151,6 +158,7 @@ all_tests() { > ${OBJ}/sshd_proxy check_lfwd $_permit_lfwd "$_prefix, permitopen" check_rfwd $_permit_rfwd "$_prefix, permitopen" + # Check port-forwarding flags in authorized_keys. # These two should refuse all. sed "s/^/no-port-forwarding /" \ @@ -180,9 +188,48 @@ all_tests() { check_rfwd $_plain_rfwd "$_prefix, restrict,port-forwarding" } -# no-permitopen mismatch-permitopen match-permitopen -# AllowTcpForwarding local remote local remote local remote -all_tests yes Y Y N Y Y Y -all_tests local Y N N N Y N -all_tests remote N Y N Y N Y -all_tests no N N N N N N +# permit-open none mismatch match +# AllowTcpForwarding local remote local remote local remote +lperm_tests yes Y Y N Y Y Y +lperm_tests local Y N N N Y N +lperm_tests remote N Y N Y N Y +lperm_tests no N N N N N N + +# Usage: rperm_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N +rperm_tests() { + _tcpfwd=$1 + _plain_lfwd=$2 + _plain_rfwd=$3 + _nopermit_lfwd=$4 + _nopermit_rfwd=$5 + _permit_lfwd=$6 + _permit_rfwd=$7 + _badfwd1=127.0.0.1:22 + _badfwd2=127.0.0.2:${RFWD_PORT} + _goodfwd=127.0.0.1:${RFWD_PORT} + cp ${OBJ}/authorized_keys_${USER}.bak ${OBJ}/authorized_keys_${USER} + _prefix="AllowTcpForwarding=$_tcpfwd" + + # PermitRemoteOpen via sshd_config that doesn't match + ( cat ${OBJ}/sshd_proxy.bak ; + echo "AllowTcpForwarding $_tcpfwd" ; + echo "PermitRemoteOpen $_badfwd1 $_badfwd2" ) \ + > ${OBJ}/sshd_proxy + check_lfwd $_nopermit_lfwd "$_prefix, !PermitRemoteOpen" + check_rfwd $_nopermit_rfwd "$_prefix, !PermitRemoteOpen" + # PermitRemoteOpen via sshd_config that does match + ( cat ${OBJ}/sshd_proxy.bak ; + echo "AllowTcpForwarding $_tcpfwd" ; + echo "PermitRemoteOpen $_badfwd1 $_goodfwd $_badfwd2" ) \ + > ${OBJ}/sshd_proxy + check_lfwd $_plain_lfwd "$_prefix, PermitRemoteOpen" + check_rfwd $_plain_rfwd "$_prefix, PermitRemoteOpen" +} + +# permit-remote-open none mismatch match +# AllowTcpForwarding local remote local remote local remote +rperm_tests yes Y Y Y N Y Y +rperm_tests local Y N Y N Y N +rperm_tests remote N Y N N N Y +rperm_tests no N N N N N N + |