diff options
-rw-r--r-- | regress/usr.bin/ssh/cfgmatch.sh | 66 |
1 files changed, 34 insertions, 32 deletions
diff --git a/regress/usr.bin/ssh/cfgmatch.sh b/regress/usr.bin/ssh/cfgmatch.sh index 2819b4f62b4..11b48f21cb4 100644 --- a/regress/usr.bin/ssh/cfgmatch.sh +++ b/regress/usr.bin/ssh/cfgmatch.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cfgmatch.sh,v 1.4 2006/12/13 08:36:36 dtucker Exp $ +# $OpenBSD: cfgmatch.sh,v 1.5 2011/05/23 03:31:31 djm Exp $ # Placed in the Public Domain. tid="sshd_config match" @@ -7,21 +7,47 @@ pidfile=$OBJ/remote_pid fwdport=3301 fwd="-L $fwdport:127.0.0.1:$PORT" +echo "ExitOnForwardFailure=yes" >> ssh_config +echo "ExitOnForwardFailure=yes" >> ssh_proxy + +start_client() +{ + rm -f $pidfile + ${SSH} -q -$p $fwd "$@" somehost \ + exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \ + >>$TEST_SSH_LOGFILE 2>&1 & + client_pid=$! + # Wait for remote end + n=0 + while test ! -f $pidfile ; do + sleep 1 + n=`expr $n + 1` + if test $n -gt 60; then + kill $client_pid + fatal "timeout waiting for background ssh" + fi + done +} + stop_client() { pid=`cat $pidfile` if [ ! -z "$pid" ]; then kill $pid fi + wait } cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak - echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_config echo "Match Address 127.0.0.1" >>$OBJ/sshd_config echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_config +grep -v AuthorizedKeysFile $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy +echo "AuthorizedKeysFile /dev/null" >>$OBJ/sshd_proxy echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_proxy +echo "Match user $USER" >>$OBJ/sshd_proxy +echo "AuthorizedKeysFile /dev/null $OBJ/authorized_keys_%u" >>$OBJ/sshd_proxy echo "Match Address 127.0.0.1" >>$OBJ/sshd_proxy echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_proxy @@ -31,12 +57,8 @@ start_sshd # Test Match + PermitOpen in sshd_config. This should be permitted for p in 1 2; do - rm -f $pidfile trace "match permitopen localhost proto $p" - ${SSH} -$p $fwd -F $OBJ/ssh_config -f somehost \ - exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' >>$TEST_SSH_LOGFILE 2>&1 ||\ - fail "match permitopen proto $p sshd failed" - sleep 1; + start_client -F $OBJ/ssh_config ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \ fail "match permitopen permit proto $p" stop_client @@ -44,12 +66,8 @@ done # Same but from different source. This should not be permitted for p in 1 2; do - rm -f $pidfile trace "match permitopen proxy proto $p" - ${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \ - exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' >>$TEST_SSH_LOGFILE 2>&1 ||\ - fail "match permitopen proxy proto $p sshd failed" - sleep 1; + start_client -F $OBJ/ssh_proxy ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \ fail "match permitopen deny proto $p" stop_client @@ -61,12 +79,8 @@ cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER echo -n 'permitopen="127.0.0.1:'$PORT'" ' >>$OBJ/authorized_keys_$USER cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER for p in 1 2; do - rm -f $pidfile trace "match permitopen proxy w/key opts proto $p" - ${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \ - exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' >>$TEST_SSH_LOGFILE 2>&1 ||\ - fail "match permitopen w/key opt proto $p sshd failed" - sleep 1; + start_client -F $OBJ/ssh_proxy ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \ fail "match permitopen deny w/key opt proto $p" stop_client @@ -75,12 +89,8 @@ done # Test both sshd_config and key options permitting the same dst/port pair. # Should be permitted. for p in 1 2; do - rm -f $pidfile trace "match permitopen localhost proto $p" - ${SSH} -$p $fwd -F $OBJ/ssh_config -f somehost \ - exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' >>$TEST_SSH_LOGFILE 2>&1 ||\ - fail "match permitopen proto $p sshd failed" - sleep 1; + start_client -F $OBJ/ssh_config ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \ fail "match permitopen permit proto $p" stop_client @@ -93,12 +103,8 @@ echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy # Test that a Match overrides a PermitOpen in the global section for p in 1 2; do - rm -f $pidfile trace "match permitopen proxy w/key opts proto $p" - ${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \ - exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' >>$TEST_SSH_LOGFILE 2>&1 ||\ - fail "match override permitopen proto $p sshd failed" - sleep 1; + start_client -F $OBJ/ssh_proxy ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \ fail "match override permitopen proto $p" stop_client @@ -112,12 +118,8 @@ echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy # Test that a rule that doesn't match doesn't override, plus test a # PermitOpen entry that's not at the start of the list for p in 1 2; do - rm -f $pidfile trace "nomatch permitopen proxy w/key opts proto $p" - ${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \ - exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' >>$TEST_SSH_LOGFILE 2>&1 ||\ - fail "nomatch override permitopen proto $p sshd failed" - sleep 1; + start_client -F $OBJ/ssh_proxy ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \ fail "nomatch override permitopen proto $p" stop_client |