From 49a649241ed4c6f3373c5a1752e0e635e1fb7a99 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Sat, 21 Dec 2019 02:33:08 +0000 Subject: unit tests for ForwardAgent=/path; from Eric Chiang --- regress/usr.bin/ssh/agent.sh | 45 ++++++++++++++++++++++++++++++++++++-- regress/usr.bin/ssh/sshcfgparse.sh | 12 +++++++++- 2 files changed, 54 insertions(+), 3 deletions(-) (limited to 'regress') diff --git a/regress/usr.bin/ssh/agent.sh b/regress/usr.bin/ssh/agent.sh index 922d8436e81..39403653c34 100644 --- a/regress/usr.bin/ssh/agent.sh +++ b/regress/usr.bin/ssh/agent.sh @@ -1,4 +1,4 @@ -# $OpenBSD: agent.sh,v 1.16 2019/11/26 23:43:10 djm Exp $ +# $OpenBSD: agent.sh,v 1.17 2019/12/21 02:33:07 djm Exp $ # Placed in the Public Domain. tid="simple agent test" @@ -15,6 +15,12 @@ if [ $r -ne 0 ]; then fatal "could not start ssh-agent: exit code $r" fi +eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s | sed 's/SSH_/FW_SSH_/g'` > /dev/null +r=$? +if [ $r -ne 0 ]; then + fatal "could not start second ssh-agent: exit code $r" +fi + ${SSHADD} -l > /dev/null 2>&1 if [ $? -ne 1 ]; then fail "ssh-add -l did not fail with exit code 1" @@ -38,11 +44,16 @@ for t in ${SSH_KEYTYPES}; do # add to authorized keys cat $OBJ/$t-agent.pub >> $OBJ/authorized_keys_$USER - # add privat key to agent + # add private key to agent ${SSHADD} $OBJ/$t-agent #> /dev/null 2>&1 if [ $? -ne 0 ]; then fail "ssh-add failed exit code $?" fi + # add private key to second agent + SSH_AUTH_SOCK=$FW_SSH_AUTH_SOCK ${SSHADD} $OBJ/$t-agent #> /dev/null 2>&1 + if [ $? -ne 0 ]; then + fail "ssh-add failed exit code $?" + fi # Remove private key to ensure that we aren't accidentally using it. rm -f $OBJ/$t-agent done @@ -90,6 +101,11 @@ r=$? if [ $r -ne 0 ]; then fail "ssh-add -l via agent fwd failed (exit code $r)" fi +${SSH} "-oForwardAgent=$SSH_AUTH_SOCK" -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1 +r=$? +if [ $r -ne 0 ]; then + fail "ssh-add -l via agent path fwd failed (exit code $r)" +fi ${SSH} -A -F $OBJ/ssh_proxy somehost \ "${SSH} -F $OBJ/ssh_proxy somehost exit 52" r=$? @@ -97,6 +113,30 @@ if [ $r -ne 52 ]; then fail "agent fwd failed (exit code $r)" fi +trace "agent forwarding different agent" +${SSH} "-oForwardAgent=$FW_SSH_AUTH_SOCK" -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1 +r=$? +if [ $r -ne 0 ]; then + fail "ssh-add -l via agent path fwd of different agent failed (exit code $r)" +fi +${SSH} '-oForwardAgent=$FW_SSH_AUTH_SOCK' -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1 +r=$? +if [ $r -ne 0 ]; then + fail "ssh-add -l via agent path env fwd of different agent failed (exit code $r)" +fi + +# Remove keys from forwarded agent, ssh-add on remote machine should now fail. +SSH_AUTH_SOCK=$FW_SSH_AUTH_SOCK ${SSHADD} -D > /dev/null 2>&1 +r=$? +if [ $r -ne 0 ]; then + fail "ssh-add -D failed: exit code $r" +fi +${SSH} '-oForwardAgent=$FW_SSH_AUTH_SOCK' -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1 +r=$? +if [ $r -ne 1 ]; then + fail "ssh-add -l with different agent did not fail with exit code 1 (exit code $r)" +fi + (printf 'cert-authority,principals="estragon" '; cat $OBJ/user_ca_key.pub) \ > $OBJ/authorized_keys_$USER for t in ${SSH_KEYTYPES}; do @@ -121,3 +161,4 @@ fi trace "kill agent" ${SSHAGENT} -k > /dev/null +SSH_AGENT_PID=$FW_SSH_AGENT_PID ${SSHAGENT} -k > /dev/null diff --git a/regress/usr.bin/ssh/sshcfgparse.sh b/regress/usr.bin/ssh/sshcfgparse.sh index 2c00b64efc0..fc72a0a7184 100644 --- a/regress/usr.bin/ssh/sshcfgparse.sh +++ b/regress/usr.bin/ssh/sshcfgparse.sh @@ -1,4 +1,4 @@ -# $OpenBSD: sshcfgparse.sh,v 1.5 2019/07/23 13:32:48 dtucker Exp $ +# $OpenBSD: sshcfgparse.sh,v 1.6 2019/12/21 02:33:07 djm Exp $ # Placed in the Public Domain. tid="ssh config parse" @@ -94,5 +94,15 @@ if [ "$dsa" = "1" ]; then expect_result_absent "$f" "ssh-dss-cert-v01.*" fi +verbose "agentforwarding" +f=`${SSH} -GF none host | awk '/^forwardagent /{print$2}'` +expect_result_present "$f" "no" +f=`${SSH} -GF none -oforwardagent=no host | awk '/^forwardagent /{print$2}'` +expect_result_present "$f" "no" +f=`${SSH} -GF none -oforwardagent=yes host | awk '/^forwardagent /{print$2}'` +expect_result_present "$f" "yes" +f=`${SSH} -GF none '-oforwardagent=SSH_AUTH_SOCK.forward' host | awk '/^forwardagent /{print$2}'` +expect_result_present "$f" "SSH_AUTH_SOCK.forward" + # cleanup rm -f $OBJ/ssh_config.[012] -- cgit v1.2.3