1 # $OpenBSD: cfgmatch.sh,v 1.8 2013/05/17 00:37:40 dtucker Exp $
2 # Placed in the Public Domain.
4 tid="sshd_config match"
6 pidfile=$OBJ/remote_pid
8 fwd="-L $fwdport:127.0.0.1:$PORT"
10 echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_config
11 echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_proxy
16 ${SSH} -q -$p $fwd "$@" somehost \
17 exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \
18 >>$TEST_REGRESS_LOGFILE 2>&1 &
22 while test ! -f $pidfile ; do
25 if test $n -gt 60; then
27 fatal "timeout waiting for background ssh"
35 if [ ! -z "$pid" ]; then
41 cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
42 echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_config
43 echo "Match Address 127.0.0.1" >>$OBJ/sshd_config
44 echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_config
46 grep -v AuthorizedKeysFile $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
47 echo "AuthorizedKeysFile /dev/null" >>$OBJ/sshd_proxy
48 echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_proxy
49 echo "Match user $USER" >>$OBJ/sshd_proxy
50 echo "AuthorizedKeysFile /dev/null $OBJ/authorized_keys_%u" >>$OBJ/sshd_proxy
51 echo "Match Address 127.0.0.1" >>$OBJ/sshd_proxy
52 echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_proxy
58 # Test Match + PermitOpen in sshd_config. This should be permitted
60 trace "match permitopen localhost proto $p"
61 start_client -F $OBJ/ssh_config
62 ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
63 fail "match permitopen permit proto $p"
67 # Same but from different source. This should not be permitted
69 trace "match permitopen proxy proto $p"
70 start_client -F $OBJ/ssh_proxy
71 ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
72 fail "match permitopen deny proto $p"
76 # Retry previous with key option, should also be denied.
77 printf 'permitopen="127.0.0.1:'$PORT'" ' >$OBJ/authorized_keys_$USER
78 cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
79 printf 'permitopen="127.0.0.1:'$PORT'" ' >>$OBJ/authorized_keys_$USER
80 cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
82 trace "match permitopen proxy w/key opts proto $p"
83 start_client -F $OBJ/ssh_proxy
84 ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
85 fail "match permitopen deny w/key opt proto $p"
89 # Test both sshd_config and key options permitting the same dst/port pair.
90 # Should be permitted.
92 trace "match permitopen localhost proto $p"
93 start_client -F $OBJ/ssh_config
94 ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
95 fail "match permitopen permit proto $p"
99 cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
100 echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy
101 echo "Match User $USER" >>$OBJ/sshd_proxy
102 echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
104 # Test that a Match overrides a PermitOpen in the global section
106 trace "match permitopen proxy w/key opts proto $p"
107 start_client -F $OBJ/ssh_proxy
108 ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
109 fail "match override permitopen proto $p"
113 cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
114 echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy
115 echo "Match User NoSuchUser" >>$OBJ/sshd_proxy
116 echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
118 # Test that a rule that doesn't match doesn't override, plus test a
119 # PermitOpen entry that's not at the start of the list
121 trace "nomatch permitopen proxy w/key opts proto $p"
122 start_client -F $OBJ/ssh_proxy
123 ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
124 fail "nomatch override permitopen proto $p"