1 # $OpenBSD: forward-control.sh,v 1.7 2018/06/07 14:29:43 djm Exp $
2 # Placed in the Public Domain.
4 tid="sshd control of local and remote forwarding"
11 wait_for_file_to_appear() {
14 while test ! -f $_path ; do
15 test $_n -eq 1 && trace "waiting for $_path to appear"
17 test $_n -ge 20 && return 1
23 wait_for_process_to_exit() {
26 while kill -0 $_pid 2>/dev/null ; do
27 test $_n -eq 1 && trace "waiting for $_pid to exit"
29 test $_n -ge 20 && return 1
35 # usage: check_lfwd Y|N message
40 ${SSH} -F $OBJ/ssh_proxy \
41 -L$LFWD_PORT:127.0.0.1:$PORT \
42 -o ExitOnForwardFailure=yes \
43 -n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \
46 wait_for_file_to_appear $READY || \
47 fatal "check_lfwd ssh fail: $_message"
48 ${SSH} -F $OBJ/ssh_config -p $LFWD_PORT \
49 -oConnectionAttempts=4 host true >/dev/null 2>&1
51 kill $_sshpid `cat $READY` 2>/dev/null
52 wait_for_process_to_exit $_sshpid
53 if test "x$_expected" = "xY" -a $_result -ne 0 ; then
54 fail "check_lfwd failed (expecting success): $_message"
55 elif test "x$_expected" = "xN" -a $_result -eq 0 ; then
56 fail "check_lfwd succeeded (expecting failure): $_message"
57 elif test "x$_expected" != "xY" -a "x$_expected" != "xN" ; then
58 fatal "check_lfwd invalid argument \"$_expected\""
60 verbose "check_lfwd done (expecting $_expected): $_message"
64 # usage: check_rfwd Y|N message
69 ${SSH} -F $OBJ/ssh_proxy \
70 -R127.0.0.1:$RFWD_PORT:127.0.0.1:$PORT \
71 -o ExitOnForwardFailure=yes \
72 -n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \
75 wait_for_file_to_appear $READY
77 if test $_result -eq 0 ; then
78 ${SSH} -F $OBJ/ssh_config -p $RFWD_PORT \
79 -oConnectionAttempts=4 host true >/dev/null 2>&1
81 kill $_sshpid `cat $READY` 2>/dev/null
82 wait_for_process_to_exit $_sshpid
84 if test "x$_expected" = "xY" -a $_result -ne 0 ; then
85 fail "check_rfwd failed (expecting success): $_message"
86 elif test "x$_expected" = "xN" -a $_result -eq 0 ; then
87 fail "check_rfwd succeeded (expecting failure): $_message"
88 elif test "x$_expected" != "xY" -a "x$_expected" != "xN" ; then
89 fatal "check_rfwd invalid argument \"$_expected\""
91 verbose "check_rfwd done (expecting $_expected): $_message"
96 cp ${OBJ}/sshd_proxy ${OBJ}/sshd_proxy.bak
97 cp ${OBJ}/authorized_keys_${USER} ${OBJ}/authorized_keys_${USER}.bak
99 # Sanity check: ensure the default config allows forwarding
100 check_lfwd Y "default configuration"
101 check_rfwd Y "default configuration"
103 # Usage: lperm_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N
112 _badfwd1=127.0.0.1:22
113 _badfwd2=127.0.0.2:22
114 _goodfwd=127.0.0.1:${PORT}
115 cp ${OBJ}/authorized_keys_${USER}.bak ${OBJ}/authorized_keys_${USER}
116 _prefix="AllowTcpForwarding=$_tcpfwd"
119 ( cat ${OBJ}/sshd_proxy.bak ;
120 echo "AllowTcpForwarding $_tcpfwd" ) \
122 check_lfwd $_plain_lfwd "$_prefix"
123 check_rfwd $_plain_rfwd "$_prefix"
125 # PermitOpen via sshd_config that doesn't match
126 ( cat ${OBJ}/sshd_proxy.bak ;
127 echo "AllowTcpForwarding $_tcpfwd" ;
128 echo "PermitOpen $_badfwd1 $_badfwd2" ) \
130 check_lfwd $_nopermit_lfwd "$_prefix, !PermitOpen"
131 check_rfwd $_nopermit_rfwd "$_prefix, !PermitOpen"
132 # PermitOpen via sshd_config that does match
133 ( cat ${OBJ}/sshd_proxy.bak ;
134 echo "AllowTcpForwarding $_tcpfwd" ;
135 echo "PermitOpen $_badfwd1 $_goodfwd $_badfwd2" ) \
137 check_lfwd $_plain_lfwd "$_prefix, PermitOpen"
138 check_rfwd $_plain_rfwd "$_prefix, PermitOpen"
140 # permitopen keys option.
141 # NB. permitopen via authorized_keys should have same
142 # success/fail as via sshd_config
143 # permitopen via authorized_keys that doesn't match
144 sed "s/^/permitopen=\"$_badfwd1\",permitopen=\"$_badfwd2\" /" \
145 < ${OBJ}/authorized_keys_${USER}.bak \
146 > ${OBJ}/authorized_keys_${USER} || fatal "sed 1 fail"
147 ( cat ${OBJ}/sshd_proxy.bak ;
148 echo "AllowTcpForwarding $_tcpfwd" ) \
150 check_lfwd $_nopermit_lfwd "$_prefix, !permitopen"
151 check_rfwd $_nopermit_rfwd "$_prefix, !permitopen"
152 # permitopen via authorized_keys that does match
153 sed "s/^/permitopen=\"$_badfwd1\",permitopen=\"$_goodfwd\" /" \
154 < ${OBJ}/authorized_keys_${USER}.bak \
155 > ${OBJ}/authorized_keys_${USER} || fatal "sed 2 fail"
156 ( cat ${OBJ}/sshd_proxy.bak ;
157 echo "AllowTcpForwarding $_tcpfwd" ) \
159 check_lfwd $_permit_lfwd "$_prefix, permitopen"
160 check_rfwd $_permit_rfwd "$_prefix, permitopen"
162 # Check port-forwarding flags in authorized_keys.
163 # These two should refuse all.
164 sed "s/^/no-port-forwarding /" \
165 < ${OBJ}/authorized_keys_${USER}.bak \
166 > ${OBJ}/authorized_keys_${USER} || fatal "sed 3 fail"
167 ( cat ${OBJ}/sshd_proxy.bak ;
168 echo "AllowTcpForwarding $_tcpfwd" ) \
170 check_lfwd N "$_prefix, no-port-forwarding"
171 check_rfwd N "$_prefix, no-port-forwarding"
172 sed "s/^/restrict /" \
173 < ${OBJ}/authorized_keys_${USER}.bak \
174 > ${OBJ}/authorized_keys_${USER} || fatal "sed 4 fail"
175 ( cat ${OBJ}/sshd_proxy.bak ;
176 echo "AllowTcpForwarding $_tcpfwd" ) \
178 check_lfwd N "$_prefix, restrict"
179 check_rfwd N "$_prefix, restrict"
180 # This should pass the same cases as _nopermit*
181 sed "s/^/restrict,port-forwarding /" \
182 < ${OBJ}/authorized_keys_${USER}.bak \
183 > ${OBJ}/authorized_keys_${USER} || fatal "sed 5 fail"
184 ( cat ${OBJ}/sshd_proxy.bak ;
185 echo "AllowTcpForwarding $_tcpfwd" ) \
187 check_lfwd $_plain_lfwd "$_prefix, restrict,port-forwarding"
188 check_rfwd $_plain_rfwd "$_prefix, restrict,port-forwarding"
191 # permit-open none mismatch match
192 # AllowTcpForwarding local remote local remote local remote
193 lperm_tests yes Y Y N Y Y Y
194 lperm_tests local Y N N N Y N
195 lperm_tests remote N Y N Y N Y
196 lperm_tests no N N N N N N
198 # Usage: rperm_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N
207 _badfwd1=127.0.0.1:22
208 _badfwd2=127.0.0.2:${RFWD_PORT}
209 _goodfwd=127.0.0.1:${RFWD_PORT}
210 cp ${OBJ}/authorized_keys_${USER}.bak ${OBJ}/authorized_keys_${USER}
211 _prefix="AllowTcpForwarding=$_tcpfwd"
213 # PermitListen via sshd_config that doesn't match
214 ( cat ${OBJ}/sshd_proxy.bak ;
215 echo "AllowTcpForwarding $_tcpfwd" ;
216 echo "PermitListen $_badfwd1 $_badfwd2" ) \
218 check_lfwd $_nopermit_lfwd "$_prefix, !PermitListen"
219 check_rfwd $_nopermit_rfwd "$_prefix, !PermitListen"
220 # PermitListen via sshd_config that does match
221 ( cat ${OBJ}/sshd_proxy.bak ;
222 echo "AllowTcpForwarding $_tcpfwd" ;
223 echo "PermitListen $_badfwd1 $_goodfwd $_badfwd2" ) \
225 check_lfwd $_plain_lfwd "$_prefix, PermitListen"
226 check_rfwd $_plain_rfwd "$_prefix, PermitListen"
229 # permit-remote-open none mismatch match
230 # AllowTcpForwarding local remote local remote local remote
231 rperm_tests yes Y Y Y N Y Y
232 rperm_tests local Y N Y N Y N
233 rperm_tests remote N Y N N N Y
234 rperm_tests no N N N N N N