1 # $OpenBSD: forward-control.sh,v 1.2 2013/11/18 05:09:32 naddy Exp $
2 # Placed in the Public Domain.
4 tid="sshd control of local and remote forwarding"
11 wait_for_file_to_appear() {
14 while test ! -f $_path ; do
15 test $_n -eq 1 && trace "waiting for $_path to appear"
17 test $_n -ge 20 && return 1
23 wait_for_process_to_exit() {
26 while kill -0 $_pid 2>/dev/null ; do
27 test $_n -eq 1 && trace "waiting for $_pid to exit"
29 test $_n -ge 20 && return 1
35 # usage: check_lfwd protocol Y|N message
41 ${SSH} -oProtocol=$_proto -F $OBJ/ssh_proxy \
42 -L$LFWD_PORT:127.0.0.1:$PORT \
43 -o ExitOnForwardFailure=yes \
44 -n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \
47 wait_for_file_to_appear $READY || \
48 fatal "check_lfwd ssh fail: $_message"
49 ${SSH} -F $OBJ/ssh_config -p $LFWD_PORT \
50 -oConnectionAttempts=4 host true >/dev/null 2>&1
52 kill $_sshpid `cat $READY` 2>/dev/null
53 wait_for_process_to_exit $_sshpid
54 if test "x$_expected" = "xY" -a $_result -ne 0 ; then
55 fail "check_lfwd failed (expecting success): $_message"
56 elif test "x$_expected" = "xN" -a $_result -eq 0 ; then
57 fail "check_lfwd succeeded (expecting failure): $_message"
58 elif test "x$_expected" != "xY" -a "x$_expected" != "xN" ; then
59 fatal "check_lfwd invalid argument \"$_expected\""
61 verbose "check_lfwd done (expecting $_expected): $_message"
65 # usage: check_rfwd protocol Y|N message
71 ${SSH} -oProtocol=$_proto -F $OBJ/ssh_proxy \
72 -R$RFWD_PORT:127.0.0.1:$PORT \
73 -o ExitOnForwardFailure=yes \
74 -n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \
77 wait_for_file_to_appear $READY
79 if test $_result -eq 0 ; then
80 ${SSH} -F $OBJ/ssh_config -p $RFWD_PORT \
81 -oConnectionAttempts=4 host true >/dev/null 2>&1
83 kill $_sshpid `cat $READY` 2>/dev/null
84 wait_for_process_to_exit $_sshpid
86 if test "x$_expected" = "xY" -a $_result -ne 0 ; then
87 fail "check_rfwd failed (expecting success): $_message"
88 elif test "x$_expected" = "xN" -a $_result -eq 0 ; then
89 fail "check_rfwd succeeded (expecting failure): $_message"
90 elif test "x$_expected" != "xY" -a "x$_expected" != "xN" ; then
91 fatal "check_rfwd invalid argument \"$_expected\""
93 verbose "check_rfwd done (expecting $_expected): $_message"
98 cp ${OBJ}/sshd_proxy ${OBJ}/sshd_proxy.bak
99 cp ${OBJ}/authorized_keys_${USER} ${OBJ}/authorized_keys_${USER}.bak
101 # Sanity check: ensure the default config allows forwarding
103 check_lfwd $p Y "proto $p, default configuration"
104 check_rfwd $p Y "proto $p, default configuration"
107 # Usage: all_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N
117 _goodfwd=127.0.0.1:${PORT}
118 for _proto in 1 2 ; do
119 cp ${OBJ}/authorized_keys_${USER}.bak \
120 ${OBJ}/authorized_keys_${USER}
121 _prefix="proto $_proto, AllowTcpForwarding=$_tcpfwd"
123 ( cat ${OBJ}/sshd_proxy.bak ;
124 echo "AllowTcpForwarding $_tcpfwd" ) \
126 check_lfwd $_proto $_plain_lfwd "$_prefix"
127 check_rfwd $_proto $_plain_rfwd "$_prefix"
128 # PermitOpen via sshd_config that doesn't match
129 ( cat ${OBJ}/sshd_proxy.bak ;
130 echo "AllowTcpForwarding $_tcpfwd" ;
131 echo "PermitOpen $_badfwd" ) \
133 check_lfwd $_proto $_nopermit_lfwd "$_prefix, !PermitOpen"
134 check_rfwd $_proto $_nopermit_rfwd "$_prefix, !PermitOpen"
135 # PermitOpen via sshd_config that does match
136 ( cat ${OBJ}/sshd_proxy.bak ;
137 echo "AllowTcpForwarding $_tcpfwd" ;
138 echo "PermitOpen $_badfwd $_goodfwd" ) \
140 # NB. permitopen via authorized_keys should have same
141 # success/fail as via sshd_config
142 # permitopen via authorized_keys that doesn't match
143 sed "s/^/permitopen=\"$_badfwd\" /" \
144 < ${OBJ}/authorized_keys_${USER}.bak \
145 > ${OBJ}/authorized_keys_${USER} || fatal "sed 1 fail"
146 ( cat ${OBJ}/sshd_proxy.bak ;
147 echo "AllowTcpForwarding $_tcpfwd" ) \
149 check_lfwd $_proto $_nopermit_lfwd "$_prefix, !permitopen"
150 check_rfwd $_proto $_nopermit_rfwd "$_prefix, !permitopen"
151 # permitopen via authorized_keys that does match
152 sed "s/^/permitopen=\"$_badfwd\",permitopen=\"$_goodfwd\" /" \
153 < ${OBJ}/authorized_keys_${USER}.bak \
154 > ${OBJ}/authorized_keys_${USER} || fatal "sed 2 fail"
155 ( cat ${OBJ}/sshd_proxy.bak ;
156 echo "AllowTcpForwarding $_tcpfwd" ) \
158 check_lfwd $_proto $_permit_lfwd "$_prefix, permitopen"
159 check_rfwd $_proto $_permit_rfwd "$_prefix, permitopen"
163 # no-permitopen mismatch-permitopen match-permitopen
164 # AllowTcpForwarding local remote local remote local remote
165 all_tests yes Y Y N Y Y Y
166 all_tests local Y N N N Y N
167 all_tests remote N Y N Y N Y
168 all_tests no N N N N N N