1 # $OpenBSD: cfgmatch.sh,v 1.9 2015/03/03 22:35:19 markus Exp $
2 # Placed in the Public Domain.
4 tid="sshd_config match"
6 pidfile=$OBJ/remote_pid
8 fwd="-L $fwdport:127.0.0.1:$PORT"
10 echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_config
11 echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_proxy
16 ${SSH} -q -$p $fwd "$@" somehost \
17 exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \
18 >>$TEST_REGRESS_LOGFILE 2>&1 &
22 while test ! -f $pidfile ; do
25 if test $n -gt 60; then
27 fatal "timeout waiting for background ssh"
35 if [ ! -z "$pid" ]; then
41 cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
42 echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_config
43 echo "Match Address 127.0.0.1" >>$OBJ/sshd_config
44 echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_config
46 grep -v AuthorizedKeysFile $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
47 echo "AuthorizedKeysFile /dev/null" >>$OBJ/sshd_proxy
48 echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_proxy
49 echo "Match user $USER" >>$OBJ/sshd_proxy
50 echo "AuthorizedKeysFile /dev/null $OBJ/authorized_keys_%u" >>$OBJ/sshd_proxy
51 echo "Match Address 127.0.0.1" >>$OBJ/sshd_proxy
52 echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_proxy
58 # Test Match + PermitOpen in sshd_config. This should be permitted
59 for p in ${SSH_PROTOCOLS}; do
60 trace "match permitopen localhost proto $p"
61 start_client -F $OBJ/ssh_config
62 ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
63 fail "match permitopen permit proto $p"
67 # Same but from different source. This should not be permitted
68 for p in ${SSH_PROTOCOLS}; do
69 trace "match permitopen proxy proto $p"
70 start_client -F $OBJ/ssh_proxy
71 ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
72 fail "match permitopen deny proto $p"
76 # Retry previous with key option, should also be denied.
77 cp /dev/null $OBJ/authorized_keys_$USER
78 for t in ${SSH_KEYTYPES}; do
79 printf 'permitopen="127.0.0.1:'$PORT'" ' >> $OBJ/authorized_keys_$USER
80 cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
82 for p in ${SSH_PROTOCOLS}; do
83 trace "match permitopen proxy w/key opts proto $p"
84 start_client -F $OBJ/ssh_proxy
85 ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
86 fail "match permitopen deny w/key opt proto $p"
90 # Test both sshd_config and key options permitting the same dst/port pair.
91 # Should be permitted.
92 for p in ${SSH_PROTOCOLS}; do
93 trace "match permitopen localhost proto $p"
94 start_client -F $OBJ/ssh_config
95 ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
96 fail "match permitopen permit proto $p"
100 cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
101 echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy
102 echo "Match User $USER" >>$OBJ/sshd_proxy
103 echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
105 # Test that a Match overrides a PermitOpen in the global section
106 for p in ${SSH_PROTOCOLS}; do
107 trace "match permitopen proxy w/key opts proto $p"
108 start_client -F $OBJ/ssh_proxy
109 ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
110 fail "match override permitopen proto $p"
114 cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
115 echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy
116 echo "Match User NoSuchUser" >>$OBJ/sshd_proxy
117 echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
119 # Test that a rule that doesn't match doesn't override, plus test a
120 # PermitOpen entry that's not at the start of the list
121 for p in ${SSH_PROTOCOLS}; do
122 trace "nomatch permitopen proxy w/key opts proto $p"
123 start_client -F $OBJ/ssh_proxy
124 ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
125 fail "nomatch override permitopen proto $p"
projects / FreeBSD / releng / 10.3.git / blob