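#	$OpenBSD: cfgmatch.sh,v 1.13 2021/06/08 06:52:43 djm Exp $
#	Placed in the Public Domain.
#
# Regression test for sshd_config "Match" blocks, observed through PermitOpen:
# a port forward must be allowed or refused depending on which Match block
# applies to the connection, and a non-matching block must change nothing.
# Written for POSIX sh.  The helpers (trace, fail, fatal, start_sshd) and the
# variables OBJ, SSH, SSHD, SUDO, PORT, USER, SSH_KEYTYPES and
# TEST_REGRESS_LOGFILE are presumably supplied by the regress harness that
# runs this file.

tid="sshd_config match"

pidfile=$OBJ/remote_pid
fwdport=3301
# Two words on purpose ("-L" plus its argument); expanded unquoted below.
fwd="-L $fwdport:127.0.0.1:$PORT"

echo "ExitOnForwardFailure=yes" >> "$OBJ/ssh_config"
echo "ExitOnForwardFailure=yes" >> "$OBJ/ssh_proxy"

# Start a background ssh client that holds the -L forward open.  Extra
# arguments (e.g. "-F <client config>") select how the client reaches sshd.
# The remote command records its pid in $pidfile and then sleeps, so
# stop_client can end the session.  Returns once the pid file appears;
# calls fatal (after killing the client) if it has not appeared in ~60s.
start_client()
{
	rm -f -- "$pidfile"
	# $fwd must stay unquoted so it splits into "-L" and its argument.
	${SSH} -q $fwd "$@" somehost \
	    exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \
	    >>"$TEST_REGRESS_LOGFILE" 2>&1 &
	client_pid=$!
	# Wait for remote end
	n=0
	while [ ! -f "$pidfile" ]; do
		sleep 1
		n=$((n + 1))
		if [ "$n" -gt 60 ]; then
			kill "$client_pid"
			fatal "timeout waiting for background ssh"
		fi
	done
}

# Kill the remote process whose pid start_client recorded (ending the
# background session) and reap the background client.
stop_client()
{
	pid=$(cat "$pidfile")
	if [ -n "$pid" ]; then
		kill "$pid"
	fi
	wait
}

cp "$OBJ/sshd_proxy" "$OBJ/sshd_proxy_bak"
# Direct-connection config: globally only port 1 may be forwarded; the block
# for "Address 127.0.0.1" additionally allows $PORT.  The trailing
# "# comment" exercises trailing-comment parsing on such lines.
echo "PermitOpen 127.0.0.1:1 # comment" >>"$OBJ/sshd_config"
echo "Match Address 127.0.0.1" >>"$OBJ/sshd_config"
echo "PermitOpen 127.0.0.1:2 127.0.0.1:3 127.0.0.1:$PORT" >>"$OBJ/sshd_config"

# Proxy config: the authorized_keys file is reachable only through the
# "Match user" block (global AuthorizedKeysFile is /dev/null), and the
# global PermitOpen allows port 1 only.  The "Address 127.0.0.1" block that
# allows $PORT is expected not to apply to proxied connections (see the
# "different source" test below).
grep -v AuthorizedKeysFile "$OBJ/sshd_proxy_bak" > "$OBJ/sshd_proxy"
echo "AuthorizedKeysFile /dev/null # comment" >>"$OBJ/sshd_proxy"
echo "PermitOpen 127.0.0.1:1" >>"$OBJ/sshd_proxy"
echo "Match user $USER" >>"$OBJ/sshd_proxy"
echo "AuthorizedKeysFile /dev/null $OBJ/authorized_keys_%u" >>"$OBJ/sshd_proxy"
echo "Match Address 127.0.0.1 # comment" >>"$OBJ/sshd_proxy"
echo "PermitOpen 127.0.0.1:2 127.0.0.1:3 127.0.0.1:$PORT" >>"$OBJ/sshd_proxy"

# sshd -T parses and validates the config without serving.
${SUDO} ${SSHD} -f "$OBJ/sshd_config" -T >/dev/null || \
	fail "config w/match fails config test"

start_sshd

# Test Match + PermitOpen in sshd_config.  This should be permitted
# Pattern used by every forward test: a second ssh connects through the
# forwarded local port; whether it gets through shows whether sshd allowed
# the forward to 127.0.0.1:$PORT for the background client's connection.
trace "match permitopen localhost"
start_client -F "$OBJ/ssh_config"
${SSH} -q -p "$fwdport" -F "$OBJ/ssh_config" somehost true || \
	fail "match permitopen permit"
stop_client

# Same but from different source.  This should not be permitted
trace "match permitopen proxy"
start_client -F "$OBJ/ssh_proxy"
${SSH} -q -p "$fwdport" -F "$OBJ/ssh_config" somehost true && \
	fail "match permitopen deny"
stop_client

# Retry previous with key option, should also be denied: a key's permitopen=
# must not widen what sshd_config allows.
cp /dev/null "$OBJ/authorized_keys_$USER"
# $SSH_KEYTYPES is a space-separated list; splitting is intended.
for t in ${SSH_KEYTYPES}; do
	# $PORT is passed as data, not spliced into the format string.
	printf 'permitopen="127.0.0.1:%s" ' "$PORT" >> "$OBJ/authorized_keys_$USER"
	cat "$OBJ/$t.pub" >> "$OBJ/authorized_keys_$USER"
done
trace "match permitopen proxy w/key opts"
start_client -F "$OBJ/ssh_proxy"
${SSH} -q -p "$fwdport" -F "$OBJ/ssh_config" somehost true && \
	fail "match permitopen deny w/key opt"
stop_client

# Test both sshd_config and key options permitting the same dst/port pair.
# Should be permitted.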
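# Direct connection (the "Address 127.0.0.1" block allows $PORT) together
# with the key's permitopen= for the same pair.
trace "match permitopen localhost"
start_client -F "$OBJ/ssh_config"
${SSH} -q -p "$fwdport" -F "$OBJ/ssh_config" somehost true || \
	fail "match permitopen permit"
stop_client

cp "$OBJ/sshd_proxy_bak" "$OBJ/sshd_proxy"
# The global section allows $PORT; the block for this user does not.
echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>"$OBJ/sshd_proxy"
echo "Match User $USER" >>"$OBJ/sshd_proxy"
echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>"$OBJ/sshd_proxy"

# Test that a Match overrides a PermitOpen in the global section: the
# forward must be refused even though the global list names $PORT.
trace "match permitopen proxy w/key opts"
start_client -F "$OBJ/ssh_proxy"
${SSH} -q -p "$fwdport" -F "$OBJ/ssh_config" somehost true && \
	fail "match override permitopen"
stop_client

cp "$OBJ/sshd_proxy_bak" "$OBJ/sshd_proxy"
# Same layout, but the block is for a user that cannot match.
echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>"$OBJ/sshd_proxy"
echo "Match User NoSuchUser" >>"$OBJ/sshd_proxy"
echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>"$OBJ/sshd_proxy"

# Test that a rule that doesn't match doesn't override, plus test a
# PermitOpen entry that's not at the start of the list
trace "nomatch permitopen proxy w/key opts"
start_client -F "$OBJ/ssh_proxy"
${SSH} -q -p "$fwdport" -F "$OBJ/ssh_config" somehost true || \
	fail "nomatch override permitopen"
stop_client

# Test parsing of available Match criteria (with the exception of Group which
# requires knowledge of the actual group memberships of the user running the
# test).  Each entry is <Match keyword>:<"sshd -C" criterion name>:<value>.
params="user:user:u1 host:host:h1 address:addr:1.2.3.4 \
    localaddress:laddr:5.6.7.8 rdomain:rdomain:rdom1"
cp "$OBJ/sshd_proxy_bak" "$OBJ/sshd_config"
echo 'Banner /nomatch' >>"$OBJ/sshd_config"
# One Match block per criterion, each with a distinctive Banner so that a
# later "sshd -T -C" run reveals which block was selected.
for i in $params; do
	config=${i%%:*}
	value=${i##*:}
	cat >>"$OBJ/sshd_config" <<EOD
Match $config $value
Banner /$value
EOD
done

${SUDO} ${SSHD} -f "$OBJ/sshd_config" -T >/dev/null || \
	fail "validate config for w/out spec"

# Test matching each criteria.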
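# For each entry in $params, build a -C connection spec in which that
# criterion carries its configured value and every other criterion carries
# a "1"-prefixed value that matches no block.  "sshd -T -C" must then report
# the Banner of exactly the block under test.
for i in $params; do
	testconfig=${i%%:*}
	irest=${i#*:}
	testcriteria=${irest%%:*}
	expected=/${irest#*:}
	spec=""
	for j in $params; do
		jrest=${j#*:}
		criteria=${jrest%%:*}
		value=${jrest#*:}
		if [ "$criteria" = "$testcriteria" ]; then
			spec="$criteria=$value,$spec"
		else
			spec="$criteria=1$value,$spec"
		fi
	done
	trace "test spec $spec"
	# No pipefail here: if sshd rejects the spec, $result is empty and the
	# comparison below reports the mismatch.
	result=$(${SUDO} ${SSHD} -f "$OBJ/sshd_config" -T -C "$spec" | \
	    awk '$1=="banner"{print $2}')
	if [ "$result" != "$expected" ]; then
		# Name the keyword under test, not the inner loop's last entry.
		fail "match $testconfig expected $expected got $result"
	fi
done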