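#	$OpenBSD: cfgmatch.sh,v 1.11 2017/10/04 18:50:23 djm Exp $
#	Placed in the Public Domain.
#
# Regress test: sshd_config "Match" blocks applied to PermitOpen.
#
# A background ssh client holds a local forward (-L) from fwdport to the
# test sshd at 127.0.0.1:$PORT.  A second ssh connection is then made
# through that forward; whether it succeeds depends on whether sshd's
# effective PermitOpen list (global section, Match block, and/or the
# authorized_keys "permitopen" option) allows the forward destination.
#
# Sourced by the regress harness.  Reads OBJ, PORT, USER, SSH,
# SSH_KEYTYPES and TEST_REGRESS_LOGFILE and relies on the helpers
# start_sshd, trace, fail and fatal being defined by the caller.

tid="sshd_config match"

pidfile=$OBJ/remote_pid
fwdport=3301
# Deliberately used unquoted below: must expand to two words
# (-L and the forward spec) on the ssh command line.
fwd="-L $fwdport:127.0.0.1:$PORT"

# A failed -L bind (e.g. fwdport already in use) must make the client
# exit instead of silently continuing; otherwise the "deny" cases below
# would pass for the wrong reason (nothing listening on fwdport).
echo "ExitOnForwardFailure=yes" >> "$OBJ/ssh_config"
echo "ExitOnForwardFailure=yes" >> "$OBJ/ssh_proxy"

#######################################
# Start a background ssh client that keeps the -L forward open.
# Arguments: extra ssh options (e.g. -F <config>), passed through
# Globals:   SSH, fwd, pidfile, TEST_REGRESS_LOGFILE (read);
#            client_pid (written)
# Outputs:   client output appended to TEST_REGRESS_LOGFILE
# Returns:   0 once the remote side has written its PID to pidfile;
#            calls fatal (no return) after ~60 s without it
#######################################
start_client()
{
	rm -f "$pidfile"
	# The remote command records its own PID in pidfile and then sleeps;
	# stop_client uses that PID to tear the session down.  $fwd is
	# intentionally unquoted (see its definition).
	${SSH} -q $fwd "$@" somehost \
	    exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \
	    >>"$TEST_REGRESS_LOGFILE" 2>&1 &
	client_pid=$!
	# Wait for the remote end to signal readiness by creating pidfile.
	n=0
	while test ! -f "$pidfile" ; do
		sleep 1
		n=$((n + 1))
		if test "$n" -gt 60; then
			kill "$client_pid"
			fatal "timeout waiting for background ssh"
		fi
	done
}

#######################################
# Tear down the session started by start_client.
# Globals:   pidfile (read)
# Returns:   status of the final wait
#######################################
stop_client()
{
	pid=$(cat "$pidfile")
	# The PID comes from the remote shell's "$$"; this only works because
	# the test sshd runs on this same host — TODO confirm against the
	# harness.  Killing it ends the session so the background ssh exits.
	if [ -n "$pid" ]; then
		kill "$pid"
	fi
	# Reap the background ssh started by start_client.
	wait
}

# sshd_config (reached via ssh_config): the global section only permits
# 127.0.0.1:1; the Match Address block adds 127.0.0.1:$PORT.
cp "$OBJ/sshd_proxy" "$OBJ/sshd_proxy_bak"
echo "PermitOpen 127.0.0.1:1" >>"$OBJ/sshd_config"
echo "Match Address 127.0.0.1" >>"$OBJ/sshd_config"
echo "PermitOpen 127.0.0.1:2 127.0.0.1:3 127.0.0.1:$PORT" >>"$OBJ/sshd_config"

# sshd_proxy (reached via ssh_proxy): strip any existing AuthorizedKeysFile,
# disable it globally, re-enable a per-user file inside "Match user", and
# add the same Match Address block as above.  The tests below expect the
# Match Address block NOT to apply on this path — presumably because a
# proxied connection does not arrive from 127.0.0.1; verify against the
# harness's ssh_proxy config.
grep -v AuthorizedKeysFile "$OBJ/sshd_proxy_bak" > "$OBJ/sshd_proxy"
echo "AuthorizedKeysFile /dev/null" >>"$OBJ/sshd_proxy"
echo "PermitOpen 127.0.0.1:1" >>"$OBJ/sshd_proxy"
echo "Match user $USER" >>"$OBJ/sshd_proxy"
echo "AuthorizedKeysFile /dev/null $OBJ/authorized_keys_%u" >>"$OBJ/sshd_proxy"
echo "Match Address 127.0.0.1" >>"$OBJ/sshd_proxy"
echo "PermitOpen 127.0.0.1:2 127.0.0.1:3 127.0.0.1:$PORT" >>"$OBJ/sshd_proxy"

start_sshd

#set -x

# Test Match + PermitOpen in sshd_config. This should be permitted
trace "match permitopen localhost"
start_client -F "$OBJ/ssh_config"
${SSH} -q -p "$fwdport" -F "$OBJ/ssh_config" somehost true || \
    fail "match permitopen permit"
stop_client

# Same but from different source. This should not be permitted
trace "match permitopen proxy"
start_client -F "$OBJ/ssh_proxy"
${SSH} -q -p "$fwdport" -F "$OBJ/ssh_config" somehost true && \
    fail "match permitopen deny"
stop_client

# Retry previous with key option, should also be denied.
# Each key gets permitopen="127.0.0.1:$PORT"; the sshd_config side still
# only permits 127.0.0.1:1 on the proxy path, and both must agree.
cp /dev/null "$OBJ/authorized_keys_$USER"
# SSH_KEYTYPES is a whitespace-separated list; intentionally unquoted.
for t in ${SSH_KEYTYPES}; do
	# $PORT is passed as a printf argument, not spliced into the format.
	printf 'permitopen="127.0.0.1:%s" ' "$PORT" >> "$OBJ/authorized_keys_$USER"
	cat "$OBJ/$t.pub" >> "$OBJ/authorized_keys_$USER"
done
trace "match permitopen proxy w/key opts"
start_client -F "$OBJ/ssh_proxy"
${SSH} -q -p "$fwdport" -F "$OBJ/ssh_config" somehost true && \
    fail "match permitopen deny w/key opt"
stop_client

# Test both sshd_config and key options permitting the same dst/port pair.
# Should be permitted.
trace "match permitopen localhost w/key opts"
start_client -F "$OBJ/ssh_config"
${SSH} -q -p "$fwdport" -F "$OBJ/ssh_config" somehost true || \
    fail "match permitopen permit"
stop_client

# Global section permits $PORT, but a matching "Match User" block
# replaces the list with one that does not.
cp "$OBJ/sshd_proxy_bak" "$OBJ/sshd_proxy"
echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>"$OBJ/sshd_proxy"
echo "Match User $USER" >>"$OBJ/sshd_proxy"
echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>"$OBJ/sshd_proxy"

# Test that a Match overrides a PermitOpen in the global section
trace "match override permitopen proxy w/key opts"
start_client -F "$OBJ/ssh_proxy"
${SSH} -q -p "$fwdport" -F "$OBJ/ssh_config" somehost true && \
    fail "match override permitopen"
stop_client

# Same global list, but the Match block names a user that does not
# exist and so must not apply.
cp "$OBJ/sshd_proxy_bak" "$OBJ/sshd_proxy"
echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>"$OBJ/sshd_proxy"
echo "Match User NoSuchUser" >>"$OBJ/sshd_proxy"
echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>"$OBJ/sshd_proxy"

# Test that a rule that doesn't match doesn't override, plus test a
# PermitOpen entry that's not at the start of the list
trace "nomatch permitopen proxy w/key opts"
start_client -F "$OBJ/ssh_proxy"
${SSH} -q -p "$fwdport" -F "$OBJ/ssh_config" somehost true || \
    fail "nomatch override permitopen"
stop_client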