xref: /freebsd/crypto/openssh/regress/cfgmatch.sh (revision 47dd1d1b619cc035b82b49a91a25544309ff95ae)
1*47dd1d1bSDag-Erling Smørgrav#	$OpenBSD: cfgmatch.sh,v 1.11 2017/10/04 18:50:23 djm Exp $
2ce3adf43SDag-Erling Smørgrav#	Placed in the Public Domain.
3ce3adf43SDag-Erling Smørgrav
4ce3adf43SDag-Erling Smørgravtid="sshd_config match"
5ce3adf43SDag-Erling Smørgrav
6ce3adf43SDag-Erling Smørgravpidfile=$OBJ/remote_pid
7ce3adf43SDag-Erling Smørgravfwdport=3301
8ce3adf43SDag-Erling Smørgravfwd="-L $fwdport:127.0.0.1:$PORT"
9ce3adf43SDag-Erling Smørgrav
10ce3adf43SDag-Erling Smørgravecho "ExitOnForwardFailure=yes" >> $OBJ/ssh_config
11ce3adf43SDag-Erling Smørgravecho "ExitOnForwardFailure=yes" >> $OBJ/ssh_proxy
12ce3adf43SDag-Erling Smørgrav
13ce3adf43SDag-Erling Smørgravstart_client()
14ce3adf43SDag-Erling Smørgrav{
15ce3adf43SDag-Erling Smørgrav	rm -f $pidfile
164f52dfbbSDag-Erling Smørgrav	${SSH} -q $fwd "$@" somehost \
17ce3adf43SDag-Erling Smørgrav	    exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \
18ce3adf43SDag-Erling Smørgrav	    >>$TEST_REGRESS_LOGFILE 2>&1 &
19ce3adf43SDag-Erling Smørgrav	client_pid=$!
20ce3adf43SDag-Erling Smørgrav	# Wait for remote end
21ce3adf43SDag-Erling Smørgrav	n=0
22ce3adf43SDag-Erling Smørgrav	while test ! -f $pidfile ; do
23ce3adf43SDag-Erling Smørgrav		sleep 1
24ce3adf43SDag-Erling Smørgrav		n=`expr $n + 1`
25ce3adf43SDag-Erling Smørgrav		if test $n -gt 60; then
26ce3adf43SDag-Erling Smørgrav			kill $client_pid
27ce3adf43SDag-Erling Smørgrav			fatal "timeout waiting for background ssh"
28ce3adf43SDag-Erling Smørgrav		fi
29ce3adf43SDag-Erling Smørgrav	done
30ce3adf43SDag-Erling Smørgrav}
31ce3adf43SDag-Erling Smørgrav
32ce3adf43SDag-Erling Smørgravstop_client()
33ce3adf43SDag-Erling Smørgrav{
34ce3adf43SDag-Erling Smørgrav	pid=`cat $pidfile`
35ce3adf43SDag-Erling Smørgrav	if [ ! -z "$pid" ]; then
36ce3adf43SDag-Erling Smørgrav		kill $pid
37ce3adf43SDag-Erling Smørgrav	fi
38ce3adf43SDag-Erling Smørgrav	wait
39ce3adf43SDag-Erling Smørgrav}
40ce3adf43SDag-Erling Smørgrav
41ce3adf43SDag-Erling Smørgravcp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
42ce3adf43SDag-Erling Smørgravecho "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_config
43ce3adf43SDag-Erling Smørgravecho "Match Address 127.0.0.1" >>$OBJ/sshd_config
44*47dd1d1bSDag-Erling Smørgravecho "PermitOpen 127.0.0.1:2 127.0.0.1:3 127.0.0.1:$PORT" >>$OBJ/sshd_config
45ce3adf43SDag-Erling Smørgrav
46ce3adf43SDag-Erling Smørgravgrep -v AuthorizedKeysFile $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
47ce3adf43SDag-Erling Smørgravecho "AuthorizedKeysFile /dev/null" >>$OBJ/sshd_proxy
48ce3adf43SDag-Erling Smørgravecho "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_proxy
49ce3adf43SDag-Erling Smørgravecho "Match user $USER" >>$OBJ/sshd_proxy
50ce3adf43SDag-Erling Smørgravecho "AuthorizedKeysFile /dev/null $OBJ/authorized_keys_%u" >>$OBJ/sshd_proxy
51ce3adf43SDag-Erling Smørgravecho "Match Address 127.0.0.1" >>$OBJ/sshd_proxy
52*47dd1d1bSDag-Erling Smørgravecho "PermitOpen 127.0.0.1:2 127.0.0.1:3 127.0.0.1:$PORT" >>$OBJ/sshd_proxy
53ce3adf43SDag-Erling Smørgrav
54ce3adf43SDag-Erling Smørgravstart_sshd
55ce3adf43SDag-Erling Smørgrav
56ce3adf43SDag-Erling Smørgrav#set -x
57ce3adf43SDag-Erling Smørgrav
58ce3adf43SDag-Erling Smørgrav# Test Match + PermitOpen in sshd_config.  This should be permitted
594f52dfbbSDag-Erling Smørgravtrace "match permitopen localhost"
60ce3adf43SDag-Erling Smørgravstart_client -F $OBJ/ssh_config
614f52dfbbSDag-Erling Smørgrav${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
624f52dfbbSDag-Erling Smørgrav    fail "match permitopen permit"
63ce3adf43SDag-Erling Smørgravstop_client
64ce3adf43SDag-Erling Smørgrav
65ce3adf43SDag-Erling Smørgrav# Same but from different source.  This should not be permitted
664f52dfbbSDag-Erling Smørgravtrace "match permitopen proxy"
67ce3adf43SDag-Erling Smørgravstart_client -F $OBJ/ssh_proxy
684f52dfbbSDag-Erling Smørgrav${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true && \
694f52dfbbSDag-Erling Smørgrav    fail "match permitopen deny"
70ce3adf43SDag-Erling Smørgravstop_client
71ce3adf43SDag-Erling Smørgrav
72ce3adf43SDag-Erling Smørgrav# Retry previous with key option, should also be denied.
73bc5531deSDag-Erling Smørgravcp /dev/null $OBJ/authorized_keys_$USER
74bc5531deSDag-Erling Smørgravfor t in ${SSH_KEYTYPES}; do
75ce3adf43SDag-Erling Smørgrav	printf 'permitopen="127.0.0.1:'$PORT'" ' >> $OBJ/authorized_keys_$USER
76bc5531deSDag-Erling Smørgrav	cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
77bc5531deSDag-Erling Smørgravdone
784f52dfbbSDag-Erling Smørgravtrace "match permitopen proxy w/key opts"
79ce3adf43SDag-Erling Smørgravstart_client -F $OBJ/ssh_proxy
804f52dfbbSDag-Erling Smørgrav${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true && \
814f52dfbbSDag-Erling Smørgrav    fail "match permitopen deny w/key opt"
82ce3adf43SDag-Erling Smørgravstop_client
83ce3adf43SDag-Erling Smørgrav
84ce3adf43SDag-Erling Smørgrav# Test both sshd_config and key options permitting the same dst/port pair.
85ce3adf43SDag-Erling Smørgrav# Should be permitted.
864f52dfbbSDag-Erling Smørgravtrace "match permitopen localhost"
87ce3adf43SDag-Erling Smørgravstart_client -F $OBJ/ssh_config
884f52dfbbSDag-Erling Smørgrav${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
894f52dfbbSDag-Erling Smørgrav    fail "match permitopen permit"
90ce3adf43SDag-Erling Smørgravstop_client
91ce3adf43SDag-Erling Smørgrav
92ce3adf43SDag-Erling Smørgravcp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
93ce3adf43SDag-Erling Smørgravecho "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy
94ce3adf43SDag-Erling Smørgravecho "Match User $USER" >>$OBJ/sshd_proxy
95ce3adf43SDag-Erling Smørgravecho "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
96ce3adf43SDag-Erling Smørgrav
97ce3adf43SDag-Erling Smørgrav# Test that a Match overrides a PermitOpen in the global section
984f52dfbbSDag-Erling Smørgravtrace "match permitopen proxy w/key opts"
99ce3adf43SDag-Erling Smørgravstart_client -F $OBJ/ssh_proxy
1004f52dfbbSDag-Erling Smørgrav${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true && \
1014f52dfbbSDag-Erling Smørgrav    fail "match override permitopen"
102ce3adf43SDag-Erling Smørgravstop_client
103ce3adf43SDag-Erling Smørgrav
104ce3adf43SDag-Erling Smørgravcp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
105ce3adf43SDag-Erling Smørgravecho "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy
106ce3adf43SDag-Erling Smørgravecho "Match User NoSuchUser" >>$OBJ/sshd_proxy
107ce3adf43SDag-Erling Smørgravecho "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
108ce3adf43SDag-Erling Smørgrav
109ce3adf43SDag-Erling Smørgrav# Test that a rule that doesn't match doesn't override, plus test a
110ce3adf43SDag-Erling Smørgrav# PermitOpen entry that's not at the start of the list
1114f52dfbbSDag-Erling Smørgravtrace "nomatch permitopen proxy w/key opts"
112ce3adf43SDag-Erling Smørgravstart_client -F $OBJ/ssh_proxy
1134f52dfbbSDag-Erling Smørgrav${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
1144f52dfbbSDag-Erling Smørgrav    fail "nomatch override permitopen"
115ce3adf43SDag-Erling Smørgravstop_client
116