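# $OpenBSD: cfgmatch.sh,v 1.8 2013/05/17 00:37:40 dtucker Exp $
# Placed in the Public Domain.
#
# Regression test for sshd_config "Match" blocks and PermitOpen:
#  - a PermitOpen inside a matching Match block overrides the global one,
#  - a PermitOpen inside a non-matching Match block does not,
#  - an authorized_keys permitopen= option does not widen what sshd_config
#    allows (both must permit the same dst/port for the forward to work).
#
# Expects the regress harness to provide $OBJ, $PORT, $USER, ${SSH},
# $TEST_REGRESS_LOGFILE and the functions start_sshd, trace, fail, fatal.
# Written for POSIX sh: no bashisms.

tid="sshd_config match"

pidfile=$OBJ/remote_pid
fwdport=3301
# Two separate words ("-L" and its spec); expanded unquoted on purpose.
fwd="-L $fwdport:127.0.0.1:$PORT"

# Make the client exit non-zero when the requested forward is refused,
# so a denied PermitOpen is observable as a failed ssh(1) invocation.
echo "ExitOnForwardFailure=yes" >> "$OBJ/ssh_config"
echo "ExitOnForwardFailure=yes" >> "$OBJ/ssh_proxy"

#######################################
# Start a background ssh that requests the forward in $fwd and runs a
# remote "sleep" which writes its pid to $pidfile; block until that file
# appears so the forward is known to be established.
# Globals:   SSH, p, fwd, pidfile, TEST_REGRESS_LOGFILE (read)
#            client_pid (written)
# Arguments: extra ssh(1) options, e.g. -F <config>
# Returns:   0 once the remote side is up; calls fatal after ~60s
#######################################
start_client()
{
	rm -f "$pidfile"
	# $fwd stays unquoted so "-L" and its argument are separate words.
	# The remote command is single-quoted on the wire so that \$\$ is
	# expanded by the remote shell, not the local one.
	${SSH} -q -$p $fwd "$@" somehost \
	    exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \
	    >>"$TEST_REGRESS_LOGFILE" 2>&1 &
	client_pid=$!
	# Wait for remote end
	n=0
	while test ! -f "$pidfile" ; do
		sleep 1
		n=$((n + 1))
		if test "$n" -gt 60; then
			kill "$client_pid"
			fatal "timeout waiting for background ssh"
		fi
	done
}

#######################################
# Kill the remote "sleep" started by start_client (pid read from
# $pidfile) and reap the background ssh.
# Globals:   pidfile (read)
# Returns:   0 (status of a bare wait)
#######################################
stop_client()
{
	pid=
	# Tolerate a missing pid file: nothing to kill, just reap.
	if [ -f "$pidfile" ]; then
		pid=$(cat "$pidfile")
	fi
	if [ -n "$pid" ]; then
		kill "$pid"
	fi
	wait
}

cp "$OBJ/sshd_proxy" "$OBJ/sshd_proxy_bak"
echo "PermitOpen 127.0.0.1:1" >>"$OBJ/sshd_config"
echo "Match Address 127.0.0.1" >>"$OBJ/sshd_config"
echo "PermitOpen 127.0.0.1:$PORT" >>"$OBJ/sshd_config"

# Proxy-mode sshd: no global authorized_keys, a per-user one via Match.
grep -v AuthorizedKeysFile "$OBJ/sshd_proxy_bak" > "$OBJ/sshd_proxy"
echo "AuthorizedKeysFile /dev/null" >>"$OBJ/sshd_proxy"
echo "PermitOpen 127.0.0.1:1" >>"$OBJ/sshd_proxy"
echo "Match user $USER" >>"$OBJ/sshd_proxy"
echo "AuthorizedKeysFile /dev/null $OBJ/authorized_keys_%u" >>"$OBJ/sshd_proxy"
echo "Match Address 127.0.0.1" >>"$OBJ/sshd_proxy"
echo "PermitOpen 127.0.0.1:$PORT" >>"$OBJ/sshd_proxy"

start_sshd

#set -x

# Test Match + PermitOpen in sshd_config. This should be permitted
for p in 1 2; do
	trace "match permitopen localhost proto $p"
	start_client -F "$OBJ/ssh_config"
	${SSH} -q -$p -p "$fwdport" -F "$OBJ/ssh_config" somehost true || \
	    fail "match permitopen permit proto $p"
	stop_client
done

# Same but from different source. This should not be permitted
for p in 1 2; do
	trace "match permitopen proxy proto $p"
	start_client -F "$OBJ/ssh_proxy"
	${SSH} -q -$p -p "$fwdport" -F "$OBJ/ssh_config" somehost true && \
	    fail "match permitopen deny proto $p"
	stop_client
done

# Retry previous with key option, should also be denied.
# $PORT is passed as a printf argument rather than spliced into the
# format string; the emitted bytes are identical.
printf 'permitopen="127.0.0.1:%s" ' "$PORT" >"$OBJ/authorized_keys_$USER"
cat "$OBJ/rsa.pub" >> "$OBJ/authorized_keys_$USER"
printf 'permitopen="127.0.0.1:%s" ' "$PORT" >>"$OBJ/authorized_keys_$USER"
cat "$OBJ/rsa1.pub" >> "$OBJ/authorized_keys_$USER"
for p in 1 2; do
	trace "match permitopen proxy w/key opts proto $p"
	start_client -F "$OBJ/ssh_proxy"
	${SSH} -q -$p -p "$fwdport" -F "$OBJ/ssh_config" somehost true && \
	    fail "match permitopen deny w/key opt proto $p"
	stop_client
done

# Test both sshd_config and key options permitting the same dst/port pair.
# Should be permitted.
for p in 1 2; do
	trace "match permitopen localhost proto $p"
	start_client -F "$OBJ/ssh_config"
	${SSH} -q -$p -p "$fwdport" -F "$OBJ/ssh_config" somehost true || \
	    fail "match permitopen permit proto $p"
	stop_client
done

cp "$OBJ/sshd_proxy_bak" "$OBJ/sshd_proxy"
echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>"$OBJ/sshd_proxy"
echo "Match User $USER" >>"$OBJ/sshd_proxy"
echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>"$OBJ/sshd_proxy"

# Test that a Match overrides a PermitOpen in the global section
for p in 1 2; do
	trace "match permitopen proxy w/key opts proto $p"
	start_client -F "$OBJ/ssh_proxy"
	${SSH} -q -$p -p "$fwdport" -F "$OBJ/ssh_config" somehost true && \
	    fail "match override permitopen proto $p"
	stop_client
done

cp "$OBJ/sshd_proxy_bak" "$OBJ/sshd_proxy"
echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>"$OBJ/sshd_proxy"
echo "Match User NoSuchUser" >>"$OBJ/sshd_proxy"
echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>"$OBJ/sshd_proxy"

# Test that a rule that doesn't match doesn't override, plus test a
# PermitOpen entry that's not at the start of the list
for p in 1 2; do
	trace "nomatch permitopen proxy w/key opts proto $p"
	start_client -F "$OBJ/ssh_proxy"
	${SSH} -q -$p -p "$fwdport" -F "$OBJ/ssh_config" somehost true || \
	    fail "nomatch override permitopen proto $p"
	stop_client
done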