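#	$OpenBSD: cfgmatch.sh,v 1.2 2006/07/22 01:50:00 dtucker Exp $
#	Placed in the Public Domain.

# Regression test for sshd_config "Match" blocks: a PermitOpen directive
# inside a Match block must take effect for connections that match, and the
# local port forward used below must be accepted or refused accordingly.
#
# This script is sourced by the regress harness, which is expected to provide
# OBJ, PORT, SSH, TEST_SSH_LOGFILE and USER plus the helpers start_sshd,
# trace and fail; none of them are defined here.  POSIX sh only.

tid="sshd_config match"

pidfile=$OBJ/remote_pid
fwdport=3301
# Used unquoted on purpose: it expands to two words, "-L" and the forward spec.
fwd="-L $fwdport:127.0.0.1:$PORT"

# Stop the background client by killing the remote "sleep" whose pid the
# remote command wrote to $pidfile; the session ends with it.  Waits a bounded
# time for the pidfile to appear so a slow remote side does not leave a
# client holding $fwdport for the next iteration.  Only a purely numeric pid
# is passed to kill; anything else in the file is reported and ignored.
stop_client()
{
	n=0
	while [ ! -s "$pidfile" ] && [ "$n" -lt 5 ]; do
		sleep 1
		n=$((n + 1))
	done
	pid=$(cat "$pidfile" 2>/dev/null)
	case $pid in
	"")
		;;
	*[!0-9]*)
		echo "stop_client: ignoring non-numeric pidfile content" >&2
		;;
	*)
		kill "$pid"
		sleep 1
		;;
	esac
}

cp "$OBJ/sshd_proxy" "$OBJ/sshd_proxy_bak"

# Global section permits only port 1; the Match block for the loopback source
# address additionally permits the test sshd's own port.
echo "PermitOpen 127.0.0.1:1" >>"$OBJ/sshd_config"
echo "Match Address 127.0.0.1" >>"$OBJ/sshd_config"
echo "PermitOpen 127.0.0.1:$PORT" >>"$OBJ/sshd_config"

echo "PermitOpen 127.0.0.1:1" >>"$OBJ/sshd_proxy"
echo "Match Address 127.0.0.1" >>"$OBJ/sshd_proxy"
echo "PermitOpen 127.0.0.1:$PORT" >>"$OBJ/sshd_proxy"

start_sshd

#set -x

# Test Match + PermitOpen in sshd_config. This should be permitted
for p in 1 2; do
	rm -f "$pidfile"
	trace "match permitopen localhost proto $p"
	${SSH} "-$p" $fwd -F "$OBJ/ssh_config" -f somehost \
	    "echo \$\$ > $pidfile; exec sleep 100" >>"$TEST_SSH_LOGFILE" 2>&1 || \
	    fail "match permitopen proto $p sshd failed"
	sleep 1
	${SSH} -q "-$p" -p "$fwdport" -F "$OBJ/ssh_config" somehost true || \
	    fail "match permitopen permit proto $p"
	stop_client
done

# Same but from different source (via the proxy config, so the connection does
# not match "Address 127.0.0.1"). This should not be permitted
for p in 1 2; do
	rm -f "$pidfile"
	trace "match permitopen proxy proto $p"
	${SSH} -q "-$p" $fwd -F "$OBJ/ssh_proxy" -f somehost \
	    "echo \$\$ > $pidfile; exec sleep 100" >>"$TEST_SSH_LOGFILE" 2>&1 || \
	    fail "match permitopen proxy proto $p sshd failed"
	sleep 1
	${SSH} -q "-$p" -p "$fwdport" -F "$OBJ/ssh_config" somehost true && \
	    fail "match permitopen deny proto $p"
	stop_client
done

# Retry previous with key option, should also be denied.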
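# Build a fresh authorized_keys with a permitopen= option in front of each
# key.  printf replaces "echo -n", whose behaviour differs between sh
# implementations; the output is byte-identical (trailing space, no newline).
printf 'permitopen="127.0.0.1:%s" ' "$PORT" >"$OBJ/authorized_keys_$USER"
cat "$OBJ/rsa.pub" >>"$OBJ/authorized_keys_$USER"
printf 'permitopen="127.0.0.1:%s" ' "$PORT" >>"$OBJ/authorized_keys_$USER"
cat "$OBJ/rsa1.pub" >>"$OBJ/authorized_keys_$USER"
# A key option cannot widen what sshd_config allows: still denied via proxy.
for p in 1 2; do
	rm -f "$pidfile"
	trace "match permitopen proxy w/key opts proto $p"
	${SSH} -q "-$p" $fwd -F "$OBJ/ssh_proxy" -f somehost \
	    "echo \$\$ > $pidfile; exec sleep 100" >>"$TEST_SSH_LOGFILE" 2>&1 || \
	    fail "match permitopen w/key opt proto $p sshd failed"
	sleep 1
	${SSH} -q "-$p" -p "$fwdport" -F "$OBJ/ssh_config" somehost true && \
	    fail "match permitopen deny w/key opt proto $p"
	stop_client
done

# Test both sshd_config and key options permitting the same dst/port pair.
# Should be permitted.  Messages name the key option so a failure here is
# distinguishable from the first (no key option) loop.
for p in 1 2; do
	rm -f "$pidfile"
	trace "match permitopen localhost w/key opt proto $p"
	${SSH} "-$p" $fwd -F "$OBJ/ssh_config" -f somehost \
	    "echo \$\$ > $pidfile; exec sleep 100" >>"$TEST_SSH_LOGFILE" 2>&1 || \
	    fail "match permitopen localhost w/key opt proto $p sshd failed"
	sleep 1
	${SSH} -q "-$p" -p "$fwdport" -F "$OBJ/ssh_config" somehost true || \
	    fail "match permitopen permit w/key opt proto $p"
	stop_client
done

# Restore the proxy config and install a different rule set: the global
# section permits $PORT, but the Match User block for the test user does not.
cp "$OBJ/sshd_proxy_bak" "$OBJ/sshd_proxy"
echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>"$OBJ/sshd_proxy"
echo "Match User $USER" >>"$OBJ/sshd_proxy"
echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>"$OBJ/sshd_proxy"

# Test that a Match overrides a PermitOpen in the global section.
# The trace message previously repeated the "w/key opts" label of an earlier
# loop; it now names this case.
for p in 1 2; do
	rm -f "$pidfile"
	trace "match override permitopen proto $p"
	${SSH} -q "-$p" $fwd -F "$OBJ/ssh_proxy" -f somehost \
	    "echo \$\$ > $pidfile; exec sleep 100" >>"$TEST_SSH_LOGFILE" 2>&1 || \
	    fail "match override permitopen proto $p sshd failed"
	sleep 1
	${SSH} -q "-$p" -p "$fwdport" -F "$OBJ/ssh_config" somehost true && \
	    fail "match override permitopen proto $p"
	stop_client
done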