xref: /freebsd/crypto/openssh/regress/cfgmatch.sh (revision 1e413cf93298b5b97441a21d9a50fdcd0ee9945e)
1#	$OpenBSD: cfgmatch.sh,v 1.2 2006/07/22 01:50:00 dtucker Exp $
2#	Placed in the Public Domain.
3
4tid="sshd_config match"
5
6pidfile=$OBJ/remote_pid
7fwdport=3301
8fwd="-L $fwdport:127.0.0.1:$PORT"
9
10stop_client()
11{
12	pid=`cat $pidfile`
13	if [ ! -z "$pid" ]; then
14		kill $pid
15		sleep 1
16	fi
17}
18
19cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
20
21echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_config
22echo "Match Address 127.0.0.1" >>$OBJ/sshd_config
23echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_config
24
25echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_proxy
26echo "Match Address 127.0.0.1" >>$OBJ/sshd_proxy
27echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_proxy
28
29start_sshd
30
31#set -x
32
33# Test Match + PermitOpen in sshd_config.  This should be permitted
34for p in 1 2; do
35	rm -f $pidfile
36	trace "match permitopen localhost proto $p"
37	${SSH} -$p $fwd -F $OBJ/ssh_config -f somehost \
38	    "echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 ||\
39	    fail "match permitopen proto $p sshd failed"
40	sleep 1;
41	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
42	    fail "match permitopen permit proto $p"
43	stop_client
44done
45
46# Same but from different source.  This should not be permitted
47for p in 1 2; do
48	rm -f $pidfile
49	trace "match permitopen proxy proto $p"
50	${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \
51	    "echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 ||\
52	    fail "match permitopen proxy proto $p sshd failed"
53	sleep 1;
54	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
55	    fail "match permitopen deny proto $p"
56	stop_client
57done
58
59# Retry previous with key option, should also be denied.
60echo -n 'permitopen="127.0.0.1:'$PORT'" ' >$OBJ/authorized_keys_$USER
61cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
62echo -n 'permitopen="127.0.0.1:'$PORT'" ' >>$OBJ/authorized_keys_$USER
63cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
64for p in 1 2; do
65	rm -f $pidfile
66	trace "match permitopen proxy w/key opts proto $p"
67	${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \
68	    "echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 ||\
69	    fail "match permitopen w/key opt proto $p sshd failed"
70	sleep 1;
71	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
72	    fail "match permitopen deny w/key opt proto $p"
73	stop_client
74done
75
76# Test both sshd_config and key options permitting the same dst/port pair.
77# Should be permitted.
78for p in 1 2; do
79	rm -f $pidfile
80	trace "match permitopen localhost proto $p"
81	${SSH} -$p $fwd -F $OBJ/ssh_config -f somehost \
82	    "echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 ||\
83	    fail "match permitopen proto $p sshd failed"
84	sleep 1;
85	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
86	    fail "match permitopen permit proto $p"
87	stop_client
88done
89
90cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
91echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy
92echo "Match User $USER" >>$OBJ/sshd_proxy
93echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
94
95# Test that a Match overrides a PermitOpen in the global section
96for p in 1 2; do
97	rm -f $pidfile
98	trace "match permitopen proxy w/key opts proto $p"
99	${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \
100	    "echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 ||\
101	    fail "match override permitopen proto $p sshd failed"
102	sleep 1;
103	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
104	    fail "match override permitopen proto $p"
105	stop_client
106done
107