xref: /freebsd/crypto/openssh/regress/cfgmatch.sh (revision 7ef62cebc2f965b0f640263e179276928885e33d)
1#	$OpenBSD: cfgmatch.sh,v 1.13 2021/06/08 06:52:43 djm Exp $
2#	Placed in the Public Domain.
3
4tid="sshd_config match"
5
6pidfile=$OBJ/remote_pid
7fwdport=3301
8fwd="-L $fwdport:127.0.0.1:$PORT"
9
10echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_config
11echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_proxy
12
13start_client()
14{
15	rm -f $pidfile
16	${SSH} -q $fwd "$@" somehost \
17	    exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \
18	    >>$TEST_REGRESS_LOGFILE 2>&1 &
19	client_pid=$!
20	# Wait for remote end
21	n=0
22	while test ! -f $pidfile ; do
23		sleep 1
24		n=`expr $n + 1`
25		if test $n -gt 60; then
26			kill $client_pid
27			fatal "timeout waiting for background ssh"
28		fi
29	done
30}
31
32stop_client()
33{
34	pid=`cat $pidfile`
35	if [ ! -z "$pid" ]; then
36		kill $pid
37	fi
38	wait
39}
40
41cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
42echo "PermitOpen 127.0.0.1:1 # comment" >>$OBJ/sshd_config
43echo "Match Address 127.0.0.1" >>$OBJ/sshd_config
44echo "PermitOpen 127.0.0.1:2 127.0.0.1:3 127.0.0.1:$PORT" >>$OBJ/sshd_config
45
46grep -v AuthorizedKeysFile $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
47echo "AuthorizedKeysFile /dev/null # comment" >>$OBJ/sshd_proxy
48echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_proxy
49echo "Match user $USER" >>$OBJ/sshd_proxy
50echo "AuthorizedKeysFile /dev/null $OBJ/authorized_keys_%u" >>$OBJ/sshd_proxy
51echo "Match Address 127.0.0.1 # comment" >>$OBJ/sshd_proxy
52echo "PermitOpen 127.0.0.1:2 127.0.0.1:3 127.0.0.1:$PORT" >>$OBJ/sshd_proxy
53
54${SUDO} ${SSHD} -f $OBJ/sshd_config -T >/dev/null || \
55    fail "config w/match fails config test"
56
57start_sshd
58
59# Test Match + PermitOpen in sshd_config.  This should be permitted
60trace "match permitopen localhost"
61start_client -F $OBJ/ssh_config
62${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
63    fail "match permitopen permit"
64stop_client
65
66# Same but from different source.  This should not be permitted
67trace "match permitopen proxy"
68start_client -F $OBJ/ssh_proxy
69${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true && \
70    fail "match permitopen deny"
71stop_client
72
73# Retry previous with key option, should also be denied.
74cp /dev/null $OBJ/authorized_keys_$USER
75for t in ${SSH_KEYTYPES}; do
76	printf 'permitopen="127.0.0.1:'$PORT'" ' >> $OBJ/authorized_keys_$USER
77	cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
78done
79trace "match permitopen proxy w/key opts"
80start_client -F $OBJ/ssh_proxy
81${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true && \
82    fail "match permitopen deny w/key opt"
83stop_client
84
85# Test both sshd_config and key options permitting the same dst/port pair.
86# Should be permitted.
87trace "match permitopen localhost"
88start_client -F $OBJ/ssh_config
89${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
90    fail "match permitopen permit"
91stop_client
92
93cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
94echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy
95echo "Match User $USER" >>$OBJ/sshd_proxy
96echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
97
98# Test that a Match overrides a PermitOpen in the global section
99trace "match permitopen proxy w/key opts"
100start_client -F $OBJ/ssh_proxy
101${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true && \
102    fail "match override permitopen"
103stop_client
104
105cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
106echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy
107echo "Match User NoSuchUser" >>$OBJ/sshd_proxy
108echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
109
110# Test that a rule that doesn't match doesn't override, plus test a
111# PermitOpen entry that's not at the start of the list
112trace "nomatch permitopen proxy w/key opts"
113start_client -F $OBJ/ssh_proxy
114${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
115    fail "nomatch override permitopen"
116stop_client
117
118# Test parsing of available Match criteria (with the exception of Group which
119# requires knowledge of actual group memberships user running the test).
120params="user:user:u1 host:host:h1 address:addr:1.2.3.4 \
121    localaddress:laddr:5.6.7.8 rdomain:rdomain:rdom1"
122cp $OBJ/sshd_proxy_bak $OBJ/sshd_config
123echo 'Banner /nomatch' >>$OBJ/sshd_config
124for i in $params; do
125	config=`echo $i | cut -f1 -d:`
126	criteria=`echo $i | cut -f2 -d:`
127	value=`echo $i | cut -f3 -d:`
128	cat >>$OBJ/sshd_config <<EOD
129	    Match $config $value
130	      Banner /$value
131EOD
132done
133
134${SUDO} ${SSHD} -f $OBJ/sshd_config -T >/dev/null || \
135    fail "validate config for w/out spec"
136
137# Test matching each criteria.
138for i in $params; do
139	testcriteria=`echo $i | cut -f2 -d:`
140	expected=/`echo $i | cut -f3 -d:`
141	spec=""
142	for j in $params; do
143		config=`echo $j | cut -f1 -d:`
144		criteria=`echo $j | cut -f2 -d:`
145		value=`echo $j | cut -f3 -d:`
146		if [ "$criteria" = "$testcriteria" ]; then
147			spec="$criteria=$value,$spec"
148		else
149			spec="$criteria=1$value,$spec"
150		fi
151	done
152	trace "test spec $spec"
153	result=`${SUDO} ${SSHD} -f $OBJ/sshd_config -T -C "$spec" | \
154	    awk '$1=="banner"{print $2}'`
155	if [ "$result" != "$expected" ]; then
156		fail "match $config expected $expected got $result"
157	fi
158done
159