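#	$OpenBSD: cfgmatch.sh,v 1.13 2021/06/08 06:52:43 djm Exp $
#	Placed in the Public Domain.

# Exercises sshd_config "Match" handling.
#
# Part one appends PermitOpen directives, both global and inside Match
# blocks, to the regress sshd_config and sshd_proxy, starts a background ssh
# client that holds a -L forward to 127.0.0.1:$PORT, and then checks that a
# connection through that forward is accepted or refused as each
# configuration requires.  Part two feeds Match specs to "sshd -T -C" and
# checks which Banner directive wins.
#
# Relies on the regress harness for OBJ, PORT, SSH, SSHD, SUDO, SSH_KEYTYPES,
# TEST_REGRESS_LOGFILE and the trace/fail/fatal/start_sshd helpers.

tid="sshd_config match"

pidfile=$OBJ/remote_pid
fwdport=3301
# Two words ("-L" and the forward spec); deliberately expanded unquoted.
fwd="-L $fwdport:127.0.0.1:$PORT"

# Make the client exit when the forward is refused, so a denied PermitOpen
# shows up as a failed connection rather than a silent no-op.
echo "ExitOnForwardFailure=yes" >> "$OBJ/ssh_config"
echo "ExitOnForwardFailure=yes" >> "$OBJ/ssh_proxy"

# Start a background ssh that keeps the -L forward open.
# Arguments:	extra ssh options (e.g. -F config), passed through to ssh
# Globals:	reads fwd, pidfile, SSH, TEST_REGRESS_LOGFILE; sets client_pid
# The remote command records its own pid in $pidfile; we poll for that file
# so the forward is known to be up before the caller uses it.  Polling a
# local path relies on the regress sshd running on this host.
start_client()
{
	rm -f "$pidfile"
	# The escaped single quotes are delivered literally, so the remote
	# command line becomes: exec sh -c 'echo $$ > <pidfile>; exec sleep 100'
	${SSH} -q $fwd "$@" somehost \
	    exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \
	    >>"$TEST_REGRESS_LOGFILE" 2>&1 &
	client_pid=$!
	# Wait for remote end; give up (and kill the client) after ~60s.
	n=0
	while test ! -f "$pidfile" ; do
		sleep 1
		n=$((n + 1))
		if test "$n" -gt 60; then
			kill "$client_pid"
			fatal "timeout waiting for background ssh"
		fi
	done
}

# Kill the remote "sleep" started by start_client, using the pid it recorded
# in $pidfile, then reap the background ssh.
stop_client()
{
	pid=$(cat "$pidfile")
	if [ -n "$pid" ]; then
		kill "$pid"
	fi
	wait
}

# Keep a pristine copy of sshd_proxy; later tests rebuild it from this.
cp "$OBJ/sshd_proxy" "$OBJ/sshd_proxy_bak"

# sshd_config: the forward to $PORT is only permitted for 127.0.0.1 clients.
# The trailing "# comment" suffixes are part of the test input and exercise
# end-of-line comment parsing.
echo "PermitOpen 127.0.0.1:1 # comment" >>"$OBJ/sshd_config"
echo "Match Address 127.0.0.1" >>"$OBJ/sshd_config"
echo "PermitOpen 127.0.0.1:2 127.0.0.1:3 127.0.0.1:$PORT" >>"$OBJ/sshd_config"

# sshd_proxy: no AuthorizedKeysFile except inside "Match user $USER", and
# the forward to $PORT is again only permitted under "Match Address".
grep -v AuthorizedKeysFile "$OBJ/sshd_proxy_bak" > "$OBJ/sshd_proxy"
echo "AuthorizedKeysFile /dev/null # comment" >>"$OBJ/sshd_proxy"
echo "PermitOpen 127.0.0.1:1" >>"$OBJ/sshd_proxy"
echo "Match user $USER" >>"$OBJ/sshd_proxy"
echo "AuthorizedKeysFile /dev/null $OBJ/authorized_keys_%u" >>"$OBJ/sshd_proxy"
echo "Match Address 127.0.0.1 # comment" >>"$OBJ/sshd_proxy"
echo "PermitOpen 127.0.0.1:2 127.0.0.1:3 127.0.0.1:$PORT" >>"$OBJ/sshd_proxy"

${SUDO} ${SSHD} -f "$OBJ/sshd_config" -T >/dev/null || \
	fail "config w/match fails config test"

start_sshd

# Test Match + PermitOpen in sshd_config. This should be permitted
trace "match permitopen localhost"
start_client -F "$OBJ/ssh_config"
${SSH} -q -p "$fwdport" -F "$OBJ/ssh_config" somehost true || \
	fail "match permitopen permit"
stop_client

# Same but from different source. This should not be permitted
trace "match permitopen proxy"
start_client -F "$OBJ/ssh_proxy"
${SSH} -q -p "$fwdport" -F "$OBJ/ssh_config" somehost true && \
	fail "match permitopen deny"
stop_client

# Retry previous with key option, should also be denied.
cp /dev/null "$OBJ/authorized_keys_$USER"
for t in ${SSH_KEYTYPES}; do
	# $PORT is data, so it goes through %s rather than into the format.
	printf 'permitopen="127.0.0.1:%s" ' "$PORT" >> "$OBJ/authorized_keys_$USER"
	cat "$OBJ/$t.pub" >> "$OBJ/authorized_keys_$USER"
done
trace "match permitopen proxy w/key opts"
start_client -F "$OBJ/ssh_proxy"
${SSH} -q -p "$fwdport" -F "$OBJ/ssh_config" somehost true && \
	fail "match permitopen deny w/key opt"
stop_client

# Test both sshd_config and key options permitting the same dst/port pair.
# Should be permitted.
trace "match permitopen localhost w/key opts"
start_client -F "$OBJ/ssh_config"
${SSH} -q -p "$fwdport" -F "$OBJ/ssh_config" somehost true || \
	fail "match permitopen permit"
stop_client

# Global section permits $PORT, the matching "Match User" block does not.
cp "$OBJ/sshd_proxy_bak" "$OBJ/sshd_proxy"
echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>"$OBJ/sshd_proxy"
echo "Match User $USER" >>"$OBJ/sshd_proxy"
echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>"$OBJ/sshd_proxy"

# Test that a Match overrides a PermitOpen in the global section
trace "match override permitopen"
start_client -F "$OBJ/ssh_proxy"
${SSH} -q -p "$fwdport" -F "$OBJ/ssh_config" somehost true && \
	fail "match override permitopen"
stop_client

# Same layout, but the Match block is for a user that never matches.
cp "$OBJ/sshd_proxy_bak" "$OBJ/sshd_proxy"
echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>"$OBJ/sshd_proxy"
echo "Match User NoSuchUser" >>"$OBJ/sshd_proxy"
echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>"$OBJ/sshd_proxy"

# Test that a rule that doesn't match doesn't override, plus test a
# PermitOpen entry that's not at the start of the list
trace "nomatch override permitopen"
start_client -F "$OBJ/ssh_proxy"
${SSH} -q -p "$fwdport" -F "$OBJ/ssh_config" somehost true || \
	fail "nomatch override permitopen"
stop_client

# Test parsing of available Match criteria (with the exception of Group which
# requires knowledge of actual group memberships user running the test).
# Each entry is "config-keyword:sshd -C criteria:value".
params="user:user:u1 host:host:h1 address:addr:1.2.3.4 \
    localaddress:laddr:5.6.7.8 rdomain:rdomain:rdom1"
cp "$OBJ/sshd_proxy_bak" "$OBJ/sshd_config"
echo 'Banner /nomatch' >>"$OBJ/sshd_config"
for i in $params; do
	config=${i%%:*}
	value=${i##*:}
	# Each Match block sets Banner to "/<value>" so the winning block
	# can be read back from "sshd -T" output.
	cat >>"$OBJ/sshd_config" <<EOD
Match $config $value
Banner /$value
EOD
done

${SUDO} ${SSHD} -f "$OBJ/sshd_config" -T >/dev/null || \
	fail "validate config for w/out spec"

# Test matching each criteria.
for i in $params; do
	testconfig=${i%%:*}
	irest=${i#*:}
	testcriteria=${irest%%:*}
	expected=/${irest#*:}
	# Build a -C spec where only the criteria under test carries its
	# configured value; every other criteria gets "1<value>" so it
	# cannot match.
	spec=""
	for j in $params; do
		jrest=${j#*:}
		criteria=${jrest%%:*}
		value=${jrest#*:}
		if [ "$criteria" = "$testcriteria" ]; then
			spec="$criteria=$value,$spec"
		else
			spec="$criteria=1$value,$spec"
		fi
	done
	trace "test spec $spec"
	result=$(${SUDO} ${SSHD} -f "$OBJ/sshd_config" -T -C "$spec" | \
	    awk '$1=="banner"{print $2}')
	if [ "$result" != "$expected" ]; then
		# Report the keyword under test, not the last one iterated.
		fail "match $testconfig expected $expected got $result"
	fi
done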