xref: /freebsd/crypto/openssh/regress/cfgmatch.sh (revision f39bffc62c1395bde25d152c7f68fdf7cbaab414) 
1#	$OpenBSD: cfgmatch.sh,v 1.11 2017/10/04 18:50:23 djm Exp $
2#	Placed in the Public Domain.
3
4tid="sshd_config match"
5
6pidfile=$OBJ/remote_pid
7fwdport=3301
8fwd="-L $fwdport:127.0.0.1:$PORT"
9
10echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_config
11echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_proxy
12
13start_client()
14{
15	rm -f $pidfile
16	${SSH} -q $fwd "$@" somehost \
17	    exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \
18	    >>$TEST_REGRESS_LOGFILE 2>&1 &
19	client_pid=$!
20	# Wait for remote end
21	n=0
22	while test ! -f $pidfile ; do
23		sleep 1
24		n=`expr $n + 1`
25		if test $n -gt 60; then
26			kill $client_pid
27			fatal "timeout waiting for background ssh"
28		fi
29	done
30}
31
32stop_client()
33{
34	pid=`cat $pidfile`
35	if [ ! -z "$pid" ]; then
36		kill $pid
37	fi
38	wait
39}
40
41cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
42echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_config
43echo "Match Address 127.0.0.1" >>$OBJ/sshd_config
44echo "PermitOpen 127.0.0.1:2 127.0.0.1:3 127.0.0.1:$PORT" >>$OBJ/sshd_config
45
46grep -v AuthorizedKeysFile $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
47echo "AuthorizedKeysFile /dev/null" >>$OBJ/sshd_proxy
48echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_proxy
49echo "Match user $USER" >>$OBJ/sshd_proxy
50echo "AuthorizedKeysFile /dev/null $OBJ/authorized_keys_%u" >>$OBJ/sshd_proxy
51echo "Match Address 127.0.0.1" >>$OBJ/sshd_proxy
52echo "PermitOpen 127.0.0.1:2 127.0.0.1:3 127.0.0.1:$PORT" >>$OBJ/sshd_proxy
53
54start_sshd
55
56#set -x
57
58# Test Match + PermitOpen in sshd_config.  This should be permitted
59trace "match permitopen localhost"
60start_client -F $OBJ/ssh_config
61${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
62    fail "match permitopen permit"
63stop_client
64
65# Same but from different source.  This should not be permitted
66trace "match permitopen proxy"
67start_client -F $OBJ/ssh_proxy
68${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true && \
69    fail "match permitopen deny"
70stop_client
71
72# Retry previous with key option, should also be denied.
73cp /dev/null $OBJ/authorized_keys_$USER
74for t in ${SSH_KEYTYPES}; do
75	printf 'permitopen="127.0.0.1:'$PORT'" ' >> $OBJ/authorized_keys_$USER
76	cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
77done
78trace "match permitopen proxy w/key opts"
79start_client -F $OBJ/ssh_proxy
80${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true && \
81    fail "match permitopen deny w/key opt"
82stop_client
83
84# Test both sshd_config and key options permitting the same dst/port pair.
85# Should be permitted.
86trace "match permitopen localhost"
87start_client -F $OBJ/ssh_config
88${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
89    fail "match permitopen permit"
90stop_client
91
92cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
93echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy
94echo "Match User $USER" >>$OBJ/sshd_proxy
95echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
96
97# Test that a Match overrides a PermitOpen in the global section
98trace "match permitopen proxy w/key opts"
99start_client -F $OBJ/ssh_proxy
100${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true && \
101    fail "match override permitopen"
102stop_client
103
104cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
105echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy
106echo "Match User NoSuchUser" >>$OBJ/sshd_proxy
107echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
108
109# Test that a rule that doesn't match doesn't override, plus test a
110# PermitOpen entry that's not at the start of the list
111trace "nomatch permitopen proxy w/key opts"
112start_client -F $OBJ/ssh_proxy
113${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
114    fail "nomatch override permitopen"
115stop_client
116