1# $OpenBSD: forward-control.sh,v 1.2 2013/11/18 05:09:32 naddy Exp $ 2# Placed in the Public Domain. 3 4tid="sshd control of local and remote forwarding" 5 6LFWD_PORT=3320 7RFWD_PORT=3321 8CTL=$OBJ/ctl-sock 9READY=$OBJ/ready 10 11wait_for_file_to_appear() { 12 _path=$1 13 _n=0 14 while test ! -f $_path ; do 15 test $_n -eq 1 && trace "waiting for $_path to appear" 16 _n=`expr $_n + 1` 17 test $_n -ge 20 && return 1 18 sleep 1 19 done 20 return 0 21} 22 23wait_for_process_to_exit() { 24 _pid=$1 25 _n=0 26 while kill -0 $_pid 2>/dev/null ; do 27 test $_n -eq 1 && trace "waiting for $_pid to exit" 28 _n=`expr $_n + 1` 29 test $_n -ge 20 && return 1 30 sleep 1 31 done 32 return 0 33} 34 35# usage: check_lfwd protocol Y|N message 36check_lfwd() { 37 _proto=$1 38 _expected=$2 39 _message=$3 40 rm -f $READY 41 ${SSH} -oProtocol=$_proto -F $OBJ/ssh_proxy \ 42 -L$LFWD_PORT:127.0.0.1:$PORT \ 43 -o ExitOnForwardFailure=yes \ 44 -n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \ 45 >/dev/null 2>&1 & 46 _sshpid=$! 47 wait_for_file_to_appear $READY || \ 48 fatal "check_lfwd ssh fail: $_message" 49 ${SSH} -F $OBJ/ssh_config -p $LFWD_PORT \ 50 -oConnectionAttempts=4 host true >/dev/null 2>&1 51 _result=$? 52 kill $_sshpid `cat $READY` 2>/dev/null 53 wait_for_process_to_exit $_sshpid 54 if test "x$_expected" = "xY" -a $_result -ne 0 ; then 55 fail "check_lfwd failed (expecting success): $_message" 56 elif test "x$_expected" = "xN" -a $_result -eq 0 ; then 57 fail "check_lfwd succeeded (expecting failure): $_message" 58 elif test "x$_expected" != "xY" -a "x$_expected" != "xN" ; then 59 fatal "check_lfwd invalid argument \"$_expected\"" 60 else 61 verbose "check_lfwd done (expecting $_expected): $_message" 62 fi 63} 64 65# usage: check_rfwd protocol Y|N message 66check_rfwd() { 67 _proto=$1 68 _expected=$2 69 _message=$3 70 rm -f $READY 71 ${SSH} -oProtocol=$_proto -F $OBJ/ssh_proxy \ 72 -R$RFWD_PORT:127.0.0.1:$PORT \ 73 -o ExitOnForwardFailure=yes \ 74 -n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \ 75 >/dev/null 2>&1 & 76 _sshpid=$! 77 wait_for_file_to_appear $READY 78 _result=$? 79 if test $_result -eq 0 ; then 80 ${SSH} -F $OBJ/ssh_config -p $RFWD_PORT \ 81 -oConnectionAttempts=4 host true >/dev/null 2>&1 82 _result=$? 83 kill $_sshpid `cat $READY` 2>/dev/null 84 wait_for_process_to_exit $_sshpid 85 fi 86 if test "x$_expected" = "xY" -a $_result -ne 0 ; then 87 fail "check_rfwd failed (expecting success): $_message" 88 elif test "x$_expected" = "xN" -a $_result -eq 0 ; then 89 fail "check_rfwd succeeded (expecting failure): $_message" 90 elif test "x$_expected" != "xY" -a "x$_expected" != "xN" ; then 91 fatal "check_rfwd invalid argument \"$_expected\"" 92 else 93 verbose "check_rfwd done (expecting $_expected): $_message" 94 fi 95} 96 97start_sshd 98cp ${OBJ}/sshd_proxy ${OBJ}/sshd_proxy.bak 99cp ${OBJ}/authorized_keys_${USER} ${OBJ}/authorized_keys_${USER}.bak 100 101# Sanity check: ensure the default config allows forwarding 102for p in 1 2 ; do 103 check_lfwd $p Y "proto $p, default configuration" 104 check_rfwd $p Y "proto $p, default configuration" 105done 106 107# Usage: all_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N 108all_tests() { 109 _tcpfwd=$1 110 _plain_lfwd=$2 111 _plain_rfwd=$3 112 _nopermit_lfwd=$4 113 _nopermit_rfwd=$5 114 _permit_lfwd=$6 115 _permit_rfwd=$7 116 _badfwd=127.0.0.1:22 117 _goodfwd=127.0.0.1:${PORT} 118 for _proto in 1 2 ; do 119 cp ${OBJ}/authorized_keys_${USER}.bak \ 120 ${OBJ}/authorized_keys_${USER} 121 _prefix="proto $_proto, AllowTcpForwarding=$_tcpfwd" 122 # No PermitOpen 123 ( cat ${OBJ}/sshd_proxy.bak ; 124 echo "AllowTcpForwarding $_tcpfwd" ) \ 125 > ${OBJ}/sshd_proxy 126 check_lfwd $_proto $_plain_lfwd "$_prefix" 127 check_rfwd $_proto $_plain_rfwd "$_prefix" 128 # PermitOpen via sshd_config that doesn't match 129 ( cat ${OBJ}/sshd_proxy.bak ; 130 echo "AllowTcpForwarding $_tcpfwd" ; 131 echo "PermitOpen $_badfwd" ) \ 132 > ${OBJ}/sshd_proxy 133 check_lfwd $_proto $_nopermit_lfwd "$_prefix, !PermitOpen" 134 check_rfwd $_proto $_nopermit_rfwd "$_prefix, !PermitOpen" 135 # PermitOpen via sshd_config that does match 136 ( cat ${OBJ}/sshd_proxy.bak ; 137 echo "AllowTcpForwarding $_tcpfwd" ; 138 echo "PermitOpen $_badfwd $_goodfwd" ) \ 139 > ${OBJ}/sshd_proxy 140 # NB. permitopen via authorized_keys should have same 141 # success/fail as via sshd_config 142 # permitopen via authorized_keys that doesn't match 143 sed "s/^/permitopen=\"$_badfwd\" /" \ 144 < ${OBJ}/authorized_keys_${USER}.bak \ 145 > ${OBJ}/authorized_keys_${USER} || fatal "sed 1 fail" 146 ( cat ${OBJ}/sshd_proxy.bak ; 147 echo "AllowTcpForwarding $_tcpfwd" ) \ 148 > ${OBJ}/sshd_proxy 149 check_lfwd $_proto $_nopermit_lfwd "$_prefix, !permitopen" 150 check_rfwd $_proto $_nopermit_rfwd "$_prefix, !permitopen" 151 # permitopen via authorized_keys that does match 152 sed "s/^/permitopen=\"$_badfwd\",permitopen=\"$_goodfwd\" /" \ 153 < ${OBJ}/authorized_keys_${USER}.bak \ 154 > ${OBJ}/authorized_keys_${USER} || fatal "sed 2 fail" 155 ( cat ${OBJ}/sshd_proxy.bak ; 156 echo "AllowTcpForwarding $_tcpfwd" ) \ 157 > ${OBJ}/sshd_proxy 158 check_lfwd $_proto $_permit_lfwd "$_prefix, permitopen" 159 check_rfwd $_proto $_permit_rfwd "$_prefix, permitopen" 160 done 161} 162 163# no-permitopen mismatch-permitopen match-permitopen 164# AllowTcpForwarding local remote local remote local remote 165all_tests yes Y Y N Y Y Y 166all_tests local Y N N N Y N 167all_tests remote N Y N Y N Y 168all_tests no N N N N N N 169