1295367Sdes#	$OpenBSD: cfgmatch.sh,v 1.9 2015/03/03 22:35:19 markus Exp $
2162852Sdes#	Placed in the Public Domain.
3162852Sdes
4162852Sdestid="sshd_config match"
5162852Sdes
6162852Sdespidfile=$OBJ/remote_pid
7162852Sdesfwdport=3301
8162852Sdesfwd="-L $fwdport:127.0.0.1:$PORT"
9162852Sdes
10225825Sdesecho "ExitOnForwardFailure=yes" >> $OBJ/ssh_config
11225825Sdesecho "ExitOnForwardFailure=yes" >> $OBJ/ssh_proxy
12225825Sdes
13225825Sdesstart_client()
14225825Sdes{
15225825Sdes	rm -f $pidfile
16225825Sdes	${SSH} -q -$p $fwd "$@" somehost \
17225825Sdes	    exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \
18255670Sdes	    >>$TEST_REGRESS_LOGFILE 2>&1 &
19225825Sdes	client_pid=$!
20225825Sdes	# Wait for remote end
21225825Sdes	n=0
22225825Sdes	while test ! -f $pidfile ; do
23225825Sdes		sleep 1
24225825Sdes		n=`expr $n + 1`
25225825Sdes		if test $n -gt 60; then
26225825Sdes			kill $client_pid
27225825Sdes			fatal "timeout waiting for background ssh"
28225825Sdes		fi
29225825Sdes	done	
30225825Sdes}
31225825Sdes
32162852Sdesstop_client()
33162852Sdes{
34162852Sdes	pid=`cat $pidfile`
35162852Sdes	if [ ! -z "$pid" ]; then
36162852Sdes		kill $pid
37162852Sdes	fi
38225825Sdes	wait
39162852Sdes}
40162852Sdes
41162852Sdescp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
42162852Sdesecho "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_config
43162852Sdesecho "Match Address 127.0.0.1" >>$OBJ/sshd_config
44162852Sdesecho "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_config
45162852Sdes
46255670Sdesgrep -v AuthorizedKeysFile $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
47255670Sdesecho "AuthorizedKeysFile /dev/null" >>$OBJ/sshd_proxy
48162852Sdesecho "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_proxy
49255670Sdesecho "Match user $USER" >>$OBJ/sshd_proxy
50255670Sdesecho "AuthorizedKeysFile /dev/null $OBJ/authorized_keys_%u" >>$OBJ/sshd_proxy
51162852Sdesecho "Match Address 127.0.0.1" >>$OBJ/sshd_proxy
52162852Sdesecho "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_proxy
53162852Sdes
54162852Sdesstart_sshd
55162852Sdes
56162852Sdes#set -x
57162852Sdes
58162852Sdes# Test Match + PermitOpen in sshd_config.  This should be permitted
59295367Sdesfor p in ${SSH_PROTOCOLS}; do
60162852Sdes	trace "match permitopen localhost proto $p"
61225825Sdes	start_client -F $OBJ/ssh_config
62162852Sdes	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
63162852Sdes	    fail "match permitopen permit proto $p"
64162852Sdes	stop_client
65162852Sdesdone
66162852Sdes
67162852Sdes# Same but from different source.  This should not be permitted
68295367Sdesfor p in ${SSH_PROTOCOLS}; do
69162852Sdes	trace "match permitopen proxy proto $p"
70225825Sdes	start_client -F $OBJ/ssh_proxy
71162852Sdes	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
72162852Sdes	    fail "match permitopen deny proto $p"
73162852Sdes	stop_client
74162852Sdesdone
75162852Sdes
76162852Sdes# Retry previous with key option, should also be denied.
77295367Sdescp /dev/null $OBJ/authorized_keys_$USER
78295367Sdesfor t in ${SSH_KEYTYPES}; do
79295367Sdes	printf 'permitopen="127.0.0.1:'$PORT'" ' >> $OBJ/authorized_keys_$USER
80295367Sdes	cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
81295367Sdesdone
82295367Sdesfor p in ${SSH_PROTOCOLS}; do
83162852Sdes	trace "match permitopen proxy w/key opts proto $p"
84225825Sdes	start_client -F $OBJ/ssh_proxy
85162852Sdes	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
86162852Sdes	    fail "match permitopen deny w/key opt proto $p"
87162852Sdes	stop_client
88162852Sdesdone
89162852Sdes
90162852Sdes# Test both sshd_config and key options permitting the same dst/port pair.
91162852Sdes# Should be permitted.
92295367Sdesfor p in ${SSH_PROTOCOLS}; do
93162852Sdes	trace "match permitopen localhost proto $p"
94225825Sdes	start_client -F $OBJ/ssh_config
95162852Sdes	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
96162852Sdes	    fail "match permitopen permit proto $p"
97162852Sdes	stop_client
98162852Sdesdone
99162852Sdes
100162852Sdescp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
101162852Sdesecho "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy
102162852Sdesecho "Match User $USER" >>$OBJ/sshd_proxy
103162852Sdesecho "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
104162852Sdes
105162852Sdes# Test that a Match overrides a PermitOpen in the global section
106295367Sdesfor p in ${SSH_PROTOCOLS}; do
107162852Sdes	trace "match permitopen proxy w/key opts proto $p"
108225825Sdes	start_client -F $OBJ/ssh_proxy
109162852Sdes	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
110162852Sdes	    fail "match override permitopen proto $p"
111162852Sdes	stop_client
112162852Sdesdone
113180746Sdes
114180746Sdescp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
115180746Sdesecho "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy
116180746Sdesecho "Match User NoSuchUser" >>$OBJ/sshd_proxy
117180746Sdesecho "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
118180746Sdes
119180746Sdes# Test that a rule that doesn't match doesn't override, plus test a
120180746Sdes# PermitOpen entry that's not at the start of the list
121295367Sdesfor p in ${SSH_PROTOCOLS}; do
122180746Sdes	trace "nomatch permitopen proxy w/key opts proto $p"
123225825Sdes	start_client -F $OBJ/ssh_proxy
124180746Sdes	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
125180746Sdes	    fail "nomatch override permitopen proto $p"
126180746Sdes	stop_client
127180746Sdesdone
128