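#	$OpenBSD: cfgmatch.sh,v 1.9 2015/03/03 22:35:19 markus Exp $
#	Placed in the Public Domain.
#
# Regression test for sshd_config "Match" blocks combined with PermitOpen.
# A background ssh client sets up a local forward ($fwdport -> 127.0.0.1:$PORT)
# and a second ssh then connects through that forward; whether that second
# connection succeeds shows whether sshd permitted or refused the forward
# under the Match rules in force.
#
# Provided by the regress harness (not defined here): OBJ, PORT, SSH,
# SSH_PROTOCOLS, SSH_KEYTYPES, TEST_REGRESS_LOGFILE, start_sshd, trace,
# fail and fatal.

tid="sshd_config match"

pidfile=$OBJ/remote_pid
fwdport=3301
fwd="-L $fwdport:127.0.0.1:$PORT"

# Make both client configurations give up if a requested forwarding
# cannot be established.
echo "ExitOnForwardFailure=yes" >> "$OBJ/ssh_config"
echo "ExitOnForwardFailure=yes" >> "$OBJ/ssh_proxy"

# start_client [ssh options...]
# Start a background ssh (protocol $p, with the $fwd local forward) whose
# remote command writes its own PID to $pidfile and then execs "sleep 100".
# Polls for up to 60 seconds for $pidfile to appear; on timeout the client
# is killed and fatal is called.
# Globals: p, fwd, pidfile, SSH, TEST_REGRESS_LOGFILE (read);
#          client_pid (set).
start_client()
{
	rm -f "$pidfile"
	# $fwd is intentionally unquoted: it carries "-L" and its argument
	# as two words.
	${SSH} -q -$p $fwd "$@" somehost \
	    exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \
	    >>"$TEST_REGRESS_LOGFILE" 2>&1 &
	client_pid=$!
	# Wait for remote end
	n=0
	while test ! -f "$pidfile" ; do
		sleep 1
		n=$((n + 1))
		if test "$n" -gt 60; then
			kill "$client_pid"
			fatal "timeout waiting for background ssh"
		fi
	done
}

# stop_client
# Kill the remote process recorded in $pidfile (if the file is non-empty),
# then wait for the background ssh started by start_client to exit.
# Globals: pidfile (read); pid (set).
stop_client()
{
	pid=$(cat "$pidfile")
	if [ -n "$pid" ]; then
		kill "$pid"
	fi
	wait
}

cp "$OBJ/sshd_proxy" "$OBJ/sshd_proxy_bak"
# Globally permit only 127.0.0.1:1; the Match Address block additionally
# permits 127.0.0.1:$PORT for connections from 127.0.0.1.
echo "PermitOpen 127.0.0.1:1" >>"$OBJ/sshd_config"
echo "Match Address 127.0.0.1" >>"$OBJ/sshd_config"
echo "PermitOpen 127.0.0.1:$PORT" >>"$OBJ/sshd_config"

# Proxy sshd: drop any existing AuthorizedKeysFile, so keys are taken only
# from the per-user file listed inside the "Match user" block; the address
# Match again permits 127.0.0.1:$PORT.
grep -v AuthorizedKeysFile "$OBJ/sshd_proxy_bak" > "$OBJ/sshd_proxy"
echo "AuthorizedKeysFile /dev/null" >>"$OBJ/sshd_proxy"
echo "PermitOpen 127.0.0.1:1" >>"$OBJ/sshd_proxy"
echo "Match user $USER" >>"$OBJ/sshd_proxy"
echo "AuthorizedKeysFile /dev/null $OBJ/authorized_keys_%u" >>"$OBJ/sshd_proxy"
echo "Match Address 127.0.0.1" >>"$OBJ/sshd_proxy"
echo "PermitOpen 127.0.0.1:$PORT" >>"$OBJ/sshd_proxy"

start_sshd

#set -x

# Test Match + PermitOpen in sshd_config. This should be permitted
for p in ${SSH_PROTOCOLS}; do
	trace "match permitopen localhost proto $p"
	start_client -F "$OBJ/ssh_config"
	${SSH} -q -$p -p "$fwdport" -F "$OBJ/ssh_config" somehost true || \
	    fail "match permitopen permit proto $p"
	stop_client
done

# Same but from different source. This should not be permitted
for p in ${SSH_PROTOCOLS}; do
	trace "match permitopen proxy proto $p"
	start_client -F "$OBJ/ssh_proxy"
	${SSH} -q -$p -p "$fwdport" -F "$OBJ/ssh_config" somehost true && \
	    fail "match permitopen deny proto $p"
	stop_client
done

# Retry previous with key option, should also be denied.
cp /dev/null "$OBJ/authorized_keys_$USER"
for t in ${SSH_KEYTYPES}; do
	# $PORT is passed as a printf argument rather than spliced into the
	# format string, so its content cannot be interpreted as a directive.
	printf 'permitopen="127.0.0.1:%s" ' "$PORT" >> "$OBJ/authorized_keys_$USER"
	cat "$OBJ/$t.pub" >> "$OBJ/authorized_keys_$USER"
done
for p in ${SSH_PROTOCOLS}; do
	trace "match permitopen proxy w/key opts proto $p"
	start_client -F "$OBJ/ssh_proxy"
	${SSH} -q -$p -p "$fwdport" -F "$OBJ/ssh_config" somehost true && \
	    fail "match permitopen deny w/key opt proto $p"
	stop_client
done

# Test both sshd_config and key options permitting the same dst/port pair.
# Should be permitted.
for p in ${SSH_PROTOCOLS}; do
	trace "match permitopen localhost proto $p"
	start_client -F "$OBJ/ssh_config"
	${SSH} -q -$p -p "$fwdport" -F "$OBJ/ssh_config" somehost true || \
	    fail "match permitopen permit proto $p"
	stop_client
done

cp "$OBJ/sshd_proxy_bak" "$OBJ/sshd_proxy"
echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>"$OBJ/sshd_proxy"
echo "Match User $USER" >>"$OBJ/sshd_proxy"
echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>"$OBJ/sshd_proxy"

# Test that a Match overrides a PermitOpen in the global section
for p in ${SSH_PROTOCOLS}; do
	trace "match permitopen proxy w/key opts proto $p"
	start_client -F "$OBJ/ssh_proxy"
	${SSH} -q -$p -p "$fwdport" -F "$OBJ/ssh_config" somehost true && \
	    fail "match override permitopen proto $p"
	stop_client
done

cp "$OBJ/sshd_proxy_bak" "$OBJ/sshd_proxy"
echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>"$OBJ/sshd_proxy"
echo "Match User NoSuchUser" >>"$OBJ/sshd_proxy"
echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>"$OBJ/sshd_proxy"

# Test that a rule that doesn't match doesn't override, plus test a
# PermitOpen entry that's not at the start of the list
for p in ${SSH_PROTOCOLS}; do
	trace "nomatch permitopen proxy w/key opts proto $p"
	start_client -F "$OBJ/ssh_proxy"
	${SSH} -q -$p -p "$fwdport" -F "$OBJ/ssh_config" somehost true || \
	    fail "nomatch override permitopen proto $p"
	stop_client
done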