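# $OpenBSD: cfgmatch.sh,v 1.8 2013/05/17 00:37:40 dtucker Exp $
# Placed in the Public Domain.

# Regression test for sshd_config "Match" blocks interacting with
# PermitOpen (both the server directive and the authorized_keys key option).
# Runs inside the OpenSSH regress harness, which provides $OBJ, $PORT, $SSH,
# $TEST_REGRESS_LOGFILE and the helpers start_sshd, trace, fail and fatal.

tid="sshd_config match"

pidfile=$OBJ/remote_pid
fwdport=3301
# Two words on purpose ("-L" and the forward spec); must stay unquoted below.
fwd="-L $fwdport:127.0.0.1:$PORT"

# Make the background client give up if its -L forward cannot be set up,
# instead of carrying on without the port the checks below connect to.
echo "ExitOnForwardFailure=yes" >> "$OBJ/ssh_config"
echo "ExitOnForwardFailure=yes" >> "$OBJ/ssh_proxy"

#######################################
# Start a background ssh session holding the $fwd local forward open.
# Globals:   SSH, p, fwd, pidfile, TEST_REGRESS_LOGFILE (read);
#            client_pid (written)
# Arguments: extra ssh options, e.g. -F <config>
# The remote command writes its own pid into $pidfile; stop_client uses
# that pid to end the session. Aborts the test if the pid file has not
# appeared after roughly 60 seconds.
#######################################
start_client()
{
	rm -f -- "$pidfile"
	# $SSH and $fwd are intentionally unquoted: the harness may supply
	# $SSH with arguments, and $fwd expands to two words.
	${SSH} -q "-$p" $fwd "$@" somehost \
	    exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \
	    >>"$TEST_REGRESS_LOGFILE" 2>&1 &
	client_pid=$!
	# Wait for the remote end to record its pid.
	n=0
	while [ ! -f "$pidfile" ]; do
		sleep 1
		n=$((n + 1))
		if [ "$n" -gt 60 ]; then
			kill "$client_pid"
			fatal "timeout waiting for background ssh"
		fi
	done
}

#######################################
# Tear down the session started by start_client.
# Globals:   pidfile (read); pid (written)
# Kills the remote "sleep" via the pid it recorded, then reaps the
# background ssh client with wait.
#######################################
stop_client()
{
	pid=$(cat "$pidfile")
	if [ -n "$pid" ]; then
		kill "$pid"
	fi
	wait
}

# Keep a pristine copy of the proxy config; later sections restore from it.
cp "$OBJ/sshd_proxy" "$OBJ/sshd_proxy_bak"

# Direct connections: globally only 127.0.0.1:1 may be opened, but sessions
# arriving from 127.0.0.1 are additionally allowed to reach $PORT.
echo "PermitOpen 127.0.0.1:1" >>"$OBJ/sshd_config"
echo "Match Address 127.0.0.1" >>"$OBJ/sshd_config"
echo "PermitOpen 127.0.0.1:$PORT" >>"$OBJ/sshd_config"

# Proxy config: the global AuthorizedKeysFile is /dev/null, so the per-user
# authorized_keys_%u file is only consulted through the "Match user" block.
# PermitOpen is restricted the same way as above.
grep -v AuthorizedKeysFile "$OBJ/sshd_proxy_bak" > "$OBJ/sshd_proxy"
echo "AuthorizedKeysFile /dev/null" >>"$OBJ/sshd_proxy"
echo "PermitOpen 127.0.0.1:1" >>"$OBJ/sshd_proxy"
echo "Match user $USER" >>"$OBJ/sshd_proxy"
echo "AuthorizedKeysFile /dev/null $OBJ/authorized_keys_%u" >>"$OBJ/sshd_proxy"
echo "Match Address 127.0.0.1" >>"$OBJ/sshd_proxy"
echo "PermitOpen 127.0.0.1:$PORT" >>"$OBJ/sshd_proxy"

start_sshd

#set -x

# Test Match + PermitOpen in sshd_config. This should be permitted
for p in 1 2; do
	trace "match permitopen localhost proto $p"
	start_client -F "$OBJ/ssh_config"
	${SSH} -q "-$p" -p "$fwdport" -F "$OBJ/ssh_config" somehost true || \
	    fail "match permitopen permit proto $p"
	stop_client
done

# Same but from different source. This should not be permitted
# (the proxied session does not satisfy "Match Address 127.0.0.1", so only
# the global PermitOpen 127.0.0.1:1 applies and the forward is refused).
for p in 1 2; do
	trace "match permitopen proxy proto $p"
	start_client -F "$OBJ/ssh_proxy"
	${SSH} -q "-$p" -p "$fwdport" -F "$OBJ/ssh_config" somehost true && \
	    fail "match permitopen deny proto $p"
	stop_client
done

# Retry previous with key option, should also be denied.
# A permitopen= key option cannot widen what sshd_config allows.
# $PORT is passed as a printf argument rather than spliced into the format.
printf 'permitopen="127.0.0.1:%s" ' "$PORT" >"$OBJ/authorized_keys_$USER"
cat "$OBJ/rsa.pub" >> "$OBJ/authorized_keys_$USER"
printf 'permitopen="127.0.0.1:%s" ' "$PORT" >>"$OBJ/authorized_keys_$USER"
cat "$OBJ/rsa1.pub" >> "$OBJ/authorized_keys_$USER"
for p in 1 2; do
	trace "match permitopen proxy w/key opts proto $p"
	start_client -F "$OBJ/ssh_proxy"
	${SSH} -q "-$p" -p "$fwdport" -F "$OBJ/ssh_config" somehost true && \
	    fail "match permitopen deny w/key opt proto $p"
	stop_client
done

# Test both sshd_config and key options permitting the same dst/port pair.
# Should be permitted.
for p in 1 2; do
	trace "match permitopen localhost proto $p"
	start_client -F "$OBJ/ssh_config"
	${SSH} -q "-$p" -p "$fwdport" -F "$OBJ/ssh_config" somehost true || \
	    fail "match permitopen permit proto $p"
	stop_client
done

# Global PermitOpen allows $PORT, but the matching "Match User" block
# replaces that list with one that does not include it.
cp "$OBJ/sshd_proxy_bak" "$OBJ/sshd_proxy"
echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>"$OBJ/sshd_proxy"
echo "Match User $USER" >>"$OBJ/sshd_proxy"
echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>"$OBJ/sshd_proxy"

# Test that a Match overrides a PermitOpen in the global section
for p in 1 2; do
	trace "match permitopen proxy w/key opts proto $p"
	start_client -F "$OBJ/ssh_proxy"
	${SSH} -q "-$p" -p "$fwdport" -F "$OBJ/ssh_config" somehost true && \
	    fail "match override permitopen proto $p"
	stop_client
done

# Same global list, but the Match block is for a user that never matches,
# so the global PermitOpen (with $PORT in second position) stays in effect.
cp "$OBJ/sshd_proxy_bak" "$OBJ/sshd_proxy"
echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>"$OBJ/sshd_proxy"
echo "Match User NoSuchUser" >>"$OBJ/sshd_proxy"
echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>"$OBJ/sshd_proxy"

# Test that a rule that doesn't match doesn't override, plus test a
# PermitOpen entry that's not at the start of the list
for p in 1 2; do
	trace "nomatch permitopen proxy w/key opts proto $p"
	start_client -F "$OBJ/ssh_proxy"
	${SSH} -q "-$p" -p "$fwdport" -F "$OBJ/ssh_config" somehost true || \
	    fail "nomatch override permitopen proto $p"
	stop_client
done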