# $OpenBSD: cfgmatch.sh,v 1.2 2006/07/22 01:50:00 dtucker Exp $
# Placed in the Public Domain.

# Regress test for sshd_config "Match" blocks combined with PermitOpen.
# Each case starts a client that requests the local forward $fwd, records
# the pid of the remote session in $pidfile, then probes the forward with
# a second client; the expected outcome (permit/deny) depends on which
# PermitOpen lines apply to the connecting address/user.
# Uses start_sshd, trace and fail from the test harness, plus $OBJ, $PORT,
# $SSH, $USER and $TEST_SSH_LOGFILE from the environment it sets up.

tid="sshd_config match"

pidfile=$OBJ/remote_pid
fwdport=3301
fwd="-L $fwdport:127.0.0.1:$PORT"

# Append a global PermitOpen for port 1 plus a Match block that permits
# 127.0.0.1:$PORT only for connections arriving from 127.0.0.1.
# $1 = config file to extend.
permit_localhost_match()
{
	echo "PermitOpen 127.0.0.1:1" >>$1
	echo "Match Address 127.0.0.1" >>$1
	echo "PermitOpen 127.0.0.1:$PORT" >>$1
}

# Start a detached client for protocol $p that asks for $fwd and writes
# its remote session pid to $pidfile.
# $1 = extra client flags placed first (may be empty)
# $2 = client config file
# $3 = message handed to fail() if the client cannot be started
start_client()
{
	rm -f $pidfile
	${SSH} $1 -$p $fwd -F $2 -f somehost \
	    "echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 || \
	    fail "$3"
	sleep 1
}

# Connect through the forward opened by start_client; the exit status
# tells whether sshd let the forward through.
probe_forward()
{
	${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true
}

# Terminate the remote session recorded in $pidfile, if any.
stop_client()
{
	pid=$(cat $pidfile)
	if [ -n "$pid" ]; then
		kill $pid
	fi
}

# Keep a pristine copy so the proxy config can be rewritten further down.
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak

permit_localhost_match $OBJ/sshd_config
permit_localhost_match $OBJ/sshd_proxy

start_sshd

#set -x

# Test Match + PermitOpen in sshd_config. This should be permitted
for p in 1 2; do
	trace "match permitopen localhost proto $p"
	start_client "" $OBJ/ssh_config "match permitopen proto $p sshd failed"
	probe_forward || fail "match permitopen permit proto $p"
	stop_client
done

# Same but from different source (via the proxy). This should not be
# permitted, since only the global "PermitOpen 127.0.0.1:1" applies.
for p in 1 2; do
	trace "match permitopen proxy proto $p"
	start_client -q $OBJ/ssh_proxy "match permitopen proxy proto $p sshd failed"
	probe_forward && fail "match permitopen deny proto $p"
	stop_client
done

# Retry previous with key option, should also be denied: a permitopen=
# key option cannot widen what sshd_config allows.
keyopt='permitopen="127.0.0.1:'$PORT'" '
authkeys=$OBJ/authorized_keys_$USER
{
	echo -n "$keyopt"; cat $OBJ/rsa.pub
	echo -n "$keyopt"; cat $OBJ/rsa1.pub
} >$authkeys
for p in 1 2; do
	trace "match permitopen proxy w/key opts proto $p"
	start_client -q $OBJ/ssh_proxy \
	    "match permitopen w/key opt proto $p sshd failed"
	probe_forward && fail "match permitopen deny w/key opt proto $p"
	stop_client
done

# Test both sshd_config and key options permitting the same dst/port pair.
# Should be permitted.
for p in 1 2; do
	trace "match permitopen localhost proto $p"
	start_client "" $OBJ/ssh_config "match permitopen proto $p sshd failed"
	probe_forward || fail "match permitopen permit proto $p"
	stop_client
done

# Rewrite the proxy config: the global line permits $PORT, but the
# Match block for this user lists only ports 1 and 2.
cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
cat >>$OBJ/sshd_proxy <<EOF
PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2
Match User $USER
PermitOpen 127.0.0.1:1 127.0.0.1:2
EOF

# Test that a Match overrides a PermitOpen in the global section
for p in 1 2; do
	trace "match permitopen proxy w/key opts proto $p"
	start_client -q $OBJ/ssh_proxy \
	    "match override permitopen proto $p sshd failed"
	probe_forward && fail "match override permitopen proto $p"
	stop_client
done