#	$OpenBSD: cfgmatch.sh,v 1.3 2006/11/06 09:27:43 markus Exp $
#	Placed in the Public Domain.
tid="sshd_config match"

# The backgrounded client's remote command writes its pid here; stop_client
# reads it back to tear the client down after each case.
pidfile="$OBJ/remote_pid"
# Local port that every case forwards to the test sshd listening on $PORT.
fwdport=3301
# Kept as one string and expanded unquoted by the callers so that it splits
# into "-L" and its argument.
fwd="-L ${fwdport}:127.0.0.1:${PORT}"

# Terminate the client started by a test case.  The remote command ran
# "echo $$ > $pidfile; exec sleep 100", so the file holds the pid of the
# sleep holding the session open; killing it ends the backgrounded ssh.
# Reads the global pidfile.  An empty file kills nothing; a missing file
# lets cat report the error and likewise kills nothing.
stop_client()
{
	pid=$(cat "$pidfile")
	case "$pid" in
	"")	;;
	*)	kill "$pid" ;;
	esac
}

# Keep a pristine copy of sshd_proxy: the override test further down
# restores it before appending a different Match block.
cp "$OBJ/sshd_proxy" "$OBJ/sshd_proxy_bak"

# The global section permits only 127.0.0.1:1; a Match Address block for
# clients arriving from 127.0.0.1 additionally permits the forward to
# $PORT.  The same lines go into sshd_config (the daemon start_sshd
# launches) and sshd_proxy (presumably the config of the sshd reached via
# ssh_proxy — confirm against the harness).
cat >>"$OBJ/sshd_config" <<EOF
PermitOpen 127.0.0.1:1
Match Address 127.0.0.1
PermitOpen 127.0.0.1:$PORT
EOF

cat >>"$OBJ/sshd_proxy" <<EOF
PermitOpen 127.0.0.1:1
Match Address 127.0.0.1
PermitOpen 127.0.0.1:$PORT
EOF

start_sshd

#set -x

# Test Match + PermitOpen in sshd_config.  This should be permitted:
# the client connects from 127.0.0.1, so the Match Address block applies
# and its PermitOpen for $PORT is in force.
for p in 1 2; do
	rm -f "$pidfile"
	trace "match permitopen localhost proto $p"
	# Background a client whose remote command records its pid in
	# $pidfile for stop_client.  $fwd is intentionally unquoted: it must
	# split into -L and its argument.
	if ! ${SSH} -$p $fwd -F "$OBJ/ssh_config" -f somehost \
	    exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \
	    >>"$TEST_SSH_LOGFILE" 2>&1; then
		fail "match permitopen proto $p sshd failed"
	fi
	sleep 1
	# Connecting through the forwarded port must succeed here.
	if ! ${SSH} -q -$p -p "$fwdport" -F "$OBJ/ssh_config" somehost true; then
		fail "match permitopen permit proto $p"
	fi
	stop_client
done

# Same but from different source.  This should not be permitted: via
# ssh_proxy the connection is not seen as coming from 127.0.0.1, so the
# Match Address block should not apply and only the global
# "PermitOpen 127.0.0.1:1" remains in force.
for p in 1 2; do
	rm -f "$pidfile"
	trace "match permitopen proxy proto $p"
	# $fwd is intentionally unquoted: it must split into -L and its argument.
	if ! ${SSH} -q -$p $fwd -F "$OBJ/ssh_proxy" -f somehost \
	    exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \
	    >>"$TEST_SSH_LOGFILE" 2>&1; then
		fail "match permitopen proxy proto $p sshd failed"
	fi
	sleep 1
	# A successful connection through the forward means the deny failed.
	if ${SSH} -q -$p -p "$fwdport" -F "$OBJ/ssh_config" somehost true; then
		fail "match permitopen deny proto $p"
	fi
	stop_client
done

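# Retry previous with key option, should also be denied.
# Prefix both test keys with a permitopen= option for the very dst/port
# pair the server refuses on the proxy path; the deny expectation in the
# loop below checks that a key option cannot grant a forward the server
# configuration does not permit.
# printf instead of "echo -n": -n is not portable across /bin/sh variants
# (some print it literally), which would corrupt the key option.
printf 'permitopen="127.0.0.1:%s" ' "$PORT" >"$OBJ/authorized_keys_$USER"
cat "$OBJ/rsa.pub" >>"$OBJ/authorized_keys_$USER"
printf 'permitopen="127.0.0.1:%s" ' "$PORT" >>"$OBJ/authorized_keys_$USER"
cat "$OBJ/rsa1.pub" >>"$OBJ/authorized_keys_$USER"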
# Via ssh_proxy again, now with the permitopen key option installed: the
# server configuration still denies the forward, so the key option alone
# must not be enough to allow it.
for p in 1 2; do
	rm -f "$pidfile"
	trace "match permitopen proxy w/key opts proto $p"
	# $fwd is intentionally unquoted: it must split into -L and its argument.
	if ! ${SSH} -q -$p $fwd -F "$OBJ/ssh_proxy" -f somehost \
	    exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \
	    >>"$TEST_SSH_LOGFILE" 2>&1; then
		fail "match permitopen w/key opt proto $p sshd failed"
	fi
	sleep 1
	# A successful connection through the forward means the deny failed.
	if ${SSH} -q -$p -p "$fwdport" -F "$OBJ/ssh_config" somehost true; then
		fail "match permitopen deny w/key opt proto $p"
	fi
	stop_client
done

# Test both sshd_config and key options permitting the same dst/port pair.
# Should be permitted: from 127.0.0.1 the Match Address block allows
# $PORT and the permitopen key option agrees.
for p in 1 2; do
	rm -f "$pidfile"
	trace "match permitopen localhost proto $p"
	# $fwd is intentionally unquoted: it must split into -L and its argument.
	if ! ${SSH} -$p $fwd -F "$OBJ/ssh_config" -f somehost \
	    exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \
	    >>"$TEST_SSH_LOGFILE" 2>&1; then
		fail "match permitopen proto $p sshd failed"
	fi
	sleep 1
	# Connecting through the forwarded port must succeed here.
	if ! ${SSH} -q -$p -p "$fwdport" -F "$OBJ/ssh_config" somehost true; then
		fail "match permitopen permit proto $p"
	fi
	stop_client
done

# Start from the pristine sshd_proxy.  The global PermitOpen list does
# include 127.0.0.1:$PORT, but the Match User block that follows carries
# its own list without it; the test below expects that list to win.
cp "$OBJ/sshd_proxy_bak" "$OBJ/sshd_proxy"
cat >>"$OBJ/sshd_proxy" <<EOF
PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2
Match User $USER
PermitOpen 127.0.0.1:1 127.0.0.1:2
EOF

# Test that a Match overrides a PermitOpen in the global section: the
# Match User block's list omits $PORT, so the forward must be refused
# even though the global list allows it.
for p in 1 2; do
	rm -f "$pidfile"
	trace "match permitopen proxy w/key opts proto $p"
	# $fwd is intentionally unquoted: it must split into -L and its argument.
	if ! ${SSH} -q -$p $fwd -F "$OBJ/ssh_proxy" -f somehost \
	    exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \
	    >>"$TEST_SSH_LOGFILE" 2>&1; then
		fail "match override permitopen proto $p sshd failed"
	fi
	sleep 1
	# A successful connection through the forward means the override
	# did not take effect.
	if ${SSH} -q -$p -p "$fwdport" -F "$OBJ/ssh_config" somehost true; then
		fail "match override permitopen proto $p"
	fi
	stop_client
done

106