[openssh-commits] [openssh] 01/01: upstream: regress test for PermitOpen
git+noreply at mindrot.org
git+noreply at mindrot.org
Thu Jun 7 04:28:31 AEST 2018
This is an automated email from the git hooks/post-receive script.
djm pushed a commit to branch master
in repository openssh.
commit 392db2bc83215986a91c0b65feb0e40e7619ce7e
Author: djm at openbsd.org <djm at openbsd.org>
Date: Wed Jun 6 18:25:33 2018 +0000
upstream: regress test for PermitOpen
OpenBSD-Regress-ID: ce8b5f28fc039f09bb297fc4a92319e65982ddaf
---
regress/forward-control.sh | 77 +++++++++++++++++++++++++++++++++++++---------
1 file changed, 62 insertions(+), 15 deletions(-)
diff --git a/regress/forward-control.sh b/regress/forward-control.sh
index 93d05cf6..c22ca223 100644
--- a/regress/forward-control.sh
+++ b/regress/forward-control.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: forward-control.sh,v 1.5 2018/03/02 02:51:55 djm Exp $
+# $OpenBSD: forward-control.sh,v 1.6 2018/06/06 18:25:33 djm Exp $
# Placed in the Public Domain.
tid="sshd control of local and remote forwarding"
@@ -67,7 +67,7 @@ check_rfwd() {
_message=$2
rm -f $READY
${SSH} -F $OBJ/ssh_proxy \
- -R$RFWD_PORT:127.0.0.1:$PORT \
+ -R127.0.0.1:$RFWD_PORT:127.0.0.1:$PORT \
-o ExitOnForwardFailure=yes \
-n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \
>/dev/null 2>&1 &
@@ -100,8 +100,8 @@ cp ${OBJ}/authorized_keys_${USER} ${OBJ}/authorized_keys_${USER}.bak
check_lfwd Y "default configuration"
check_rfwd Y "default configuration"
-# Usage: all_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N
-all_tests() {
+# Usage: lperm_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N
+lperm_tests() {
_tcpfwd=$1
_plain_lfwd=$2
_plain_rfwd=$3
@@ -109,32 +109,39 @@ all_tests() {
_nopermit_rfwd=$5
_permit_lfwd=$6
_permit_rfwd=$7
- _badfwd=127.0.0.1:22
+ _badfwd1=127.0.0.1:22
+ _badfwd2=127.0.0.2:22
_goodfwd=127.0.0.1:${PORT}
cp ${OBJ}/authorized_keys_${USER}.bak ${OBJ}/authorized_keys_${USER}
_prefix="AllowTcpForwarding=$_tcpfwd"
+
# No PermitOpen
( cat ${OBJ}/sshd_proxy.bak ;
echo "AllowTcpForwarding $_tcpfwd" ) \
> ${OBJ}/sshd_proxy
check_lfwd $_plain_lfwd "$_prefix"
check_rfwd $_plain_rfwd "$_prefix"
+
# PermitOpen via sshd_config that doesn't match
( cat ${OBJ}/sshd_proxy.bak ;
echo "AllowTcpForwarding $_tcpfwd" ;
- echo "PermitOpen $_badfwd" ) \
+ echo "PermitOpen $_badfwd1 $_badfwd2" ) \
> ${OBJ}/sshd_proxy
check_lfwd $_nopermit_lfwd "$_prefix, !PermitOpen"
check_rfwd $_nopermit_rfwd "$_prefix, !PermitOpen"
# PermitOpen via sshd_config that does match
( cat ${OBJ}/sshd_proxy.bak ;
echo "AllowTcpForwarding $_tcpfwd" ;
- echo "PermitOpen $_badfwd $_goodfwd" ) \
+ echo "PermitOpen $_badfwd1 $_goodfwd $_badfwd2" ) \
> ${OBJ}/sshd_proxy
+ check_lfwd $_plain_lfwd "$_prefix, PermitOpen"
+ check_rfwd $_plain_rfwd "$_prefix, PermitOpen"
+
+ # permitopen keys option.
# NB. permitopen via authorized_keys should have same
# success/fail as via sshd_config
# permitopen via authorized_keys that doesn't match
- sed "s/^/permitopen=\"$_badfwd\" /" \
+ sed "s/^/permitopen=\"$_badfwd1\",permitopen=\"$_badfwd2\" /" \
< ${OBJ}/authorized_keys_${USER}.bak \
> ${OBJ}/authorized_keys_${USER} || fatal "sed 1 fail"
( cat ${OBJ}/sshd_proxy.bak ;
@@ -143,7 +150,7 @@ all_tests() {
check_lfwd $_nopermit_lfwd "$_prefix, !permitopen"
check_rfwd $_nopermit_rfwd "$_prefix, !permitopen"
# permitopen via authorized_keys that does match
- sed "s/^/permitopen=\"$_badfwd\",permitopen=\"$_goodfwd\" /" \
+ sed "s/^/permitopen=\"$_badfwd1\",permitopen=\"$_goodfwd\" /" \
< ${OBJ}/authorized_keys_${USER}.bak \
> ${OBJ}/authorized_keys_${USER} || fatal "sed 2 fail"
( cat ${OBJ}/sshd_proxy.bak ;
@@ -151,6 +158,7 @@ all_tests() {
> ${OBJ}/sshd_proxy
check_lfwd $_permit_lfwd "$_prefix, permitopen"
check_rfwd $_permit_rfwd "$_prefix, permitopen"
+
# Check port-forwarding flags in authorized_keys.
# These two should refuse all.
sed "s/^/no-port-forwarding /" \
@@ -180,9 +188,48 @@ all_tests() {
check_rfwd $_plain_rfwd "$_prefix, restrict,port-forwarding"
}
-# no-permitopen mismatch-permitopen match-permitopen
-# AllowTcpForwarding local remote local remote local remote
-all_tests yes Y Y N Y Y Y
-all_tests local Y N N N Y N
-all_tests remote N Y N Y N Y
-all_tests no N N N N N N
+# permit-open none mismatch match
+# AllowTcpForwarding local remote local remote local remote
+lperm_tests yes Y Y N Y Y Y
+lperm_tests local Y N N N Y N
+lperm_tests remote N Y N Y N Y
+lperm_tests no N N N N N N
+
+# Usage: rperm_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N
+rperm_tests() {
+ _tcpfwd=$1
+ _plain_lfwd=$2
+ _plain_rfwd=$3
+ _nopermit_lfwd=$4
+ _nopermit_rfwd=$5
+ _permit_lfwd=$6
+ _permit_rfwd=$7
+ _badfwd1=127.0.0.1:22
+ _badfwd2=127.0.0.2:${RFWD_PORT}
+ _goodfwd=127.0.0.1:${RFWD_PORT}
+ cp ${OBJ}/authorized_keys_${USER}.bak ${OBJ}/authorized_keys_${USER}
+ _prefix="AllowTcpForwarding=$_tcpfwd"
+
+ # PermitRemoteOpen via sshd_config that doesn't match
+ ( cat ${OBJ}/sshd_proxy.bak ;
+ echo "AllowTcpForwarding $_tcpfwd" ;
+ echo "PermitRemoteOpen $_badfwd1 $_badfwd2" ) \
+ > ${OBJ}/sshd_proxy
+ check_lfwd $_nopermit_lfwd "$_prefix, !PermitRemoteOpen"
+ check_rfwd $_nopermit_rfwd "$_prefix, !PermitRemoteOpen"
+ # PermitRemoteOpen via sshd_config that does match
+ ( cat ${OBJ}/sshd_proxy.bak ;
+ echo "AllowTcpForwarding $_tcpfwd" ;
+ echo "PermitRemoteOpen $_badfwd1 $_goodfwd $_badfwd2" ) \
+ > ${OBJ}/sshd_proxy
+ check_lfwd $_plain_lfwd "$_prefix, PermitRemoteOpen"
+ check_rfwd $_plain_rfwd "$_prefix, PermitRemoteOpen"
+}
+
+# permit-remote-open none mismatch match
+# AllowTcpForwarding local remote local remote local remote
+rperm_tests yes Y Y Y N Y Y
+rperm_tests local Y N Y N Y N
+rperm_tests remote N Y N N N Y
+rperm_tests no N N N N N N
+
--
To stop receiving notification emails like this one, please contact
djm at mindrot.org.
More information about the openssh-commits
mailing list