[openssh-commits] [openssh] 01/01: upstream: regress test for PermitOpen

git+noreply at mindrot.org git+noreply at mindrot.org
Thu Jun 7 04:28:31 AEST 2018


This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit 392db2bc83215986a91c0b65feb0e40e7619ce7e
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Wed Jun 6 18:25:33 2018 +0000

    upstream: regress test for PermitOpen
    
    OpenBSD-Regress-ID: ce8b5f28fc039f09bb297fc4a92319e65982ddaf
---
 regress/forward-control.sh | 77 +++++++++++++++++++++++++++++++++++++---------
 1 file changed, 62 insertions(+), 15 deletions(-)

diff --git a/regress/forward-control.sh b/regress/forward-control.sh
index 93d05cf6..c22ca223 100644
--- a/regress/forward-control.sh
+++ b/regress/forward-control.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: forward-control.sh,v 1.5 2018/03/02 02:51:55 djm Exp $
+#	$OpenBSD: forward-control.sh,v 1.6 2018/06/06 18:25:33 djm Exp $
 #	Placed in the Public Domain.
 
 tid="sshd control of local and remote forwarding"
@@ -67,7 +67,7 @@ check_rfwd() {
 	_message=$2
 	rm -f $READY
 	${SSH} -F $OBJ/ssh_proxy \
-	    -R$RFWD_PORT:127.0.0.1:$PORT \
+	    -R127.0.0.1:$RFWD_PORT:127.0.0.1:$PORT \
 	    -o ExitOnForwardFailure=yes \
 	    -n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \
 	    >/dev/null 2>&1 &
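Review bot: The switch to an explicit bind address in `-R127.0.0.1:$RFWD_PORT:127.0.0.1:$PORT` carries no comment saying why, and the reason is not obvious from check_rfwd itself. It is presumably there so that the listen request matches the `127.0.0.1:${RFWD_PORT}` entry that rperm_tests puts into PermitRemoteOpen and differs from the `127.0.0.2:${RFWD_PORT}` one. A line such as `# Bind explicitly to 127.0.0.1 so the request can be matched against host:port PermitRemoteOpen entries.` above the ssh invocation would keep a later cleanup from dropping the address. check_rfwd starts and ends outside this hunk.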
@@ -100,8 +100,8 @@ cp ${OBJ}/authorized_keys_${USER} ${OBJ}/authorized_keys_${USER}.bak
 check_lfwd Y "default configuration"
 check_rfwd Y "default configuration"
 
-# Usage: all_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N
-all_tests() {
+# Usage: lperm_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N
+lperm_tests() {
 	_tcpfwd=$1
 	_plain_lfwd=$2
 	_plain_rfwd=$3
@@ -109,32 +109,39 @@ all_tests() {
 	_nopermit_rfwd=$5
 	_permit_lfwd=$6
 	_permit_rfwd=$7
-	_badfwd=127.0.0.1:22
+	_badfwd1=127.0.0.1:22
+	_badfwd2=127.0.0.2:22
 	_goodfwd=127.0.0.1:${PORT}
 	cp ${OBJ}/authorized_keys_${USER}.bak  ${OBJ}/authorized_keys_${USER}
 	_prefix="AllowTcpForwarding=$_tcpfwd"
+
 	# No PermitOpen
 	( cat ${OBJ}/sshd_proxy.bak ;
 	  echo "AllowTcpForwarding $_tcpfwd" ) \
 	    > ${OBJ}/sshd_proxy
 	check_lfwd $_plain_lfwd "$_prefix"
 	check_rfwd $_plain_rfwd "$_prefix"
+
 	# PermitOpen via sshd_config that doesn't match
 	( cat ${OBJ}/sshd_proxy.bak ;
 	  echo "AllowTcpForwarding $_tcpfwd" ;
-	  echo "PermitOpen $_badfwd" ) \
+	  echo "PermitOpen $_badfwd1 $_badfwd2" ) \
 	    > ${OBJ}/sshd_proxy
 	check_lfwd $_nopermit_lfwd "$_prefix, !PermitOpen"
 	check_rfwd $_nopermit_rfwd "$_prefix, !PermitOpen"
 	# PermitOpen via sshd_config that does match
 	( cat ${OBJ}/sshd_proxy.bak ;
 	  echo "AllowTcpForwarding $_tcpfwd" ;
-	  echo "PermitOpen $_badfwd $_goodfwd" ) \
+	  echo "PermitOpen $_badfwd1 $_goodfwd $_badfwd2" ) \
 	    > ${OBJ}/sshd_proxy
+	check_lfwd $_plain_lfwd "$_prefix, PermitOpen"
+	check_rfwd $_plain_rfwd "$_prefix, PermitOpen"
+
+	# permitopen keys option.
 	# NB. permitopen via authorized_keys should have same
 	# success/fail as via sshd_config
 	# permitopen via authorized_keys that doesn't match
-	sed "s/^/permitopen=\"$_badfwd\" /" \
+	sed "s/^/permitopen=\"$_badfwd1\",permitopen=\"$_badfwd2\" /" \
 	    < ${OBJ}/authorized_keys_${USER}.bak \
 	    > ${OBJ}/authorized_keys_${USER} || fatal "sed 1 fail"
 	( cat ${OBJ}/sshd_proxy.bak ;
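Review bot: The two checks added after the matching `PermitOpen $_badfwd1 $_goodfwd $_badfwd2` config take their expectation from `$_plain_lfwd`/`$_plain_rfwd`, the "none" column, rather than from `$_permit_lfwd`/`$_permit_rfwd`, which the authorized_keys match case later in the function uses. The result is the same today only because the none and match columns of the lperm_tests table are identical, so a later table edit would silently test against the wrong expectation. I would change them to `check_lfwd $_permit_lfwd "$_prefix, PermitOpen"` and `check_rfwd $_permit_rfwd "$_prefix, PermitOpen"`. The same applies to the PermitRemoteOpen match checks in rperm_tests further down, where `$_permit_lfwd` and `$_permit_rfwd` are assigned but never read. lperm_tests begins and ends outside this hunk.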
@@ -143,7 +150,7 @@ all_tests() {
 	check_lfwd $_nopermit_lfwd "$_prefix, !permitopen"
 	check_rfwd $_nopermit_rfwd "$_prefix, !permitopen"
 	# permitopen via authorized_keys that does match
-	sed "s/^/permitopen=\"$_badfwd\",permitopen=\"$_goodfwd\" /" \
+	sed "s/^/permitopen=\"$_badfwd1\",permitopen=\"$_goodfwd\" /" \
 	    < ${OBJ}/authorized_keys_${USER}.bak \
 	    > ${OBJ}/authorized_keys_${USER} || fatal "sed 2 fail"
 	( cat ${OBJ}/sshd_proxy.bak ;
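Review bot: The matching authorized_keys case lists only `$_badfwd1` before `$_goodfwd`, while the sshd_config variant above was extended to `PermitOpen $_badfwd1 $_goodfwd $_badfwd2`, so the key-option path never checks a permitted entry that is followed by a further non-matching one. For parity I would use `sed "s/^/permitopen=\"$_badfwd1\",permitopen=\"$_goodfwd\",permitopen=\"$_badfwd2\" /" \` here. The function body continues outside this hunk.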
@@ -151,6 +158,7 @@ all_tests() {
 	    > ${OBJ}/sshd_proxy
 	check_lfwd $_permit_lfwd "$_prefix, permitopen"
 	check_rfwd $_permit_rfwd "$_prefix, permitopen"
+
 	# Check port-forwarding flags in authorized_keys.
 	# These two should refuse all.
 	sed "s/^/no-port-forwarding /" \
@@ -180,9 +188,48 @@ all_tests() {
 	check_rfwd $_plain_rfwd "$_prefix, restrict,port-forwarding"
 }
 
-#                      no-permitopen mismatch-permitopen match-permitopen
-#   AllowTcpForwarding  local remote        local remote     local remote
-all_tests          yes      Y      Y            N      Y         Y      Y
-all_tests        local      Y      N            N      N         Y      N
-all_tests       remote      N      Y            N      Y         N      Y
-all_tests           no      N      N            N      N         N      N
+#          permit-open      none          mismatch         match
+#   AllowTcpForwarding  local remote    local remote    local remote
+lperm_tests     yes     Y     Y         N     Y         Y     Y
+lperm_tests   local     Y     N         N     N         Y     N
+lperm_tests  remote     N     Y         N     Y         N     Y
+lperm_tests      no     N     N         N     N         N     N
+
+# Usage: rperm_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N
+rperm_tests() {
+	_tcpfwd=$1
+	_plain_lfwd=$2
+	_plain_rfwd=$3
+	_nopermit_lfwd=$4
+	_nopermit_rfwd=$5
+	_permit_lfwd=$6
+	_permit_rfwd=$7
+	_badfwd1=127.0.0.1:22
+	_badfwd2=127.0.0.2:${RFWD_PORT}
+	_goodfwd=127.0.0.1:${RFWD_PORT}
+	cp ${OBJ}/authorized_keys_${USER}.bak  ${OBJ}/authorized_keys_${USER}
+	_prefix="AllowTcpForwarding=$_tcpfwd"
+
+	# PermitRemoteOpen via sshd_config that doesn't match
+	( cat ${OBJ}/sshd_proxy.bak ;
+	  echo "AllowTcpForwarding $_tcpfwd" ;
+	  echo "PermitRemoteOpen $_badfwd1 $_badfwd2" ) \
+	    > ${OBJ}/sshd_proxy
+	check_lfwd $_nopermit_lfwd "$_prefix, !PermitRemoteOpen"
+	check_rfwd $_nopermit_rfwd "$_prefix, !PermitRemoteOpen"
+	# PermitRemoteOpen via sshd_config that does match
+	( cat ${OBJ}/sshd_proxy.bak ;
+	  echo "AllowTcpForwarding $_tcpfwd" ;
+	  echo "PermitRemoteOpen $_badfwd1 $_goodfwd $_badfwd2" ) \
+	    > ${OBJ}/sshd_proxy
+	check_lfwd $_plain_lfwd "$_prefix, PermitRemoteOpen"
+	check_rfwd $_plain_rfwd "$_prefix, PermitRemoteOpen"
+}
+
+#   permit-remote-open      none          mismatch         match
+#   AllowTcpForwarding  local remote    local remote    local remote
+rperm_tests     yes     Y     Y         Y     N         Y     Y
+rperm_tests   local     Y     N         Y     N         Y     N
+rperm_tests  remote     N     Y         N     N         N     Y
+rperm_tests      no     N     N         N     N         N     N
+
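Review bot: The rperm_tests table needs a comment stating the rule it encodes, because its mismatch column differs from the lperm_tests one in a way that is easy to misread: a non-matching PermitRemoteOpen is expected to block only remote forwards, while local forwards follow AllowTcpForwarding alone. Something like `# PermitRemoteOpen restricts -R listeners only; local results must equal the "none" column.` above the table would make that explicit. rperm_tests also has no authorized_keys variant, unlike lperm_tests; if that is because no key option exists for remote listeners, the comment should say so.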
