[openssh-commits] [openssh] 08/08: upstream: regression test for PermitRemoteOpen
git+noreply at mindrot.org
git+noreply at mindrot.org
Tue Jan 3 17:53:47 AEDT 2023
This is an automated email from the git hooks/post-receive script.
dtucker pushed a commit to branch master
in repository openssh.
commit 845ceecea2ac311b0c267f9ecbd34862e1876fc6
Author: djm at openbsd.org <djm at openbsd.org>
Date: Mon Jan 2 07:03:57 2023 +0000
upstream: regression test for PermitRemoteOpen
OpenBSD-Regress-ID: 8271aafbf5c21950cd5bf966f08e585cebfe630c
---
regress/dynamic-forward.sh | 84 ++++++++++++++++++++++++++++++++++++----------
1 file changed, 66 insertions(+), 18 deletions(-)
diff --git a/regress/dynamic-forward.sh b/regress/dynamic-forward.sh
index 84f8ee19..f6c2393d 100644
--- a/regress/dynamic-forward.sh
+++ b/regress/dynamic-forward.sh
@@ -1,10 +1,12 @@
-# $OpenBSD: dynamic-forward.sh,v 1.13 2017/09/21 19:18:12 markus Exp $
+# $OpenBSD: dynamic-forward.sh,v 1.14 2023/01/02 07:03:57 djm Exp $
# Placed in the Public Domain.
tid="dynamic forwarding"
FWDPORT=`expr $PORT + 1`
+cp $OBJ/ssh_config $OBJ/ssh_config.orig
+
if have_prog nc && nc -h 2>&1 | grep "proxy address" >/dev/null; then
proxycmd="nc -x 127.0.0.1:$FWDPORT -X"
elif have_prog connect; then
@@ -15,16 +17,16 @@ else
fi
trace "will use ProxyCommand $proxycmd"
-start_sshd
-
-for d in D R; do
+start_ssh() {
+ direction="$1"
+ arg="$2"
n=0
error="1"
- trace "start dynamic forwarding, fork to background"
-
+ trace "start dynamic -$direction forwarding, fork to background"
+ (cat $OBJ/ssh_config.orig ; echo "$arg") > $OBJ/ssh_config
while [ "$error" -ne 0 -a "$n" -lt 3 ]; do
n=`expr $n + 1`
- ${SSH} -F $OBJ/ssh_config -f -$d $FWDPORT -q \
+ ${SSH} -F $OBJ/ssh_config -f -$direction $FWDPORT -q \
-oExitOnForwardFailure=yes somehost exec sh -c \
\'"echo \$\$ > $OBJ/remote_pid; exec sleep 444"\'
error=$?
@@ -36,18 +38,9 @@ for d in D R; do
if [ "$error" -ne 0 ]; then
fatal "failed to start dynamic forwarding"
fi
+}
- for s in 4 5; do
- for h in 127.0.0.1 localhost; do
- trace "testing ssh socks version $s host $h (-$d)"
- ${SSH} -F $OBJ/ssh_config \
- -o "ProxyCommand ${proxycmd}${s} $h $PORT" \
- somehost cat ${DATA} > ${COPY}
- test -f ${COPY} || fail "failed copy ${DATA}"
- cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}"
- done
- done
-
+stop_ssh() {
if [ -f $OBJ/remote_pid ]; then
remote=`cat $OBJ/remote_pid`
trace "terminate remote shell, pid $remote"
@@ -57,5 +50,60 @@ for d in D R; do
else
fail "no pid file: $OBJ/remote_pid"
fi
+}
+
+check_socks() {
+ direction=$1
+ expect_success=$2
+ for s in 4 5; do
+ for h in 127.0.0.1 localhost; do
+ trace "testing ssh socks version $s host $h (-$direction)"
+ ${SSH} -F $OBJ/ssh_config \
+ -o "ProxyCommand ${proxycmd}${s} $h $PORT 2>/dev/null" \
+ somehost cat ${DATA} > ${COPY}
+ r=$?
+ if [ "x$expect_success" = "xY" ] ; then
+ if [ $r -ne 0 ] ; then
+ fail "ssh failed with exit status $r"
+ fi
+ test -f ${COPY} || fail "failed copy ${DATA}"
+ cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}"
+ elif [ $r -eq 0 ] ; then
+ fail "ssh unexpectedly succeeded"
+ fi
+ done
+ done
+}
+
+start_sshd
+
+for d in D R; do
+ verbose "test -$d forwarding"
+ start_ssh $d
+ check_socks $d Y
+ stop_ssh
+ test "x$d" = "xR" || continue
+
+ # Test PermitRemoteOpen
+ verbose "PermitRemoteOpen=any"
+ start_ssh $d PermitRemoteOpen=any
+ check_socks $d Y
+ stop_ssh
+
+ verbose "PermitRemoteOpen=none"
+ start_ssh $d PermitRemoteOpen=none
+ check_socks $d N
+ stop_ssh
+
+ verbose "PermitRemoteOpen=explicit"
+ start_ssh $d \
+ PermitRemoteOpen="127.0.0.1:$PORT [::1]:$PORT localhost:$PORT"
+ check_socks $d Y
+ stop_ssh
+ verbose "PermitRemoteOpen=disallowed"
+ start_ssh $d \
+ PermitRemoteOpen="127.0.0.1:1 [::1]:1 localhost:1"
+ check_socks $d N
+ stop_ssh
done
--
To stop receiving notification emails like this one, please contact
djm at mindrot.org.
More information about the openssh-commits
mailing list