|
1 | 1 | # $OpenBSD: cfgmatch.sh,v 1.13 2021/06/08 06:52:43 djm Exp $ |
2 | 2 | # Placed in the Public Domain. |
3 | 3 |
|
4 | | -tid="sshd_config match" |
5 | | - |
6 | | -pidfile=$OBJ/remote_pid |
7 | | -fwdport=3301 |
8 | | -fwd="-L $fwdport:127.0.0.1:$PORT" |
9 | | - |
10 | | -echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_config |
11 | | -echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_proxy |
12 | | - |
13 | | -start_client() |
14 | | -{ |
15 | | - rm -f $pidfile |
16 | | - ${SSH} -q $fwd "$@" somehost \ |
17 | | - exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \ |
18 | | - >>$TEST_REGRESS_LOGFILE 2>&1 & |
19 | | - client_pid=$! |
20 | | - # Wait for remote end |
21 | | - n=0 |
22 | | - while test ! -f $pidfile ; do |
23 | | - sleep 1 |
24 | | - n=`expr $n + 1` |
25 | | - if test $n -gt 60; then |
26 | | - if [ "$os" == "windows" ]; then |
27 | | - # We can't kill windows process from cygwin / wsl so use "stop-process" |
28 | | - powershell.exe /c "stop-process -id $client_pid -Force" >/dev/null 2>&1 |
29 | | - else |
30 | | - kill $client_pid |
31 | | - fi |
32 | | - fatal "timeout waiting for background ssh" |
33 | | - fi |
34 | | - done |
35 | | -} |
36 | | - |
37 | | -stop_client() |
38 | | -{ |
39 | | - pid=`cat $pidfile` |
40 | | - if [ "$os" == "windows" ]; then |
41 | | - # We can't kill windows process from cygwin / wsl so use "stop-process" |
42 | | - powershell.exe /c "stop-process -id $pid -Force" >/dev/null 2>&1 |
43 | | - powershell.exe /c "stop-process -name sleep -Force" >/dev/null 2>&1 |
44 | | - else |
45 | | - if [ ! -z "$pid" ]; then |
46 | | - kill $pid |
47 | | - fi |
48 | | - wait |
49 | | - fi |
50 | | -} |
51 | | - |
52 | | -cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak |
53 | | -echo "PermitOpen 127.0.0.1:1 # comment" >>$OBJ/sshd_config |
54 | | -echo "Match Address 127.0.0.1" >>$OBJ/sshd_config |
55 | | -echo "PermitOpen 127.0.0.1:2 127.0.0.1:3 127.0.0.1:$PORT" >>$OBJ/sshd_config |
56 | | - |
57 | | -grep -v AuthorizedKeysFile $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy |
58 | | -echo "AuthorizedKeysFile /dev/null # comment" >>$OBJ/sshd_proxy |
59 | | -echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_proxy |
60 | | -if [ "$os" == "windows" ]; then |
61 | | - # If User is domainuser then it will be in "domain/user" so convert it to "domain\user" |
62 | | - echo "Match user ${USER//\//\\}" >>$OBJ/sshd_proxy |
63 | | -else |
64 | | - echo "Match user $USER" >>$OBJ/sshd_proxy |
65 | | -fi |
66 | | - |
67 | | -echo "AuthorizedKeysFile /dev/null $OBJ/authorized_keys_%u" >>$OBJ/sshd_proxy |
68 | | -echo "Match Address 127.0.0.1 # comment" >>$OBJ/sshd_proxy |
69 | | -echo "PermitOpen 127.0.0.1:2 127.0.0.1:3 127.0.0.1:$PORT" >>$OBJ/sshd_proxy |
70 | | - |
71 | | -${SUDO} ${SSHD} -f $OBJ/sshd_config -T >/dev/null || \ |
72 | | - fail "config w/match fails config test" |
73 | | - |
74 | | -start_sshd |
75 | | - |
76 | | -# Test Match + PermitOpen in sshd_config. This should be permitted |
77 | | -trace "match permitopen localhost" |
78 | | -start_client -F $OBJ/ssh_config |
79 | | -${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \ |
80 | | - fail "match permitopen permit" |
81 | | -stop_client |
82 | | - |
83 | | -# Same but from different source. This should not be permitted |
84 | | -trace "match permitopen proxy" |
85 | | -start_client -F $OBJ/ssh_proxy |
86 | | -${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true && \ |
87 | | - fail "match permitopen deny" |
88 | | -stop_client |
89 | | - |
90 | | -# Retry previous with key option, should also be denied. |
91 | | -cp /dev/null $OBJ/authorized_keys_$USER |
92 | | -for t in ${SSH_KEYTYPES}; do |
93 | | - printf 'permitopen="127.0.0.1:'$PORT'" ' >> $OBJ/authorized_keys_$USER |
94 | | - cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER |
95 | | -done |
96 | | -trace "match permitopen proxy w/key opts" |
97 | | -start_client -F $OBJ/ssh_proxy |
98 | | -${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true && \ |
99 | | - fail "match permitopen deny w/key opt" |
100 | | -stop_client |
101 | | - |
102 | | -# Test both sshd_config and key options permitting the same dst/port pair. |
103 | | -# Should be permitted. |
104 | | -trace "match permitopen localhost" |
105 | | -start_client -F $OBJ/ssh_config |
106 | | -${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \ |
107 | | - fail "match permitopen permit" |
108 | | -stop_client |
109 | | - |
110 | | -cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy |
111 | | -echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy |
112 | | -if [ "$os" == "windows" ]; then |
113 | | - # If User is domainuser then it will be in "domain/user" so convert it to "domain\user" |
114 | | - echo "Match user ${USER//\//\\}" >>$OBJ/sshd_proxy |
115 | | -else |
116 | | - echo "Match user $USER" >>$OBJ/sshd_proxy |
117 | | -fi |
118 | | -echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy |
119 | | - |
120 | | -# Test that a Match overrides a PermitOpen in the global section |
121 | | -trace "match permitopen proxy w/key opts" |
122 | | -start_client -F $OBJ/ssh_proxy |
123 | | -${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true && \ |
124 | | - fail "match override permitopen" |
125 | | -stop_client |
126 | | - |
127 | | -cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy |
128 | | -echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy |
129 | | -echo "Match User NoSuchUser" >>$OBJ/sshd_proxy |
130 | | -echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy |
131 | | - |
132 | | -# Test that a rule that doesn't match doesn't override, plus test a |
133 | | -# PermitOpen entry that's not at the start of the list |
134 | | -trace "nomatch permitopen proxy w/key opts" |
135 | | -start_client -F $OBJ/ssh_proxy |
136 | | -${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \ |
137 | | - fail "nomatch override permitopen" |
138 | | -stop_client |
139 | | - |
140 | | -# Test parsing of available Match criteria (with the exception of Group which |
141 | | -# requires knowledge of actual group memberships user running the test). |
142 | | -params="user:user:u1 host:host:h1 address:addr:1.2.3.4 \ |
143 | | - localaddress:laddr:5.6.7.8 rdomain:rdomain:rdom1" |
144 | | -cp $OBJ/sshd_proxy_bak $OBJ/sshd_config |
145 | | -echo 'Banner /nomatch' >>$OBJ/sshd_config |
146 | | -for i in $params; do |
147 | | - config=`echo $i | cut -f1 -d:` |
148 | | - criteria=`echo $i | cut -f2 -d:` |
149 | | - value=`echo $i | cut -f3 -d:` |
150 | | - cat >>$OBJ/sshd_config <<EOD |
151 | | - Match $config $value |
152 | | - Banner /$value |
153 | | -EOD |
154 | | -done |
155 | | - |
156 | | -${SUDO} ${SSHD} -f $OBJ/sshd_config -T >/dev/null || \ |
157 | | - fail "validate config for w/out spec" |
158 | | - |
159 | | -# Test matching each criteria. |
160 | | -for i in $params; do |
161 | | - testcriteria=`echo $i | cut -f2 -d:` |
162 | | - expected=/`echo $i | cut -f3 -d:` |
163 | | - spec="" |
164 | | - for j in $params; do |
165 | | - config=`echo $j | cut -f1 -d:` |
166 | | - criteria=`echo $j | cut -f2 -d:` |
167 | | - value=`echo $j | cut -f3 -d:` |
168 | | - if [ "$criteria" = "$testcriteria" ]; then |
169 | | - spec="$criteria=$value,$spec" |
170 | | - else |
171 | | - spec="$criteria=1$value,$spec" |
172 | | - fi |
173 | | - done |
174 | | - trace "test spec $spec" |
175 | | - result=`${SUDO} ${SSHD} -f $OBJ/sshd_config -T -C "$spec" | \ |
176 | | - awk '$1=="banner"{print $2}'` |
177 | | - if [ "$os" == "windows" ]; then |
178 | | - result=${result/$'\r'/} # remove CR (carriage return) |
179 | | - fi |
180 | | - if [ "$result" != "$expected" ]; then |
181 | | - fail "match $config expected $expected got $result" |
182 | | - fi |
183 | | -done |
| 4 | +# tid="sshd_config match" |
| 5 | + |
| 6 | +# pidfile=$OBJ/remote_pid |
| 7 | +# fwdport=3301 |
| 8 | +# fwd="-L $fwdport:127.0.0.1:$PORT" |
| 9 | + |
| 10 | +# echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_config |
| 11 | +# echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_proxy |
| 12 | + |
| 13 | +# start_client() |
| 14 | +# { |
| 15 | +# rm -f $pidfile |
| 16 | +# ${SSH} -q $fwd "$@" somehost \ |
| 17 | +# exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \ |
| 18 | +# >>$TEST_REGRESS_LOGFILE 2>&1 & |
| 19 | +# client_pid=$! |
| 20 | +# # Wait for remote end |
| 21 | +# n=0 |
| 22 | +# while test ! -f $pidfile ; do |
| 23 | +# sleep 1 |
| 24 | +# n=`expr $n + 1` |
| 25 | +# if test $n -gt 60; then |
| 26 | +# if [ "$os" == "windows" ]; then |
| 27 | +# # We can't kill windows process from cygwin / wsl so use "stop-process" |
| 28 | +# powershell.exe /c "stop-process -id $client_pid -Force" >/dev/null 2>&1 |
| 29 | +# else |
| 30 | +# kill $client_pid |
| 31 | +# fi |
| 32 | +# fatal "timeout waiting for background ssh" |
| 33 | +# fi |
| 34 | +# done |
| 35 | +# } |
| 36 | + |
| 37 | +# stop_client() |
| 38 | +# { |
| 39 | +# pid=`cat $pidfile` |
| 40 | +# if [ "$os" == "windows" ]; then |
| 41 | +# # We can't kill windows process from cygwin / wsl so use "stop-process" |
| 42 | +# powershell.exe /c "stop-process -id $pid -Force" >/dev/null 2>&1 |
| 43 | +# powershell.exe /c "stop-process -name sleep -Force" >/dev/null 2>&1 |
| 44 | +# else |
| 45 | +# if [ ! -z "$pid" ]; then |
| 46 | +# kill $pid |
| 47 | +# fi |
| 48 | +# wait |
| 49 | +# fi |
| 50 | +# } |
| 51 | + |
| 52 | +# cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak |
| 53 | +# echo "PermitOpen 127.0.0.1:1 # comment" >>$OBJ/sshd_config |
| 54 | +# echo "Match Address 127.0.0.1" >>$OBJ/sshd_config |
| 55 | +# echo "PermitOpen 127.0.0.1:2 127.0.0.1:3 127.0.0.1:$PORT" >>$OBJ/sshd_config |
| 56 | + |
| 57 | +# grep -v AuthorizedKeysFile $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy |
| 58 | +# echo "AuthorizedKeysFile /dev/null # comment" >>$OBJ/sshd_proxy |
| 59 | +# echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_proxy |
| 60 | +# if [ "$os" == "windows" ]; then |
| 61 | +# # If User is domainuser then it will be in "domain/user" so convert it to "domain\user" |
| 62 | +# echo "Match user ${USER//\//\\}" >>$OBJ/sshd_proxy |
| 63 | +# else |
| 64 | +# echo "Match user $USER" >>$OBJ/sshd_proxy |
| 65 | +# fi |
| 66 | + |
| 67 | +# echo "AuthorizedKeysFile /dev/null $OBJ/authorized_keys_%u" >>$OBJ/sshd_proxy |
| 68 | +# echo "Match Address 127.0.0.1 # comment" >>$OBJ/sshd_proxy |
| 69 | +# echo "PermitOpen 127.0.0.1:2 127.0.0.1:3 127.0.0.1:$PORT" >>$OBJ/sshd_proxy |
| 70 | + |
| 71 | +# ${SUDO} ${SSHD} -f $OBJ/sshd_config -T >/dev/null || \ |
| 72 | +# fail "config w/match fails config test" |
| 73 | + |
| 74 | +# start_sshd |
| 75 | + |
| 76 | +# # Test Match + PermitOpen in sshd_config. This should be permitted |
| 77 | +# trace "match permitopen localhost" |
| 78 | +# start_client -F $OBJ/ssh_config |
| 79 | +# ${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \ |
| 80 | +# fail "match permitopen permit" |
| 81 | +# stop_client |
| 82 | + |
| 83 | +# # Same but from different source. This should not be permitted |
| 84 | +# trace "match permitopen proxy" |
| 85 | +# start_client -F $OBJ/ssh_proxy |
| 86 | +# ${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true && \ |
| 87 | +# fail "match permitopen deny" |
| 88 | +# stop_client |
| 89 | + |
| 90 | +# # Retry previous with key option, should also be denied. |
| 91 | +# cp /dev/null $OBJ/authorized_keys_$USER |
| 92 | +# for t in ${SSH_KEYTYPES}; do |
| 93 | +# printf 'permitopen="127.0.0.1:'$PORT'" ' >> $OBJ/authorized_keys_$USER |
| 94 | +# cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER |
| 95 | +# done |
| 96 | +# trace "match permitopen proxy w/key opts" |
| 97 | +# start_client -F $OBJ/ssh_proxy |
| 98 | +# ${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true && \ |
| 99 | +# fail "match permitopen deny w/key opt" |
| 100 | +# stop_client |
| 101 | + |
| 102 | +# # Test both sshd_config and key options permitting the same dst/port pair. |
| 103 | +# # Should be permitted. |
| 104 | +# trace "match permitopen localhost" |
| 105 | +# start_client -F $OBJ/ssh_config |
| 106 | +# ${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \ |
| 107 | +# fail "match permitopen permit" |
| 108 | +# stop_client |
| 109 | + |
| 110 | +# cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy |
| 111 | +# echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy |
| 112 | +# if [ "$os" == "windows" ]; then |
| 113 | +# # If User is domainuser then it will be in "domain/user" so convert it to "domain\user" |
| 114 | +# echo "Match user ${USER//\//\\}" >>$OBJ/sshd_proxy |
| 115 | +# else |
| 116 | +# echo "Match user $USER" >>$OBJ/sshd_proxy |
| 117 | +# fi |
| 118 | +# echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy |
| 119 | + |
| 120 | +# # Test that a Match overrides a PermitOpen in the global section |
| 121 | +# trace "match permitopen proxy w/key opts" |
| 122 | +# start_client -F $OBJ/ssh_proxy |
| 123 | +# ${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true && \ |
| 124 | +# fail "match override permitopen" |
| 125 | +# stop_client |
| 126 | + |
| 127 | +# cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy |
| 128 | +# echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy |
| 129 | +# echo "Match User NoSuchUser" >>$OBJ/sshd_proxy |
| 130 | +# echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy |
| 131 | + |
| 132 | +# # Test that a rule that doesn't match doesn't override, plus test a |
| 133 | +# # PermitOpen entry that's not at the start of the list |
| 134 | +# trace "nomatch permitopen proxy w/key opts" |
| 135 | +# start_client -F $OBJ/ssh_proxy |
| 136 | +# ${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \ |
| 137 | +# fail "nomatch override permitopen" |
| 138 | +# stop_client |
| 139 | + |
| 140 | +# # Test parsing of available Match criteria (with the exception of Group which |
| 141 | +# # requires knowledge of actual group memberships user running the test). |
| 142 | +# params="user:user:u1 host:host:h1 address:addr:1.2.3.4 \ |
| 143 | +# localaddress:laddr:5.6.7.8 rdomain:rdomain:rdom1" |
| 144 | +# cp $OBJ/sshd_proxy_bak $OBJ/sshd_config |
| 145 | +# echo 'Banner /nomatch' >>$OBJ/sshd_config |
| 146 | +# for i in $params; do |
| 147 | +# config=`echo $i | cut -f1 -d:` |
| 148 | +# criteria=`echo $i | cut -f2 -d:` |
| 149 | +# value=`echo $i | cut -f3 -d:` |
| 150 | +# cat >>$OBJ/sshd_config <<EOD |
| 151 | +# Match $config $value |
| 152 | +# Banner /$value |
| 153 | +# EOD |
| 154 | +# done |
| 155 | + |
| 156 | +# ${SUDO} ${SSHD} -f $OBJ/sshd_config -T >/dev/null || \ |
| 157 | +# fail "validate config for w/out spec" |
| 158 | + |
| 159 | +# # Test matching each criteria. |
| 160 | +# for i in $params; do |
| 161 | +# testcriteria=`echo $i | cut -f2 -d:` |
| 162 | +# expected=/`echo $i | cut -f3 -d:` |
| 163 | +# spec="" |
| 164 | +# for j in $params; do |
| 165 | +# config=`echo $j | cut -f1 -d:` |
| 166 | +# criteria=`echo $j | cut -f2 -d:` |
| 167 | +# value=`echo $j | cut -f3 -d:` |
| 168 | +# if [ "$criteria" = "$testcriteria" ]; then |
| 169 | +# spec="$criteria=$value,$spec" |
| 170 | +# else |
| 171 | +# spec="$criteria=1$value,$spec" |
| 172 | +# fi |
| 173 | +# done |
| 174 | +# trace "test spec $spec" |
| 175 | +# result=`${SUDO} ${SSHD} -f $OBJ/sshd_config -T -C "$spec" | \ |
| 176 | +# awk '$1=="banner"{print $2}'` |
| 177 | +# if [ "$os" == "windows" ]; then |
| 178 | +# result=${result/$'\r'/} # remove CR (carriage return) |
| 179 | +# fi |
| 180 | +# if [ "$result" != "$expected" ]; then |
| 181 | +# fail "match $config expected $expected got $result" |
| 182 | +# fi |
| 183 | +# done |
0 commit comments