|
1 | | -# $OpenBSD: cfgmatch.sh,v 1.13 2021/06/08 06:52:43 djm Exp $ |
2 | | -# Placed in the Public Domain. |
3 | | - |
4 | | -# tid="sshd_config match" |
5 | | - |
6 | | -# pidfile=$OBJ/remote_pid |
7 | | -# fwdport=3301 |
8 | | -# fwd="-L $fwdport:127.0.0.1:$PORT" |
9 | | - |
10 | | -# echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_config |
11 | | -# echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_proxy |
12 | | - |
13 | | -# start_client() |
14 | | -# { |
15 | | -# rm -f $pidfile |
16 | | -# ${SSH} -q $fwd "$@" somehost \ |
17 | | -# exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \ |
18 | | -# >>$TEST_REGRESS_LOGFILE 2>&1 & |
19 | | -# client_pid=$! |
20 | | -# # Wait for remote end |
21 | | -# n=0 |
22 | | -# while test ! -f $pidfile ; do |
23 | | -# sleep 1 |
24 | | -# n=`expr $n + 1` |
25 | | -# if test $n -gt 60; then |
26 | | -# if [ "$os" == "windows" ]; then |
27 | | -# # We can't kill windows process from cygwin / wsl so use "stop-process" |
28 | | -# powershell.exe /c "stop-process -id $client_pid -Force" >/dev/null 2>&1 |
29 | | -# else |
30 | | -# kill $client_pid |
31 | | -# fi |
32 | | -# fatal "timeout waiting for background ssh" |
33 | | -# fi |
34 | | -# done |
35 | | -# } |
36 | | - |
37 | | -# stop_client() |
38 | | -# { |
39 | | -# pid=`cat $pidfile` |
40 | | -# if [ "$os" == "windows" ]; then |
41 | | -# # We can't kill windows process from cygwin / wsl so use "stop-process" |
42 | | -# powershell.exe /c "stop-process -id $pid -Force" >/dev/null 2>&1 |
43 | | -# powershell.exe /c "stop-process -name sleep -Force" >/dev/null 2>&1 |
44 | | -# else |
45 | | -# if [ ! -z "$pid" ]; then |
46 | | -# kill $pid |
47 | | -# fi |
48 | | -# wait |
49 | | -# fi |
50 | | -# } |
51 | | - |
52 | | -# cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak |
53 | | -# echo "PermitOpen 127.0.0.1:1 # comment" >>$OBJ/sshd_config |
54 | | -# echo "Match Address 127.0.0.1" >>$OBJ/sshd_config |
55 | | -# echo "PermitOpen 127.0.0.1:2 127.0.0.1:3 127.0.0.1:$PORT" >>$OBJ/sshd_config |
56 | | - |
57 | | -# grep -v AuthorizedKeysFile $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy |
58 | | -# echo "AuthorizedKeysFile /dev/null # comment" >>$OBJ/sshd_proxy |
59 | | -# echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_proxy |
60 | | -# if [ "$os" == "windows" ]; then |
61 | | -# # If User is domainuser then it will be in "domain/user" so convert it to "domain\user" |
62 | | -# echo "Match user ${USER//\//\\}" >>$OBJ/sshd_proxy |
63 | | -# else |
64 | | -# echo "Match user $USER" >>$OBJ/sshd_proxy |
65 | | -# fi |
66 | | - |
67 | | -# echo "AuthorizedKeysFile /dev/null $OBJ/authorized_keys_%u" >>$OBJ/sshd_proxy |
68 | | -# echo "Match Address 127.0.0.1 # comment" >>$OBJ/sshd_proxy |
69 | | -# echo "PermitOpen 127.0.0.1:2 127.0.0.1:3 127.0.0.1:$PORT" >>$OBJ/sshd_proxy |
70 | | - |
71 | | -# ${SUDO} ${SSHD} -f $OBJ/sshd_config -T >/dev/null || \ |
72 | | -# fail "config w/match fails config test" |
73 | | - |
74 | | -# start_sshd |
75 | | - |
76 | | -# # Test Match + PermitOpen in sshd_config. This should be permitted |
77 | | -# trace "match permitopen localhost" |
78 | | -# start_client -F $OBJ/ssh_config |
79 | | -# ${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \ |
80 | | -# fail "match permitopen permit" |
81 | | -# stop_client |
82 | | - |
83 | | -# # Same but from different source. This should not be permitted |
84 | | -# trace "match permitopen proxy" |
85 | | -# start_client -F $OBJ/ssh_proxy |
86 | | -# ${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true && \ |
87 | | -# fail "match permitopen deny" |
88 | | -# stop_client |
89 | | - |
90 | | -# # Retry previous with key option, should also be denied. |
91 | | -# cp /dev/null $OBJ/authorized_keys_$USER |
92 | | -# for t in ${SSH_KEYTYPES}; do |
93 | | -# printf 'permitopen="127.0.0.1:'$PORT'" ' >> $OBJ/authorized_keys_$USER |
94 | | -# cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER |
95 | | -# done |
96 | | -# trace "match permitopen proxy w/key opts" |
97 | | -# start_client -F $OBJ/ssh_proxy |
98 | | -# ${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true && \ |
99 | | -# fail "match permitopen deny w/key opt" |
100 | | -# stop_client |
101 | | - |
102 | | -# # Test both sshd_config and key options permitting the same dst/port pair. |
103 | | -# # Should be permitted. |
104 | | -# trace "match permitopen localhost" |
105 | | -# start_client -F $OBJ/ssh_config |
106 | | -# ${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \ |
107 | | -# fail "match permitopen permit" |
108 | | -# stop_client |
109 | | - |
110 | | -# cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy |
111 | | -# echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy |
112 | | -# if [ "$os" == "windows" ]; then |
113 | | -# # If User is domainuser then it will be in "domain/user" so convert it to "domain\user" |
114 | | -# echo "Match user ${USER//\//\\}" >>$OBJ/sshd_proxy |
115 | | -# else |
116 | | -# echo "Match user $USER" >>$OBJ/sshd_proxy |
117 | | -# fi |
118 | | -# echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy |
119 | | - |
120 | | -# # Test that a Match overrides a PermitOpen in the global section |
121 | | -# trace "match permitopen proxy w/key opts" |
122 | | -# start_client -F $OBJ/ssh_proxy |
123 | | -# ${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true && \ |
124 | | -# fail "match override permitopen" |
125 | | -# stop_client |
126 | | - |
127 | | -# cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy |
128 | | -# echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy |
129 | | -# echo "Match User NoSuchUser" >>$OBJ/sshd_proxy |
130 | | -# echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy |
131 | | - |
132 | | -# # Test that a rule that doesn't match doesn't override, plus test a |
133 | | -# # PermitOpen entry that's not at the start of the list |
134 | | -# trace "nomatch permitopen proxy w/key opts" |
135 | | -# start_client -F $OBJ/ssh_proxy |
136 | | -# ${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \ |
137 | | -# fail "nomatch override permitopen" |
138 | | -# stop_client |
139 | | - |
140 | | -# # Test parsing of available Match criteria (with the exception of Group which |
141 | | -# # requires knowledge of actual group memberships user running the test). |
142 | | -# params="user:user:u1 host:host:h1 address:addr:1.2.3.4 \ |
143 | | -# localaddress:laddr:5.6.7.8 rdomain:rdomain:rdom1" |
144 | | -# cp $OBJ/sshd_proxy_bak $OBJ/sshd_config |
145 | | -# echo 'Banner /nomatch' >>$OBJ/sshd_config |
146 | | -# for i in $params; do |
147 | | -# config=`echo $i | cut -f1 -d:` |
148 | | -# criteria=`echo $i | cut -f2 -d:` |
149 | | -# value=`echo $i | cut -f3 -d:` |
150 | | -# cat >>$OBJ/sshd_config <<EOD |
151 | | -# Match $config $value |
152 | | -# Banner /$value |
153 | | -# EOD |
154 | | -# done |
155 | | - |
156 | | -# ${SUDO} ${SSHD} -f $OBJ/sshd_config -T >/dev/null || \ |
157 | | -# fail "validate config for w/out spec" |
158 | | - |
159 | | -# # Test matching each criteria. |
160 | | -# for i in $params; do |
161 | | -# testcriteria=`echo $i | cut -f2 -d:` |
162 | | -# expected=/`echo $i | cut -f3 -d:` |
163 | | -# spec="" |
164 | | -# for j in $params; do |
165 | | -# config=`echo $j | cut -f1 -d:` |
166 | | -# criteria=`echo $j | cut -f2 -d:` |
167 | | -# value=`echo $j | cut -f3 -d:` |
168 | | -# if [ "$criteria" = "$testcriteria" ]; then |
169 | | -# spec="$criteria=$value,$spec" |
170 | | -# else |
171 | | -# spec="$criteria=1$value,$spec" |
172 | | -# fi |
173 | | -# done |
174 | | -# trace "test spec $spec" |
175 | | -# result=`${SUDO} ${SSHD} -f $OBJ/sshd_config -T -C "$spec" | \ |
176 | | -# awk '$1=="banner"{print $2}'` |
177 | | -# if [ "$os" == "windows" ]; then |
178 | | -# result=${result/$'\r'/} # remove CR (carriage return) |
179 | | -# fi |
180 | | -# if [ "$result" != "$expected" ]; then |
181 | | -# fail "match $config expected $expected got $result" |
182 | | -# fi |
183 | | -# done |
| 1 | + $OpenBSD: cfgmatch.sh,v 1.13 2021/06/08 06:52:43 djm Exp $ |
| 2 | + Placed in the Public Domain. |
| 3 | + |
| 4 | +tid="sshd_config match" |
| 5 | + |
| 6 | +pidfile=$OBJ/remote_pid |
| 7 | +fwdport=3301 |
| 8 | +fwd="-L $fwdport:127.0.0.1:$PORT" |
| 9 | + |
| 10 | +echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_config |
| 11 | +echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_proxy |
| 12 | + |
| 13 | +start_client() |
| 14 | +{ |
| 15 | + rm -f $pidfile |
| 16 | + ${SSH} -q $fwd "$@" somehost \ |
| 17 | + exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \ |
| 18 | + >>$TEST_REGRESS_LOGFILE 2>&1 & |
| 19 | + client_pid=$! |
| 20 | + # Wait for remote end |
| 21 | + n=0 |
| 22 | + while test ! -f $pidfile ; do |
| 23 | + sleep 1 |
| 24 | + n=`expr $n + 1` |
| 25 | + if test $n -gt 60; then |
| 26 | + if [ "$os" == "windows" ]; then |
| 27 | + # We can't kill windows process from cygwin / wsl so use "stop-process" |
| 28 | + powershell.exe /c "stop-process -id $client_pid -Force" >/dev/null 2>&1 |
| 29 | + else |
| 30 | + kill $client_pid |
| 31 | + fi |
| 32 | + fatal "timeout waiting for background ssh" |
| 33 | + fi |
| 34 | + done |
| 35 | +} |
| 36 | + |
| 37 | +stop_client() |
| 38 | +{ |
| 39 | + pid=`cat $pidfile` |
| 40 | + if [ "$os" == "windows" ]; then |
| 41 | + # We can't kill windows process from cygwin / wsl so use "stop-process" |
| 42 | + powershell.exe /c "stop-process -id $pid -Force" >/dev/null 2>&1 |
| 43 | + powershell.exe /c "stop-process -name sleep -Force" >/dev/null 2>&1 |
| 44 | + else |
| 45 | + if [ ! -z "$pid" ]; then |
| 46 | + kill $pid |
| 47 | + fi |
| 48 | + wait |
| 49 | + fi |
| 50 | +} |
| 51 | + |
| 52 | +cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak |
| 53 | +echo "PermitOpen 127.0.0.1:1 # comment" >>$OBJ/sshd_config |
| 54 | +echo "Match Address 127.0.0.1" >>$OBJ/sshd_config |
| 55 | +echo "PermitOpen 127.0.0.1:2 127.0.0.1:3 127.0.0.1:$PORT" >>$OBJ/sshd_config |
| 56 | + |
| 57 | +grep -v AuthorizedKeysFile $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy |
| 58 | +echo "AuthorizedKeysFile /dev/null # comment" >>$OBJ/sshd_proxy |
| 59 | +echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_proxy |
| 60 | +if [ "$os" == "windows" ]; then |
| 61 | + # If User is domainuser then it will be in "domain/user" so convert it to "domain\user" |
| 62 | + echo "Match user ${USER//\//\\}" >>$OBJ/sshd_proxy |
| 63 | +else |
| 64 | + echo "Match user $USER" >>$OBJ/sshd_proxy |
| 65 | +fi |
| 66 | + |
| 67 | +echo "AuthorizedKeysFile /dev/null $OBJ/authorized_keys_%u" >>$OBJ/sshd_proxy |
| 68 | +echo "Match Address 127.0.0.1 # comment" >>$OBJ/sshd_proxy |
| 69 | +echo "PermitOpen 127.0.0.1:2 127.0.0.1:3 127.0.0.1:$PORT" >>$OBJ/sshd_proxy |
| 70 | + |
| 71 | +${SUDO} ${SSHD} -f $OBJ/sshd_config -T >/dev/null || \ |
| 72 | + fail "config w/match fails config test" |
| 73 | + |
| 74 | +start_sshd |
| 75 | + |
| 76 | +# Test Match + PermitOpen in sshd_config. This should be permitted |
| 77 | +trace "match permitopen localhost" |
| 78 | +start_client -F $OBJ/ssh_config |
| 79 | +${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \ |
| 80 | + fail "match permitopen permit" |
| 81 | +stop_client |
| 82 | + |
| 83 | +# Same but from different source. This should not be permitted |
| 84 | +trace "match permitopen proxy" |
| 85 | +start_client -F $OBJ/ssh_proxy |
| 86 | +${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true && \ |
| 87 | + fail "match permitopen deny" |
| 88 | +stop_client |
| 89 | + |
| 90 | +# Retry previous with key option, should also be denied. |
| 91 | +cp /dev/null $OBJ/authorized_keys_$USER |
| 92 | +for t in ${SSH_KEYTYPES}; do |
| 93 | + printf 'permitopen="127.0.0.1:'$PORT'" ' >> $OBJ/authorized_keys_$USER |
| 94 | + cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER |
| 95 | +done |
| 96 | +trace "match permitopen proxy w/key opts" |
| 97 | +start_client -F $OBJ/ssh_proxy |
| 98 | +${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true && \ |
| 99 | + fail "match permitopen deny w/key opt" |
| 100 | +stop_client |
| 101 | + |
| 102 | +# Test both sshd_config and key options permitting the same dst/port pair. |
| 103 | +# Should be permitted. |
| 104 | +trace "match permitopen localhost" |
| 105 | +start_client -F $OBJ/ssh_config |
| 106 | +${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \ |
| 107 | + fail "match permitopen permit" |
| 108 | +stop_client |
| 109 | + |
| 110 | +cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy |
| 111 | +echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy |
| 112 | +if [ "$os" == "windows" ]; then |
| 113 | + # If User is domainuser then it will be in "domain/user" so convert it to "domain\user" |
| 114 | + echo "Match user ${USER//\//\\}" >>$OBJ/sshd_proxy |
| 115 | +else |
| 116 | + echo "Match user $USER" >>$OBJ/sshd_proxy |
| 117 | +fi |
| 118 | +echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy |
| 119 | + |
| 120 | +# Test that a Match overrides a PermitOpen in the global section |
| 121 | +trace "match permitopen proxy w/key opts" |
| 122 | +start_client -F $OBJ/ssh_proxy |
| 123 | +${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true && \ |
| 124 | + fail "match override permitopen" |
| 125 | +stop_client |
| 126 | + |
| 127 | +cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy |
| 128 | +echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy |
| 129 | +echo "Match User NoSuchUser" >>$OBJ/sshd_proxy |
| 130 | +echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy |
| 131 | + |
| 132 | +# Test that a rule that doesn't match doesn't override, plus test a |
| 133 | +# PermitOpen entry that's not at the start of the list |
| 134 | +trace "nomatch permitopen proxy w/key opts" |
| 135 | +start_client -F $OBJ/ssh_proxy |
| 136 | +${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \ |
| 137 | + fail "nomatch override permitopen" |
| 138 | +stop_client |
| 139 | + |
| 140 | +# Test parsing of available Match criteria (with the exception of Group which |
| 141 | +# requires knowledge of actual group memberships user running the test). |
| 142 | +params="user:user:u1 host:host:h1 address:addr:1.2.3.4 \ |
| 143 | + localaddress:laddr:5.6.7.8 rdomain:rdomain:rdom1" |
| 144 | +cp $OBJ/sshd_proxy_bak $OBJ/sshd_config |
| 145 | +echo 'Banner /nomatch' >>$OBJ/sshd_config |
| 146 | +for i in $params; do |
| 147 | + config=`echo $i | cut -f1 -d:` |
| 148 | + criteria=`echo $i | cut -f2 -d:` |
| 149 | + value=`echo $i | cut -f3 -d:` |
| 150 | + cat >>$OBJ/sshd_config <<EOD |
| 151 | + Match $config $value |
| 152 | + Banner /$value |
| 153 | +EOD |
| 154 | +done |
| 155 | + |
| 156 | +${SUDO} ${SSHD} -f $OBJ/sshd_config -T >/dev/null || \ |
| 157 | + fail "validate config for w/out spec" |
| 158 | + |
| 159 | +# Test matching each criteria. |
| 160 | +for i in $params; do |
| 161 | + testcriteria=`echo $i | cut -f2 -d:` |
| 162 | + expected=/`echo $i | cut -f3 -d:` |
| 163 | + spec="" |
| 164 | + for j in $params; do |
| 165 | + config=`echo $j | cut -f1 -d:` |
| 166 | + criteria=`echo $j | cut -f2 -d:` |
| 167 | + value=`echo $j | cut -f3 -d:` |
| 168 | + if [ "$criteria" = "$testcriteria" ]; then |
| 169 | + spec="$criteria=$value,$spec" |
| 170 | + else |
| 171 | + spec="$criteria=1$value,$spec" |
| 172 | + fi |
| 173 | + done |
| 174 | + trace "test spec $spec" |
| 175 | + result=`${SUDO} ${SSHD} -f $OBJ/sshd_config -T -C "$spec" | \ |
| 176 | + awk '$1=="banner"{print $2}'` |
| 177 | + if [ "$os" == "windows" ]; then |
| 178 | + result=${result/$'\r'/} # remove CR (carriage return) |
| 179 | + fi |
| 180 | + if [ "$result" != "$expected" ]; then |
| 181 | + fail "match $config expected $expected got $result" |
| 182 | + fi |
| 183 | +done |
0 commit comments