upstream commit

Add regression test for AllowUsers and DenyUsers.  Patch from
Zev Weiss <zev at bewilderbeest.net>

Upstream-Regress-ID: 8f1aac24d52728398871dac14ad26ea38b533fb9

regress/Makefile

@@ -1,4 +1,4 @@
-#	$OpenBSD: Makefile,v 1.93 2016/11/01 13:43:27 tb Exp $
+#	$OpenBSD: Makefile,v 1.94 2016/12/16 03:51:19 dtucker Exp $
 
 REGRESS_TARGETS=	unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t-exec
 tests:		prep $(REGRESS_TARGETS)
@@ -78,7 +78,8 @@ LTESTS= 	connect \
 		hostkey-rotate \
 		principals-command \
 		cert-file \
-		cfginclude
+		cfginclude \
+		allow-deny-users
 
 
 #		dhgex \

regress/allow-deny-users.sh

@@ -0,0 +1,37 @@
+# Public Domain
+# Zev Weiss, 2016
+
+tid="AllowUsers/DenyUsers"
+
+me=`whoami`
+other="nobody"
+
+test_auth()
+{
+	deny="$1"
+	allow="$2"
+	should_succeed="$3"
+	failmsg="$4"
+
+	start_sshd -oDenyUsers="$deny" -oAllowUsers="$allow"
+
+	${SSH} -F $OBJ/ssh_config "$me@somehost" true
+	status=$?
+
+	if (test $status -eq 0 && ! $should_succeed) \
+	    || (test $status -ne 0 && $should_succeed); then
+		fail "$failmsg"
+	fi
+
+	stop_sshd
+}
+
+#         DenyUsers     AllowUsers    should_succeed  failure_message
+test_auth ""            ""            true            "user in neither DenyUsers nor AllowUsers denied"
+test_auth "$other $me"  ""            false           "user in DenyUsers allowed"
+test_auth "$me $other"  ""            false           "user in DenyUsers allowed"
+test_auth ""            "$other"      false           "user not in AllowUsers allowed"
+test_auth ""            "$other $me"  true            "user in AllowUsers denied"
+test_auth ""            "$me $other"  true            "user in AllowUsers denied"
+test_auth "$me $other"  "$me $other"  false           "user in both DenyUsers and AllowUsers allowed"
+test_auth "$other $me"  "$other $me"  false           "user in both DenyUsers and AllowUsers allowed"