upstream: regress test for PermitOpen

OpenBSD-Regress-ID: ce8b5f28fc039f09bb297fc4a92319e65982ddaf
2018-06-06 18:25:33 +00:00 · 2018-06-06 18:25:33 +00:00 · 392db2bc83
parent 803d896ef3
commit 392db2bc83
1 changed files with 62 additions and 15 deletions
--- a/regress/forward-control.sh
+++ b/regress/forward-control.sh
@ -1,4 +1,4 @@
-#	$OpenBSD: forward-control.sh,v 1.5 2018/03/02 02:51:55 djm Exp $
+#	$OpenBSD: forward-control.sh,v 1.6 2018/06/06 18:25:33 djm Exp $
 #	Placed in the Public Domain.

 tid="sshd control of local and remote forwarding"
@ -67,7 +67,7 @@ check_rfwd() {
 	_message=$2
 	rm -f $READY
 	${SSH} -F $OBJ/ssh_proxy \
-	    -R$RFWD_PORT:127.0.0.1:$PORT \
+	    -R127.0.0.1:$RFWD_PORT:127.0.0.1:$PORT \
 	    -o ExitOnForwardFailure=yes \
 	    -n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \
 	    >/dev/null 2>&1 &
@ -100,8 +100,8 @@ cp ${OBJ}/authorized_keys_${USER} ${OBJ}/authorized_keys_${USER}.bak
 check_lfwd Y "default configuration"
 check_rfwd Y "default configuration"

-# Usage: all_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N
-all_tests() {
+# Usage: lperm_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N
+lperm_tests() {
 	_tcpfwd=$1
 	_plain_lfwd=$2
 	_plain_rfwd=$3
@ -109,32 +109,39 @@ all_tests() {
 	_nopermit_rfwd=$5
 	_permit_lfwd=$6
 	_permit_rfwd=$7
-	_badfwd=127.0.0.1:22
+	_badfwd1=127.0.0.1:22
+	_badfwd2=127.0.0.2:22
 	_goodfwd=127.0.0.1:${PORT}
 	cp ${OBJ}/authorized_keys_${USER}.bak  ${OBJ}/authorized_keys_${USER}
 	_prefix="AllowTcpForwarding=$_tcpfwd"
+
 	# No PermitOpen
 	( cat ${OBJ}/sshd_proxy.bak ;
 	  echo "AllowTcpForwarding $_tcpfwd" ) \
 	    > ${OBJ}/sshd_proxy
 	check_lfwd $_plain_lfwd "$_prefix"
 	check_rfwd $_plain_rfwd "$_prefix"
+
 	# PermitOpen via sshd_config that doesn't match
 	( cat ${OBJ}/sshd_proxy.bak ;
 	  echo "AllowTcpForwarding $_tcpfwd" ;
-	  echo "PermitOpen $_badfwd" ) \
+	  echo "PermitOpen $_badfwd1 $_badfwd2" ) \
 	    > ${OBJ}/sshd_proxy
 	check_lfwd $_nopermit_lfwd "$_prefix, !PermitOpen"
 	check_rfwd $_nopermit_rfwd "$_prefix, !PermitOpen"
 	# PermitOpen via sshd_config that does match
 	( cat ${OBJ}/sshd_proxy.bak ;
 	  echo "AllowTcpForwarding $_tcpfwd" ;
-	  echo "PermitOpen $_badfwd $_goodfwd" ) \
+	  echo "PermitOpen $_badfwd1 $_goodfwd $_badfwd2" ) \
 	    > ${OBJ}/sshd_proxy
+	check_lfwd $_plain_lfwd "$_prefix, PermitOpen"
+	check_rfwd $_plain_rfwd "$_prefix, PermitOpen"
+
+	# permitopen keys option.
 	# NB. permitopen via authorized_keys should have same
 	# success/fail as via sshd_config
 	# permitopen via authorized_keys that doesn't match
-	sed "s/^/permitopen=\"$_badfwd\" /" \
+	sed "s/^/permitopen=\"$_badfwd1\",permitopen=\"$_badfwd2\" /" \
 	    < ${OBJ}/authorized_keys_${USER}.bak \
 	    > ${OBJ}/authorized_keys_${USER} || fatal "sed 1 fail"
 	( cat ${OBJ}/sshd_proxy.bak ;
@ -143,7 +150,7 @@ all_tests() {
 	check_lfwd $_nopermit_lfwd "$_prefix, !permitopen"
 	check_rfwd $_nopermit_rfwd "$_prefix, !permitopen"
 	# permitopen via authorized_keys that does match
-	sed "s/^/permitopen=\"$_badfwd\",permitopen=\"$_goodfwd\" /" \
+	sed "s/^/permitopen=\"$_badfwd1\",permitopen=\"$_goodfwd\" /" \
 	    < ${OBJ}/authorized_keys_${USER}.bak \
 	    > ${OBJ}/authorized_keys_${USER} || fatal "sed 2 fail"
 	( cat ${OBJ}/sshd_proxy.bak ;
@ -151,6 +158,7 @@ all_tests() {
 	    > ${OBJ}/sshd_proxy
 	check_lfwd $_permit_lfwd "$_prefix, permitopen"
 	check_rfwd $_permit_rfwd "$_prefix, permitopen"
+
 	# Check port-forwarding flags in authorized_keys.
 	# These two should refuse all.
 	sed "s/^/no-port-forwarding /" \
@ -180,9 +188,48 @@ all_tests() {
 	check_rfwd $_plain_rfwd "$_prefix, restrict,port-forwarding"
 }

-#                      no-permitopen mismatch-permitopen match-permitopen
+#          permit-open      none          mismatch         match
 #   AllowTcpForwarding  local remote    local remote    local remote
-all_tests          yes      Y      Y            N      Y         Y      Y
-all_tests        local      Y      N            N      N         Y      N
-all_tests       remote      N      Y            N      Y         N      Y
-all_tests           no      N      N            N      N         N      N
+lperm_tests     yes     Y     Y         N     Y         Y     Y
+lperm_tests   local     Y     N         N     N         Y     N
+lperm_tests  remote     N     Y         N     Y         N     Y
+lperm_tests      no     N     N         N     N         N     N
+
+# Usage: rperm_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N
+rperm_tests() {
+	_tcpfwd=$1
+	_plain_lfwd=$2
+	_plain_rfwd=$3
+	_nopermit_lfwd=$4
+	_nopermit_rfwd=$5
+	_permit_lfwd=$6
+	_permit_rfwd=$7
+	_badfwd1=127.0.0.1:22
+	_badfwd2=127.0.0.2:${RFWD_PORT}
+	_goodfwd=127.0.0.1:${RFWD_PORT}
+	cp ${OBJ}/authorized_keys_${USER}.bak  ${OBJ}/authorized_keys_${USER}
+	_prefix="AllowTcpForwarding=$_tcpfwd"
+
+	# PermitRemoteOpen via sshd_config that doesn't match
+	( cat ${OBJ}/sshd_proxy.bak ;
+	  echo "AllowTcpForwarding $_tcpfwd" ;
+	  echo "PermitRemoteOpen $_badfwd1 $_badfwd2" ) \
+	    > ${OBJ}/sshd_proxy
+	check_lfwd $_nopermit_lfwd "$_prefix, !PermitRemoteOpen"
+	check_rfwd $_nopermit_rfwd "$_prefix, !PermitRemoteOpen"
+	# PermitRemoteOpen via sshd_config that does match
+	( cat ${OBJ}/sshd_proxy.bak ;
+	  echo "AllowTcpForwarding $_tcpfwd" ;
+	  echo "PermitRemoteOpen $_badfwd1 $_goodfwd $_badfwd2" ) \
+	    > ${OBJ}/sshd_proxy
+	check_lfwd $_plain_lfwd "$_prefix, PermitRemoteOpen"
+	check_rfwd $_plain_rfwd "$_prefix, PermitRemoteOpen"
+}
+
+#   permit-remote-open      none          mismatch         match
+#   AllowTcpForwarding  local remote    local remote    local remote
+rperm_tests     yes     Y     Y         Y     N         Y     Y
+rperm_tests   local     Y     N         Y     N         Y     N
+rperm_tests  remote     N     Y         N     N         N     Y
+rperm_tests      no     N     N         N     N         N     N
+