From 845ceecea2ac311b0c267f9ecbd34862e1876fc6 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org"
Date: Mon, 2 Jan 2023 07:03:57 +0000
Subject: [PATCH] upstream: regression test for PermitRemoteOpen
OpenBSD-Regress-ID: 8271aafbf5c21950cd5bf966f08e585cebfe630c
---
 regress/dynamic-forward.sh | 84 ++++++++++++++++++++++++++++++--------
 1 file changed, 66 insertions(+), 18 deletions(-)
diff --git a/regress/dynamic-forward.sh b/regress/dynamic-forward.sh
index 84f8ee192..f6c2393d2 100644
--- a/regress/dynamic-forward.sh
+++ b/regress/dynamic-forward.sh
@@ -1,10 +1,12 @@
-# $OpenBSD: dynamic-forward.sh,v 1.13 2017/09/21 19:18:12 markus Exp $
+# $OpenBSD: dynamic-forward.sh,v 1.14 2023/01/02 07:03:57 djm Exp $
 # Placed in the Public Domain.
 tid="dynamic forwarding"
 FWDPORT=`expr $PORT + 1`
+cp $OBJ/ssh_config $OBJ/ssh_config.orig
+
 if have_prog nc && nc -h 2>&1 | grep "proxy address" >/dev/null; then
 proxycmd="nc -x 127.0.0.1:$FWDPORT -X"
 elif have_prog connect; then
@@ -15,16 +17,16 @@ else
 fi
 trace "will use ProxyCommand $proxycmd"
-start_sshd
-
-for d in D R; do
+start_ssh() {
+ direction="$1"
+ arg="$2"
 n=0
 error="1"
- trace "start dynamic forwarding, fork to background"
-
+ trace "start dynamic -$direction forwarding, fork to background"
+ (cat $OBJ/ssh_config.orig ; echo "$arg") > $OBJ/ssh_config
 while [ "$error" -ne 0 -a "$n" -lt 3 ]; do
 n=`expr $n + 1`
- ${SSH} -F $OBJ/ssh_config -f -$d $FWDPORT -q \
+ ${SSH} -F $OBJ/ssh_config -f -$direction $FWDPORT -q \
 -oExitOnForwardFailure=yes somehost exec sh -c \
 \'"echo \$\$ > $OBJ/remote_pid; exec sleep 444"\'
 error=$?
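Review bot: The pristine copy taken by `cp $OBJ/ssh_config $OBJ/ssh_config.orig` is never copied back, so after the PermitRemoteOpen loop in the last hunk `$OBJ/ssh_config` is left with `PermitRemoteOpen="127.0.0.1:1 [::1]:1 localhost:1"` appended by the final `start_ssh`. If the harness regenerates ssh_config before every test script this is harmless; if it does not, a later test (or a re-run of this one, whose `cp` would then snapshot the already-modified file) inherits the deny-all line. A `cp $OBJ/ssh_config.orig $OBJ/ssh_config` after the closing `done` of that loop would restore the original state.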
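Review bot: `start_ssh` has no header describing its two positional parameters, and the second one is easy to misread since `echo "$arg"` appends it verbatim as a new line of `$OBJ/ssh_config`. A comment above the function such as `# start_ssh direction [config-line]: rebuild $OBJ/ssh_config from ssh_config.orig plus the optional extra line, then start ssh -f with a -D or -R SOCKS forward on $FWDPORT (up to 3 attempts)` would make the PermitRemoteOpen calls at the bottom of the file self-explanatory. The function body continues past the end of this hunk, so its remaining lines were not reviewed here.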
@@ -36,18 +38,9 @@ for d in D R; do
 if [ "$error" -ne 0 ]; then
 fatal "failed to start dynamic forwarding"
 fi
+}
- for s in 4 5; do
- for h in 127.0.0.1 localhost; do
- trace "testing ssh socks version $s host $h (-$d)"
- ${SSH} -F $OBJ/ssh_config \
- -o "ProxyCommand ${proxycmd}${s} $h $PORT" \
- somehost cat ${DATA} > ${COPY}
- test -f ${COPY} || fail "failed copy ${DATA}"
- cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}"
- done
- done
-
+stop_ssh() {
 if [ -f $OBJ/remote_pid ]; then
 remote=`cat $OBJ/remote_pid`
 trace "terminate remote shell, pid $remote"
@@ -57,5 +50,60 @@ for d in D R; do
 else
 fail "no pid file: $OBJ/remote_pid"
 fi
+}
+check_socks() {
+ direction=$1
+ expect_success=$2
+ for s in 4 5; do
+ for h in 127.0.0.1 localhost; do
+ trace "testing ssh socks version $s host $h (-$direction)"
+ ${SSH} -F $OBJ/ssh_config \
+ -o "ProxyCommand ${proxycmd}${s} $h $PORT 2>/dev/null" \
+ somehost cat ${DATA} > ${COPY}
+ r=$?
+ if [ "x$expect_success" = "xY" ] ; then
+ if [ $r -ne 0 ] ; then
+ fail "ssh failed with exit status $r"
+ fi
+ test -f ${COPY} || fail "failed copy ${DATA}"
+ cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}"
+ elif [ $r -eq 0 ] ; then
+ fail "ssh unexpectedly succeeded"
+ fi
+ done
+ done
+}
+
+start_sshd
+
+for d in D R; do
+ verbose "test -$d forwarding"
+ start_ssh $d
+ check_socks $d Y
+ stop_ssh
+ test "x$d" = "xR" || continue
+
+ # Test PermitRemoteOpen
+ verbose "PermitRemoteOpen=any"
+ start_ssh $d PermitRemoteOpen=any
+ check_socks $d Y
+ stop_ssh
+
+ verbose "PermitRemoteOpen=none"
+ start_ssh $d PermitRemoteOpen=none
+ check_socks $d N
+ stop_ssh
+
+ verbose "PermitRemoteOpen=explicit"
+ start_ssh $d \
+ PermitRemoteOpen="127.0.0.1:$PORT [::1]:$PORT localhost:$PORT"
+ check_socks $d Y
+ stop_ssh
+
+ verbose "PermitRemoteOpen=disallowed"
+ start_ssh $d \
+ PermitRemoteOpen="127.0.0.1:1 [::1]:1 localhost:1"
+ check_socks $d N
+ stop_ssh
 done
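Review bot: `stop_ssh` reads `$OBJ/remote_pid` but never removes it, and now that `start_ssh`/`stop_ssh` run five times for the `R` direction a stale file from the previous cycle survives into the next one. If a later `start_ssh` forks ssh but the remote `echo $$ > $OBJ/remote_pid` has not run by the time `stop_ssh` is reached, the `no pid file` branch can no longer fire and the previous cycle's pid is signalled instead, which by then may have been reused by an unrelated process. Adding `rm -f $OBJ/remote_pid` at the end of `stop_ssh` (or at the top of `start_ssh`) keeps each cycle's pid file independent. The `kill` that consumes `$remote` lies between this hunk and the next and is not visible here.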
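Review bot: The `N` branch of `check_socks` judges a denied forward solely by ssh's exit status, while the property the PermitRemoteOpen cases need is that no bytes reached `${COPY}`; since the `> ${COPY}` redirection truncates the file in the local shell before ssh starts, that is directly checkable. Turning the `elif` into an `else` with `[ $r -eq 0 ] && fail "ssh unexpectedly succeeded"` followed by `test -s ${COPY} && fail "data crossed a denied forward"` pins the intended outcome and gives a more specific diagnostic. The `2>/dev/null` now inside the ProxyCommand also silences nc/connect errors in the `Y` cases, so a broken proxy helper will surface only as `ssh failed with exit status $r`; keeping the suppression to the `N` runs would preserve that signal. This assumes `fail` records the failure and continues, which the `test -f`/`cmp` lines in the success branch already rely on.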