tyler.durden
/
openssh-portable
mirror of https://github.com/PowerShell/openssh-portable.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

upstream commit 

eliminate explicit specification of protocol in tests and
loops over protocol. We only support SSHv2 now.

Upstream-Regress-ID: 0082838a9b8a382b7ee9cbf0c1b9db727784fadd
This commit is contained in:
djm@openbsd.org 2017-04-30 23:34:55 +00:00 committed by Damien Miller
parent 557f921aad
commit dd369320d2
39 changed files with 471 additions and 638 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
regress/agent-pkcs11.sh
View File

@ -1,4 +1,4 @@
# $OpenBSD: agent-pkcs11.sh,v 1.2 2015/01/12 11:46:32 djm Exp $
# $OpenBSD: agent-pkcs11.sh,v 1.3 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="pkcs11 agent test"
@ -53,7 +53,7 @@ else
fi
trace "pkcs11 connect via agent"
${SSH} -2 -F $OBJ/ssh_proxy somehost exit 5
${SSH} -F $OBJ/ssh_proxy somehost exit 5
r=$?
if [ $r -ne 5 ]; then
fail "ssh connect failed (exit code $r)"

38
regress/agent.sh
View File

@ -1,4 +1,4 @@
# $OpenBSD: agent.sh,v 1.11 2015/03/03 22:35:19 markus Exp $
# $OpenBSD: agent.sh,v 1.12 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="simple agent test"
@ -46,28 +46,24 @@ else
fi
trace "simple connect via agent"
for p in ${SSH_PROTOCOLS}; do
${SSH} -$p -F $OBJ/ssh_proxy somehost exit 5$p
r=$?
if [ $r -ne 5$p ]; then
fail "ssh connect with protocol $p failed (exit code $r)"
fi
done
${SSH} -F $OBJ/ssh_proxy somehost exit 52
r=$?
if [ $r -ne 52 ]; then
fail "ssh connect with failed (exit code $r)"
fi
trace "agent forwarding"
for p in ${SSH_PROTOCOLS}; do
${SSH} -A -$p -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
r=$?
if [ $r -ne 0 ]; then
fail "ssh-add -l via agent fwd proto $p failed (exit code $r)"
fi
${SSH} -A -$p -F $OBJ/ssh_proxy somehost \
"${SSH} -$p -F $OBJ/ssh_proxy somehost exit 5$p"
r=$?
if [ $r -ne 5$p ]; then
fail "agent fwd proto $p failed (exit code $r)"
fi
done
${SSH} -A -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
r=$?
if [ $r -ne 0 ]; then
fail "ssh-add -l via agent fwd failed (exit code $r)"
fi
${SSH} -A -F $OBJ/ssh_proxy somehost \
"${SSH} -F $OBJ/ssh_proxy somehost exit 52"
r=$?
if [ $r -ne 52 ]; then
fail "agent fwd failed (exit code $r)"
fi
trace "delete all agent keys"
${SSHADD} -D > /dev/null 2>&1

8
regress/banner.sh
View File

@ -1,4 +1,4 @@
# $OpenBSD: banner.sh,v 1.2 2003/10/11 11:49:49 dtucker Exp $
# $OpenBSD: banner.sh,v 1.3 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="banner"
@ -9,7 +9,7 @@ touch $OBJ/empty.in
trace "test missing banner file"
verbose "test $tid: missing banner file"
( ${SSH} -2 -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
( ${SSH} -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
cmp $OBJ/empty.in $OBJ/banner.out ) || \
fail "missing banner file"
@ -30,14 +30,14 @@ for s in 0 10 100 1000 10000 100000 ; do
trace "test banner size $s"
verbose "test $tid: size $s"
( ${SSH} -2 -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
( ${SSH} -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
cmp $OBJ/banner.in $OBJ/banner.out ) || \
fail "banner size $s mismatch"
done
trace "test suppress banner (-q)"
verbose "test $tid: suppress banner (-q)"
( ${SSH} -q -2 -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
( ${SSH} -q -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
cmp $OBJ/empty.in $OBJ/banner.out ) || \
fail "suppress banner (-q)"

17
regress/broken-pipe.sh
View File

@ -1,15 +1,12 @@
# $OpenBSD: broken-pipe.sh,v 1.5 2015/03/03 22:35:19 markus Exp $
# $OpenBSD: broken-pipe.sh,v 1.6 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="broken pipe test"
for p in ${SSH_PROTOCOLS}; do
trace "protocol $p"
for i in 1 2 3 4; do
${SSH} -$p -F $OBJ/ssh_config_config nexthost echo $i 2> /dev/null | true
r=$?
if [ $r -ne 0 ]; then
fail "broken pipe returns $r for protocol $p"
fi
done
for i in 1 2 3 4; do
${SSH} -F $OBJ/ssh_config_config nexthost echo $i 2> /dev/null | true
r=$?
if [ $r -ne 0 ]; then
fail "broken pipe returns $r"
fi
done

6
regress/brokenkeys.sh
View File

@ -1,4 +1,4 @@
# $OpenBSD: brokenkeys.sh,v 1.1 2004/10/29 23:59:22 djm Exp $
# $OpenBSD: brokenkeys.sh,v 1.2 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="broken keys"
@ -14,9 +14,9 @@ echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEABTM= bad key" > $KEYS
cat ${KEYS}.bak >> ${KEYS}
cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
${SSH} -2 -F $OBJ/ssh_config somehost true
${SSH} -F $OBJ/ssh_config somehost true
if [ $? -ne 0 ]; then
fail "ssh connect with protocol $p failed"
fail "ssh connect with failed"
fi
mv ${KEYS}.bak ${KEYS}

119
regress/cert-file.sh
View File

@ -1,4 +1,4 @@
# $OpenBSD: cert-file.sh,v 1.5 2017/03/11 23:44:16 djm Exp $
# $OpenBSD: cert-file.sh,v 1.6 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="ssh with certificates"
@ -54,66 +54,64 @@ cat $OBJ/ssh_proxy | grep -v IdentityFile > $OBJ/no_identity_config
# XXX: verify that certificate used was what we expect. Needs exposure of
# keys via enviornment variable or similar.
for p in ${SSH_PROTOCOLS}; do
# Key with no .pub should work - finding the equivalent *-cert.pub.
verbose "protocol $p: identity cert with no plain public file"
${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \
-i $OBJ/user_key3 somehost exit 5$p
[ $? -ne 5$p ] && fail "ssh failed"
verbose "identity cert with no plain public file"
${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \
-i $OBJ/user_key3 somehost exit 52
[ $? -ne 52 ] && fail "ssh failed"
# CertificateFile matching private key with no .pub file should work.
verbose "protocol $p: CertificateFile with no plain public file"
${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \
-oCertificateFile=$OBJ/user_key3-cert.pub \
-i $OBJ/user_key3 somehost exit 5$p
[ $? -ne 5$p ] && fail "ssh failed"
# CertificateFile matching private key with no .pub file should work.
verbose "CertificateFile with no plain public file"
${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \
-oCertificateFile=$OBJ/user_key3-cert.pub \
-i $OBJ/user_key3 somehost exit 52
[ $? -ne 52 ] && fail "ssh failed"
# Just keys should fail
verbose "protocol $p: plain keys"
${SSH} $opts2 somehost exit 5$p
r=$?
if [ $r -eq 5$p ]; then
fail "ssh succeeded with no certs in protocol $p"
fi
# Just keys should fail
verbose "plain keys"
${SSH} $opts2 somehost exit 52
r=$?
if [ $r -eq 52 ]; then
fail "ssh succeeded with no certs"
fi
# Keys with untrusted cert should fail.
verbose "protocol $p: untrusted cert"
opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub"
${SSH} $opts3 somehost exit 5$p
r=$?
if [ $r -eq 5$p ]; then
fail "ssh succeeded with bad cert in protocol $p"
fi
# Keys with untrusted cert should fail.
verbose "untrusted cert"
opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub"
${SSH} $opts3 somehost exit 52
r=$?
if [ $r -eq 52 ]; then
fail "ssh succeeded with bad cert"
fi
# Good cert with bad key should fail.
verbose "protocol $p: good cert, bad key"
opts3="$opts -i $OBJ/user_key2"
opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
${SSH} $opts3 somehost exit 5$p
r=$?
if [ $r -eq 5$p ]; then
fail "ssh succeeded with no matching key in protocol $p"
fi
# Good cert with bad key should fail.
verbose "good cert, bad key"
opts3="$opts -i $OBJ/user_key2"
opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
${SSH} $opts3 somehost exit 52
r=$?
if [ $r -eq 52 ]; then
fail "ssh succeeded with no matching key"
fi
# Keys with one trusted cert, should succeed.
verbose "protocol $p: single trusted"
opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
${SSH} $opts3 somehost exit 5$p
r=$?
if [ $r -ne 5$p ]; then
fail "ssh failed with trusted cert and key in protocol $p"
fi
# Keys with one trusted cert, should succeed.
verbose "single trusted"
opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
${SSH} $opts3 somehost exit 52
r=$?
if [ $r -ne 52 ]; then
fail "ssh failed with trusted cert and key"
fi
# Multiple certs and keys, with one trusted cert, should succeed.
verbose "protocol $p: multiple trusted"
opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub"
opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
${SSH} $opts3 somehost exit 5$p
r=$?
if [ $r -ne 5$p ]; then
fail "ssh failed with multiple certs in protocol $p"
fi
done
# Multiple certs and keys, with one trusted cert, should succeed.
verbose "multiple trusted"
opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub"
opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
${SSH} $opts3 somehost exit 52
r=$?
if [ $r -ne 52 ]; then
fail "ssh failed with multiple certs"
fi
#next, using an agent in combination with the keys
SSH_AUTH_SOCK=/nonexistent ${SSHADD} -l > /dev/null 2>&1
@ -139,26 +137,25 @@ if [ $? -ne 0 ]; then
fi
# try ssh with the agent and certificates
# note: ssh agent only uses certificates in protocol 2
opts="-F $OBJ/ssh_proxy"
# with no certificates, shoud fail
${SSH} -2 $opts somehost exit 52
${SSH} $opts somehost exit 52
if [ $? -eq 52 ]; then
fail "ssh connect with agent in protocol 2 succeeded with no cert"
fail "ssh connect with agent in succeeded with no cert"
fi
#with an untrusted certificate, should fail
opts="$opts -oCertificateFile=$OBJ/cert_user_key1_2.pub"
${SSH} -2 $opts somehost exit 52
${SSH} $opts somehost exit 52
if [ $? -eq 52 ]; then
fail "ssh connect with agent in protocol 2 succeeded with bad cert"
fail "ssh connect with agent in succeeded with bad cert"
fi
#with an additional trusted certificate, should succeed
opts="$opts -oCertificateFile=$OBJ/cert_user_key1_1.pub"
${SSH} -2 $opts somehost exit 52
${SSH} $opts somehost exit 52
if [ $? -ne 52 ]; then
fail "ssh connect with agent in protocol 2 failed with good cert"
fail "ssh connect with agent in failed with good cert"
fi
trace "kill agent"

14
regress/cert-hostkey.sh
View File

@ -1,4 +1,4 @@
# $OpenBSD: cert-hostkey.sh,v 1.14 2016/05/02 09:52:00 djm Exp $
# $OpenBSD: cert-hostkey.sh,v 1.15 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="certified host keys"
@ -104,7 +104,7 @@ attempt_connect() {
shift; shift
verbose "$tid: $_ident expect success $_expect_success"
cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \
-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
"$@" -F $OBJ/ssh_proxy somehost true
_r=$?
@ -169,7 +169,7 @@ for privsep in yes no ; do
) > $OBJ/sshd_proxy
cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \
-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
@ -190,7 +190,7 @@ for ktype in $PLAIN_TYPES ; do
echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
) > $OBJ/sshd_proxy
cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \
-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
@ -222,7 +222,7 @@ test_one() {
) > $OBJ/sshd_proxy
cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \
-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
rc=$?
@ -271,7 +271,7 @@ for ktype in $PLAIN_TYPES ; do
echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
) > $OBJ/sshd_proxy
${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \
-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
-F $OBJ/ssh_proxy somehost true
if [ $? -ne 0 ]; then
@ -303,7 +303,7 @@ for kt in $PLAIN_TYPES ; do
) > $OBJ/sshd_proxy
cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \
-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
-F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then

36
regress/cert-userkey.sh
View File

@ -1,4 +1,4 @@
# $OpenBSD: cert-userkey.sh,v 1.17 2016/11/30 03:01:33 djm Exp $
# $OpenBSD: cert-userkey.sh,v 1.18 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="certified user keys"
@ -67,7 +67,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
# Missing authorized_principals
verbose "$tid: ${_prefix} missing authorized_principals"
rm -f $OBJ/authorized_principals_$USER
${SSH} -2i $OBJ/cert_user_key_${ktype} \
${SSH} -i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect succeeded unexpectedly"
@ -76,7 +76,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
# Empty authorized_principals
verbose "$tid: ${_prefix} empty authorized_principals"
echo > $OBJ/authorized_principals_$USER
${SSH} -2i $OBJ/cert_user_key_${ktype} \
${SSH} -i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect succeeded unexpectedly"
@ -85,7 +85,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
# Wrong authorized_principals
verbose "$tid: ${_prefix} wrong authorized_principals"
echo gregorsamsa > $OBJ/authorized_principals_$USER
${SSH} -2i $OBJ/cert_user_key_${ktype} \
${SSH} -i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect succeeded unexpectedly"
@ -94,7 +94,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
# Correct authorized_principals
verbose "$tid: ${_prefix} correct authorized_principals"
echo mekmitasdigoat > $OBJ/authorized_principals_$USER
${SSH} -2i $OBJ/cert_user_key_${ktype} \
${SSH} -i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -ne 0 ]; then
fail "ssh cert connect failed"
@ -103,7 +103,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
# authorized_principals with bad key option
verbose "$tid: ${_prefix} authorized_principals bad key opt"
echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
${SSH} -2i $OBJ/cert_user_key_${ktype} \
${SSH} -i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect succeeded unexpectedly"
@ -113,7 +113,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
verbose "$tid: ${_prefix} authorized_principals command=false"
echo 'command="false" mekmitasdigoat' > \
$OBJ/authorized_principals_$USER
${SSH} -2i $OBJ/cert_user_key_${ktype} \
${SSH} -i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect succeeded unexpectedly"
@ -124,7 +124,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
verbose "$tid: ${_prefix} authorized_principals command=true"
echo 'command="true" mekmitasdigoat' > \
$OBJ/authorized_principals_$USER
${SSH} -2i $OBJ/cert_user_key_${ktype} \
${SSH} -i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
if [ $? -ne 0 ]; then
fail "ssh cert connect failed"
@ -148,7 +148,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
printf 'cert-authority,principals="gregorsamsa" '
cat $OBJ/user_ca_key.pub
) > $OBJ/authorized_keys_$USER
${SSH} -2i $OBJ/cert_user_key_${ktype} \
${SSH} -i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect succeeded unexpectedly"
@ -160,7 +160,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
printf 'cert-authority,principals="mekmitasdigoat" '
cat $OBJ/user_ca_key.pub
) > $OBJ/authorized_keys_$USER
${SSH} -2i $OBJ/cert_user_key_${ktype} \
${SSH} -i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -ne 0 ]; then
fail "ssh cert connect failed"
@ -198,7 +198,7 @@ basic_tests() {
echo "PubkeyAcceptedKeyTypes ${t}"
) > $OBJ/ssh_proxy
${SSH} -2i $OBJ/cert_user_key_${ktype} \
${SSH} -i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true
if [ $? -ne 0 ]; then
fail "ssh cert connect failed"
@ -215,7 +215,7 @@ basic_tests() {
) > $OBJ/sshd_proxy
cp $OBJ/cert_user_key_${ktype}.pub \
$OBJ/cert_user_key_revoked
${SSH} -2i $OBJ/cert_user_key_${ktype} \
${SSH} -i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect succeeded unexpecedly"
@ -224,14 +224,14 @@ basic_tests() {
rm $OBJ/cert_user_key_revoked
${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked \
$OBJ/cert_user_key_${ktype}.pub
${SSH} -2i $OBJ/cert_user_key_${ktype} \
${SSH} -i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect succeeded unexpecedly"
fi
verbose "$tid: ${_prefix} empty KRL"
${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked
${SSH} -2i $OBJ/cert_user_key_${ktype} \
${SSH} -i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -ne 0 ]; then
fail "ssh cert connect failed"
@ -246,7 +246,7 @@ basic_tests() {
echo "PubkeyAcceptedKeyTypes ${t}"
echo "$extra_sshd"
) > $OBJ/sshd_proxy
${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
${SSH} -i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect succeeded unexpecedly"
@ -260,7 +260,7 @@ basic_tests() {
echo "$extra_sshd"
) > $OBJ/sshd_proxy
verbose "$tid: ensure CA key does not authenticate user"
${SSH} -2i $OBJ/user_ca_key \
${SSH} -i $OBJ/user_ca_key \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect with CA key succeeded unexpectedly"
@ -307,7 +307,7 @@ test_one() {
$sign_opts $OBJ/cert_user_key_${ktype} ||
fail "couldn't sign cert_user_key_${ktype}"
${SSH} -2i $OBJ/cert_user_key_${ktype} \
${SSH} -i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
rc=$?
if [ "x$result" = "xsuccess" ] ; then
@ -378,7 +378,7 @@ for ktype in $PLAIN_TYPES ; do
-n $USER $OBJ/cert_user_key_${ktype} ||
fatal "couldn't sign cert_user_key_${ktype}"
verbose "$tid: user ${ktype} connect wrong cert"
${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
${SSH} -i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect $ident succeeded unexpectedly"

76
regress/cfgmatch.sh
View File

@ -1,4 +1,4 @@
# $OpenBSD: cfgmatch.sh,v 1.9 2015/03/03 22:35:19 markus Exp $
# $OpenBSD: cfgmatch.sh,v 1.10 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="sshd_config match"
@ -13,7 +13,7 @@ echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_proxy
start_client()
{
rm -f $pidfile
${SSH} -q -$p $fwd "$@" somehost \
${SSH} -q $fwd "$@" somehost \
exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \
>>$TEST_REGRESS_LOGFILE 2>&1 &
client_pid=$!
@ -56,22 +56,18 @@ start_sshd
#set -x
# Test Match + PermitOpen in sshd_config. This should be permitted
for p in ${SSH_PROTOCOLS}; do
trace "match permitopen localhost proto $p"
start_client -F $OBJ/ssh_config
${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
fail "match permitopen permit proto $p"
stop_client
done
trace "match permitopen localhost"
start_client -F $OBJ/ssh_config
${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
fail "match permitopen permit"
stop_client
# Same but from different source. This should not be permitted
for p in ${SSH_PROTOCOLS}; do
trace "match permitopen proxy proto $p"
start_client -F $OBJ/ssh_proxy
${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
fail "match permitopen deny proto $p"
stop_client
done
trace "match permitopen proxy"
start_client -F $OBJ/ssh_proxy
${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true && \
fail "match permitopen deny"
stop_client
# Retry previous with key option, should also be denied.
cp /dev/null $OBJ/authorized_keys_$USER
@ -79,23 +75,19 @@ for t in ${SSH_KEYTYPES}; do
printf 'permitopen="127.0.0.1:'$PORT'" ' >> $OBJ/authorized_keys_$USER
cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
done
for p in ${SSH_PROTOCOLS}; do
trace "match permitopen proxy w/key opts proto $p"
start_client -F $OBJ/ssh_proxy
${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
fail "match permitopen deny w/key opt proto $p"
stop_client
done
trace "match permitopen proxy w/key opts"
start_client -F $OBJ/ssh_proxy
${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true && \
fail "match permitopen deny w/key opt"
stop_client
# Test both sshd_config and key options permitting the same dst/port pair.
# Should be permitted.
for p in ${SSH_PROTOCOLS}; do
trace "match permitopen localhost proto $p"
start_client -F $OBJ/ssh_config
${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
fail "match permitopen permit proto $p"
stop_client
done
trace "match permitopen localhost"
start_client -F $OBJ/ssh_config
${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
fail "match permitopen permit"
stop_client
cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy
@ -103,13 +95,11 @@ echo "Match User $USER" >>$OBJ/sshd_proxy
echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
# Test that a Match overrides a PermitOpen in the global section
for p in ${SSH_PROTOCOLS}; do
trace "match permitopen proxy w/key opts proto $p"
start_client -F $OBJ/ssh_proxy
${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
fail "match override permitopen proto $p"
stop_client
done
trace "match permitopen proxy w/key opts"
start_client -F $OBJ/ssh_proxy
${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true && \
fail "match override permitopen"
stop_client
cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy
@ -118,10 +108,8 @@ echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
# Test that a rule that doesn't match doesn't override, plus test a
# PermitOpen entry that's not at the start of the list
for p in ${SSH_PROTOCOLS}; do
trace "nomatch permitopen proxy w/key opts proto $p"
start_client -F $OBJ/ssh_proxy
${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
fail "nomatch override permitopen proto $p"
stop_client
done
trace "nomatch permitopen proxy w/key opts"
start_client -F $OBJ/ssh_proxy
${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
fail "nomatch override permitopen"
stop_client

27
regress/cipher-speed.sh
View File

@ -1,4 +1,4 @@
# $OpenBSD: cipher-speed.sh,v 1.13 2015/03/24 20:22:17 markus Exp $
# $OpenBSD: cipher-speed.sh,v 1.14 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="cipher speed"
@ -12,16 +12,16 @@ getbytes ()
tries="1 2"
for c in `${SSH} -Q cipher`; do n=0; for m in `${SSH} -Q mac`; do
trace "proto 2 cipher $c mac $m"
trace "cipher $c mac $m"
for x in $tries; do
printf "%-60s" "$c/$m:"
( ${SSH} -o 'compression no' \
-F $OBJ/ssh_proxy -2 -m $m -c $c somehost \
-F $OBJ/ssh_proxy -m $m -c $c somehost \
exec sh -c \'"dd of=/dev/null obs=32k"\' \
< ${DATA} ) 2>&1 | getbytes
if [ $? -ne 0 ]; then
fail "ssh -2 failed with mac $m cipher $c"
fail "ssh failed with mac $m cipher $c"
fi
done
# No point trying all MACs for AEAD ciphers since they are ignored.
@ -30,22 +30,3 @@ for c in `${SSH} -Q cipher`; do n=0; for m in `${SSH} -Q mac`; do
fi
n=`expr $n + 1`
done; done
if ssh_version 1; then
ciphers="3des blowfish"
else
ciphers=""
fi
for c in $ciphers; do
trace "proto 1 cipher $c"
for x in $tries; do
printf "%-60s" "$c:"
( ${SSH} -o 'compression no' \
-F $OBJ/ssh_proxy -1 -c $c somehost \
exec sh -c \'"dd of=/dev/null obs=32k"\' \
< ${DATA} ) 2>&1 | getbytes
if [ $? -ne 0 ]; then
fail "ssh -1 failed with cipher $c"
fi
done
done

30
regress/connect-privsep.sh
View File

@ -1,4 +1,4 @@
# $OpenBSD: connect-privsep.sh,v 1.8 2016/11/01 13:43:27 tb Exp $
# $OpenBSD: connect-privsep.sh,v 1.9 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="proxy connect with privsep"
@ -6,23 +6,19 @@ tid="proxy connect with privsep"
cp $OBJ/sshd_proxy $OBJ/sshd_proxy.orig
echo 'UsePrivilegeSeparation yes' >> $OBJ/sshd_proxy
for p in ${SSH_PROTOCOLS}; do
${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true
if [ $? -ne 0 ]; then
fail "ssh privsep+proxyconnect protocol $p failed"
fi
done
${SSH} -F $OBJ/ssh_proxy 999.999.999.999 true
if [ $? -ne 0 ]; then
fail "ssh privsep+proxyconnect failed"
fi
cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
echo 'UsePrivilegeSeparation sandbox' >> $OBJ/sshd_proxy
for p in ${SSH_PROTOCOLS}; do
${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true
if [ $? -ne 0 ]; then
# XXX replace this with fail once sandbox has stabilised
warn "ssh privsep/sandbox+proxyconnect protocol $p failed"
fi
done
${SSH} -F $OBJ/ssh_proxy 999.999.999.999 true
if [ $? -ne 0 ]; then
# XXX replace this with fail once sandbox has stabilised
warn "ssh privsep/sandbox+proxyconnect failed"
fi
# Because sandbox is sensitive to changes in libc, especially malloc, retest
# with every malloc.conf option (and none).
@ -32,10 +28,8 @@ else
mopts=`echo $TEST_MALLOC_OPTIONS | sed 's/./& /g'`
fi
for m in '' $mopts ; do
for p in ${SSH_PROTOCOLS}; do
env MALLOC_OPTIONS="$m" ${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true
env MALLOC_OPTIONS="$m" ${SSH} -F $OBJ/ssh_proxy 999.999.999.999 true
if [ $? -ne 0 ]; then
fail "ssh privsep/sandbox+proxyconnect protocol $p mopt '$m' failed"
fail "ssh privsep/sandbox+proxyconnect mopt '$m' failed"
fi
done
done

12
regress/connect.sh
View File

@ -1,13 +1,11 @@
# $OpenBSD: connect.sh,v 1.5 2015/03/03 22:35:19 markus Exp $
# $OpenBSD: connect.sh,v 1.6 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="simple connect"
start_sshd
for p in ${SSH_PROTOCOLS}; do
${SSH} -o "Protocol=$p" -F $OBJ/ssh_config somehost true
if [ $? -ne 0 ]; then
fail "ssh connect with protocol $p failed"
fi
done
${SSH} -F $OBJ/ssh_config somehost true
if [ $? -ne 0 ]; then
fail "ssh connect with failed"
fi

2
regress/dynamic-forward.sh
View File

@ -1,4 +1,4 @@
# $OpenBSD: dynamic-forward.sh,v 1.11 2015/03/03 22:35:19 markus Exp $
# $OpenBSD: dynamic-forward.sh,v 1.12 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="dynamic forwarding"

34
regress/exit-status.sh
View File

@ -1,24 +1,22 @@
# $OpenBSD: exit-status.sh,v 1.7 2015/03/03 22:35:19 markus Exp $
# $OpenBSD: exit-status.sh,v 1.8 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="remote exit status"
for p in ${SSH_PROTOCOLS}; do
for s in 0 1 4 5 44; do
trace "proto $p status $s"
verbose "test $tid: proto $p status $s"
${SSH} -$p -F $OBJ/ssh_proxy otherhost exit $s
r=$?
if [ $r -ne $s ]; then
fail "exit code mismatch for protocol $p: $r != $s"
fi
for s in 0 1 4 5 44; do
trace "status $s"
verbose "test $tid: status $s"
${SSH} -F $OBJ/ssh_proxy otherhost exit $s
r=$?
if [ $r -ne $s ]; then
fail "exit code mismatch for: $r != $s"
fi
# same with early close of stdout/err
${SSH} -$p -F $OBJ/ssh_proxy -n otherhost \
exec sh -c \'"sleep 2; exec > /dev/null 2>&1; sleep 3; exit $s"\'
r=$?
if [ $r -ne $s ]; then
fail "exit code (with sleep) mismatch for protocol $p: $r != $s"
fi
done
# same with early close of stdout/err
${SSH} -F $OBJ/ssh_proxy -n otherhost exec \
sh -c \'"sleep 2; exec > /dev/null 2>&1; sleep 3; exit $s"\'
r=$?
if [ $r -ne $s ]; then
fail "exit code (with sleep) mismatch for: $r != $s"
fi
done

23
regress/forcecommand.sh
View File

@ -1,4 +1,4 @@
# $OpenBSD: forcecommand.sh,v 1.3 2015/03/03 22:35:19 markus Exp $
# $OpenBSD: forcecommand.sh,v 1.4 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="forced command"
@ -11,11 +11,8 @@ for t in ${SSH_KEYTYPES}; do
cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
done
for p in ${SSH_PROTOCOLS}; do
trace "forced command in key option proto $p"
${SSH} -$p -F $OBJ/ssh_proxy somehost false \ ||
fail "forced command in key proto $p"
done
trace "forced command in key option"
${SSH} -F $OBJ/ssh_proxy somehost false || fail "forced command in key"
cp /dev/null $OBJ/authorized_keys_$USER
for t in ${SSH_KEYTYPES}; do
@ -26,19 +23,13 @@ done
cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
echo "ForceCommand true" >> $OBJ/sshd_proxy
for p in ${SSH_PROTOCOLS}; do
trace "forced command in sshd_config overrides key option proto $p"
${SSH} -$p -F $OBJ/ssh_proxy somehost false \ ||
fail "forced command in key proto $p"
done
trace "forced command in sshd_config overrides key option"
${SSH} -F $OBJ/ssh_proxy somehost false || fail "forced command in key"
cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
echo "ForceCommand false" >> $OBJ/sshd_proxy
echo "Match User $USER" >> $OBJ/sshd_proxy
echo " ForceCommand true" >> $OBJ/sshd_proxy
for p in ${SSH_PROTOCOLS}; do
trace "forced command with match proto $p"
${SSH} -$p -F $OBJ/ssh_proxy somehost false \ ||
fail "forced command in key proto $p"
done
trace "forced command with match"
${SSH} -F $OBJ/ssh_proxy somehost false || fail "forced command in key"

109
regress/forward-control.sh
View File

@ -1,4 +1,4 @@
# $OpenBSD: forward-control.sh,v 1.3 2015/03/03 22:35:19 markus Exp $
# $OpenBSD: forward-control.sh,v 1.4 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="sshd control of local and remote forwarding"
@ -32,13 +32,12 @@ wait_for_process_to_exit() {
return 0
}
# usage: check_lfwd protocol Y|N message
# usage: check_lfwd Y|N message
check_lfwd() {
_proto=$1
_expected=$2
_message=$3
_expected=$1
_message=$2
rm -f $READY
${SSH} -oProtocol=$_proto -F $OBJ/ssh_proxy \
${SSH} -F $OBJ/ssh_proxy \
-L$LFWD_PORT:127.0.0.1:$PORT \
-o ExitOnForwardFailure=yes \
-n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \
@ -62,13 +61,12 @@ check_lfwd() {
fi
}
# usage: check_rfwd protocol Y|N message
# usage: check_rfwd Y|N message
check_rfwd() {
_proto=$1
_expected=$2
_message=$3
_expected=$1
_message=$2
rm -f $READY
${SSH} -oProtocol=$_proto -F $OBJ/ssh_proxy \
${SSH} -F $OBJ/ssh_proxy \
-R$RFWD_PORT:127.0.0.1:$PORT \
-o ExitOnForwardFailure=yes \
-n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \
@ -99,10 +97,8 @@ cp ${OBJ}/sshd_proxy ${OBJ}/sshd_proxy.bak
cp ${OBJ}/authorized_keys_${USER} ${OBJ}/authorized_keys_${USER}.bak
# Sanity check: ensure the default config allows forwarding
for p in ${SSH_PROTOCOLS} ; do
check_lfwd $p Y "proto $p, default configuration"
check_rfwd $p Y "proto $p, default configuration"
done
check_lfwd Y "default configuration"
check_rfwd Y "default configuration"
# Usage: all_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N
all_tests() {
@ -115,49 +111,46 @@ all_tests() {
_permit_rfwd=$7
_badfwd=127.0.0.1:22
_goodfwd=127.0.0.1:${PORT}
for _proto in ${SSH_PROTOCOLS} ; do
cp ${OBJ}/authorized_keys_${USER}.bak \
${OBJ}/authorized_keys_${USER}
_prefix="proto $_proto, AllowTcpForwarding=$_tcpfwd"
# No PermitOpen
( cat ${OBJ}/sshd_proxy.bak ;
echo "AllowTcpForwarding $_tcpfwd" ) \
> ${OBJ}/sshd_proxy
check_lfwd $_proto $_plain_lfwd "$_prefix"
check_rfwd $_proto $_plain_rfwd "$_prefix"
# PermitOpen via sshd_config that doesn't match
( cat ${OBJ}/sshd_proxy.bak ;
echo "AllowTcpForwarding $_tcpfwd" ;
echo "PermitOpen $_badfwd" ) \
> ${OBJ}/sshd_proxy
check_lfwd $_proto $_nopermit_lfwd "$_prefix, !PermitOpen"
check_rfwd $_proto $_nopermit_rfwd "$_prefix, !PermitOpen"
# PermitOpen via sshd_config that does match
( cat ${OBJ}/sshd_proxy.bak ;
echo "AllowTcpForwarding $_tcpfwd" ;
echo "PermitOpen $_badfwd $_goodfwd" ) \
> ${OBJ}/sshd_proxy
# NB. permitopen via authorized_keys should have same
# success/fail as via sshd_config
# permitopen via authorized_keys that doesn't match
sed "s/^/permitopen=\"$_badfwd\" /" \
< ${OBJ}/authorized_keys_${USER}.bak \
> ${OBJ}/authorized_keys_${USER} || fatal "sed 1 fail"
( cat ${OBJ}/sshd_proxy.bak ;
echo "AllowTcpForwarding $_tcpfwd" ) \
> ${OBJ}/sshd_proxy
check_lfwd $_proto $_nopermit_lfwd "$_prefix, !permitopen"
check_rfwd $_proto $_nopermit_rfwd "$_prefix, !permitopen"
# permitopen via authorized_keys that does match
sed "s/^/permitopen=\"$_badfwd\",permitopen=\"$_goodfwd\" /" \
< ${OBJ}/authorized_keys_${USER}.bak \
> ${OBJ}/authorized_keys_${USER} || fatal "sed 2 fail"
( cat ${OBJ}/sshd_proxy.bak ;
echo "AllowTcpForwarding $_tcpfwd" ) \
> ${OBJ}/sshd_proxy
check_lfwd $_proto $_permit_lfwd "$_prefix, permitopen"
check_rfwd $_proto $_permit_rfwd "$_prefix, permitopen"
done
cp ${OBJ}/authorized_keys_${USER}.bak ${OBJ}/authorized_keys_${USER}
_prefix="AllowTcpForwarding=$_tcpfwd"
# No PermitOpen
( cat ${OBJ}/sshd_proxy.bak ;
echo "AllowTcpForwarding $_tcpfwd" ) \
> ${OBJ}/sshd_proxy
check_lfwd $_plain_lfwd "$_prefix"
check_rfwd $_plain_rfwd "$_prefix"
# PermitOpen via sshd_config that doesn't match
( cat ${OBJ}/sshd_proxy.bak ;
echo "AllowTcpForwarding $_tcpfwd" ;
echo "PermitOpen $_badfwd" ) \
> ${OBJ}/sshd_proxy
check_lfwd $_nopermit_lfwd "$_prefix, !PermitOpen"
check_rfwd $_nopermit_rfwd "$_prefix, !PermitOpen"
# PermitOpen via sshd_config that does match
( cat ${OBJ}/sshd_proxy.bak ;
echo "AllowTcpForwarding $_tcpfwd" ;
echo "PermitOpen $_badfwd $_goodfwd" ) \
> ${OBJ}/sshd_proxy
# NB. permitopen via authorized_keys should have same
# success/fail as via sshd_config
# permitopen via authorized_keys that doesn't match
sed "s/^/permitopen=\"$_badfwd\" /" \
< ${OBJ}/authorized_keys_${USER}.bak \
> ${OBJ}/authorized_keys_${USER} || fatal "sed 1 fail"
( cat ${OBJ}/sshd_proxy.bak ;
echo "AllowTcpForwarding $_tcpfwd" ) \
> ${OBJ}/sshd_proxy
check_lfwd $_nopermit_lfwd "$_prefix, !permitopen"
check_rfwd $_nopermit_rfwd "$_prefix, !permitopen"
# permitopen via authorized_keys that does match
sed "s/^/permitopen=\"$_badfwd\",permitopen=\"$_goodfwd\" /" \
< ${OBJ}/authorized_keys_${USER}.bak \
> ${OBJ}/authorized_keys_${USER} || fatal "sed 2 fail"
( cat ${OBJ}/sshd_proxy.bak ;
echo "AllowTcpForwarding $_tcpfwd" ) \
> ${OBJ}/sshd_proxy
check_lfwd $_permit_lfwd "$_prefix, permitopen"
check_rfwd $_permit_rfwd "$_prefix, permitopen"
}
# no-permitopen mismatch-permitopen match-permitopen

164
regress/forwarding.sh
View File

@ -1,4 +1,4 @@
# $OpenBSD: forwarding.sh,v 1.19 2017/01/30 05:22:14 djm Exp $
# $OpenBSD: forwarding.sh,v 1.20 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="local and remote forwarding"
@ -22,30 +22,24 @@ for j in 0 1 2; do
last=$a
done
done
for p in ${SSH_PROTOCOLS}; do
q=`expr 3 - $p`
if ! ssh_version $q; then
q=$p
fi
trace "start forwarding, fork to background"
rm -f $CTL
${SSH} -S $CTL -M -$p -F $OBJ/ssh_config -f $fwd somehost sleep 10
trace "transfer over forwarded channels and check result"
${SSH} -$q -F $OBJ/ssh_config -p$last -o 'ConnectionAttempts=4' \
somehost cat ${DATA} > ${COPY}
test -s ${COPY} || fail "failed copy of ${DATA}"
cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}"
trace "start forwarding, fork to background"
rm -f $CTL
${SSH} -S $CTL -M -F $OBJ/ssh_config -f $fwd somehost sleep 10
${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost
done
trace "transfer over forwarded channels and check result"
${SSH} -F $OBJ/ssh_config -p$last -o 'ConnectionAttempts=4' \
somehost cat ${DATA} > ${COPY}
test -s ${COPY} || fail "failed copy of ${DATA}"
cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}"
${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost
for p in ${SSH_PROTOCOLS}; do
for d in L R; do
trace "exit on -$d forward failure, proto $p"
trace "exit on -$d forward failure"
# this one should succeed
${SSH} -$p -F $OBJ/ssh_config \
${SSH} -F $OBJ/ssh_config \
-$d ${base}01:127.0.0.1:$PORT \
-$d ${base}02:127.0.0.1:$PORT \
-$d ${base}03:127.0.0.1:$PORT \
@ -55,7 +49,7 @@ for d in L R; do
fatal "connection failed, should not"
else
# this one should fail
${SSH} -q -$p -F $OBJ/ssh_config \
${SSH} -q -F $OBJ/ssh_config \
-$d ${base}01:127.0.0.1:$PORT \
-$d ${base}02:127.0.0.1:$PORT \
-$d ${base}03:127.0.0.1:$PORT \
@ -68,82 +62,74 @@ for d in L R; do
fi
fi
done
done
for p in ${SSH_PROTOCOLS}; do
trace "simple clear forwarding proto $p"
${SSH} -$p -F $OBJ/ssh_config -oClearAllForwardings=yes somehost true
trace "simple clear forwarding"
${SSH} -F $OBJ/ssh_config -oClearAllForwardings=yes somehost true
trace "clear local forward proto $p"
rm -f $CTL
${SSH} -S $CTL -M -$p -f -F $OBJ/ssh_config -L ${base}01:127.0.0.1:$PORT \
-oClearAllForwardings=yes somehost sleep 10
if [ $? != 0 ]; then
fail "connection failed with cleared local forwarding"
else
# this one should fail
${SSH} -$p -F $OBJ/ssh_config -p ${base}01 somehost true \
>>$TEST_REGRESS_LOGFILE 2>&1 && \
fail "local forwarding not cleared"
fi
${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost
trace "clear remote forward proto $p"
rm -f $CTL
${SSH} -S $CTL -M -$p -f -F $OBJ/ssh_config -R ${base}01:127.0.0.1:$PORT \
-oClearAllForwardings=yes somehost sleep 10
if [ $? != 0 ]; then
fail "connection failed with cleared remote forwarding"
else
# this one should fail
${SSH} -$p -F $OBJ/ssh_config -p ${base}01 somehost true \
>>$TEST_REGRESS_LOGFILE 2>&1 && \
fail "remote forwarding not cleared"
fi
${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost
done
trace "clear local forward"
rm -f $CTL
${SSH} -S $CTL -M -f -F $OBJ/ssh_config -L ${base}01:127.0.0.1:$PORT \
-oClearAllForwardings=yes somehost sleep 10
if [ $? != 0 ]; then
fail "connection failed with cleared local forwarding"
else
# this one should fail
${SSH} -F $OBJ/ssh_config -p ${base}01 somehost true \
>>$TEST_REGRESS_LOGFILE 2>&1 && \
fail "local forwarding not cleared"
fi
${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost
for p in 2; do
trace "stdio forwarding proto $p"
cmd="${SSH} -$p -F $OBJ/ssh_config"
$cmd -o "ProxyCommand $cmd -q -W localhost:$PORT somehost" \
somehost true
if [ $? != 0 ]; then
fail "stdio forwarding proto $p"
fi
done
trace "clear remote forward"
rm -f $CTL
${SSH} -S $CTL -M -f -F $OBJ/ssh_config -R ${base}01:127.0.0.1:$PORT \
-oClearAllForwardings=yes somehost sleep 10
if [ $? != 0 ]; then
fail "connection failed with cleared remote forwarding"
else
# this one should fail
${SSH} -F $OBJ/ssh_config -p ${base}01 somehost true \
>>$TEST_REGRESS_LOGFILE 2>&1 && \
fail "remote forwarding not cleared"
fi
${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost
trace "stdio forwarding"
cmd="${SSH} -F $OBJ/ssh_config"
$cmd -o "ProxyCommand $cmd -q -W localhost:$PORT somehost" somehost true
if [ $? != 0 ]; then
fail "stdio forwarding"
fi
echo "LocalForward ${base}01 127.0.0.1:$PORT" >> $OBJ/ssh_config
echo "RemoteForward ${base}02 127.0.0.1:${base}01" >> $OBJ/ssh_config
for p in ${SSH_PROTOCOLS}; do
trace "config file: start forwarding, fork to background"
rm -f $CTL
${SSH} -S $CTL -M -$p -F $OBJ/ssh_config -f somehost sleep 10
trace "config file: transfer over forwarded channels and check result"
${SSH} -F $OBJ/ssh_config -p${base}02 -o 'ConnectionAttempts=4' \
somehost cat ${DATA} > ${COPY}
test -s ${COPY} || fail "failed copy of ${DATA}"
cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}"
trace "config file: start forwarding, fork to background"
rm -f $CTL
${SSH} -S $CTL -M -F $OBJ/ssh_config -f somehost sleep 10
${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost
done
trace "config file: transfer over forwarded channels and check result"
${SSH} -F $OBJ/ssh_config -p${base}02 -o 'ConnectionAttempts=4' \
somehost cat ${DATA} > ${COPY}
test -s ${COPY} || fail "failed copy of ${DATA}"
cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}"
for p in 2; do
trace "transfer over chained unix domain socket forwards and check result"
rm -f $OBJ/unix-[123].fwd
rm -f $CTL $CTL.[123]
${SSH} -S $CTL -M -f -F $OBJ/ssh_config -R${base}01:[$OBJ/unix-1.fwd] somehost sleep 10
${SSH} -S $CTL.1 -M -f -F $OBJ/ssh_config -L[$OBJ/unix-1.fwd]:[$OBJ/unix-2.fwd] somehost sleep 10
${SSH} -S $CTL.2 -M -f -F $OBJ/ssh_config -R[$OBJ/unix-2.fwd]:[$OBJ/unix-3.fwd] somehost sleep 10
${SSH} -S $CTL.3 -M -f -F $OBJ/ssh_config -L[$OBJ/unix-3.fwd]:127.0.0.1:$PORT somehost sleep 10
${SSH} -F $OBJ/ssh_config -p${base}01 -o 'ConnectionAttempts=4' \
somehost cat ${DATA} > ${COPY}
test -s ${COPY} || fail "failed copy ${DATA}"
cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}"
${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost
trace "transfer over chained unix domain socket forwards and check result"
rm -f $OBJ/unix-[123].fwd
rm -f $CTL $CTL.[123]
${SSH} -S $CTL -M -f -F $OBJ/ssh_config -R${base}01:[$OBJ/unix-1.fwd] somehost sleep 10
${SSH} -S $CTL.1 -M -f -F $OBJ/ssh_config -L[$OBJ/unix-1.fwd]:[$OBJ/unix-2.fwd] somehost sleep 10
${SSH} -S $CTL.2 -M -f -F $OBJ/ssh_config -R[$OBJ/unix-2.fwd]:[$OBJ/unix-3.fwd] somehost sleep 10
${SSH} -S $CTL.3 -M -f -F $OBJ/ssh_config -L[$OBJ/unix-3.fwd]:127.0.0.1:$PORT somehost sleep 10
${SSH} -F $OBJ/ssh_config -p${base}01 -o 'ConnectionAttempts=4' \
somehost cat ${DATA} > ${COPY}
test -s ${COPY} || fail "failed copy ${DATA}"
cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}"
${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost
${SSH} -F $OBJ/ssh_config -S $CTL.1 -O exit somehost
${SSH} -F $OBJ/ssh_config -S $CTL.2 -O exit somehost
${SSH} -F $OBJ/ssh_config -S $CTL.3 -O exit somehost
${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost
${SSH} -F $OBJ/ssh_config -S $CTL.1 -O exit somehost
${SSH} -F $OBJ/ssh_config -S $CTL.2 -O exit somehost
${SSH} -F $OBJ/ssh_config -S $CTL.3 -O exit somehost
done

9
regress/host-expand.sh
View File

@ -1,4 +1,4 @@
# $OpenBSD: host-expand.sh,v 1.4 2015/03/03 22:35:19 markus Exp $
# $OpenBSD: host-expand.sh,v 1.5 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="expand %h and %n"
@ -11,9 +11,6 @@ somehost
127.0.0.1
EOE
for p in ${SSH_PROTOCOLS}; do
verbose "test $tid: proto $p"
${SSH} -F $OBJ/ssh_proxy -$p somehost true >$OBJ/actual
diff $OBJ/expect $OBJ/actual || fail "$tid proto $p"
done
${SSH} -F $OBJ/ssh_proxy somehost true >$OBJ/actual
diff $OBJ/expect $OBJ/actual || fail "$tid"

4
regress/hostkey-agent.sh
View File

@ -1,4 +1,4 @@
# $OpenBSD: hostkey-agent.sh,v 1.6 2015/07/10 06:23:25 markus Exp $
# $OpenBSD: hostkey-agent.sh,v 1.7 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="hostkey agent"
@ -40,7 +40,7 @@ for ps in no yes; do
cp $OBJ/known_hosts.orig $OBJ/known_hosts
SSH_CONNECTION=`${SSH} $opts host 'echo $SSH_CONNECTION'`
if [ $? -ne 0 ]; then
fail "protocol $p privsep=$ps failed"
fail "privsep=$ps failed"
fi
if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then
fail "bad SSH_CONNECTION key type $k privsep=$ps"

4
regress/integrity.sh
View File

@ -1,4 +1,4 @@
# $OpenBSD: integrity.sh,v 1.22 2017/04/28 04:16:27 dtucker Exp $
# $OpenBSD: integrity.sh,v 1.23 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="integrity"
@ -46,7 +46,7 @@ for m in $macs; do
macopt="-m $m -c aes128-ctr"
fi
verbose "test $tid: $m @$off"
${SSH} $macopt -2F $OBJ/ssh_proxy -o "$pxy" \
${SSH} $macopt -F $OBJ/ssh_proxy -o "$pxy" \
-oServerAliveInterval=1 -oServerAliveCountMax=30 \
999.999.999.999 'printf "%4096s" " "' >/dev/null
if [ $? -eq 0 ]; then

52
regress/key-options.sh
View File

@ -1,4 +1,4 @@
# $OpenBSD: key-options.sh,v 1.3 2015/03/03 22:35:19 markus Exp $
# $OpenBSD: key-options.sh,v 1.4 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="key options"
@ -8,64 +8,56 @@ authkeys="$OBJ/authorized_keys_${USER}"
cp $authkeys $origkeys
# Test command= forced command
for p in ${SSH_PROTOCOLS}; do
for c in 'command="echo bar"' 'no-pty,command="echo bar"'; do
for c in 'command="echo bar"' 'no-pty,command="echo bar"'; do
sed "s/.*/$c &/" $origkeys >$authkeys
verbose "key option proto $p $c"
r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost echo foo`
verbose "key option $c"
r=`${SSH} -q -F $OBJ/ssh_proxy somehost echo foo`
if [ "$r" = "foo" ]; then
fail "key option forced command not restricted"
fi
if [ "$r" != "bar" ]; then
fail "key option forced command not executed"
fi
done
done
# Test no-pty
sed 's/.*/no-pty &/' $origkeys >$authkeys
for p in ${SSH_PROTOCOLS}; do
verbose "key option proto $p no-pty"
r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost tty`
if [ -f "$r" ]; then
fail "key option failed proto $p no-pty (pty $r)"
fi
done
verbose "key option proto no-pty"
r=`${SSH} -q -F $OBJ/ssh_proxy somehost tty`
if [ -f "$r" ]; then
fail "key option failed no-pty (pty $r)"
fi
# Test environment=
echo 'PermitUserEnvironment yes' >> $OBJ/sshd_proxy
sed 's/.*/environment="FOO=bar" &/' $origkeys >$authkeys
for p in ${SSH_PROTOCOLS}; do
verbose "key option proto $p environment"
r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost 'echo $FOO'`
if [ "$r" != "bar" ]; then
fail "key option environment not set"
fi
done
verbose "key option environment"
r=`${SSH} -q -F $OBJ/ssh_proxy somehost 'echo $FOO'`
if [ "$r" != "bar" ]; then
fail "key option environment not set"
fi
# Test from= restriction
start_sshd
for p in ${SSH_PROTOCOLS}; do
for f in 127.0.0.1 '127.0.0.0\/8'; do
for f in 127.0.0.1 '127.0.0.0\/8'; do
cat $origkeys >$authkeys
${SSH} -$p -q -F $OBJ/ssh_proxy somehost true
${SSH} -q -F $OBJ/ssh_proxy somehost true
if [ $? -ne 0 ]; then
fail "key option proto $p failed without restriction"
fail "key option failed without restriction"
fi
sed 's/.*/from="'"$f"'" &/' $origkeys >$authkeys
from=`head -1 $authkeys | cut -f1 -d ' '`
verbose "key option proto $p $from"
r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost 'echo true'`
verbose "key option $from"
r=`${SSH} -q -F $OBJ/ssh_proxy somehost 'echo true'`
if [ "$r" = "true" ]; then
fail "key option proto $p $from not restricted"
fail "key option $from not restricted"
fi
r=`${SSH} -$p -q -F $OBJ/ssh_config somehost 'echo true'`
r=`${SSH} -q -F $OBJ/ssh_config somehost 'echo true'`
if [ "$r" != "true" ]; then
fail "key option proto $p $from not allowed but should be"
fail "key option $from not allowed but should be"
fi
done
done
rm -f "$origkeys"

5
regress/keygen-change.sh
View File

@ -1,4 +1,4 @@
# $OpenBSD: keygen-change.sh,v 1.5 2015/03/03 22:35:19 markus Exp $
# $OpenBSD: keygen-change.sh,v 1.6 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="change passphrase for key"
@ -7,9 +7,6 @@ S1="secret1"
S2="2secret"
KEYTYPES=`${SSH} -Q key-plain`
if ssh_version 1; then
KEYTYPES="${KEYTYPES} rsa1"
fi
for t in $KEYTYPES; do
# generate user key for agent

6
regress/keyscan.sh
View File

@ -1,4 +1,4 @@
# $OpenBSD: keyscan.sh,v 1.5 2015/09/11 03:44:21 djm Exp $
# $OpenBSD: keyscan.sh,v 1.6 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="keyscan"
@ -9,10 +9,6 @@ rm -f ${OBJ}/host.dsa
start_sshd
KEYTYPES=`${SSH} -Q key-plain`
if ssh_version 1; then
KEYTYPES="${KEYTYPES} rsa1"
fi
for t in $KEYTYPES; do
trace "keyscan type $t"
${SSHKEYSCAN} -t $t -p $PORT 127.0.0.1 127.0.0.1 127.0.0.1 \

14
regress/localcommand.sh
View File

@ -1,4 +1,4 @@
# $OpenBSD: localcommand.sh,v 1.3 2015/03/03 22:35:19 markus Exp $
# $OpenBSD: localcommand.sh,v 1.4 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="localcommand"
@ -6,10 +6,8 @@ tid="localcommand"
echo 'PermitLocalCommand yes' >> $OBJ/ssh_proxy
echo 'LocalCommand echo foo' >> $OBJ/ssh_proxy
for p in ${SSH_PROTOCOLS}; do
verbose "test $tid: proto $p localcommand"
a=`${SSH} -F $OBJ/ssh_proxy -$p somehost true`
if [ "$a" != "foo" ] ; then
fail "$tid proto $p"
fi
done
verbose "test $tid: proto $p localcommand"
a=`${SSH} -F $OBJ/ssh_proxy somehost true`
if [ "$a" != "foo" ] ; then
fail "$tid proto $p"
fi

4
regress/misc/kexfuzz/kexfuzz.c
View File

@ -1,4 +1,4 @@
/* $OpenBSD: kexfuzz.c,v 1.3 2016/10/11 21:49:54 djm Exp $ */
/* $OpenBSD: kexfuzz.c,v 1.4 2017/04/30 23:34:55 djm Exp $ */
/*
* Fuzz harness for KEX code
*
@ -418,7 +418,7 @@ main(int argc, char **argv)
close(fd);
/* XXX check that it is a private key */
/* XXX support certificates */
if (key == NULL || key->type == KEY_UNSPEC || key->type == KEY_RSA1)
if (key == NULL || key->type == KEY_UNSPEC)
badusage("Invalid key file (-k flag)");
/* Replace (fuzz) mode */

6
regress/multiplex.sh
View File

@ -1,4 +1,4 @@
# $OpenBSD: multiplex.sh,v 1.27 2014/12/22 06:14:29 djm Exp $
# $OpenBSD: multiplex.sh,v 1.28 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
CTL=/tmp/openssh.regress.ctl-sock.$$
@ -101,7 +101,7 @@ for s in 0 1 4 5 44; do
${SSH} -F $OBJ/ssh_config -S $CTL otherhost exit $s
r=$?
if [ $r -ne $s ]; then
fail "exit code mismatch for protocol $p: $r != $s"
fail "exit code mismatch: $r != $s"
fi
# same with early close of stdout/err
@ -110,7 +110,7 @@ for s in 0 1 4 5 44; do
exec sh -c \'"sleep 2; exec > /dev/null 2>&1; sleep 3; exit $s"\'
r=$?
if [ $r -ne $s ]; then
fail "exit code (with sleep) mismatch for protocol $p: $r != $s"
fail "exit code (with sleep) mismatch: $r != $s"
fi
done

18
regress/principals-command.sh
View File

@ -1,4 +1,4 @@
# $OpenBSD: principals-command.sh,v 1.3 2016/09/26 21:34:38 bluhm Exp $
# $OpenBSD: principals-command.sh,v 1.4 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="authorized principals command"
@ -78,7 +78,7 @@ if [ -x $PRINCIPALS_COMMAND ]; then
# Empty authorized_principals
verbose "$tid: ${_prefix} empty authorized_principals"
echo > $OBJ/authorized_principals_$USER
${SSH} -2i $OBJ/cert_user_key \
${SSH} -i $OBJ/cert_user_key \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect succeeded unexpectedly"
@ -87,7 +87,7 @@ if [ -x $PRINCIPALS_COMMAND ]; then
# Wrong authorized_principals
verbose "$tid: ${_prefix} wrong authorized_principals"
echo gregorsamsa > $OBJ/authorized_principals_$USER
${SSH} -2i $OBJ/cert_user_key \
${SSH} -i $OBJ/cert_user_key \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect succeeded unexpectedly"
@ -96,7 +96,7 @@ if [ -x $PRINCIPALS_COMMAND ]; then
# Correct authorized_principals
verbose "$tid: ${_prefix} correct authorized_principals"
echo mekmitasdigoat > $OBJ/authorized_principals_$USER
${SSH} -2i $OBJ/cert_user_key \
${SSH} -i $OBJ/cert_user_key \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -ne 0 ]; then
fail "ssh cert connect failed"
@ -105,7 +105,7 @@ if [ -x $PRINCIPALS_COMMAND ]; then
# authorized_principals with bad key option
verbose "$tid: ${_prefix} authorized_principals bad key opt"
echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
${SSH} -2i $OBJ/cert_user_key \
${SSH} -i $OBJ/cert_user_key \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect succeeded unexpectedly"
@ -115,7 +115,7 @@ if [ -x $PRINCIPALS_COMMAND ]; then
verbose "$tid: ${_prefix} authorized_principals command=false"
echo 'command="false" mekmitasdigoat' > \
$OBJ/authorized_principals_$USER
${SSH} -2i $OBJ/cert_user_key \
${SSH} -i $OBJ/cert_user_key \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect succeeded unexpectedly"
@ -125,7 +125,7 @@ if [ -x $PRINCIPALS_COMMAND ]; then
verbose "$tid: ${_prefix} authorized_principals command=true"
echo 'command="true" mekmitasdigoat' > \
$OBJ/authorized_principals_$USER
${SSH} -2i $OBJ/cert_user_key \
${SSH} -i $OBJ/cert_user_key \
-F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
if [ $? -ne 0 ]; then
fail "ssh cert connect failed"
@ -144,7 +144,7 @@ if [ -x $PRINCIPALS_COMMAND ]; then
printf 'cert-authority,principals="gregorsamsa" '
cat $OBJ/user_ca_key.pub
) > $OBJ/authorized_keys_$USER
${SSH} -2i $OBJ/cert_user_key \
${SSH} -i $OBJ/cert_user_key \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect succeeded unexpectedly"
@ -156,7 +156,7 @@ if [ -x $PRINCIPALS_COMMAND ]; then
printf 'cert-authority,principals="mekmitasdigoat" '
cat $OBJ/user_ca_key.pub
) > $OBJ/authorized_keys_$USER
${SSH} -2i $OBJ/cert_user_key \
${SSH} -i $OBJ/cert_user_key \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -ne 0 ]; then
fail "ssh cert connect failed"

12
regress/proto-mismatch.sh
View File

@ -1,21 +1,17 @@
# $OpenBSD: proto-mismatch.sh,v 1.4 2015/03/03 22:35:19 markus Exp $
# $OpenBSD: proto-mismatch.sh,v 1.5 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="protocol version mismatch"
mismatch ()
{
server=$1
client=$2
banner=`echo ${client} | ${SSHD} -o "Protocol=${server}" -i -f ${OBJ}/sshd_proxy`
banner=`echo ${client} | ${SSHD} -i -f ${OBJ}/sshd_proxy`
r=$?
trace "sshd prints ${banner}"
if [ $r -ne 255 ]; then
fail "sshd prints ${banner} and accepts connect with version ${client}"
fail "sshd prints ${banner} but accepts version ${client}"
fi
}
mismatch 2 SSH-1.5-HALLO
if ssh_version 1; then
mismatch 1 SSH-2.0-HALLO
fi
mismatch SSH-1.5-HALLO

14
regress/proto-version.sh
View File

@ -1,4 +1,4 @@
# $OpenBSD: proto-version.sh,v 1.5 2015/03/03 22:35:19 markus Exp $
# $OpenBSD: proto-version.sh,v 1.6 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="sshd version with different protocol combinations"
@ -6,9 +6,8 @@ tid="sshd version with different protocol combinations"
# we just start sshd in inetd mode and check the banner
check_version ()
{
version=$1
expect=$2
banner=`printf '' | ${SSHD} -o "Protocol=${version}" -i -f ${OBJ}/sshd_proxy`
banner=`printf '' | ${SSHD} -i -f ${OBJ}/sshd_proxy`
case ${banner} in
SSH-1.99-*)
proto=199
@ -24,13 +23,8 @@ check_version ()
;;
esac
if [ ${expect} -ne ${proto} ]; then
fail "wrong protocol version ${banner} for ${version}"
fail "wrong protocol version ${banner}"
fi
}
check_version 2 20
if ssh_version 1; then
check_version 2,1 199
check_version 1,2 199
check_version 1 15
fi
check_version 20

41
regress/proxy-connect.sh
View File

@ -1,4 +1,4 @@
# $OpenBSD: proxy-connect.sh,v 1.9 2016/02/17 02:24:17 djm Exp $
# $OpenBSD: proxy-connect.sh,v 1.10 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="proxy connect"
@ -6,27 +6,22 @@ tid="proxy connect"
mv $OBJ/sshd_proxy $OBJ/sshd_proxy.orig
for ps in no yes; do
cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy
for p in ${SSH_PROTOCOLS}; do
for c in no yes; do
verbose "plain username protocol $p privsep=$ps comp=$c"
opts="-$p -oCompression=$c -F $OBJ/ssh_proxy"
SSH_CONNECTION=`${SSH} $opts 999.999.999.999 'echo $SSH_CONNECTION'`
if [ $? -ne 0 ]; then
fail "ssh proxyconnect protocol $p privsep=$ps comp=$c failed"
fi
if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then
fail "bad SSH_CONNECTION protocol $p privsep=$ps comp=$c: " \
"$SSH_CONNECTION"
fi
done
done
cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy
for c in no yes; do
verbose "plain username privsep=$ps comp=$c"
opts="-oCompression=$c -F $OBJ/ssh_proxy"
SSH_CONNECTION=`${SSH} $opts 999.999.999.999 'echo $SSH_CONNECTION'`
if [ $? -ne 0 ]; then
fail "ssh proxyconnect privsep=$ps comp=$c failed"
fi
if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then
fail "bad SSH_CONNECTION privsep=$ps comp=$c: " \
"$SSH_CONNECTION"
fi
done
done
for p in ${SSH_PROTOCOLS}; do
verbose "username with style protocol $p"
${SSH} -$p -F $OBJ/ssh_proxy ${USER}:style@999.999.999.999 true || \
fail "ssh proxyconnect protocol $p failed"
done
verbose "username with style"
${SSH} -F $OBJ/ssh_proxy ${USER}:style@999.999.999.999 true || \
fail "ssh proxyconnect failed"

45
regress/putty-transfer.sh
View File

@ -1,4 +1,4 @@
# $OpenBSD: putty-transfer.sh,v 1.4 2016/11/25 03:02:01 dtucker Exp $
# $OpenBSD: putty-transfer.sh,v 1.5 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="putty transfer data"
@ -8,33 +8,30 @@ if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then
exit 0
fi
# XXX support protocol 1 too
for p in 2; do
for c in 0 1 ; do
verbose "$tid: proto $p compression $c"
for c in 0 1 ; do
verbose "$tid: compression $c"
rm -f ${COPY}
cp ${OBJ}/.putty/sessions/localhost_proxy \
${OBJ}/.putty/sessions/compression_$c
echo "Compression=$c" >> ${OBJ}/.putty/sessions/kex_$k
env HOME=$PWD ${PLINK} -load compression_$c -batch \
-i putty.rsa cat ${DATA} > ${COPY}
if [ $? -ne 0 ]; then
fail "ssh cat $DATA failed"
fi
cmp ${DATA} ${COPY} || fail "corrupted copy"
for s in 10 100 1k 32k 64k 128k 256k; do
trace "compression $c dd-size ${s}"
rm -f ${COPY}
cp ${OBJ}/.putty/sessions/localhost_proxy \
${OBJ}/.putty/sessions/compression_$c
echo "Compression=$c" >> ${OBJ}/.putty/sessions/kex_$k
env HOME=$PWD ${PLINK} -load compression_$c -batch \
-i putty.rsa$p cat ${DATA} > ${COPY}
dd if=$DATA obs=${s} 2> /dev/null | \
env HOME=$PWD ${PLINK} -load compression_$c \
-batch -i putty.rsa \
"cat > ${COPY}"
if [ $? -ne 0 ]; then
fail "ssh cat $DATA failed"
fi
cmp ${DATA} ${COPY} || fail "corrupted copy"
for s in 10 100 1k 32k 64k 128k 256k; do
trace "proto $p compression $c dd-size ${s}"
rm -f ${COPY}
dd if=$DATA obs=${s} 2> /dev/null | \
env HOME=$PWD ${PLINK} -load compression_$c \
-batch -i putty.rsa$p \
"cat > ${COPY}"
if [ $? -ne 0 ]; then
fail "ssh cat $DATA failed"
fi
cmp $DATA ${COPY} || fail "corrupted copy"
done
cmp $DATA ${COPY} || fail "corrupted copy"
done
done
rm -f ${COPY}

22
regress/reconfigure.sh
View File

@ -1,4 +1,4 @@
# $OpenBSD: reconfigure.sh,v 1.5 2015/03/03 22:35:19 markus Exp $
# $OpenBSD: reconfigure.sh,v 1.6 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="simple connect after reconfigure"
@ -18,12 +18,10 @@ fi
start_sshd
trace "connect before restart"
for p in ${SSH_PROTOCOLS} ; do
${SSH} -o "Protocol=$p" -F $OBJ/ssh_config somehost true
if [ $? -ne 0 ]; then
fail "ssh connect with protocol $p failed before reconfigure"
fi
done
${SSH} -F $OBJ/ssh_config somehost true
if [ $? -ne 0 ]; then
fail "ssh connect with failed before reconfigure"
fi
PID=`$SUDO cat $PIDFILE`
rm -f $PIDFILE
@ -39,9 +37,7 @@ done
test -f $PIDFILE || fatal "sshd did not restart"
trace "connect after restart"
for p in ${SSH_PROTOCOLS} ; do
${SSH} -o "Protocol=$p" -F $OBJ/ssh_config somehost true
if [ $? -ne 0 ]; then
fail "ssh connect with protocol $p failed after reconfigure"
fi
done
${SSH} -F $OBJ/ssh_config somehost true
if [ $? -ne 0 ]; then
fail "ssh connect with failed after reconfigure"
fi

19
regress/reexec.sh
View File

@ -1,4 +1,4 @@
# $OpenBSD: reexec.sh,v 1.10 2016/12/16 01:06:27 dtucker Exp $
# $OpenBSD: reexec.sh,v 1.11 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="reexec tests"
@ -19,16 +19,13 @@ start_sshd_copy ()
copy_tests ()
{
rm -f ${COPY}
for p in ${SSH_PROTOCOLS} ; do
verbose "$tid: proto $p"
${SSH} -nqo "Protocol=$p" -F $OBJ/ssh_config somehost \
cat ${DATA} > ${COPY}
if [ $? -ne 0 ]; then
fail "ssh cat $DATA failed"
fi
cmp ${DATA} ${COPY} || fail "corrupted copy"
rm -f ${COPY}
done
${SSH} -nq -F $OBJ/ssh_config somehost \
cat ${DATA} > ${COPY}
if [ $? -ne 0 ]; then
fail "ssh cat $DATA failed"
fi
cmp ${DATA} ${COPY} || fail "corrupted copy"
rm -f ${COPY}
}
verbose "test config passing"

4
regress/stderr-after-eof.sh
View File

@ -1,4 +1,4 @@
# $OpenBSD: stderr-after-eof.sh,v 1.2 2013/05/17 04:29:14 dtucker Exp $
# $OpenBSD: stderr-after-eof.sh,v 1.3 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="stderr data after eof"
@ -10,7 +10,7 @@ for i in 1 2 3 4 5 6; do
(date;echo $i) | md5 >> ${DATA}
done
${SSH} -2 -F $OBJ/ssh_proxy otherhost \
${SSH} -F $OBJ/ssh_proxy otherhost \
exec sh -c \'"exec > /dev/null; sleep 2; cat ${DATA} 1>&2 $s"\' \
2> ${COPY}
r=$?

14
regress/stderr-data.sh
View File

@ -1,13 +1,12 @@
# $OpenBSD: stderr-data.sh,v 1.4 2015/03/03 22:35:19 markus Exp $
# $OpenBSD: stderr-data.sh,v 1.5 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="stderr data transfer"
for n in '' -n; do
for p in ${SSH_PROTOCOLS}; do
verbose "test $tid: proto $p ($n)"
${SSH} $n -$p -F $OBJ/ssh_proxy otherhost \
exec sh -c \'"exec > /dev/null; sleep 3; cat ${DATA} 1>&2 $s"\' \
verbose "test $tid: ($n)"
${SSH} $n -F $OBJ/ssh_proxy otherhost exec \
sh -c \'"exec > /dev/null; sleep 3; cat ${DATA} 1>&2 $s"\' \
2> ${COPY}
r=$?
if [ $r -ne 0 ]; then
@ -16,8 +15,8 @@ for p in ${SSH_PROTOCOLS}; do
cmp ${DATA} ${COPY} || fail "stderr corrupt"
rm -f ${COPY}
${SSH} $n -$p -F $OBJ/ssh_proxy otherhost \
exec sh -c \'"echo a; exec > /dev/null; sleep 3; cat ${DATA} 1>&2 $s"\' \
${SSH} $n -F $OBJ/ssh_proxy otherhost exec \
sh -c \'"echo a; exec > /dev/null; sleep 3; cat ${DATA} 1>&2 $s"\' \
> /dev/null 2> ${COPY}
r=$?
if [ $r -ne 0 ]; then
@ -26,4 +25,3 @@ for p in ${SSH_PROTOCOLS}; do
cmp ${DATA} ${COPY} || fail "stderr corrupt"
rm -f ${COPY}
done
done

26
regress/test-exec.sh
View File

@ -1,4 +1,4 @@
# $OpenBSD: test-exec.sh,v 1.59 2017/02/07 23:03:11 dtucker Exp $
# $OpenBSD: test-exec.sh,v 1.60 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
#SUDO=sudo
@ -130,12 +130,6 @@ if [ "x$TEST_SSH_CONCH" != "x" ]; then
esac
fi
SSH_PROTOCOLS=2
#SSH_PROTOCOLS=`$SSH -Q protocol-version`
if [ "x$TEST_SSH_PROTOCOLS" != "x" ]; then
SSH_PROTOCOLS="${TEST_SSH_PROTOCOLS}"
fi
# Path to sshd must be absolute for rexec
case "$SSHD" in
/*) ;;
@ -386,22 +380,11 @@ fatal ()
exit $RESULT
}
ssh_version ()
{
echo ${SSH_PROTOCOLS} | grep "$1" >/dev/null
}
RESULT=0
PIDFILE=$OBJ/pidfile
trap fatal 3 2
if ssh_version 1; then
PROTO="2,1"
else
PROTO="2"
fi
# create server config
cat << EOF > $OBJ/sshd_config
StrictModes no
@ -460,11 +443,8 @@ fi
rm -f $OBJ/known_hosts $OBJ/authorized_keys_$USER
if ssh_version 1; then
SSH_KEYTYPES="rsa rsa1"
else
SSH_KEYTYPES="rsa ed25519"
fi
SSH_KEYTYPES="rsa ed25519"
trace "generate keys"
for t in ${SSH_KEYTYPES}; do
# generate user key

29
regress/transfer.sh
View File

@ -1,26 +1,23 @@
# $OpenBSD: transfer.sh,v 1.3 2015/03/03 22:35:19 markus Exp $
# $OpenBSD: transfer.sh,v 1.4 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="transfer data"
for p in ${SSH_PROTOCOLS}; do
verbose "$tid: proto $p"
rm -f ${COPY}
${SSH} -n -q -F $OBJ/ssh_proxy somehost cat ${DATA} > ${COPY}
if [ $? -ne 0 ]; then
fail "ssh cat $DATA failed"
fi
cmp ${DATA} ${COPY} || fail "corrupted copy"
for s in 10 100 1k 32k 64k 128k 256k; do
trace "dd-size ${s}"
rm -f ${COPY}
${SSH} -n -q -$p -F $OBJ/ssh_proxy somehost cat ${DATA} > ${COPY}
dd if=$DATA obs=${s} 2> /dev/null | \
${SSH} -q -F $OBJ/ssh_proxy somehost "cat > ${COPY}"
if [ $? -ne 0 ]; then
fail "ssh cat $DATA failed"
fi
cmp ${DATA} ${COPY} || fail "corrupted copy"
for s in 10 100 1k 32k 64k 128k 256k; do
trace "proto $p dd-size ${s}"
rm -f ${COPY}
dd if=$DATA obs=${s} 2> /dev/null | \
${SSH} -q -$p -F $OBJ/ssh_proxy somehost "cat > ${COPY}"
if [ $? -ne 0 ]; then
fail "ssh cat $DATA failed"
fi
cmp $DATA ${COPY} || fail "corrupted copy"
done
cmp $DATA ${COPY} || fail "corrupted copy"
done
rm -f ${COPY}

24
regress/try-ciphers.sh
View File

@ -1,4 +1,4 @@
# $OpenBSD: try-ciphers.sh,v 1.25 2015/03/24 20:22:17 markus Exp $
# $OpenBSD: try-ciphers.sh,v 1.26 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="try ciphers"
@ -8,14 +8,14 @@ cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
for c in `${SSH} -Q cipher`; do
n=0
for m in `${SSH} -Q mac`; do
trace "proto 2 cipher $c mac $m"
verbose "test $tid: proto 2 cipher $c mac $m"
trace "cipher $c mac $m"
verbose "test $tid: cipher $c mac $m"
cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
echo "Ciphers=$c" >> $OBJ/sshd_proxy
echo "MACs=$m" >> $OBJ/sshd_proxy
${SSH} -F $OBJ/ssh_proxy -2 -m $m -c $c somehost true
${SSH} -F $OBJ/ssh_proxy -m $m -c $c somehost true
if [ $? -ne 0 ]; then
fail "ssh -2 failed with mac $m cipher $c"
fail "ssh failed with mac $m cipher $c"
fi
# No point trying all MACs for AEAD ciphers since they
# are ignored.
@ -26,17 +26,3 @@ for c in `${SSH} -Q cipher`; do
done
done
if ssh_version 1; then
ciphers="3des blowfish"
else
ciphers=""
fi
for c in $ciphers; do
trace "proto 1 cipher $c"
verbose "test $tid: proto 1 cipher $c"
${SSH} -F $OBJ/ssh_proxy -1 -c $c somehost true
if [ $? -ne 0 ]; then
fail "ssh -1 failed with cipher $c"
fi
done

18
regress/yes-head.sh
View File

@ -3,13 +3,11 @@
tid="yes pipe head"
for p in ${SSH_PROTOCOLS}; do
lines=`${SSH} -$p -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | _POSIX2_VERSION=199209 head -2000"' | (sleep 3 ; wc -l)`
if [ $? -ne 0 ]; then
fail "yes|head test failed"
lines = 0;
fi
if [ $lines -ne 2000 ]; then
fail "yes|head returns $lines lines instead of 2000"
fi
done
lines=`${SSH} -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | _POSIX2_VERSION=199209 head -2000"' | (sleep 3 ; wc -l)`
if [ $? -ne 0 ]; then
fail "yes|head test failed"
lines = 0;
fi
if [ $lines -ne 2000 ]; then
fail "yes|head returns $lines lines instead of 2000"
fi