tyler.durden
/
openssh-portable
mirror of https://github.com/PowerShell/openssh-portable.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
openssh-portable/regress/pesterTests/SSHDConfig.tests.ps1

358 lines
14 KiB
PowerShell
Raw Blame History

If ($PSVersiontable.PSVersion.Major -le 2) {$PSScriptRoot = Split-Path -Parent $MyInvocation.MyCommand.Path}
Import-Module $PSScriptRoot\CommonUtils.psm1 -Force
$tC = 1
$tI = 0
$suite = "sshdConfig"
Describe "Tests of sshd_config" -Tags "CI" {
BeforeAll {
if($OpenSSHTestInfo -eq $null)
{
Throw "`$OpenSSHTestInfo is null. Please run Set-OpenSSHTestEnvironment to set test environments."
}
$testDir = "$($OpenSSHTestInfo["TestDataPath"])\$suite"
if( -not (Test-path $testDir -PathType Container))
{
$null = New-Item $testDir -ItemType directory -Force -ErrorAction SilentlyContinue
}
$sshLogName = "test.txt"
$sshdLogName = "sshdlog.txt"
$server = $OpenSSHTestInfo["Target"]
$opensshbinpath = $OpenSSHTestInfo['OpenSSHBinPath']
$port = 47003
Remove-Item -Path (Join-Path $testDir "*$sshLogName") -Force -ErrorAction SilentlyContinue
Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$ContextName = $env:COMPUTERNAME
$ContextType = [System.DirectoryServices.AccountManagement.ContextType]::Machine
$PrincipalContext = new-object -TypeName System.DirectoryServices.AccountManagement.PrincipalContext -ArgumentList @($ContextType, $ContextName)
$IdentityType = [System.DirectoryServices.AccountManagement.IdentityType]::SamAccountName
#prepare custom sshd_config
$sshdconfig_ori = Join-Path $Global:OpenSSHTestInfo["ServiceConfigDir"] sshd_config
$sshdconfig_custom = Join-Path $Global:OpenSSHTestInfo["ServiceConfigDir"] sshd_config_custom
if (Test-Path $sshdconfig_custom) {
Remove-Item $sshdconfig_custom -Force
}
Copy-Item $sshdconfig_ori $sshdconfig_custom
get-acl $sshdconfig_ori | set-acl $sshdconfig_custom
Add-Content $sshdconfig_custom @"
DenyUsers denyuser1 deny*2 denyuse?3,
AllowUsers allowuser1 allowu*r2 allow?se?3 allowuser4 localuser1 localu*r2 loc?lu?er3 localadmin matchuser
DenyGroups denygroup1 denygr*p2 deny?rou?3
AllowGroups allowgroup1 allowg*2 allowg?ou?3 Adm*
Match User matchuser
ForceCommand cmd.exe /c "whoami & set SSH_ORIGINAL_COMMAND"
"@
function Add-LocalUser
{
param([string] $UserName, [string] $Password)
$user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($PrincipalContext, $IdentityType, $UserName)
if($user -eq $null)
{
try {
$user = new-object -TypeName System.DirectoryServices.AccountManagement.UserPrincipal -ArgumentList @($PrincipalContext,$UserName,$Password, $true)
$user.Save()
}
finally {
$user.Dispose()
}
}
}
function Add-LocalGroup
{
param([string] $groupName)
$group = [System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($PrincipalContext, $IdentityType, $GroupName)
if($group -eq $null)
{
try {
$group = new-object -TypeName System.DirectoryServices.AccountManagement.GroupPrincipal -ArgumentList @($PrincipalContext,$groupName)
$group.Save()
}
finally {
$group.Dispose()
}
}
}
function Add-UserToLocalGroup
{
param([string]$UserName, [string]$Password, [string]$GroupName)
Add-LocalGroup -groupName $GroupName
Add-LocalUser -UserName $UserName -Password $Password
$group = [System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($PrincipalContext, $IdentityType, $GroupName)
$user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($PrincipalContext, $IdentityType, $UserName)
if(-not $group.Members.Contains($user))
{
try {
$group.Members.Add($user)
$group.save()
}
finally {
$group.Dispose()
}
}
}
function Remove-UserFromLocalGroup
{
param([string]$UserName, [string]$GroupName)
$group = [System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($PrincipalContext, $IdentityType, $GroupName)
$user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($PrincipalContext, $IdentityType, $UserName)
if($group.Members.Contains($user))
{
try {
$group.Members.Remove($user)
$group.save()
}
finally {
$group.Dispose()
}
}
}
function Clenaup-LocalGroup
{
param([string]$GroupName)
$group = [System.DirectoryServices.AccountManagement.GroupPrincipal]::FindByIdentity($PrincipalContext, $IdentityType, $GroupName)
if($group -ne $null)
{
try {
$group.Delete()
}
finally {
$group.Dispose()
}
}
}
#skip when the task schedular (*-ScheduledTask) cmdlets does not exist
$ts = (get-command get-ScheduledTask -ErrorAction SilentlyContinue)
$skip = $ts -eq $null
if(-not $skip)
{
Stop-SSHDTestDaemon -Port $port
}
if(($platform -eq [PlatformType]::Windows) -and ([Environment]::OSVersion.Version.Major -le 6))
{
#suppress the firewall blocking dialogue on win7
netsh advfirewall firewall add rule name="sshd" program="$($OpenSSHTestInfo['OpenSSHBinPath'])\sshd.exe" protocol=any action=allow dir=in
}
}
AfterEach { $tI++ }
AfterAll {
$PrincipalContext.Dispose()
if(($platform -eq [PlatformType]::Windows) -and ($psversiontable.BuildVersion.Major -le 6))
{
netsh advfirewall firewall delete rule name="sshd" program="$($OpenSSHTestInfo['OpenSSHBinPath'])\sshd.exe" protocol=any dir=in
}
}
<#
Settings in the sshd_config:
DenyUsers denyuser1 denyu*2 denyuse?3,
AllowUsers allowuser1 allowu*r2 allow?se?3 allowuser4 localuser1 localu*r2 loc?lu?er3 localadmin
DenyGroups denygroup1 denygr*p2 deny?rou?3
AllowGroups allowgroup1 allowg*2 allowg?ou?3 Adm*
#>
Context "Tests of AllowGroups, AllowUsers, DenyUsers, DenyGroups" {
BeforeAll {
$password = "Bull_dog1"
$allowUser1 = "allowuser1"
$allowUser2 = "allowuser2"
$allowUser3 = "allowuser3"
$allowUser4 = "allowuser4"
$denyUser1 = "denyuser1"
$denyUser2 = "denyuser2"
$denyUser3 = "denyuser3"
$localuser1 = "localuser1"
$localuser2 = "localuser2"
$localuser3 = "localuser3"
$allowGroup1 = "allowgroup1"
$allowGroup2 = "allowgroup2"
$allowGroup3 = "allowgroup3"
$denyGroup1 = "denygroup1"
$denyGroup2 = "denygroup2"
$denyGroup3 = "denygroup3"
$sshdConfigPath = $sshdconfig_custom
#add wrong password so ssh does not prompt password if failed with authorized keys
Add-PasswordSetting -Pass $password
$tI=1
}
BeforeEach {
$sshlog = Join-Path $testDir "$tC.$tI.$sshLogName"
$sshdlog = Join-Path $testDir "$tC.$tI.$sshdLogName"
if(-not $skip)
{
Stop-SSHDTestDaemon -Port $port
}
}
AfterAll {
Remove-PasswordSetting
$tC++
}
It "$tC.$tI-User with full name in the list of AllowUsers" -skip:$skip {
#Run
Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-d -f $sshdConfigPath -E $sshdlog" -Port $port
Add-UserToLocalGroup -UserName $allowUser1 -Password $password -GroupName $allowGroup1
$o = ssh -p $port $allowUser1@$server echo 1234
Stop-SSHDTestDaemon -Port $port
$o | Should Be "1234"
Remove-UserFromLocalGroup -UserName $allowUser1 -GroupName $allowGroup1
}
It "$tC.$tI-User with * wildcard" -skip:$skip {
#Run
Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-d -f $sshdConfigPath -E $sshdlog" -Port $port
Add-UserToLocalGroup -UserName $allowUser2 -Password $password -GroupName $allowGroup1
$o = ssh -p $port $allowUser2@$server echo 1234
Stop-SSHDTestDaemon -Port $port
$o | Should Be "1234"
Remove-UserFromLocalGroup -UserName $allowUser2 -GroupName $allowGroup1
}
It "$tC.$tI-User with ? wildcard" -skip:$skip {
#Run
Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-d -f $sshdConfigPath -E $sshdlog" -Port $port
Add-UserToLocalGroup -UserName $allowUser3 -Password $password -GroupName $allowGroup1
$o = ssh -p $port $allowUser3@$server echo 1234
Stop-SSHDTestDaemon -Port $port
$o | Should Be "1234"
Remove-UserFromLocalGroup -UserName $allowUser3 -GroupName $allowGroup1
}
It "$tC.$tI-User with full name in the list of DenyUsers" -skip:$skip {
#Run
Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-d -f $sshdConfigPath -E $sshdlog" -Port $port
Add-UserToLocalGroup -UserName $denyUser1 -Password $password -GroupName $allowGroup1
ssh -p $port -E $sshlog $denyUser1@$server echo 1234
$LASTEXITCODE | Should Not Be 0
Stop-SSHDTestDaemon -Port $port
$sshdlog | Should Contain "not allowed because listed in DenyUsers"
Remove-UserFromLocalGroup -UserName $denyUser1 -GroupName $allowGroup1
}
It "$tC.$tI-User with * wildcard in the list of DenyUsers" -skip:$skip {
#Run
Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-d -f $sshdConfigPath -E $sshdlog" -Port $port
Add-UserToLocalGroup -UserName $denyUser2 -Password $password -GroupName $allowGroup1
ssh -p $port -E $sshlog $denyUser2@$server echo 1234
$LASTEXITCODE | Should Not Be 0
Stop-SSHDTestDaemon -Port $port
$sshdlog | Should Contain "not allowed because listed in DenyUsers"
Remove-UserFromLocalGroup -UserName $denyUser2 -GroupName $allowGroup1
}
It "$tC.$tI-User with ? wildcard in the list of DenyUsers" -skip:$skip {
#Run
Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-d -f $sshdConfigPath -E $sshdlog" -Port $port
Add-UserToLocalGroup -UserName $denyUser3 -Password $password -GroupName $allowGroup1
ssh -p $port -E $sshlog $denyUser3@$server echo 1234
$LASTEXITCODE | Should Not Be 0
Stop-SSHDTestDaemon -Port $port
$sshdlog | Should Contain "not allowed because not listed in AllowUsers"
Remove-UserFromLocalGroup -UserName $denyUser3 -GroupName $allowGroup1
}
It "$tC.$tI-User is listed in the list of AllowUsers but also in a full name DenyGroups and AllowGroups" -skip:$skip {
#Run
Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-d -f $sshdConfigPath -E $sshdlog" -Port $port
Add-UserToLocalGroup -UserName $localuser1 -Password $password -GroupName $allowGroup1
Add-UserToLocalGroup -UserName $localuser1 -Password $password -GroupName $denyGroup1
ssh -p $port -E $sshlog $localuser1@$server echo 1234
$LASTEXITCODE | Should Not Be 0
Stop-SSHDTestDaemon -Port $port
$sshdlog | Should Contain "not allowed because a group is listed in DenyGroups"
Remove-UserFromLocalGroup -UserName $localuser1 -GroupName $allowGroup1
Remove-UserFromLocalGroup -UserName $localuser1 -GroupName $denyGroup1
}
It "$tC.$tI-User is listed in the list of AllowUsers but also in a wildcard * DenyGroups" -skip:$skip {
#Run
Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-d -f $sshdConfigPath -E $sshdlog" -Port $port
Add-UserToLocalGroup -UserName $localuser2 -Password $password -GroupName $denyGroup2
ssh -p $port -E $sshlog $localuser2@$server echo 1234
$LASTEXITCODE | Should Not Be 0
Stop-SSHDTestDaemon -Port $port
$sshdlog | Should Contain "not allowed because a group is listed in DenyGroups"
Remove-UserFromLocalGroup -UserName $localuser2 -GroupName $denyGroup2
}
It "$tC.$tI-User is listed in the list of AllowUsers but also in a wildcard ? DenyGroups" -skip:$skip {
#Run
Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-d -f $sshdConfigPath -E $sshdlog" -Port $port
Add-UserToLocalGroup -UserName $localuser3 -Password $password -GroupName $denyGroup3
ssh -p $port -E $sshlog $localuser3@$server echo 1234
$LASTEXITCODE | Should Not Be 0
Stop-SSHDTestDaemon -Port $port
$sshdlog | Should Contain "not allowed because a group is listed in DenyGroups"
Remove-UserFromLocalGroup -UserName $localuser3 -GroupName $denyGroup3
}
It "$tC.$tI - Match User block with ForceCommand" -skip:$skip {
Start-SSHDTestDaemon -WorkDir $opensshbinpath -Arguments "-d -f $sshdConfigPath -E $sshdlog" -Port $port
$matchuser = "matchuser"
Add-UserToLocalGroup -UserName $matchuser -Password $password -GroupName $allowGroup1
$o = ssh -p $port -T $matchuser@$server randomcommand
# Match block's ForceCommand returns output of "whoami & set SSH_ORIGINAL_COMMAND"
$o[0].Contains($matchuser) | Should Be $true
$o[1].Contains("randomcommand") | Should Be $true
Stop-SSHDTestDaemon -Port $port
Remove-UserFromLocalGroup -UserName $matchuser -GroupName $allowGroup1
}
}
}
Reference in New Issue View Git Blame Copy Permalink