summaryrefslogtreecommitdiffstats
path: root/regress/forward-control.sh
diff options
context:
space:
mode:
Diffstat (limited to 'regress/forward-control.sh')
-rw-r--r--regress/forward-control.sh235
1 files changed, 235 insertions, 0 deletions
diff --git a/regress/forward-control.sh b/regress/forward-control.sh
new file mode 100644
index 0000000..3b1f69a
--- /dev/null
+++ b/regress/forward-control.sh
@@ -0,0 +1,235 @@
+# $OpenBSD: forward-control.sh,v 1.7 2018/06/07 14:29:43 djm Exp $
+# Placed in the Public Domain.
+
+tid="sshd control of local and remote forwarding"
+
+LFWD_PORT=3320
+RFWD_PORT=3321
+CTL=$OBJ/ctl-sock
+READY=$OBJ/ready
+
+wait_for_file_to_appear() {
+ _path=$1
+ _n=0
+ while test ! -f $_path ; do
+ test $_n -eq 1 && trace "waiting for $_path to appear"
+ _n=`expr $_n + 1`
+ test $_n -ge 20 && return 1
+ sleep 1
+ done
+ return 0
+}
+
+wait_for_process_to_exit() {
+ _pid=$1
+ _n=0
+ while kill -0 $_pid 2>/dev/null ; do
+ test $_n -eq 1 && trace "waiting for $_pid to exit"
+ _n=`expr $_n + 1`
+ test $_n -ge 20 && return 1
+ sleep 1
+ done
+ return 0
+}
+
+# usage: check_lfwd Y|N message
+check_lfwd() {
+ _expected=$1
+ _message=$2
+ rm -f $READY
+ ${SSH} -F $OBJ/ssh_proxy \
+ -L$LFWD_PORT:127.0.0.1:$PORT \
+ -o ExitOnForwardFailure=yes \
+ -n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \
+ >/dev/null 2>&1 &
+ _sshpid=$!
+ wait_for_file_to_appear $READY || \
+ fatal "check_lfwd ssh fail: $_message"
+ ${SSH} -F $OBJ/ssh_config -p $LFWD_PORT \
+ -oConnectionAttempts=4 host true >/dev/null 2>&1
+ _result=$?
+ kill $_sshpid `cat $READY` 2>/dev/null
+ wait_for_process_to_exit $_sshpid
+ if test "x$_expected" = "xY" -a $_result -ne 0 ; then
+ fail "check_lfwd failed (expecting success): $_message"
+ elif test "x$_expected" = "xN" -a $_result -eq 0 ; then
+ fail "check_lfwd succeeded (expecting failure): $_message"
+ elif test "x$_expected" != "xY" -a "x$_expected" != "xN" ; then
+ fatal "check_lfwd invalid argument \"$_expected\""
+ else
+ verbose "check_lfwd done (expecting $_expected): $_message"
+ fi
+}
+
+# usage: check_rfwd Y|N message
+check_rfwd() {
+ _expected=$1
+ _message=$2
+ rm -f $READY
+ ${SSH} -F $OBJ/ssh_proxy \
+ -R127.0.0.1:$RFWD_PORT:127.0.0.1:$PORT \
+ -o ExitOnForwardFailure=yes \
+ -n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \
+ >/dev/null 2>&1 &
+ _sshpid=$!
+ wait_for_file_to_appear $READY
+ _result=$?
+ if test $_result -eq 0 ; then
+ ${SSH} -F $OBJ/ssh_config -p $RFWD_PORT \
+ -oConnectionAttempts=4 host true >/dev/null 2>&1
+ _result=$?
+ kill $_sshpid `cat $READY` 2>/dev/null
+ wait_for_process_to_exit $_sshpid
+ fi
+ if test "x$_expected" = "xY" -a $_result -ne 0 ; then
+ fail "check_rfwd failed (expecting success): $_message"
+ elif test "x$_expected" = "xN" -a $_result -eq 0 ; then
+ fail "check_rfwd succeeded (expecting failure): $_message"
+ elif test "x$_expected" != "xY" -a "x$_expected" != "xN" ; then
+ fatal "check_rfwd invalid argument \"$_expected\""
+ else
+ verbose "check_rfwd done (expecting $_expected): $_message"
+ fi
+}
+
+start_sshd
+cp ${OBJ}/sshd_proxy ${OBJ}/sshd_proxy.bak
+cp ${OBJ}/authorized_keys_${USER} ${OBJ}/authorized_keys_${USER}.bak
+
+# Sanity check: ensure the default config allows forwarding
+check_lfwd Y "default configuration"
+check_rfwd Y "default configuration"
+
+# Usage: lperm_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N
+lperm_tests() {
+ _tcpfwd=$1
+ _plain_lfwd=$2
+ _plain_rfwd=$3
+ _nopermit_lfwd=$4
+ _nopermit_rfwd=$5
+ _permit_lfwd=$6
+ _permit_rfwd=$7
+ _badfwd1=127.0.0.1:22
+ _badfwd2=127.0.0.2:22
+ _goodfwd=127.0.0.1:${PORT}
+ cp ${OBJ}/authorized_keys_${USER}.bak ${OBJ}/authorized_keys_${USER}
+ _prefix="AllowTcpForwarding=$_tcpfwd"
+
+ # No PermitOpen
+ ( cat ${OBJ}/sshd_proxy.bak ;
+ echo "AllowTcpForwarding $_tcpfwd" ) \
+ > ${OBJ}/sshd_proxy
+ check_lfwd $_plain_lfwd "$_prefix"
+ check_rfwd $_plain_rfwd "$_prefix"
+
+ # PermitOpen via sshd_config that doesn't match
+ ( cat ${OBJ}/sshd_proxy.bak ;
+ echo "AllowTcpForwarding $_tcpfwd" ;
+ echo "PermitOpen $_badfwd1 $_badfwd2" ) \
+ > ${OBJ}/sshd_proxy
+ check_lfwd $_nopermit_lfwd "$_prefix, !PermitOpen"
+ check_rfwd $_nopermit_rfwd "$_prefix, !PermitOpen"
+ # PermitOpen via sshd_config that does match
+ ( cat ${OBJ}/sshd_proxy.bak ;
+ echo "AllowTcpForwarding $_tcpfwd" ;
+ echo "PermitOpen $_badfwd1 $_goodfwd $_badfwd2" ) \
+ > ${OBJ}/sshd_proxy
+ check_lfwd $_plain_lfwd "$_prefix, PermitOpen"
+ check_rfwd $_plain_rfwd "$_prefix, PermitOpen"
+
+ # permitopen keys option.
+ # NB. permitopen via authorized_keys should have same
+ # success/fail as via sshd_config
+ # permitopen via authorized_keys that doesn't match
+ sed "s/^/permitopen=\"$_badfwd1\",permitopen=\"$_badfwd2\" /" \
+ < ${OBJ}/authorized_keys_${USER}.bak \
+ > ${OBJ}/authorized_keys_${USER} || fatal "sed 1 fail"
+ ( cat ${OBJ}/sshd_proxy.bak ;
+ echo "AllowTcpForwarding $_tcpfwd" ) \
+ > ${OBJ}/sshd_proxy
+ check_lfwd $_nopermit_lfwd "$_prefix, !permitopen"
+ check_rfwd $_nopermit_rfwd "$_prefix, !permitopen"
+ # permitopen via authorized_keys that does match
+ sed "s/^/permitopen=\"$_badfwd1\",permitopen=\"$_goodfwd\" /" \
+ < ${OBJ}/authorized_keys_${USER}.bak \
+ > ${OBJ}/authorized_keys_${USER} || fatal "sed 2 fail"
+ ( cat ${OBJ}/sshd_proxy.bak ;
+ echo "AllowTcpForwarding $_tcpfwd" ) \
+ > ${OBJ}/sshd_proxy
+ check_lfwd $_permit_lfwd "$_prefix, permitopen"
+ check_rfwd $_permit_rfwd "$_prefix, permitopen"
+
+ # Check port-forwarding flags in authorized_keys.
+ # These two should refuse all.
+ sed "s/^/no-port-forwarding /" \
+ < ${OBJ}/authorized_keys_${USER}.bak \
+ > ${OBJ}/authorized_keys_${USER} || fatal "sed 3 fail"
+ ( cat ${OBJ}/sshd_proxy.bak ;
+ echo "AllowTcpForwarding $_tcpfwd" ) \
+ > ${OBJ}/sshd_proxy
+ check_lfwd N "$_prefix, no-port-forwarding"
+ check_rfwd N "$_prefix, no-port-forwarding"
+ sed "s/^/restrict /" \
+ < ${OBJ}/authorized_keys_${USER}.bak \
+ > ${OBJ}/authorized_keys_${USER} || fatal "sed 4 fail"
+ ( cat ${OBJ}/sshd_proxy.bak ;
+ echo "AllowTcpForwarding $_tcpfwd" ) \
+ > ${OBJ}/sshd_proxy
+ check_lfwd N "$_prefix, restrict"
+ check_rfwd N "$_prefix, restrict"
+ # This should pass the same cases as _nopermit*
+ sed "s/^/restrict,port-forwarding /" \
+ < ${OBJ}/authorized_keys_${USER}.bak \
+ > ${OBJ}/authorized_keys_${USER} || fatal "sed 5 fail"
+ ( cat ${OBJ}/sshd_proxy.bak ;
+ echo "AllowTcpForwarding $_tcpfwd" ) \
+ > ${OBJ}/sshd_proxy
+ check_lfwd $_plain_lfwd "$_prefix, restrict,port-forwarding"
+ check_rfwd $_plain_rfwd "$_prefix, restrict,port-forwarding"
+}
+
+# permit-open none mismatch match
+# AllowTcpForwarding local remote local remote local remote
+lperm_tests yes Y Y N Y Y Y
+lperm_tests local Y N N N Y N
+lperm_tests remote N Y N Y N Y
+lperm_tests no N N N N N N
+
+# Usage: rperm_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N
+rperm_tests() {
+ _tcpfwd=$1
+ _plain_lfwd=$2
+ _plain_rfwd=$3
+ _nopermit_lfwd=$4
+ _nopermit_rfwd=$5
+ _permit_lfwd=$6
+ _permit_rfwd=$7
+ _badfwd1=127.0.0.1:22
+ _badfwd2=127.0.0.2:${RFWD_PORT}
+ _goodfwd=127.0.0.1:${RFWD_PORT}
+ cp ${OBJ}/authorized_keys_${USER}.bak ${OBJ}/authorized_keys_${USER}
+ _prefix="AllowTcpForwarding=$_tcpfwd"
+
+ # PermitListen via sshd_config that doesn't match
+ ( cat ${OBJ}/sshd_proxy.bak ;
+ echo "AllowTcpForwarding $_tcpfwd" ;
+ echo "PermitListen $_badfwd1 $_badfwd2" ) \
+ > ${OBJ}/sshd_proxy
+ check_lfwd $_nopermit_lfwd "$_prefix, !PermitListen"
+ check_rfwd $_nopermit_rfwd "$_prefix, !PermitListen"
+ # PermitListen via sshd_config that does match
+ ( cat ${OBJ}/sshd_proxy.bak ;
+ echo "AllowTcpForwarding $_tcpfwd" ;
+ echo "PermitListen $_badfwd1 $_goodfwd $_badfwd2" ) \
+ > ${OBJ}/sshd_proxy
+ check_lfwd $_plain_lfwd "$_prefix, PermitListen"
+ check_rfwd $_plain_rfwd "$_prefix, PermitListen"
+}
+
+# permit-remote-open none mismatch match
+# AllowTcpForwarding local remote local remote local remote
+rperm_tests yes Y Y Y N Y Y
+rperm_tests local Y N Y N Y N
+rperm_tests remote N Y N N N Y
+rperm_tests no N N N N N N
+