diff options
Diffstat (limited to 'regress/forward-control.sh')
| -rw-r--r-- | regress/forward-control.sh | 228 |
1 files changed, 228 insertions, 0 deletions
diff --git a/regress/forward-control.sh b/regress/forward-control.sh new file mode 100644 index 0000000..63bbdeb --- /dev/null +++ b/regress/forward-control.sh @@ -0,0 +1,228 @@ +# $OpenBSD: forward-control.sh,v 1.11 2022/04/21 01:36:46 dtucker Exp $ +# Placed in the Public Domain. + +tid="sshd control of local and remote forwarding" + +LFWD_PORT=3320 +RFWD_PORT=3321 +CTL=$OBJ/ctl-sock +WAIT_SECONDS=20 + +wait_for_process_to_exit() { + _pid=$1 + _n=0 + while kill -0 $_pid 2>/dev/null ; do + test $_n -eq 1 && trace "waiting for $_pid to exit" + _n=`expr $_n + 1` + test $_n -ge $WAIT_SECONDS && return 1 + sleep 1 + done + return 0 +} + +mux_cmd() { + ${SSH} -F $OBJ/ssh_proxy -S $CTL -O $1 host 2>&1 +} + +controlmaster_pid() { + mux_cmd check | cut -f2 -d= | cut -f1 -d')' +} + +# usage: check_lfwd Y|N message +check_lfwd() { + _expected=$1 + _message=$2 + ${SSH} -F $OBJ/ssh_proxy \ + -L$LFWD_PORT:127.0.0.1:$PORT \ + -o ExitOnForwardFailure=yes \ + -MS $CTL -o ControlPersist=yes \ + -f host true + mux_cmd check >/dev/null || fatal "check_lfwd ssh fail: $_message" + ${SSH} -F $OBJ/ssh_config -p $LFWD_PORT \ + -oConnectionAttempts=10 host true >/dev/null 2>&1 + _result=$? + _sshpid=`controlmaster_pid` + mux_cmd exit >/dev/null + wait_for_process_to_exit $_sshpid + if test "x$_expected" = "xY" -a $_result -ne 0 ; then + fail "check_lfwd failed (expecting success): $_message" + elif test "x$_expected" = "xN" -a $_result -eq 0 ; then + fail "check_lfwd succeeded (expecting failure): $_message" + elif test "x$_expected" != "xY" -a "x$_expected" != "xN" ; then + fatal "check_lfwd invalid argument \"$_expected\"" + else + verbose "check_lfwd done (expecting $_expected): $_message" + fi +} + +# usage: check_rfwd Y|N message +check_rfwd() { + _expected=$1 + _message=$2 + ${SSH} -F $OBJ/ssh_proxy \ + -R127.0.0.1:$RFWD_PORT:127.0.0.1:$PORT \ + -o ExitOnForwardFailure=yes \ + -MS $CTL -o ControlPersist=yes \ + -f host true + mux_cmd check >/dev/null + _result=$? + _sshpid=`controlmaster_pid` + if test $_result -eq 0; then + ${SSH} -F $OBJ/ssh_config -p $RFWD_PORT \ + -oConnectionAttempts=10 host true >/dev/null 2>&1 + _result=$? + mux_cmd exit >/dev/null + wait_for_process_to_exit $_sshpid + fi + if test "x$_expected" = "xY" -a $_result -ne 0 ; then + fail "check_rfwd failed (expecting success): $_message" + elif test "x$_expected" = "xN" -a $_result -eq 0 ; then + fail "check_rfwd succeeded (expecting failure): $_message" + elif test "x$_expected" != "xY" -a "x$_expected" != "xN" ; then + fatal "check_rfwd invalid argument \"$_expected\"" + else + verbose "check_rfwd done (expecting $_expected): $_message" + fi +} + +start_sshd +cp ${OBJ}/sshd_proxy ${OBJ}/sshd_proxy.bak +cp ${OBJ}/authorized_keys_${USER} ${OBJ}/authorized_keys_${USER}.bak + +# Sanity check: ensure the default config allows forwarding +check_lfwd Y "default configuration" +check_rfwd Y "default configuration" + +# Usage: lperm_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N +lperm_tests() { + _tcpfwd=$1 + _plain_lfwd=$2 + _plain_rfwd=$3 + _nopermit_lfwd=$4 + _nopermit_rfwd=$5 + _permit_lfwd=$6 + _permit_rfwd=$7 + _badfwd1=127.0.0.1:22 + _badfwd2=127.0.0.2:22 + _goodfwd=127.0.0.1:${PORT} + cp ${OBJ}/authorized_keys_${USER}.bak ${OBJ}/authorized_keys_${USER} + _prefix="AllowTcpForwarding=$_tcpfwd" + + # No PermitOpen + ( cat ${OBJ}/sshd_proxy.bak ; + echo "AllowTcpForwarding $_tcpfwd" ) \ + > ${OBJ}/sshd_proxy + check_lfwd $_plain_lfwd "$_prefix" + check_rfwd $_plain_rfwd "$_prefix" + + # PermitOpen via sshd_config that doesn't match + ( cat ${OBJ}/sshd_proxy.bak ; + echo "AllowTcpForwarding $_tcpfwd" ; + echo "PermitOpen $_badfwd1 $_badfwd2" ) \ + > ${OBJ}/sshd_proxy + check_lfwd $_nopermit_lfwd "$_prefix, !PermitOpen" + check_rfwd $_nopermit_rfwd "$_prefix, !PermitOpen" + # PermitOpen via sshd_config that does match + ( cat ${OBJ}/sshd_proxy.bak ; + echo "AllowTcpForwarding $_tcpfwd" ; + echo "PermitOpen $_badfwd1 $_goodfwd $_badfwd2" ) \ + > ${OBJ}/sshd_proxy + check_lfwd $_plain_lfwd "$_prefix, PermitOpen" + check_rfwd $_plain_rfwd "$_prefix, PermitOpen" + + # permitopen keys option. + # NB. permitopen via authorized_keys should have same + # success/fail as via sshd_config + # permitopen via authorized_keys that doesn't match + sed "s/^/permitopen=\"$_badfwd1\",permitopen=\"$_badfwd2\" /" \ + < ${OBJ}/authorized_keys_${USER}.bak \ + > ${OBJ}/authorized_keys_${USER} || fatal "sed 1 fail" + ( cat ${OBJ}/sshd_proxy.bak ; + echo "AllowTcpForwarding $_tcpfwd" ) \ + > ${OBJ}/sshd_proxy + check_lfwd $_nopermit_lfwd "$_prefix, !permitopen" + check_rfwd $_nopermit_rfwd "$_prefix, !permitopen" + # permitopen via authorized_keys that does match + sed "s/^/permitopen=\"$_badfwd1\",permitopen=\"$_goodfwd\" /" \ + < ${OBJ}/authorized_keys_${USER}.bak \ + > ${OBJ}/authorized_keys_${USER} || fatal "sed 2 fail" + ( cat ${OBJ}/sshd_proxy.bak ; + echo "AllowTcpForwarding $_tcpfwd" ) \ + > ${OBJ}/sshd_proxy + check_lfwd $_permit_lfwd "$_prefix, permitopen" + check_rfwd $_permit_rfwd "$_prefix, permitopen" + + # Check port-forwarding flags in authorized_keys. + # These two should refuse all. + sed "s/^/no-port-forwarding /" \ + < ${OBJ}/authorized_keys_${USER}.bak \ + > ${OBJ}/authorized_keys_${USER} || fatal "sed 3 fail" + ( cat ${OBJ}/sshd_proxy.bak ; + echo "AllowTcpForwarding $_tcpfwd" ) \ + > ${OBJ}/sshd_proxy + check_lfwd N "$_prefix, no-port-forwarding" + check_rfwd N "$_prefix, no-port-forwarding" + sed "s/^/restrict /" \ + < ${OBJ}/authorized_keys_${USER}.bak \ + > ${OBJ}/authorized_keys_${USER} || fatal "sed 4 fail" + ( cat ${OBJ}/sshd_proxy.bak ; + echo "AllowTcpForwarding $_tcpfwd" ) \ + > ${OBJ}/sshd_proxy + check_lfwd N "$_prefix, restrict" + check_rfwd N "$_prefix, restrict" + # This should pass the same cases as _nopermit* + sed "s/^/restrict,port-forwarding /" \ + < ${OBJ}/authorized_keys_${USER}.bak \ + > ${OBJ}/authorized_keys_${USER} || fatal "sed 5 fail" + ( cat ${OBJ}/sshd_proxy.bak ; + echo "AllowTcpForwarding $_tcpfwd" ) \ + > ${OBJ}/sshd_proxy + check_lfwd $_plain_lfwd "$_prefix, restrict,port-forwarding" + check_rfwd $_plain_rfwd "$_prefix, restrict,port-forwarding" +} + +# permit-open none mismatch match +# AllowTcpForwarding local remote local remote local remote +lperm_tests yes Y Y N Y Y Y +lperm_tests local Y N N N Y N +lperm_tests remote N Y N Y N Y +lperm_tests no N N N N N N + +# Usage: rperm_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N +rperm_tests() { + _tcpfwd=$1 + _plain_lfwd=$2 + _plain_rfwd=$3 + _nopermit_lfwd=$4 + _nopermit_rfwd=$5 + _permit_lfwd=$6 + _permit_rfwd=$7 + _badfwd1=127.0.0.1:22 + _badfwd2=127.0.0.2:${RFWD_PORT} + _goodfwd=127.0.0.1:${RFWD_PORT} + cp ${OBJ}/authorized_keys_${USER}.bak ${OBJ}/authorized_keys_${USER} + _prefix="AllowTcpForwarding=$_tcpfwd" + + # PermitListen via sshd_config that doesn't match + ( cat ${OBJ}/sshd_proxy.bak ; + echo "AllowTcpForwarding $_tcpfwd" ; + echo "PermitListen $_badfwd1 $_badfwd2" ) \ + > ${OBJ}/sshd_proxy + check_lfwd $_nopermit_lfwd "$_prefix, !PermitListen" + check_rfwd $_nopermit_rfwd "$_prefix, !PermitListen" + # PermitListen via sshd_config that does match + ( cat ${OBJ}/sshd_proxy.bak ; + echo "AllowTcpForwarding $_tcpfwd" ; + echo "PermitListen $_badfwd1 $_goodfwd $_badfwd2" ) \ + > ${OBJ}/sshd_proxy + check_lfwd $_plain_lfwd "$_prefix, PermitListen" + check_rfwd $_plain_rfwd "$_prefix, PermitListen" +} + +# permit-remote-open none mismatch match +# AllowTcpForwarding local remote local remote local remote +rperm_tests yes Y Y Y N Y Y +rperm_tests local Y N Y N Y N +rperm_tests remote N Y N N N Y +rperm_tests no N N N N N N + |