- (djm) [regress/Makefile regress/agent-getpeereid.sh regress/cfgmatch.sh]
authordjm <djm>
Mon, 24 Jul 2006 05:31:41 +0000 (05:31 +0000)
committerdjm <djm>
Mon, 24 Jul 2006 05:31:41 +0000 (05:31 +0000)
   [regress/cipher-speed.sh regress/forcecommand.sh regress/forwarding.sh]
   Sync regress tests to -current; include dtucker@'s new cfgmatch and
   forcecommand tests. Add cipher-speed.sh test (not linked in yet)

ChangeLog
regress/Makefile
regress/agent-getpeereid.sh
regress/cfgmatch.sh [new file with mode: 0644]
regress/cipher-speed.sh [new file with mode: 0644]
regress/forcecommand.sh [new file with mode: 0644]
regress/forwarding.sh

index f352123bd0c825ebc5b70612a00f355c1a39624b..80fbe359283c4e7bdc182eb0581016b9dad05153 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
    names)
  - (djm) [Makefile.in]
    Remove generated openbsd-compat/regress/Makefile in distclean target
+ - (djm) [regress/Makefile regress/agent-getpeereid.sh regress/cfgmatch.sh]
+   [regress/cipher-speed.sh regress/forcecommand.sh regress/forwarding.sh]
+   Sync regress tests to -current; include dtucker@'s new cfgmatch and 
+   forcecommand tests. Add cipher-speed.sh test (not linked in yet)
 
 20060713
  - (dtucker) [auth-krb5.c auth-pam.c] Still more errno.h
index 4f47bc3fdbb5cb315d5ca2d43f0248feea2ec86e..53995639834d0c3c044f01d6bff539e404773781 100644 (file)
@@ -1,4 +1,4 @@
-#      $OpenBSD: Makefile,v 1.36 2005/03/04 08:48:46 djm Exp $
+#      $OpenBSD: Makefile,v 1.42 2006/07/19 13:34:52 dtucker Exp $
 
 REGRESS_TARGETS=       t1 t2 t3 t4 t5 t6 t7 t-exec
 tests:         $(REGRESS_TARGETS)
@@ -40,7 +40,9 @@ LTESTS=       connect \
                forwarding \
                multiplex \
                reexec \
-               brokenkeys
+               brokenkeys \
+               cfgmatch \
+               forcecommand
 
 USER!=         id -un
 CLEANFILES=    t2.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \
@@ -49,8 +51,8 @@ CLEANFILES=   t2.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \
                rsa.pub rsa rsa1.pub rsa1 host.rsa host.rsa1 \
                rsa-agent rsa-agent.pub rsa1-agent rsa1-agent.pub \
                ls.copy banner.in banner.out empty.in \
-               scp-ssh-wrapper.scp ssh_proxy_envpass \
-               remote_pid
+               scp-ssh-wrapper.scp ssh_proxy_envpass remote_pid \
+               sshd_proxy_bak rsa_ssh2_cr.prv rsa_ssh2_crnl.prv
 
 #LTESTS +=     ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp
 
index 6186a8d489e9565b59fde3a309333b1e929b52b5..e5fcedda78ef07130d1b159a5f3b529e8e4ac354 100644 (file)
@@ -1,4 +1,4 @@
-#      $OpenBSD: agent-getpeereid.sh,v 1.2 2005/11/14 21:25:56 grunk Exp $
+#      $OpenBSD: agent-getpeereid.sh,v 1.3 2006/07/06 12:01:53 grunk Exp $
 #      Placed in the Public Domain.
 
 tid="disallow agent attach from other uid"
@@ -12,6 +12,11 @@ then
        echo "skipped (not supported on this platform)"
        exit 0
 fi
+if [ -z "$SUDO" ]; then
+       echo "skipped: need SUDO to switch to uid $UNPRIV"
+       exit 0
+fi
+
 
 trace "start agent"
 eval `${SSHAGENT} -s -a ${ASOCK}` > /dev/null
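Review bot: The new skip path exits 0, like the platform check above it, so a run without SUDO presumably counts the "disallow agent attach from other uid" test as passed even though the uid check never ran. A comment above the check would make that explicit, e.g. `# without SUDO we cannot switch to $UNPRIV, so the uid check is not exercised`. The message uses `skipped: ...` where the existing one uses `skipped (...)`, and the added trailing blank line leaves two blank lines before `trace "start agent"`.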
diff --git a/regress/cfgmatch.sh b/regress/cfgmatch.sh
new file mode 100644 (file)
index 0000000..3a789fa
--- /dev/null
@@ -0,0 +1,105 @@
+#      $OpenBSD: cfgmatch.sh,v 1.2 2006/07/22 01:50:00 dtucker Exp $
+#      Placed in the Public Domain.
+
+tid="sshd_config match"
+
+pidfile=$OBJ/remote_pid
+fwdport=3301
+fwd="-L $fwdport:127.0.0.1:$PORT"
+
+stop_client()
+{
+       pid=`cat $pidfile`
+       if [ ! -z "$pid" ]; then
+               kill $pid
+       fi
+}
+
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+
+echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_config
+echo "Match Address 127.0.0.1" >>$OBJ/sshd_config
+echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_config
+
+echo "PermitOpen 127.0.0.1:1" >>$OBJ/sshd_proxy
+echo "Match Address 127.0.0.1" >>$OBJ/sshd_proxy
+echo "PermitOpen 127.0.0.1:$PORT" >>$OBJ/sshd_proxy
+
+start_sshd
+
+#set -x
+
+# Test Match + PermitOpen in sshd_config.  This should be permitted
+for p in 1 2; do
+       rm -f $pidfile
+       trace "match permitopen localhost proto $p"
+       ${SSH} -$p $fwd -F $OBJ/ssh_config -f somehost \
+           "echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 ||\
+           fail "match permitopen proto $p sshd failed"
+       sleep 1;
+       ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
+           fail "match permitopen permit proto $p"
+       stop_client
+done
+
+# Same but from different source.  This should not be permitted
+for p in 1 2; do
+       rm -f $pidfile
+       trace "match permitopen proxy proto $p"
+       ${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \
+           "echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 ||\
+           fail "match permitopen proxy proto $p sshd failed"
+       sleep 1;
+       ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
+           fail "match permitopen deny proto $p"
+       stop_client
+done
+
+# Retry previous with key option, should also be denied.
+echo -n 'permitopen="127.0.0.1:'$PORT'" ' >$OBJ/authorized_keys_$USER
+cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
+echo -n 'permitopen="127.0.0.1:'$PORT'" ' >>$OBJ/authorized_keys_$USER
+cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
+for p in 1 2; do
+       rm -f $pidfile
+       trace "match permitopen proxy w/key opts proto $p"
+       ${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \
+           "echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 ||\
+           fail "match permitopen w/key opt proto $p sshd failed"
+       sleep 1;
+       ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
+           fail "match permitopen deny w/key opt proto $p"
+       stop_client
+done
+
+# Test both sshd_config and key options permitting the same dst/port pair.
+# Should be permitted.
+for p in 1 2; do
+       rm -f $pidfile
+       trace "match permitopen localhost proto $p"
+       ${SSH} -$p $fwd -F $OBJ/ssh_config -f somehost \
+           "echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 ||\
+           fail "match permitopen proto $p sshd failed"
+       sleep 1;
+       ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
+           fail "match permitopen permit proto $p"
+       stop_client
+done
+
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy
+echo "Match User $USER" >>$OBJ/sshd_proxy
+echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
+
+# Test that a Match overrides a PermitOpen in the global section
+for p in 1 2; do
+       rm -f $pidfile
+       trace "match permitopen proxy w/key opts proto $p"
+       ${SSH} -q -$p $fwd -F $OBJ/ssh_proxy -f somehost \
+           "echo \$\$ > $pidfile; exec sleep 100" >>$TEST_SSH_LOGFILE 2>&1 ||\
+           fail "match override permitopen proto $p sshd failed"
+       sleep 1;
+       ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
+           fail "match override permitopen proto $p"
+       stop_client
+done
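Review bot: The three "should not be permitted" loops treat any non-zero exit from the second `${SSH} -q -$p -p $fwdport ... true` as proof that PermitOpen denied the channel. They therefore also pass when the forwarding client never came up or nothing is listening on the fixed port 3301. Confirming that the forwarder started before the deny assertion, e.g. `[ -s $pidfile ] || fail "forwarder did not start proto $p"` after the `sleep 1`, would keep a broken setup from reading as a successful denial. `stop_client` runs `cat $pidfile` without checking that the file exists. The final loop's trace text repeats "proxy w/key opts" although it tests the Match override.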
diff --git a/regress/cipher-speed.sh b/regress/cipher-speed.sh
new file mode 100644 (file)
index 0000000..5925111
--- /dev/null
@@ -0,0 +1,47 @@
+#      $OpenBSD: cipher-speed.sh,v 1.2 2005/05/24 04:09:54 djm Exp $
+#      Placed in the Public Domain.
+
+tid="cipher speed"
+
+getbytes ()
+{
+       sed -n '/transferred/s/.*secs (\(.* bytes.sec\).*/\1/p'
+}
+
+tries="1 2"
+DATA=/bin/ls
+DATA=/bsd
+
+macs="hmac-sha1 hmac-md5 hmac-sha1-96 hmac-md5-96"
+ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc 
+       arcfour128 arcfour256 arcfour aes192-cbc aes256-cbc aes128-ctr"
+
+for c in $ciphers; do for m in $macs; do
+       trace "proto 2 cipher $c mac $m"
+       for x in $tries; do
+               echo -n "$c/$m:\t"
+               ( ${SSH} -o 'compression no' \
+                       -F $OBJ/ssh_proxy -2 -m $m -c $c somehost \
+                       exec sh -c \'"dd of=/dev/null obs=32k"\' \
+               < ${DATA} ) 2>&1 | getbytes
+
+               if [ $? -ne 0 ]; then
+                       fail "ssh -2 failed with mac $m cipher $c"
+               fi
+       done
+done; done
+
+ciphers="3des blowfish"
+for c in $ciphers; do
+       trace "proto 1 cipher $c"
+       for x in $tries; do
+               echo -n "$c:\t"
+               ( ${SSH} -o 'compression no' \
+                       -F $OBJ/ssh_proxy -1 -c $c somehost \
+                       exec sh -c \'"dd of=/dev/null obs=32k"\' \
+               < ${DATA} ) 2>&1 | getbytes
+               if [ $? -ne 0 ]; then
+                       fail "ssh -1 failed with cipher $c"
+               fi
+       done
+done
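Review bot: `$?` after `( ${SSH} ... ) 2>&1 | getbytes` is the exit status of `getbytes` (the sed at the end of the pipeline), not of ssh. The `fail "ssh -2 failed with mac $m cipher $c"` and `fail "ssh -1 failed with cipher $c"` branches therefore cannot report a cipher or MAC that failed to negotiate. Capturing the ssh output and status before filtering would make both checks meaningful: write the output to a scratch file under `$OBJ`, save `r=$?`, run `getbytes` on the file, then test `$r`. Separately, `DATA=/bin/ls` is immediately overwritten by `DATA=/bsd`, a path that is presumably absent on non-OpenBSD hosts. A single assignment with a comment on the choice would be clearer.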
diff --git a/regress/forcecommand.sh b/regress/forcecommand.sh
new file mode 100644 (file)
index 0000000..796e7c2
--- /dev/null
@@ -0,0 +1,42 @@
+#      $OpenBSD: forcecommand.sh,v 1.1 2006/07/19 13:09:28 dtucker Exp $
+#      Placed in the Public Domain.
+
+tid="forced command"
+
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+
+echo -n 'command="true" ' >$OBJ/authorized_keys_$USER
+cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
+echo -n 'command="true" ' >>$OBJ/authorized_keys_$USER
+cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
+
+for p in 1 2; do
+       trace "forced command in key option proto $p"
+       ${SSH} -$p -F $OBJ/ssh_proxy somehost false \ ||
+           fail "forced command in key proto $p"
+done
+
+echo -n 'command="false" ' >$OBJ/authorized_keys_$USER
+cat $OBJ/rsa.pub >> $OBJ/authorized_keys_$USER
+echo -n 'command="false" ' >>$OBJ/authorized_keys_$USER
+cat $OBJ/rsa1.pub >> $OBJ/authorized_keys_$USER
+
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+echo "ForceCommand true" >> $OBJ/sshd_proxy
+
+for p in 1 2; do
+       trace "forced command in sshd_config overrides key option proto $p"
+       ${SSH} -$p -F $OBJ/ssh_proxy somehost false \ ||
+           fail "forced command in key proto $p"
+done
+
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+echo "ForceCommand false" >> $OBJ/sshd_proxy
+echo "Match User $USER" >> $OBJ/sshd_proxy
+echo "    ForceCommand true" >> $OBJ/sshd_proxy
+
+for p in 1 2; do
+       trace "forced command with match proto $p"
+       ${SSH} -$p -F $OBJ/ssh_proxy somehost false \ ||
+           fail "forced command in key proto $p"
+done
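Review bot: All three loops end in the same `fail "forced command in key proto $p"`, so a regression in the ForceCommand-overrides-key-option case or in the Match case is logged as a key-option failure. Distinct messages that follow the trace lines, such as `fail "forced command in sshd_config proto $p"` and `fail "forced command with match proto $p"`, would make the failing policy layer identifiable. The `false \ ||` continuation escapes a space rather than the newline, so an extra blank word is passed to ssh; `false || \` looks like what was intended.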
index 3b171144fb032e4ef09dc25e2878c865d4ce5376..9ffbb3dd4712f67fb5f7fd580cb6f4c8c95eb009 100644 (file)
@@ -1,4 +1,4 @@
-#      $OpenBSD: forwarding.sh,v 1.5 2005/03/10 10:20:39 dtucker Exp $
+#      $OpenBSD: forwarding.sh,v 1.6 2006/07/11 18:51:21 markus Exp $
 #      Placed in the Public Domain.
 
 tid="local and remote forwarding"
@@ -33,6 +33,36 @@ for p in 1 2; do
        sleep 10
 done
 
+for p in 1 2; do
+for d in L R; do
+       trace "exit on -$d forward failure, proto $p"
+
+       # this one should succeed
+       ${SSH} -$p -F $OBJ/ssh_config \
+           -$d ${base}01:127.0.0.1:$PORT \
+           -$d ${base}02:127.0.0.1:$PORT \
+           -$d ${base}03:127.0.0.1:$PORT \
+           -$d ${base}04:127.0.0.1:$PORT \
+           -oExitOnForwardFailure=yes somehost true
+       if [ $? != 0 ]; then
+               fail "connection failed, should not"
+       else
+               # this one should fail
+               ${SSH} -q -$p -F $OBJ/ssh_config \
+                   -$d ${base}01:127.0.0.1:$PORT \
+                   -$d ${base}02:127.0.0.1:$PORT \
+                   -$d ${base}03:127.0.0.1:$PORT \
+                   -$d ${base}01:127.0.0.1:$PORT \
+                   -$d ${base}04:127.0.0.1:$PORT \
+                   -oExitOnForwardFailure=yes somehost true
+               r=$?
+               if [ $r != 255 ]; then
+                       fail "connection not termintated, but should ($r)"
+               fi
+       fi
+done
+done
+
 for p in 1 2; do
        trace "simple clear forwarding proto $p"
        ${SSH} -$p -F $OBJ/ssh_config -oClearAllForwardings=yes somehost true
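Review bot: The failure message `fail "connection not termintated, but should ($r)"` misspells "terminated" and, unlike the trace line above it, names neither the protocol nor the forward direction. `fail "connection not terminated, but should ($r), -$d proto $p"` would make a log entry attributable. The should-fail case sits in the `else` branch, so the ExitOnForwardFailure check is skipped whenever the should-succeed connection fails. The inner `for d in L R` loop is not indented, and `base` is defined outside this hunk.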