d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
9faa27f263
freebsd-dev/crypto/openssh/regress/forward-control.sh
Ed Maste 38a52bd3b5 ssh: update to OpenSSH 9.1p1 
Release notes are available at https://www.openssh.com/txt/release-9.1

9.1 contains fixes for three minor memory safety problems; these have
lready been merged to the copy of OpenSSH 9.0 that is in the FreeBSD base
system.

Some highlights copied from the release notes:

Potentially-incompatible changes
--------------------------------

 * ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config
   are now first-match-wins to match other directives. Previously
   if an environment variable was multiply specified the last set
   value would have been used. bz3438

 * ssh-keygen(8): ssh-keygen -A (generate all default host key types)
   will no longer generate DSA keys, as these are insecure and have
   not been used by default for some years.

New features
------------

 * ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum
   RSA key length. Keys below this length will be ignored for user
   authentication and for host authentication in sshd(8).

 * sftp-server(8): add a "users-groups-by-id@openssh.com" extension
   request that allows the client to obtain user/group names that
   correspond to a set of uids/gids.

 * sftp(1): use "users-groups-by-id@openssh.com" sftp-server
   extension (when available) to fill in user/group names for
   directory listings.

 * sftp-server(8): support the "home-directory" extension request
   defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps
   a bit with the existing "expand-path@openssh.com", but some other
   clients support it.

 * ssh-keygen(1), sshd(8): allow certificate validity intervals,
   sshsig verification times and authorized_keys expiry-time options
   to accept dates in the UTC time zone in addition to the default
   of interpreting them in the system time zone. YYYYMMDD and
   YYMMDDHHMM[SS] dates/times will be interpreted as UTC if suffixed
   with a 'Z' character.

   Also allow certificate validity intervals to be specified in raw
   seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This
   is intended for use by regress tests and other tools that call
   ssh-keygen as part of a CA workflow. bz3468

 * sftp(1): allow arguments to the sftp -D option, e.g. sftp -D
   "/usr/libexec/sftp-server -el debug3"

 * ssh-keygen(1): allow the existing -U (use agent) flag to work
   with "-Y sign" operations, where it will be interpreted to require
   that the private keys is hosted in an agent; bz3429

MFC after:	2 weeks
Relnotes:	Yes
Sponsored by:	The FreeBSD Foundation
2022-10-19 10:27:11 -04:00

229 lines
7.5 KiB
Bash
Raw Blame History

# $OpenBSD: forward-control.sh,v 1.11 2022/04/21 01:36:46 dtucker Exp $
# Placed in the Public Domain.
tid="sshd control of local and remote forwarding"
LFWD_PORT=3320
RFWD_PORT=3321
CTL=$OBJ/ctl-sock
WAIT_SECONDS=20
wait_for_process_to_exit() {
_pid=$1
_n=0
while kill -0 $_pid 2>/dev/null ; do
test $_n -eq 1 && trace "waiting for $_pid to exit"
_n=`expr $_n + 1`
test $_n -ge $WAIT_SECONDS && return 1
sleep 1
done
return 0
}
mux_cmd() {
${SSH} -F $OBJ/ssh_proxy -S $CTL -O $1 host 2>&1
}
controlmaster_pid() {
mux_cmd check | cut -f2 -d= | cut -f1 -d')'
}
# usage: check_lfwd Y|N message
check_lfwd() {
_expected=$1
_message=$2
${SSH} -F $OBJ/ssh_proxy \
-L$LFWD_PORT:127.0.0.1:$PORT \
-o ExitOnForwardFailure=yes \
-MS $CTL -o ControlPersist=yes \
-f host true
mux_cmd check >/dev/null || fatal "check_lfwd ssh fail: $_message"
${SSH} -F $OBJ/ssh_config -p $LFWD_PORT \
-oConnectionAttempts=10 host true >/dev/null 2>&1
_result=$?
_sshpid=`controlmaster_pid`
mux_cmd exit >/dev/null
wait_for_process_to_exit $_sshpid
if test "x$_expected" = "xY" -a $_result -ne 0 ; then
fail "check_lfwd failed (expecting success): $_message"
elif test "x$_expected" = "xN" -a $_result -eq 0 ; then
fail "check_lfwd succeeded (expecting failure): $_message"
elif test "x$_expected" != "xY" -a "x$_expected" != "xN" ; then
fatal "check_lfwd invalid argument \"$_expected\""
else
verbose "check_lfwd done (expecting $_expected): $_message"
fi
}
# usage: check_rfwd Y|N message
check_rfwd() {
_expected=$1
_message=$2
${SSH} -F $OBJ/ssh_proxy \
-R127.0.0.1:$RFWD_PORT:127.0.0.1:$PORT \
-o ExitOnForwardFailure=yes \
-MS $CTL -o ControlPersist=yes \
-f host true
mux_cmd check >/dev/null
_result=$?
_sshpid=`controlmaster_pid`
if test $_result -eq 0; then
${SSH} -F $OBJ/ssh_config -p $RFWD_PORT \
-oConnectionAttempts=10 host true >/dev/null 2>&1
_result=$?
mux_cmd exit >/dev/null
wait_for_process_to_exit $_sshpid
fi
if test "x$_expected" = "xY" -a $_result -ne 0 ; then
fail "check_rfwd failed (expecting success): $_message"
elif test "x$_expected" = "xN" -a $_result -eq 0 ; then
fail "check_rfwd succeeded (expecting failure): $_message"
elif test "x$_expected" != "xY" -a "x$_expected" != "xN" ; then
fatal "check_rfwd invalid argument \"$_expected\""
else
verbose "check_rfwd done (expecting $_expected): $_message"
fi
}
start_sshd
cp ${OBJ}/sshd_proxy ${OBJ}/sshd_proxy.bak
cp ${OBJ}/authorized_keys_${USER} ${OBJ}/authorized_keys_${USER}.bak
# Sanity check: ensure the default config allows forwarding
check_lfwd Y "default configuration"
check_rfwd Y "default configuration"
# Usage: lperm_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N
lperm_tests() {
_tcpfwd=$1
_plain_lfwd=$2
_plain_rfwd=$3
_nopermit_lfwd=$4
_nopermit_rfwd=$5
_permit_lfwd=$6
_permit_rfwd=$7
_badfwd1=127.0.0.1:22
_badfwd2=127.0.0.2:22
_goodfwd=127.0.0.1:${PORT}
cp ${OBJ}/authorized_keys_${USER}.bak ${OBJ}/authorized_keys_${USER}
_prefix="AllowTcpForwarding=$_tcpfwd"
# No PermitOpen
( cat ${OBJ}/sshd_proxy.bak ;
echo "AllowTcpForwarding $_tcpfwd" ) \
> ${OBJ}/sshd_proxy
check_lfwd $_plain_lfwd "$_prefix"
check_rfwd $_plain_rfwd "$_prefix"
# PermitOpen via sshd_config that doesn't match
( cat ${OBJ}/sshd_proxy.bak ;
echo "AllowTcpForwarding $_tcpfwd" ;
echo "PermitOpen $_badfwd1 $_badfwd2" ) \
> ${OBJ}/sshd_proxy
check_lfwd $_nopermit_lfwd "$_prefix, !PermitOpen"
check_rfwd $_nopermit_rfwd "$_prefix, !PermitOpen"
# PermitOpen via sshd_config that does match
( cat ${OBJ}/sshd_proxy.bak ;
echo "AllowTcpForwarding $_tcpfwd" ;
echo "PermitOpen $_badfwd1 $_goodfwd $_badfwd2" ) \
> ${OBJ}/sshd_proxy
check_lfwd $_plain_lfwd "$_prefix, PermitOpen"
check_rfwd $_plain_rfwd "$_prefix, PermitOpen"
# permitopen keys option.
# NB. permitopen via authorized_keys should have same
# success/fail as via sshd_config
# permitopen via authorized_keys that doesn't match
sed "s/^/permitopen=\"$_badfwd1\",permitopen=\"$_badfwd2\" /" \
< ${OBJ}/authorized_keys_${USER}.bak \
> ${OBJ}/authorized_keys_${USER} || fatal "sed 1 fail"
( cat ${OBJ}/sshd_proxy.bak ;
echo "AllowTcpForwarding $_tcpfwd" ) \
> ${OBJ}/sshd_proxy
check_lfwd $_nopermit_lfwd "$_prefix, !permitopen"
check_rfwd $_nopermit_rfwd "$_prefix, !permitopen"
# permitopen via authorized_keys that does match
sed "s/^/permitopen=\"$_badfwd1\",permitopen=\"$_goodfwd\" /" \
< ${OBJ}/authorized_keys_${USER}.bak \
> ${OBJ}/authorized_keys_${USER} || fatal "sed 2 fail"
( cat ${OBJ}/sshd_proxy.bak ;
echo "AllowTcpForwarding $_tcpfwd" ) \
> ${OBJ}/sshd_proxy
check_lfwd $_permit_lfwd "$_prefix, permitopen"
check_rfwd $_permit_rfwd "$_prefix, permitopen"
# Check port-forwarding flags in authorized_keys.
# These two should refuse all.
sed "s/^/no-port-forwarding /" \
< ${OBJ}/authorized_keys_${USER}.bak \
> ${OBJ}/authorized_keys_${USER} || fatal "sed 3 fail"
( cat ${OBJ}/sshd_proxy.bak ;
echo "AllowTcpForwarding $_tcpfwd" ) \
> ${OBJ}/sshd_proxy
check_lfwd N "$_prefix, no-port-forwarding"
check_rfwd N "$_prefix, no-port-forwarding"
sed "s/^/restrict /" \
< ${OBJ}/authorized_keys_${USER}.bak \
> ${OBJ}/authorized_keys_${USER} || fatal "sed 4 fail"
( cat ${OBJ}/sshd_proxy.bak ;
echo "AllowTcpForwarding $_tcpfwd" ) \
> ${OBJ}/sshd_proxy
check_lfwd N "$_prefix, restrict"
check_rfwd N "$_prefix, restrict"
# This should pass the same cases as _nopermit*
sed "s/^/restrict,port-forwarding /" \
< ${OBJ}/authorized_keys_${USER}.bak \
> ${OBJ}/authorized_keys_${USER} || fatal "sed 5 fail"
( cat ${OBJ}/sshd_proxy.bak ;
echo "AllowTcpForwarding $_tcpfwd" ) \
> ${OBJ}/sshd_proxy
check_lfwd $_plain_lfwd "$_prefix, restrict,port-forwarding"
check_rfwd $_plain_rfwd "$_prefix, restrict,port-forwarding"
}
# permit-open none mismatch match
# AllowTcpForwarding local remote local remote local remote
lperm_tests yes Y Y N Y Y Y
lperm_tests local Y N N N Y N
lperm_tests remote N Y N Y N Y
lperm_tests no N N N N N N
# Usage: rperm_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N
rperm_tests() {
_tcpfwd=$1
_plain_lfwd=$2
_plain_rfwd=$3
_nopermit_lfwd=$4
_nopermit_rfwd=$5
_permit_lfwd=$6
_permit_rfwd=$7
_badfwd1=127.0.0.1:22
_badfwd2=127.0.0.2:${RFWD_PORT}
_goodfwd=127.0.0.1:${RFWD_PORT}
cp ${OBJ}/authorized_keys_${USER}.bak ${OBJ}/authorized_keys_${USER}
_prefix="AllowTcpForwarding=$_tcpfwd"
# PermitListen via sshd_config that doesn't match
( cat ${OBJ}/sshd_proxy.bak ;
echo "AllowTcpForwarding $_tcpfwd" ;
echo "PermitListen $_badfwd1 $_badfwd2" ) \
> ${OBJ}/sshd_proxy
check_lfwd $_nopermit_lfwd "$_prefix, !PermitListen"
check_rfwd $_nopermit_rfwd "$_prefix, !PermitListen"
# PermitListen via sshd_config that does match
( cat ${OBJ}/sshd_proxy.bak ;
echo "AllowTcpForwarding $_tcpfwd" ;
echo "PermitListen $_badfwd1 $_goodfwd $_badfwd2" ) \
> ${OBJ}/sshd_proxy
check_lfwd $_plain_lfwd "$_prefix, PermitListen"
check_rfwd $_plain_rfwd "$_prefix, PermitListen"
}
# permit-remote-open none mismatch match
# AllowTcpForwarding local remote local remote local remote
rperm_tests yes Y Y Y N Y Y
rperm_tests local Y N Y N Y N
rperm_tests remote N Y N N N Y
rperm_tests no N N N N N N
Reference in New Issue View Git Blame Copy Permalink