protocol. We only support SSHv2 now.
-# $OpenBSD: agent-pkcs11.sh,v 1.2 2015/01/12 11:46:32 djm Exp $
+# $OpenBSD: agent-pkcs11.sh,v 1.3 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="pkcs11 agent test"
fi
trace "pkcs11 connect via agent"
- ${SSH} -2 -F $OBJ/ssh_proxy somehost exit 5
+ ${SSH} -F $OBJ/ssh_proxy somehost exit 5
r=$?
if [ $r -ne 5 ]; then
fail "ssh connect failed (exit code $r)"
-# $OpenBSD: agent.sh,v 1.11 2015/03/03 22:35:19 markus Exp $
+# $OpenBSD: agent.sh,v 1.12 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="simple agent test"
fi
trace "simple connect via agent"
- for p in ${SSH_PROTOCOLS}; do
- ${SSH} -$p -F $OBJ/ssh_proxy somehost exit 5$p
- r=$?
- if [ $r -ne 5$p ]; then
- fail "ssh connect with protocol $p failed (exit code $r)"
- fi
- done
+ ${SSH} -F $OBJ/ssh_proxy somehost exit 52
+ r=$?
+ if [ $r -ne 52 ]; then
+ fail "ssh connect with failed (exit code $r)"
+ fi
trace "agent forwarding"
- for p in ${SSH_PROTOCOLS}; do
- ${SSH} -A -$p -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
- r=$?
- if [ $r -ne 0 ]; then
- fail "ssh-add -l via agent fwd proto $p failed (exit code $r)"
- fi
- ${SSH} -A -$p -F $OBJ/ssh_proxy somehost \
- "${SSH} -$p -F $OBJ/ssh_proxy somehost exit 5$p"
- r=$?
- if [ $r -ne 5$p ]; then
- fail "agent fwd proto $p failed (exit code $r)"
- fi
- done
+ ${SSH} -A -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
+ r=$?
+ if [ $r -ne 0 ]; then
+ fail "ssh-add -l via agent fwd failed (exit code $r)"
+ fi
+ ${SSH} -A -F $OBJ/ssh_proxy somehost \
+ "${SSH} -F $OBJ/ssh_proxy somehost exit 52"
+ r=$?
+ if [ $r -ne 52 ]; then
+ fail "agent fwd failed (exit code $r)"
+ fi
trace "delete all agent keys"
${SSHADD} -D > /dev/null 2>&1
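Review bot: The rewritten failure message in the first `if` block, `fail "ssh connect with failed (exit code $r)"`, kept the preposition from the removed `with protocol $p` text and now reads as a fragment; it should be `fail "ssh connect failed (exit code $r)"`. The same mechanical edit left the same dangling word in brokenkeys.sh (`"ssh connect with failed"`), connect.sh (`"ssh connect with failed"`), cert-file.sh (`"ssh connect with agent in succeeded with no cert"` and the two messages after it, where the stray `in` should go) and exit-status.sh (`"exit code mismatch for: $r != $s"` twice, where `for:` should become a plain `:`). These strings are what a failing regress run prints, so tidying them keeps the diagnostics readable.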
-# $OpenBSD: banner.sh,v 1.2 2003/10/11 11:49:49 dtucker Exp $
+# $OpenBSD: banner.sh,v 1.3 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="banner"
trace "test missing banner file"
verbose "test $tid: missing banner file"
-( ${SSH} -2 -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
+( ${SSH} -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
cmp $OBJ/empty.in $OBJ/banner.out ) || \
fail "missing banner file"
trace "test banner size $s"
verbose "test $tid: size $s"
- ( ${SSH} -2 -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
+ ( ${SSH} -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
cmp $OBJ/banner.in $OBJ/banner.out ) || \
fail "banner size $s mismatch"
done
trace "test suppress banner (-q)"
verbose "test $tid: suppress banner (-q)"
-( ${SSH} -q -2 -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
+( ${SSH} -q -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
cmp $OBJ/empty.in $OBJ/banner.out ) || \
fail "suppress banner (-q)"
-# $OpenBSD: broken-pipe.sh,v 1.5 2015/03/03 22:35:19 markus Exp $
+# $OpenBSD: broken-pipe.sh,v 1.6 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="broken pipe test"
-for p in ${SSH_PROTOCOLS}; do
- trace "protocol $p"
- for i in 1 2 3 4; do
- ${SSH} -$p -F $OBJ/ssh_config_config nexthost echo $i 2> /dev/null | true
- r=$?
- if [ $r -ne 0 ]; then
- fail "broken pipe returns $r for protocol $p"
- fi
- done
+for i in 1 2 3 4; do
+ ${SSH} -F $OBJ/ssh_config_config nexthost echo $i 2> /dev/null | true
+ r=$?
+ if [ $r -ne 0 ]; then
+ fail "broken pipe returns $r"
+ fi
done
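Review bot: The `r=$?` following the pipeline into `true` records the status of `true`, not of `${SSH}`, so the `fail "broken pipe returns $r"` branch can never be taken; the removed per-protocol loop had the same shape, and the rewrite keeps it. If the test only needs ssh to terminate when its stdout reader goes away, the status check is dead code and could be dropped; if it is meant to verify ssh's own exit status, the pipeline would need restructuring (for example capturing the status inside a subshell to a temporary file), since POSIX sh has no PIPESTATUS. A one-line comment above the loop stating which of the two is intended, such as `# ssh must exit cleanly when its output pipe is closed; only termination is checked`, would save the next reader from re-investigating.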
-# $OpenBSD: brokenkeys.sh,v 1.1 2004/10/29 23:59:22 djm Exp $
+# $OpenBSD: brokenkeys.sh,v 1.2 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="broken keys"
cat ${KEYS}.bak >> ${KEYS}
cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
-${SSH} -2 -F $OBJ/ssh_config somehost true
+${SSH} -F $OBJ/ssh_config somehost true
if [ $? -ne 0 ]; then
- fail "ssh connect with protocol $p failed"
+ fail "ssh connect with failed"
fi
mv ${KEYS}.bak ${KEYS}
-# $OpenBSD: cert-file.sh,v 1.5 2017/03/11 23:44:16 djm Exp $
+# $OpenBSD: cert-file.sh,v 1.6 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="ssh with certificates"
# XXX: verify that certificate used was what we expect. Needs exposure of
# keys via enviornment variable or similar.
-for p in ${SSH_PROTOCOLS}; do
# Key with no .pub should work - finding the equivalent *-cert.pub.
- verbose "protocol $p: identity cert with no plain public file"
- ${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \
- -i $OBJ/user_key3 somehost exit 5$p
- [ $? -ne 5$p ] && fail "ssh failed"
-
- # CertificateFile matching private key with no .pub file should work.
- verbose "protocol $p: CertificateFile with no plain public file"
- ${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \
- -oCertificateFile=$OBJ/user_key3-cert.pub \
- -i $OBJ/user_key3 somehost exit 5$p
- [ $? -ne 5$p ] && fail "ssh failed"
-
- # Just keys should fail
- verbose "protocol $p: plain keys"
- ${SSH} $opts2 somehost exit 5$p
- r=$?
- if [ $r -eq 5$p ]; then
- fail "ssh succeeded with no certs in protocol $p"
- fi
-
- # Keys with untrusted cert should fail.
- verbose "protocol $p: untrusted cert"
- opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub"
- ${SSH} $opts3 somehost exit 5$p
- r=$?
- if [ $r -eq 5$p ]; then
- fail "ssh succeeded with bad cert in protocol $p"
- fi
-
- # Good cert with bad key should fail.
- verbose "protocol $p: good cert, bad key"
- opts3="$opts -i $OBJ/user_key2"
- opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
- ${SSH} $opts3 somehost exit 5$p
- r=$?
- if [ $r -eq 5$p ]; then
- fail "ssh succeeded with no matching key in protocol $p"
- fi
-
- # Keys with one trusted cert, should succeed.
- verbose "protocol $p: single trusted"
- opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
- ${SSH} $opts3 somehost exit 5$p
- r=$?
- if [ $r -ne 5$p ]; then
- fail "ssh failed with trusted cert and key in protocol $p"
- fi
-
- # Multiple certs and keys, with one trusted cert, should succeed.
- verbose "protocol $p: multiple trusted"
- opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub"
- opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
- ${SSH} $opts3 somehost exit 5$p
- r=$?
- if [ $r -ne 5$p ]; then
- fail "ssh failed with multiple certs in protocol $p"
- fi
-done
+verbose "identity cert with no plain public file"
+${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \
+ -i $OBJ/user_key3 somehost exit 52
+[ $? -ne 52 ] && fail "ssh failed"
+
+# CertificateFile matching private key with no .pub file should work.
+verbose "CertificateFile with no plain public file"
+${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \
+ -oCertificateFile=$OBJ/user_key3-cert.pub \
+ -i $OBJ/user_key3 somehost exit 52
+[ $? -ne 52 ] && fail "ssh failed"
+
+# Just keys should fail
+verbose "plain keys"
+${SSH} $opts2 somehost exit 52
+r=$?
+if [ $r -eq 52 ]; then
+ fail "ssh succeeded with no certs"
+fi
+
+# Keys with untrusted cert should fail.
+verbose "untrusted cert"
+opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub"
+${SSH} $opts3 somehost exit 52
+r=$?
+if [ $r -eq 52 ]; then
+ fail "ssh succeeded with bad cert"
+fi
+
+# Good cert with bad key should fail.
+verbose "good cert, bad key"
+opts3="$opts -i $OBJ/user_key2"
+opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
+${SSH} $opts3 somehost exit 52
+r=$?
+if [ $r -eq 52 ]; then
+ fail "ssh succeeded with no matching key"
+fi
+
+# Keys with one trusted cert, should succeed.
+verbose "single trusted"
+opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
+${SSH} $opts3 somehost exit 52
+r=$?
+if [ $r -ne 52 ]; then
+ fail "ssh failed with trusted cert and key"
+fi
+
+# Multiple certs and keys, with one trusted cert, should succeed.
+verbose "multiple trusted"
+opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub"
+opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
+${SSH} $opts3 somehost exit 52
+r=$?
+if [ $r -ne 52 ]; then
+ fail "ssh failed with multiple certs"
+fi
#next, using an agent in combination with the keys
SSH_AUTH_SOCK=/nonexistent ${SSHADD} -l > /dev/null 2>&1
fi
# try ssh with the agent and certificates
-# note: ssh agent only uses certificates in protocol 2
opts="-F $OBJ/ssh_proxy"
# with no certificates, shoud fail
-${SSH} -2 $opts somehost exit 52
+${SSH} $opts somehost exit 52
if [ $? -eq 52 ]; then
- fail "ssh connect with agent in protocol 2 succeeded with no cert"
+ fail "ssh connect with agent in succeeded with no cert"
fi
#with an untrusted certificate, should fail
opts="$opts -oCertificateFile=$OBJ/cert_user_key1_2.pub"
-${SSH} -2 $opts somehost exit 52
+${SSH} $opts somehost exit 52
if [ $? -eq 52 ]; then
- fail "ssh connect with agent in protocol 2 succeeded with bad cert"
+ fail "ssh connect with agent in succeeded with bad cert"
fi
#with an additional trusted certificate, should succeed
opts="$opts -oCertificateFile=$OBJ/cert_user_key1_1.pub"
-${SSH} -2 $opts somehost exit 52
+${SSH} $opts somehost exit 52
if [ $? -ne 52 ]; then
- fail "ssh connect with agent in protocol 2 failed with good cert"
+ fail "ssh connect with agent in failed with good cert"
fi
trace "kill agent"
-# $OpenBSD: cert-hostkey.sh,v 1.14 2016/05/02 09:52:00 djm Exp $
+# $OpenBSD: cert-hostkey.sh,v 1.15 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="certified host keys"
shift; shift
verbose "$tid: $_ident expect success $_expect_success"
cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
- ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+ ${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \
-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
"$@" -F $OBJ/ssh_proxy somehost true
_r=$?
) > $OBJ/sshd_proxy
cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
- ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+ ${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \
-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
) > $OBJ/sshd_proxy
cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
- ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+ ${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \
-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
) > $OBJ/sshd_proxy
cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
- ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+ ${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \
-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
rc=$?
echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
) > $OBJ/sshd_proxy
- ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+ ${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \
-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
-F $OBJ/ssh_proxy somehost true
if [ $? -ne 0 ]; then
) > $OBJ/sshd_proxy
cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
- ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+ ${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \
-oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
-F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
-# $OpenBSD: cert-userkey.sh,v 1.17 2016/11/30 03:01:33 djm Exp $
+# $OpenBSD: cert-userkey.sh,v 1.18 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="certified user keys"
# Missing authorized_principals
verbose "$tid: ${_prefix} missing authorized_principals"
rm -f $OBJ/authorized_principals_$USER
- ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+ ${SSH} -i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect succeeded unexpectedly"
# Empty authorized_principals
verbose "$tid: ${_prefix} empty authorized_principals"
echo > $OBJ/authorized_principals_$USER
- ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+ ${SSH} -i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect succeeded unexpectedly"
# Wrong authorized_principals
verbose "$tid: ${_prefix} wrong authorized_principals"
echo gregorsamsa > $OBJ/authorized_principals_$USER
- ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+ ${SSH} -i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect succeeded unexpectedly"
# Correct authorized_principals
verbose "$tid: ${_prefix} correct authorized_principals"
echo mekmitasdigoat > $OBJ/authorized_principals_$USER
- ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+ ${SSH} -i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -ne 0 ]; then
fail "ssh cert connect failed"
# authorized_principals with bad key option
verbose "$tid: ${_prefix} authorized_principals bad key opt"
echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
- ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+ ${SSH} -i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect succeeded unexpectedly"
verbose "$tid: ${_prefix} authorized_principals command=false"
echo 'command="false" mekmitasdigoat' > \
$OBJ/authorized_principals_$USER
- ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+ ${SSH} -i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect succeeded unexpectedly"
verbose "$tid: ${_prefix} authorized_principals command=true"
echo 'command="true" mekmitasdigoat' > \
$OBJ/authorized_principals_$USER
- ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+ ${SSH} -i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
if [ $? -ne 0 ]; then
fail "ssh cert connect failed"
printf 'cert-authority,principals="gregorsamsa" '
cat $OBJ/user_ca_key.pub
) > $OBJ/authorized_keys_$USER
- ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+ ${SSH} -i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect succeeded unexpectedly"
printf 'cert-authority,principals="mekmitasdigoat" '
cat $OBJ/user_ca_key.pub
) > $OBJ/authorized_keys_$USER
- ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+ ${SSH} -i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -ne 0 ]; then
fail "ssh cert connect failed"
echo "PubkeyAcceptedKeyTypes ${t}"
) > $OBJ/ssh_proxy
- ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+ ${SSH} -i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true
if [ $? -ne 0 ]; then
fail "ssh cert connect failed"
) > $OBJ/sshd_proxy
cp $OBJ/cert_user_key_${ktype}.pub \
$OBJ/cert_user_key_revoked
- ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+ ${SSH} -i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect succeeded unexpecedly"
rm $OBJ/cert_user_key_revoked
${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked \
$OBJ/cert_user_key_${ktype}.pub
- ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+ ${SSH} -i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect succeeded unexpecedly"
fi
verbose "$tid: ${_prefix} empty KRL"
${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked
- ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+ ${SSH} -i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -ne 0 ]; then
fail "ssh cert connect failed"
echo "PubkeyAcceptedKeyTypes ${t}"
echo "$extra_sshd"
) > $OBJ/sshd_proxy
- ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
+ ${SSH} -i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect succeeded unexpecedly"
echo "$extra_sshd"
) > $OBJ/sshd_proxy
verbose "$tid: ensure CA key does not authenticate user"
- ${SSH} -2i $OBJ/user_ca_key \
+ ${SSH} -i $OBJ/user_ca_key \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect with CA key succeeded unexpectedly"
$sign_opts $OBJ/cert_user_key_${ktype} ||
fail "couldn't sign cert_user_key_${ktype}"
- ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+ ${SSH} -i $OBJ/cert_user_key_${ktype} \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
rc=$?
if [ "x$result" = "xsuccess" ] ; then
-n $USER $OBJ/cert_user_key_${ktype} ||
fatal "couldn't sign cert_user_key_${ktype}"
verbose "$tid: user ${ktype} connect wrong cert"
- ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
+ ${SSH} -i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect $ident succeeded unexpectedly"
-# $OpenBSD: cfgmatch.sh,v 1.9 2015/03/03 22:35:19 markus Exp $
+# $OpenBSD: cfgmatch.sh,v 1.10 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="sshd_config match"
start_client()
{
rm -f $pidfile
- ${SSH} -q -$p $fwd "$@" somehost \
+ ${SSH} -q $fwd "$@" somehost \
exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \
>>$TEST_REGRESS_LOGFILE 2>&1 &
client_pid=$!
#set -x
# Test Match + PermitOpen in sshd_config. This should be permitted
-for p in ${SSH_PROTOCOLS}; do
- trace "match permitopen localhost proto $p"
- start_client -F $OBJ/ssh_config
- ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
- fail "match permitopen permit proto $p"
- stop_client
-done
+trace "match permitopen localhost"
+start_client -F $OBJ/ssh_config
+${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
+ fail "match permitopen permit"
+stop_client
# Same but from different source. This should not be permitted
-for p in ${SSH_PROTOCOLS}; do
- trace "match permitopen proxy proto $p"
- start_client -F $OBJ/ssh_proxy
- ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
- fail "match permitopen deny proto $p"
- stop_client
-done
+trace "match permitopen proxy"
+start_client -F $OBJ/ssh_proxy
+${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true && \
+ fail "match permitopen deny"
+stop_client
# Retry previous with key option, should also be denied.
cp /dev/null $OBJ/authorized_keys_$USER
printf 'permitopen="127.0.0.1:'$PORT'" ' >> $OBJ/authorized_keys_$USER
cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
done
-for p in ${SSH_PROTOCOLS}; do
- trace "match permitopen proxy w/key opts proto $p"
- start_client -F $OBJ/ssh_proxy
- ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
- fail "match permitopen deny w/key opt proto $p"
- stop_client
-done
+trace "match permitopen proxy w/key opts"
+start_client -F $OBJ/ssh_proxy
+${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true && \
+ fail "match permitopen deny w/key opt"
+stop_client
# Test both sshd_config and key options permitting the same dst/port pair.
# Should be permitted.
-for p in ${SSH_PROTOCOLS}; do
- trace "match permitopen localhost proto $p"
- start_client -F $OBJ/ssh_config
- ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
- fail "match permitopen permit proto $p"
- stop_client
-done
+trace "match permitopen localhost"
+start_client -F $OBJ/ssh_config
+${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
+ fail "match permitopen permit"
+stop_client
cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy
echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy
# Test that a Match overrides a PermitOpen in the global section
-for p in ${SSH_PROTOCOLS}; do
- trace "match permitopen proxy w/key opts proto $p"
- start_client -F $OBJ/ssh_proxy
- ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \
- fail "match override permitopen proto $p"
- stop_client
-done
+trace "match permitopen proxy w/key opts"
+start_client -F $OBJ/ssh_proxy
+${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true && \
+ fail "match override permitopen"
+stop_client
cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy
# Test that a rule that doesn't match doesn't override, plus test a
# PermitOpen entry that's not at the start of the list
-for p in ${SSH_PROTOCOLS}; do
- trace "nomatch permitopen proxy w/key opts proto $p"
- start_client -F $OBJ/ssh_proxy
- ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \
- fail "nomatch override permitopen proto $p"
- stop_client
-done
+trace "nomatch permitopen proxy w/key opts"
+start_client -F $OBJ/ssh_proxy
+${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
+ fail "nomatch override permitopen"
+stop_client
-# $OpenBSD: cipher-speed.sh,v 1.13 2015/03/24 20:22:17 markus Exp $
+# $OpenBSD: cipher-speed.sh,v 1.14 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="cipher speed"
tries="1 2"
for c in `${SSH} -Q cipher`; do n=0; for m in `${SSH} -Q mac`; do
- trace "proto 2 cipher $c mac $m"
+ trace "cipher $c mac $m"
for x in $tries; do
printf "$c/$m:\t"
( ${SSH} -o 'compression no' \
- -F $OBJ/ssh_proxy -2 -m $m -c $c somehost \
+ -F $OBJ/ssh_proxy -m $m -c $c somehost \
exec sh -c \'"dd of=/dev/null obs=32k"\' \
< ${DATA} ) 2>&1 | getbytes
if [ $? -ne 0 ]; then
- fail "ssh -2 failed with mac $m cipher $c"
+ fail "ssh failed with mac $m cipher $c"
fi
done
# No point trying all MACs for AEAD ciphers since they are ignored.
n=$(($n + 1))
done; done
-if ssh_version 1; then
- ciphers="3des blowfish"
-else
- ciphers=""
-fi
-for c in $ciphers; do
- trace "proto 1 cipher $c"
- for x in $tries; do
- printf "$c:\t"
- ( ${SSH} -o 'compression no' \
- -F $OBJ/ssh_proxy -1 -c $c somehost \
- exec sh -c \'"dd of=/dev/null obs=32k"\' \
- < ${DATA} ) 2>&1 | getbytes
- if [ $? -ne 0 ]; then
- fail "ssh -1 failed with cipher $c"
- fi
- done
-done
-# $OpenBSD: connect-privsep.sh,v 1.8 2016/11/01 13:43:27 tb Exp $
+# $OpenBSD: connect-privsep.sh,v 1.9 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="proxy connect with privsep"
cp $OBJ/sshd_proxy $OBJ/sshd_proxy.orig
echo 'UsePrivilegeSeparation yes' >> $OBJ/sshd_proxy
-for p in ${SSH_PROTOCOLS}; do
- ${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true
- if [ $? -ne 0 ]; then
- fail "ssh privsep+proxyconnect protocol $p failed"
- fi
-done
+${SSH} -F $OBJ/ssh_proxy 999.999.999.999 true
+if [ $? -ne 0 ]; then
+ fail "ssh privsep+proxyconnect failed"
+fi
cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
echo 'UsePrivilegeSeparation sandbox' >> $OBJ/sshd_proxy
-for p in ${SSH_PROTOCOLS}; do
- ${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true
- if [ $? -ne 0 ]; then
- fail "ssh privsep/sandbox+proxyconnect protocol $p failed"
- fi
-done
+${SSH} -F $OBJ/ssh_proxy 999.999.999.999 true
+if [ $? -ne 0 ]; then
+ fail "ssh privsep/sandbox+proxyconnect failed"
+fi
# Because sandbox is sensitive to changes in libc, especially malloc, retest
# with every malloc.conf option (and none).
for m in '' C F G J R S U X '<' '>'; do
- for p in ${SSH_PROTOCOLS}; do
- env MALLOC_OPTIONS="$m" ${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true
+ env MALLOC_OPTIONS="$m" \
+ ${SSH} -F $OBJ/ssh_proxy 999.999.999.999 true
if [ $? -ne 0 ]; then
- fail "ssh privsep/sandbox+proxyconnect protocol $p mopt '$m' failed"
+ fail "ssh privsep/sandbox+proxyconnect mopt '$m' failed"
fi
- done
done
+
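Review bot: The hunk ends by adding an empty line after the final `done`, which leaves the file with a trailing blank line; the end of dynamic-forward.sh gets the same added blank line. Neither affects execution, but both are whitespace changes unrelated to the protocol-1 removal and will surface in later diffs. Drop the two added blank lines.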
-# $OpenBSD: connect.sh,v 1.5 2015/03/03 22:35:19 markus Exp $
+# $OpenBSD: connect.sh,v 1.6 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="simple connect"
start_sshd
-for p in ${SSH_PROTOCOLS}; do
- ${SSH} -o "Protocol=$p" -F $OBJ/ssh_config somehost true
- if [ $? -ne 0 ]; then
- fail "ssh connect with protocol $p failed"
- fi
-done
+${SSH} -F $OBJ/ssh_config somehost true
+if [ $? -ne 0 ]; then
+ fail "ssh connect with failed"
+fi
-# $OpenBSD: dynamic-forward.sh,v 1.11 2015/03/03 22:35:19 markus Exp $
+# $OpenBSD: dynamic-forward.sh,v 1.12 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="dynamic forwarding"
start_sshd
-for p in ${SSH_PROTOCOLS}; do
- n=0
- error="1"
- trace "start dynamic forwarding, fork to background"
- while [ "$error" -ne 0 -a "$n" -lt 3 ]; do
- n=`expr $n + 1`
- ${SSH} -$p -F $OBJ/ssh_config -f -D $FWDPORT -q \
- -oExitOnForwardFailure=yes somehost exec sh -c \
- \'"echo \$\$ > $OBJ/remote_pid; exec sleep 444"\'
- error=$?
- if [ "$error" -ne 0 ]; then
- trace "forward failed proto $p attempt $n err $error"
- sleep $n
- fi
- done
+n=0
+error="1"
+trace "start dynamic forwarding, fork to background"
+while [ "$error" -ne 0 -a "$n" -lt 3 ]; do
+ n=`expr $n + 1`
+ ${SSH} -F $OBJ/ssh_config -f -D $FWDPORT -q \
+ -oExitOnForwardFailure=yes somehost exec sh -c \
+ \'"echo \$\$ > $OBJ/remote_pid; exec sleep 444"\'
+ error=$?
if [ "$error" -ne 0 ]; then
- fatal "failed to start dynamic forwarding proto $p"
+ trace "forward failed attempt $n err $error"
+ sleep $n
fi
+done
+if [ "$error" -ne 0 ]; then
+ fatal "failed to start dynamic forwarding"
+fi
- for s in 4 5; do
- for h in 127.0.0.1 localhost; do
- trace "testing ssh protocol $p socks version $s host $h"
- ${SSH} -F $OBJ/ssh_config \
- -o "ProxyCommand ${proxycmd}${s} $h $PORT" \
- somehost cat ${DATA} > ${COPY}
- test -f ${COPY} || fail "failed copy ${DATA}"
- cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}"
- done
- done
-
- if [ -f $OBJ/remote_pid ]; then
- remote=`cat $OBJ/remote_pid`
- trace "terminate remote shell, pid $remote"
- if [ $remote -gt 1 ]; then
- kill -HUP $remote
- fi
- else
- fail "no pid file: $OBJ/remote_pid"
- fi
+for s in 4 5; do
+ for h in 127.0.0.1 localhost; do
+ trace "testing ssh socks version $s host $h"
+ ${SSH} -F $OBJ/ssh_config \
+ -o "ProxyCommand ${proxycmd}${s} $h $PORT" \
+ somehost cat ${DATA} > ${COPY}
+ test -f ${COPY} || fail "failed copy ${DATA}"
+ cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}"
+ done
done
+
+if [ -f $OBJ/remote_pid ]; then
+ remote=`cat $OBJ/remote_pid`
+ trace "terminate remote shell, pid $remote"
+ if [ $remote -gt 1 ]; then
+ kill -HUP $remote
+ fi
+else
+ fail "no pid file: $OBJ/remote_pid"
+fi
+
-# $OpenBSD: exit-status.sh,v 1.7 2015/03/03 22:35:19 markus Exp $
+# $OpenBSD: exit-status.sh,v 1.8 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="remote exit status"
-for p in ${SSH_PROTOCOLS}; do
- for s in 0 1 4 5 44; do
- trace "proto $p status $s"
- verbose "test $tid: proto $p status $s"
- ${SSH} -$p -F $OBJ/ssh_proxy otherhost exit $s
- r=$?
- if [ $r -ne $s ]; then
- fail "exit code mismatch for protocol $p: $r != $s"
- fi
+for s in 0 1 4 5 44; do
+ trace "status $s"
+ verbose "test $tid: status $s"
+ ${SSH} -F $OBJ/ssh_proxy otherhost exit $s
+ r=$?
+ if [ $r -ne $s ]; then
+ fail "exit code mismatch for: $r != $s"
+ fi
- # same with early close of stdout/err
- ${SSH} -$p -F $OBJ/ssh_proxy -n otherhost \
- exec sh -c \'"sleep 2; exec > /dev/null 2>&1; sleep 3; exit $s"\'
- r=$?
- if [ $r -ne $s ]; then
- fail "exit code (with sleep) mismatch for protocol $p: $r != $s"
- fi
- done
+ # same with early close of stdout/err
+ ${SSH} -F $OBJ/ssh_proxy -n otherhost exec \
+ sh -c \'"sleep 2; exec > /dev/null 2>&1; sleep 3; exit $s"\'
+ r=$?
+ if [ $r -ne $s ]; then
+ fail "exit code (with sleep) mismatch for: $r != $s"
+ fi
done
-# $OpenBSD: forcecommand.sh,v 1.3 2015/03/03 22:35:19 markus Exp $
+# $OpenBSD: forcecommand.sh,v 1.4 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="forced command"
cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
done
-for p in ${SSH_PROTOCOLS}; do
- trace "forced command in key option proto $p"
- ${SSH} -$p -F $OBJ/ssh_proxy somehost false \ ||
- fail "forced command in key proto $p"
-done
+trace "forced command in key option"
+${SSH} -F $OBJ/ssh_proxy somehost false || fail "forced command in key"
cp /dev/null $OBJ/authorized_keys_$USER
for t in ${SSH_KEYTYPES}; do
cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
echo "ForceCommand true" >> $OBJ/sshd_proxy
-for p in ${SSH_PROTOCOLS}; do
- trace "forced command in sshd_config overrides key option proto $p"
- ${SSH} -$p -F $OBJ/ssh_proxy somehost false \ ||
- fail "forced command in key proto $p"
-done
+trace "forced command in sshd_config overrides key option"
+${SSH} -F $OBJ/ssh_proxy somehost false || fail "forced command in key"
cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
echo "ForceCommand false" >> $OBJ/sshd_proxy
echo "Match User $USER" >> $OBJ/sshd_proxy
echo " ForceCommand true" >> $OBJ/sshd_proxy
-for p in ${SSH_PROTOCOLS}; do
- trace "forced command with match proto $p"
- ${SSH} -$p -F $OBJ/ssh_proxy somehost false \ ||
- fail "forced command in key proto $p"
-done
+trace "forced command with match"
+${SSH} -F $OBJ/ssh_proxy somehost false || fail "forced command in key"
-# $OpenBSD: forward-control.sh,v 1.3 2015/03/03 22:35:19 markus Exp $
+# $OpenBSD: forward-control.sh,v 1.4 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="sshd control of local and remote forwarding"
return 0
}
-# usage: check_lfwd protocol Y|N message
+# usage: check_lfwd Y|N message
check_lfwd() {
- _proto=$1
- _expected=$2
- _message=$3
+ _expected=$1
+ _message=$2
rm -f $READY
- ${SSH} -oProtocol=$_proto -F $OBJ/ssh_proxy \
+ ${SSH} -F $OBJ/ssh_proxy \
-L$LFWD_PORT:127.0.0.1:$PORT \
-o ExitOnForwardFailure=yes \
-n host "sleep 60 & echo \$! > $READY ; wait " \
fi
}
-# usage: check_rfwd protocol Y|N message
+# usage: check_rfwd Y|N message
check_rfwd() {
- _proto=$1
- _expected=$2
- _message=$3
+ _expected=$1
+ _message=$2
rm -f $READY
- ${SSH} -oProtocol=$_proto -F $OBJ/ssh_proxy \
+ ${SSH} -F $OBJ/ssh_proxy \
-R$RFWD_PORT:127.0.0.1:$PORT \
-o ExitOnForwardFailure=yes \
-n host "sleep 60 & echo \$! > $READY ; wait " \
cp ${OBJ}/authorized_keys_${USER} ${OBJ}/authorized_keys_${USER}.bak
# Sanity check: ensure the default config allows forwarding
-for p in ${SSH_PROTOCOLS} ; do
- check_lfwd $p Y "proto $p, default configuration"
- check_rfwd $p Y "proto $p, default configuration"
-done
+check_lfwd Y "default configuration"
+check_rfwd Y "default configuration"
# Usage: all_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N
all_tests() {
_permit_rfwd=$7
_badfwd=127.0.0.1:22
_goodfwd=127.0.0.1:${PORT}
- for _proto in ${SSH_PROTOCOLS} ; do
- cp ${OBJ}/authorized_keys_${USER}.bak \
- ${OBJ}/authorized_keys_${USER}
- _prefix="proto $_proto, AllowTcpForwarding=$_tcpfwd"
- # No PermitOpen
- ( cat ${OBJ}/sshd_proxy.bak ;
- echo "AllowTcpForwarding $_tcpfwd" ) \
- > ${OBJ}/sshd_proxy
- check_lfwd $_proto $_plain_lfwd "$_prefix"
- check_rfwd $_proto $_plain_rfwd "$_prefix"
- # PermitOpen via sshd_config that doesn't match
- ( cat ${OBJ}/sshd_proxy.bak ;
- echo "AllowTcpForwarding $_tcpfwd" ;
- echo "PermitOpen $_badfwd" ) \
- > ${OBJ}/sshd_proxy
- check_lfwd $_proto $_nopermit_lfwd "$_prefix, !PermitOpen"
- check_rfwd $_proto $_nopermit_rfwd "$_prefix, !PermitOpen"
- # PermitOpen via sshd_config that does match
- ( cat ${OBJ}/sshd_proxy.bak ;
- echo "AllowTcpForwarding $_tcpfwd" ;
- echo "PermitOpen $_badfwd $_goodfwd" ) \
- > ${OBJ}/sshd_proxy
- # NB. permitopen via authorized_keys should have same
- # success/fail as via sshd_config
- # permitopen via authorized_keys that doesn't match
- sed "s/^/permitopen=\"$_badfwd\" /" \
- < ${OBJ}/authorized_keys_${USER}.bak \
- > ${OBJ}/authorized_keys_${USER} || fatal "sed 1 fail"
- ( cat ${OBJ}/sshd_proxy.bak ;
- echo "AllowTcpForwarding $_tcpfwd" ) \
- > ${OBJ}/sshd_proxy
- check_lfwd $_proto $_nopermit_lfwd "$_prefix, !permitopen"
- check_rfwd $_proto $_nopermit_rfwd "$_prefix, !permitopen"
- # permitopen via authorized_keys that does match
- sed "s/^/permitopen=\"$_badfwd\",permitopen=\"$_goodfwd\" /" \
- < ${OBJ}/authorized_keys_${USER}.bak \
- > ${OBJ}/authorized_keys_${USER} || fatal "sed 2 fail"
- ( cat ${OBJ}/sshd_proxy.bak ;
- echo "AllowTcpForwarding $_tcpfwd" ) \
- > ${OBJ}/sshd_proxy
- check_lfwd $_proto $_permit_lfwd "$_prefix, permitopen"
- check_rfwd $_proto $_permit_rfwd "$_prefix, permitopen"
- done
+ cp ${OBJ}/authorized_keys_${USER}.bak ${OBJ}/authorized_keys_${USER}
+ _prefix="AllowTcpForwarding=$_tcpfwd"
+ # No PermitOpen
+ ( cat ${OBJ}/sshd_proxy.bak ;
+ echo "AllowTcpForwarding $_tcpfwd" ) \
+ > ${OBJ}/sshd_proxy
+ check_lfwd $_plain_lfwd "$_prefix"
+ check_rfwd $_plain_rfwd "$_prefix"
+ # PermitOpen via sshd_config that doesn't match
+ ( cat ${OBJ}/sshd_proxy.bak ;
+ echo "AllowTcpForwarding $_tcpfwd" ;
+ echo "PermitOpen $_badfwd" ) \
+ > ${OBJ}/sshd_proxy
+ check_lfwd $_nopermit_lfwd "$_prefix, !PermitOpen"
+ check_rfwd $_nopermit_rfwd "$_prefix, !PermitOpen"
+ # PermitOpen via sshd_config that does match
+ ( cat ${OBJ}/sshd_proxy.bak ;
+ echo "AllowTcpForwarding $_tcpfwd" ;
+ echo "PermitOpen $_badfwd $_goodfwd" ) \
+ > ${OBJ}/sshd_proxy
+ # NB. permitopen via authorized_keys should have same
+ # success/fail as via sshd_config
+ # permitopen via authorized_keys that doesn't match
+ sed "s/^/permitopen=\"$_badfwd\" /" \
+ < ${OBJ}/authorized_keys_${USER}.bak \
+ > ${OBJ}/authorized_keys_${USER} || fatal "sed 1 fail"
+ ( cat ${OBJ}/sshd_proxy.bak ;
+ echo "AllowTcpForwarding $_tcpfwd" ) \
+ > ${OBJ}/sshd_proxy
+ check_lfwd $_nopermit_lfwd "$_prefix, !permitopen"
+ check_rfwd $_nopermit_rfwd "$_prefix, !permitopen"
+ # permitopen via authorized_keys that does match
+ sed "s/^/permitopen=\"$_badfwd\",permitopen=\"$_goodfwd\" /" \
+ < ${OBJ}/authorized_keys_${USER}.bak \
+ > ${OBJ}/authorized_keys_${USER} || fatal "sed 2 fail"
+ ( cat ${OBJ}/sshd_proxy.bak ;
+ echo "AllowTcpForwarding $_tcpfwd" ) \
+ > ${OBJ}/sshd_proxy
+ check_lfwd $_permit_lfwd "$_prefix, permitopen"
+ check_rfwd $_permit_rfwd "$_prefix, permitopen"
}
# no-permitopen mismatch-permitopen match-permitopen
-# $OpenBSD: forwarding.sh,v 1.19 2017/01/30 05:22:14 djm Exp $
+# $OpenBSD: forwarding.sh,v 1.20 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="local and remote forwarding"
last=$a
done
done
-for p in ${SSH_PROTOCOLS}; do
- q=`expr 3 - $p`
- if ! ssh_version $q; then
- q=$p
- fi
- trace "start forwarding, fork to background"
- rm -f $CTL
- ${SSH} -S $CTL -M -$p -F $OBJ/ssh_config -f $fwd somehost sleep 10
- trace "transfer over forwarded channels and check result"
- ${SSH} -$q -F $OBJ/ssh_config -p$last -o 'ConnectionAttempts=4' \
- somehost cat ${DATA} > ${COPY}
- test -s ${COPY} || fail "failed copy of ${DATA}"
- cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}"
+trace "start forwarding, fork to background"
+rm -f $CTL
+${SSH} -S $CTL -M -F $OBJ/ssh_config -f $fwd somehost sleep 10
- ${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost
-done
+trace "transfer over forwarded channels and check result"
+${SSH} -F $OBJ/ssh_config -p$last -o 'ConnectionAttempts=4' \
+ somehost cat ${DATA} > ${COPY}
+test -s ${COPY} || fail "failed copy of ${DATA}"
+cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}"
+
+${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost
-for p in ${SSH_PROTOCOLS}; do
for d in L R; do
- trace "exit on -$d forward failure, proto $p"
+ trace "exit on -$d forward failure"
# this one should succeed
- ${SSH} -$p -F $OBJ/ssh_config \
+ ${SSH} -F $OBJ/ssh_config \
-$d ${base}01:127.0.0.1:$PORT \
-$d ${base}02:127.0.0.1:$PORT \
-$d ${base}03:127.0.0.1:$PORT \
fatal "connection failed, should not"
else
# this one should fail
- ${SSH} -q -$p -F $OBJ/ssh_config \
+ ${SSH} -q -F $OBJ/ssh_config \
-$d ${base}01:127.0.0.1:$PORT \
-$d ${base}02:127.0.0.1:$PORT \
-$d ${base}03:127.0.0.1:$PORT \
fi
fi
done
-done
-for p in ${SSH_PROTOCOLS}; do
- trace "simple clear forwarding proto $p"
- ${SSH} -$p -F $OBJ/ssh_config -oClearAllForwardings=yes somehost true
-
- trace "clear local forward proto $p"
- rm -f $CTL
- ${SSH} -S $CTL -M -$p -f -F $OBJ/ssh_config -L ${base}01:127.0.0.1:$PORT \
- -oClearAllForwardings=yes somehost sleep 10
- if [ $? != 0 ]; then
- fail "connection failed with cleared local forwarding"
- else
- # this one should fail
- ${SSH} -$p -F $OBJ/ssh_config -p ${base}01 somehost true \
- >>$TEST_REGRESS_LOGFILE 2>&1 && \
- fail "local forwarding not cleared"
- fi
- ${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost
-
- trace "clear remote forward proto $p"
- rm -f $CTL
- ${SSH} -S $CTL -M -$p -f -F $OBJ/ssh_config -R ${base}01:127.0.0.1:$PORT \
- -oClearAllForwardings=yes somehost sleep 10
- if [ $? != 0 ]; then
- fail "connection failed with cleared remote forwarding"
- else
- # this one should fail
- ${SSH} -$p -F $OBJ/ssh_config -p ${base}01 somehost true \
- >>$TEST_REGRESS_LOGFILE 2>&1 && \
- fail "remote forwarding not cleared"
- fi
- ${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost
-done
-
-for p in 2; do
- trace "stdio forwarding proto $p"
- cmd="${SSH} -$p -F $OBJ/ssh_config"
- $cmd -o "ProxyCommand $cmd -q -W localhost:$PORT somehost" \
- somehost true
- if [ $? != 0 ]; then
- fail "stdio forwarding proto $p"
- fi
-done
+trace "simple clear forwarding"
+${SSH} -F $OBJ/ssh_config -oClearAllForwardings=yes somehost true
+
+trace "clear local forward"
+rm -f $CTL
+${SSH} -S $CTL -M -f -F $OBJ/ssh_config -L ${base}01:127.0.0.1:$PORT \
+ -oClearAllForwardings=yes somehost sleep 10
+if [ $? != 0 ]; then
+ fail "connection failed with cleared local forwarding"
+else
+ # this one should fail
+ ${SSH} -F $OBJ/ssh_config -p ${base}01 somehost true \
+ >>$TEST_REGRESS_LOGFILE 2>&1 && \
+ fail "local forwarding not cleared"
+fi
+${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost
+
+trace "clear remote forward"
+rm -f $CTL
+${SSH} -S $CTL -M -f -F $OBJ/ssh_config -R ${base}01:127.0.0.1:$PORT \
+ -oClearAllForwardings=yes somehost sleep 10
+if [ $? != 0 ]; then
+ fail "connection failed with cleared remote forwarding"
+else
+ # this one should fail
+ ${SSH} -F $OBJ/ssh_config -p ${base}01 somehost true \
+ >>$TEST_REGRESS_LOGFILE 2>&1 && \
+ fail "remote forwarding not cleared"
+fi
+${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost
+
+trace "stdio forwarding"
+cmd="${SSH} -F $OBJ/ssh_config"
+$cmd -o "ProxyCommand $cmd -q -W localhost:$PORT somehost" somehost true
+if [ $? != 0 ]; then
+ fail "stdio forwarding"
+fi
echo "LocalForward ${base}01 127.0.0.1:$PORT" >> $OBJ/ssh_config
echo "RemoteForward ${base}02 127.0.0.1:${base}01" >> $OBJ/ssh_config
-for p in ${SSH_PROTOCOLS}; do
- trace "config file: start forwarding, fork to background"
- rm -f $CTL
- ${SSH} -S $CTL -M -$p -F $OBJ/ssh_config -f somehost sleep 10
-
- trace "config file: transfer over forwarded channels and check result"
- ${SSH} -F $OBJ/ssh_config -p${base}02 -o 'ConnectionAttempts=4' \
- somehost cat ${DATA} > ${COPY}
- test -s ${COPY} || fail "failed copy of ${DATA}"
- cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}"
-
- ${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost
-done
-for p in 2; do
- trace "transfer over chained unix domain socket forwards and check result"
- rm -f $OBJ/unix-[123].fwd
- rm -f $CTL $CTL.[123]
- ${SSH} -S $CTL -M -f -F $OBJ/ssh_config -R${base}01:[$OBJ/unix-1.fwd] somehost sleep 10
- ${SSH} -S $CTL.1 -M -f -F $OBJ/ssh_config -L[$OBJ/unix-1.fwd]:[$OBJ/unix-2.fwd] somehost sleep 10
- ${SSH} -S $CTL.2 -M -f -F $OBJ/ssh_config -R[$OBJ/unix-2.fwd]:[$OBJ/unix-3.fwd] somehost sleep 10
- ${SSH} -S $CTL.3 -M -f -F $OBJ/ssh_config -L[$OBJ/unix-3.fwd]:127.0.0.1:$PORT somehost sleep 10
- ${SSH} -F $OBJ/ssh_config -p${base}01 -o 'ConnectionAttempts=4' \
- somehost cat ${DATA} > ${COPY}
- test -s ${COPY} || fail "failed copy ${DATA}"
- cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}"
-
- ${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost
- ${SSH} -F $OBJ/ssh_config -S $CTL.1 -O exit somehost
- ${SSH} -F $OBJ/ssh_config -S $CTL.2 -O exit somehost
- ${SSH} -F $OBJ/ssh_config -S $CTL.3 -O exit somehost
-done
+trace "config file: start forwarding, fork to background"
+rm -f $CTL
+${SSH} -S $CTL -M -F $OBJ/ssh_config -f somehost sleep 10
+
+trace "config file: transfer over forwarded channels and check result"
+${SSH} -F $OBJ/ssh_config -p${base}02 -o 'ConnectionAttempts=4' \
+ somehost cat ${DATA} > ${COPY}
+test -s ${COPY} || fail "failed copy of ${DATA}"
+cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}"
+
+${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost
+
+trace "transfer over chained unix domain socket forwards and check result"
+rm -f $OBJ/unix-[123].fwd
+rm -f $CTL $CTL.[123]
+${SSH} -S $CTL -M -f -F $OBJ/ssh_config -R${base}01:[$OBJ/unix-1.fwd] somehost sleep 10
+${SSH} -S $CTL.1 -M -f -F $OBJ/ssh_config -L[$OBJ/unix-1.fwd]:[$OBJ/unix-2.fwd] somehost sleep 10
+${SSH} -S $CTL.2 -M -f -F $OBJ/ssh_config -R[$OBJ/unix-2.fwd]:[$OBJ/unix-3.fwd] somehost sleep 10
+${SSH} -S $CTL.3 -M -f -F $OBJ/ssh_config -L[$OBJ/unix-3.fwd]:127.0.0.1:$PORT somehost sleep 10
+${SSH} -F $OBJ/ssh_config -p${base}01 -o 'ConnectionAttempts=4' \
+ somehost cat ${DATA} > ${COPY}
+test -s ${COPY} || fail "failed copy ${DATA}"
+cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}"
+
+${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost
+${SSH} -F $OBJ/ssh_config -S $CTL.1 -O exit somehost
+${SSH} -F $OBJ/ssh_config -S $CTL.2 -O exit somehost
+${SSH} -F $OBJ/ssh_config -S $CTL.3 -O exit somehost
+
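Review bot: The backgrounded control masters in the new code (`${SSH} -S $CTL -M -F $OBJ/ssh_config -f $fwd somehost sleep 10` in the start-forwarding hunk, the `-f somehost sleep 10` launch in the config-file hunk, and the four `-M -f` launches in the chained unix-socket hunk) are started without checking their exit status, while the clear-forwarding hunks in the same file test `$?` immediately after the same kind of launch. A master that fails to start therefore only surfaces later as a less specific `failed copy of ${DATA}`. Adding the same `if [ $? != 0 ]; then fail "..."; fi` guard after each `-M -f` launch would make the failure attributable. The last hunk also adds a trailing blank line at the end of the file, which can be dropped.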
-# $OpenBSD: host-expand.sh,v 1.4 2015/03/03 22:35:19 markus Exp $
+# $OpenBSD: host-expand.sh,v 1.5 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="expand %h and %n"
127.0.0.1
EOE
-for p in ${SSH_PROTOCOLS}; do
- verbose "test $tid: proto $p"
- ${SSH} -F $OBJ/ssh_proxy -$p somehost true >$OBJ/actual
- diff $OBJ/expect $OBJ/actual || fail "$tid proto $p"
-done
+${SSH} -F $OBJ/ssh_proxy somehost true >$OBJ/actual
+diff $OBJ/expect $OBJ/actual || fail "$tid"
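Review bot: The unrolled test drops the `verbose` call together with the protocol loop, so this script no longer announces itself in verbose mode, unlike the other scripts in this commit (localcommand.sh and key-options.sh keep a trimmed `verbose` line). Keep a protocol-free version before the ssh invocation: `verbose "test $tid"`.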
-# $OpenBSD: hostkey-agent.sh,v 1.6 2015/07/10 06:23:25 markus Exp $
+# $OpenBSD: hostkey-agent.sh,v 1.7 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="hostkey agent"
cp $OBJ/known_hosts.orig $OBJ/known_hosts
SSH_CONNECTION=`${SSH} $opts host 'echo $SSH_CONNECTION'`
if [ $? -ne 0 ]; then
- fail "protocol $p privsep=$ps failed"
+ fail "privsep=$ps failed"
fi
if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then
fail "bad SSH_CONNECTION key type $k privsep=$ps"
-# $OpenBSD: integrity.sh,v 1.22 2017/04/28 04:16:27 dtucker Exp $
+# $OpenBSD: integrity.sh,v 1.23 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="integrity"
macopt="-m $m -c aes128-ctr"
fi
verbose "test $tid: $m @$off"
- ${SSH} $macopt -2F $OBJ/ssh_proxy -o "$pxy" \
+ ${SSH} $macopt -F $OBJ/ssh_proxy -o "$pxy" \
-oServerAliveInterval=1 -oServerAliveCountMax=30 \
999.999.999.999 'printf "%4096s" " "' >/dev/null
if [ $? -eq 0 ]; then
-# $OpenBSD: key-options.sh,v 1.3 2015/03/03 22:35:19 markus Exp $
+# $OpenBSD: key-options.sh,v 1.4 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="key options"
cp $authkeys $origkeys
# Test command= forced command
-for p in ${SSH_PROTOCOLS}; do
- for c in 'command="echo bar"' 'no-pty,command="echo bar"'; do
+for c in 'command="echo bar"' 'no-pty,command="echo bar"'; do
sed "s/.*/$c &/" $origkeys >$authkeys
- verbose "key option proto $p $c"
- r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost echo foo`
+ verbose "key option $c"
+ r=`${SSH} -q -F $OBJ/ssh_proxy somehost echo foo`
if [ "$r" = "foo" ]; then
fail "key option forced command not restricted"
fi
if [ "$r" != "bar" ]; then
fail "key option forced command not executed"
fi
- done
done
# Test no-pty
sed 's/.*/no-pty &/' $origkeys >$authkeys
-for p in ${SSH_PROTOCOLS}; do
- verbose "key option proto $p no-pty"
- r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost tty`
- if [ -f "$r" ]; then
- fail "key option failed proto $p no-pty (pty $r)"
- fi
-done
+verbose "key option proto no-pty"
+r=`${SSH} -q -F $OBJ/ssh_proxy somehost tty`
+if [ -f "$r" ]; then
+ fail "key option failed no-pty (pty $r)"
+fi
# Test environment=
echo 'PermitUserEnvironment yes' >> $OBJ/sshd_proxy
sed 's/.*/environment="FOO=bar" &/' $origkeys >$authkeys
-for p in ${SSH_PROTOCOLS}; do
- verbose "key option proto $p environment"
- r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost 'echo $FOO'`
- if [ "$r" != "bar" ]; then
- fail "key option environment not set"
- fi
-done
+verbose "key option environment"
+r=`${SSH} -q -F $OBJ/ssh_proxy somehost 'echo $FOO'`
+if [ "$r" != "bar" ]; then
+ fail "key option environment not set"
+fi
# Test from= restriction
start_sshd
-for p in ${SSH_PROTOCOLS}; do
- for f in 127.0.0.1 '127.0.0.0\/8'; do
+for f in 127.0.0.1 '127.0.0.0\/8'; do
cat $origkeys >$authkeys
- ${SSH} -$p -q -F $OBJ/ssh_proxy somehost true
+ ${SSH} -q -F $OBJ/ssh_proxy somehost true
if [ $? -ne 0 ]; then
- fail "key option proto $p failed without restriction"
+ fail "key option failed without restriction"
fi
sed 's/.*/from="'"$f"'" &/' $origkeys >$authkeys
from=`head -1 $authkeys | cut -f1 -d ' '`
- verbose "key option proto $p $from"
- r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost 'echo true'`
+ verbose "key option $from"
+ r=`${SSH} -q -F $OBJ/ssh_proxy somehost 'echo true'`
if [ "$r" = "true" ]; then
- fail "key option proto $p $from not restricted"
+ fail "key option $from not restricted"
fi
- r=`${SSH} -$p -q -F $OBJ/ssh_config somehost 'echo true'`
+ r=`${SSH} -q -F $OBJ/ssh_config somehost 'echo true'`
if [ "$r" != "true" ]; then
- fail "key option proto $p $from not allowed but should be"
+ fail "key option $from not allowed but should be"
fi
- done
done
rm -f "$origkeys"
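Review bot: The verbose message in the no-pty hunk still carries the word `proto` after `$p` was removed: `verbose "key option proto no-pty"`. The sibling messages in this file (`verbose "key option $c"`, `verbose "key option environment"`, and the paired `fail "key option failed no-pty (pty $r)"`) all dropped it. Change it to `verbose "key option no-pty"`.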
-# $OpenBSD: keygen-change.sh,v 1.5 2015/03/03 22:35:19 markus Exp $
+# $OpenBSD: keygen-change.sh,v 1.6 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="change passphrase for key"
S2="2secret"
KEYTYPES=`${SSH} -Q key-plain`
-if ssh_version 1; then
- KEYTYPES="${KEYTYPES} rsa1"
-fi
for t in $KEYTYPES; do
# generate user key for agent
-# $OpenBSD: keyscan.sh,v 1.5 2015/09/11 03:44:21 djm Exp $
+# $OpenBSD: keyscan.sh,v 1.6 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="keyscan"
start_sshd
KEYTYPES=`${SSH} -Q key-plain`
-if ssh_version 1; then
- KEYTYPES="${KEYTYPES} rsa1"
-fi
-
for t in $KEYTYPES; do
trace "keyscan type $t"
${SSHKEYSCAN} -t $t -p $PORT 127.0.0.1 127.0.0.1 127.0.0.1 \
-# $OpenBSD: localcommand.sh,v 1.3 2015/03/03 22:35:19 markus Exp $
+# $OpenBSD: localcommand.sh,v 1.4 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="localcommand"
echo 'PermitLocalCommand yes' >> $OBJ/ssh_proxy
echo 'LocalCommand echo foo' >> $OBJ/ssh_proxy
-for p in ${SSH_PROTOCOLS}; do
- verbose "test $tid: proto $p localcommand"
- a=`${SSH} -F $OBJ/ssh_proxy -$p somehost true`
- if [ "$a" != "foo" ] ; then
- fail "$tid proto $p"
- fi
-done
+verbose "test $tid: proto $p localcommand"
+a=`${SSH} -F $OBJ/ssh_proxy somehost true`
+if [ "$a" != "foo" ] ; then
+ fail "$tid proto $p"
+fi
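Review bot: Both messages in the new code still expand `$p`, which no longer exists now that the `for p in ${SSH_PROTOCOLS}` loop is gone: `verbose "test $tid: proto $p localcommand"` and `fail "$tid proto $p"` print `proto ` followed by nothing, and would abort under `set -u`. Change them to `verbose "test $tid: localcommand"` and `fail "$tid"`.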
-/* $OpenBSD: kexfuzz.c,v 1.3 2016/10/11 21:49:54 djm Exp $ */
+/* $OpenBSD: kexfuzz.c,v 1.4 2017/04/30 23:34:55 djm Exp $ */
/*
* Fuzz harness for KEX code
*
close(fd);
/* XXX check that it is a private key */
/* XXX support certificates */
- if (key == NULL || key->type == KEY_UNSPEC || key->type == KEY_RSA1)
+ if (key == NULL || key->type == KEY_UNSPEC)
badusage("Invalid key file (-k flag)");
/* Replace (fuzz) mode */
-# $OpenBSD: multiplex.sh,v 1.27 2014/12/22 06:14:29 djm Exp $
+# $OpenBSD: multiplex.sh,v 1.28 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
CTL=$OBJ/ctl-sock
${SSH} -F $OBJ/ssh_config -S $CTL otherhost exit $s
r=$?
if [ $r -ne $s ]; then
- fail "exit code mismatch for protocol $p: $r != $s"
+ fail "exit code mismatch: $r != $s"
fi
# same with early close of stdout/err
exec sh -c \'"sleep 2; exec > /dev/null 2>&1; sleep 3; exit $s"\'
r=$?
if [ $r -ne $s ]; then
- fail "exit code (with sleep) mismatch for protocol $p: $r != $s"
+ fail "exit code (with sleep) mismatch: $r != $s"
fi
done
-# $OpenBSD: principals-command.sh,v 1.3 2016/09/26 21:34:38 bluhm Exp $
+# $OpenBSD: principals-command.sh,v 1.4 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="authorized principals command"
# Empty authorized_principals
verbose "$tid: ${_prefix} empty authorized_principals"
echo > $OBJ/authorized_principals_$USER
- ${SSH} -2i $OBJ/cert_user_key \
+ ${SSH} -i $OBJ/cert_user_key \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect succeeded unexpectedly"
# Wrong authorized_principals
verbose "$tid: ${_prefix} wrong authorized_principals"
echo gregorsamsa > $OBJ/authorized_principals_$USER
- ${SSH} -2i $OBJ/cert_user_key \
+ ${SSH} -i $OBJ/cert_user_key \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect succeeded unexpectedly"
# Correct authorized_principals
verbose "$tid: ${_prefix} correct authorized_principals"
echo mekmitasdigoat > $OBJ/authorized_principals_$USER
- ${SSH} -2i $OBJ/cert_user_key \
+ ${SSH} -i $OBJ/cert_user_key \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -ne 0 ]; then
fail "ssh cert connect failed"
# authorized_principals with bad key option
verbose "$tid: ${_prefix} authorized_principals bad key opt"
echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
- ${SSH} -2i $OBJ/cert_user_key \
+ ${SSH} -i $OBJ/cert_user_key \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect succeeded unexpectedly"
verbose "$tid: ${_prefix} authorized_principals command=false"
echo 'command="false" mekmitasdigoat' > \
$OBJ/authorized_principals_$USER
- ${SSH} -2i $OBJ/cert_user_key \
+ ${SSH} -i $OBJ/cert_user_key \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect succeeded unexpectedly"
verbose "$tid: ${_prefix} authorized_principals command=true"
echo 'command="true" mekmitasdigoat' > \
$OBJ/authorized_principals_$USER
- ${SSH} -2i $OBJ/cert_user_key \
+ ${SSH} -i $OBJ/cert_user_key \
-F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
if [ $? -ne 0 ]; then
fail "ssh cert connect failed"
printf 'cert-authority,principals="gregorsamsa" '
cat $OBJ/user_ca_key.pub
) > $OBJ/authorized_keys_$USER
- ${SSH} -2i $OBJ/cert_user_key \
+ ${SSH} -i $OBJ/cert_user_key \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -eq 0 ]; then
fail "ssh cert connect succeeded unexpectedly"
printf 'cert-authority,principals="mekmitasdigoat" '
cat $OBJ/user_ca_key.pub
) > $OBJ/authorized_keys_$USER
- ${SSH} -2i $OBJ/cert_user_key \
+ ${SSH} -i $OBJ/cert_user_key \
-F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
if [ $? -ne 0 ]; then
fail "ssh cert connect failed"
-# $OpenBSD: proto-mismatch.sh,v 1.4 2015/03/03 22:35:19 markus Exp $
+# $OpenBSD: proto-mismatch.sh,v 1.5 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="protocol version mismatch"
mismatch ()
{
- server=$1
client=$2
- banner=`echo ${client} | ${SSHD} -o "Protocol=${server}" -i -f ${OBJ}/sshd_proxy`
+ banner=`echo ${client} | ${SSHD} -i -f ${OBJ}/sshd_proxy`
r=$?
trace "sshd prints ${banner}"
if [ $r -ne 255 ]; then
- fail "sshd prints ${banner} and accepts connect with version ${client}"
+ fail "sshd prints ${banner} but accepts version ${client}"
fi
}
-mismatch 2 SSH-1.5-HALLO
-if ssh_version 1; then
- mismatch 1 SSH-2.0-HALLO
-fi
+mismatch SSH-1.5-HALLO
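Review bot: `mismatch` is now called with a single argument (`mismatch SSH-1.5-HALLO`), but the unchanged body still reads `client=$2`, so `${client}` is empty and the test pipes a blank line into sshd instead of the bogus SSH-1.5 banner; the `-ne 255` check then passes for the wrong reason. Since `server=$1` was removed, the remaining parameter shifts down: change `client=$2` to `client=$1`.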
-# $OpenBSD: proto-version.sh,v 1.5 2015/03/03 22:35:19 markus Exp $
+# $OpenBSD: proto-version.sh,v 1.6 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="sshd version with different protocol combinations"
# we just start sshd in inetd mode and check the banner
check_version ()
{
- version=$1
expect=$2
- banner=`printf '' | ${SSHD} -o "Protocol=${version}" -i -f ${OBJ}/sshd_proxy`
+ banner=`printf '' | ${SSHD} -i -f ${OBJ}/sshd_proxy`
case ${banner} in
SSH-1.99-*)
proto=199
;;
esac
if [ ${expect} -ne ${proto} ]; then
- fail "wrong protocol version ${banner} for ${version}"
+ fail "wrong protocol version ${banner}"
fi
}
-check_version 2 20
-if ssh_version 1; then
- check_version 2,1 199
- check_version 1,2 199
- check_version 1 15
-fi
+check_version 20
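Review bot: `check_version 20` passes one argument but the body still does `expect=$2`, leaving `${expect}` empty; `[ ${expect} -ne ${proto} ]` then becomes `[ -ne 20 ]`, a test syntax error rather than a comparison, so `fail` is never reached and a wrong banner cannot be detected. Change `expect=$2` to `expect=$1`. The `SSH-1.99-*)` case arm is also dead now that only protocol 2 is spoken; it could be dropped, though it does no harm.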
-# $OpenBSD: proxy-connect.sh,v 1.9 2016/02/17 02:24:17 djm Exp $
+# $OpenBSD: proxy-connect.sh,v 1.10 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="proxy connect"
mv $OBJ/sshd_proxy $OBJ/sshd_proxy.orig
for ps in no yes; do
- cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
- echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy
-
- for p in ${SSH_PROTOCOLS}; do
- for c in no yes; do
- verbose "plain username protocol $p privsep=$ps comp=$c"
- opts="-$p -oCompression=$c -F $OBJ/ssh_proxy"
- SSH_CONNECTION=`${SSH} $opts 999.999.999.999 'echo $SSH_CONNECTION'`
- if [ $? -ne 0 ]; then
- fail "ssh proxyconnect protocol $p privsep=$ps comp=$c failed"
- fi
- if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then
- fail "bad SSH_CONNECTION protocol $p privsep=$ps comp=$c: " \
- "$SSH_CONNECTION"
- fi
- done
- done
+ cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
+ echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy
+ for c in no yes; do
+ verbose "plain username privsep=$ps comp=$c"
+ opts="-oCompression=$c -F $OBJ/ssh_proxy"
+ SSH_CONNECTION=`${SSH} $opts 999.999.999.999 'echo $SSH_CONNECTION'`
+ if [ $? -ne 0 ]; then
+ fail "ssh proxyconnect privsep=$ps comp=$c failed"
+ fi
+ if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then
+ fail "bad SSH_CONNECTION privsep=$ps comp=$c: " \
+ "$SSH_CONNECTION"
+ fi
+ done
done
-for p in ${SSH_PROTOCOLS}; do
- verbose "username with style protocol $p"
- ${SSH} -$p -F $OBJ/ssh_proxy ${USER}:style@999.999.999.999 true || \
- fail "ssh proxyconnect protocol $p failed"
-done
+verbose "username with style"
+${SSH} -F $OBJ/ssh_proxy ${USER}:style@999.999.999.999 true || \
+ fail "ssh proxyconnect failed"
-# $OpenBSD: putty-transfer.sh,v 1.4 2016/11/25 03:02:01 dtucker Exp $
+# $OpenBSD: putty-transfer.sh,v 1.5 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="putty transfer data"
fatal "putty interop tests not enabled"
fi
-# XXX support protocol 1 too
-for p in 2; do
- for c in 0 1 ; do
- verbose "$tid: proto $p compression $c"
+for c in 0 1 ; do
+ verbose "$tid: compression $c"
+ rm -f ${COPY}
+ cp ${OBJ}/.putty/sessions/localhost_proxy \
+ ${OBJ}/.putty/sessions/compression_$c
+ echo "Compression=$c" >> ${OBJ}/.putty/sessions/kex_$k
+ env HOME=$PWD ${PLINK} -load compression_$c -batch \
+ -i putty.rsa cat ${DATA} > ${COPY}
+ if [ $? -ne 0 ]; then
+ fail "ssh cat $DATA failed"
+ fi
+ cmp ${DATA} ${COPY} || fail "corrupted copy"
+
+ for s in 10 100 1k 32k 64k 128k 256k; do
+ trace "compression $c dd-size ${s}"
rm -f ${COPY}
- cp ${OBJ}/.putty/sessions/localhost_proxy \
- ${OBJ}/.putty/sessions/compression_$c
- echo "Compression=$c" >> ${OBJ}/.putty/sessions/kex_$k
- env HOME=$PWD ${PLINK} -load compression_$c -batch \
- -i putty.rsa$p cat ${DATA} > ${COPY}
+ dd if=$DATA obs=${s} 2> /dev/null | \
+ env HOME=$PWD ${PLINK} -load compression_$c \
+ -batch -i putty.rsa \
+ "cat > ${COPY}"
if [ $? -ne 0 ]; then
fail "ssh cat $DATA failed"
fi
- cmp ${DATA} ${COPY} || fail "corrupted copy"
-
- for s in 10 100 1k 32k 64k 128k 256k; do
- trace "proto $p compression $c dd-size ${s}"
- rm -f ${COPY}
- dd if=$DATA obs=${s} 2> /dev/null | \
- env HOME=$PWD ${PLINK} -load compression_$c \
- -batch -i putty.rsa$p \
- "cat > ${COPY}"
- if [ $? -ne 0 ]; then
- fail "ssh cat $DATA failed"
- fi
- cmp $DATA ${COPY} || fail "corrupted copy"
- done
+ cmp $DATA ${COPY} || fail "corrupted copy"
done
done
rm -f ${COPY}
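Review bot: The session file written to and the one loaded disagree in the compression hunk: `cp ... localhost_proxy ... compression_$c` creates `compression_$c`, but the next line appends `Compression=$c` to `${OBJ}/.putty/sessions/kex_$k`, where `$k` is not set anywhere in the visible hunk, so plink loads a session that never received the Compression setting and both loop iterations exercise the same configuration. This predates the commit but is now on the new side. Change it to `echo "Compression=$c" >> ${OBJ}/.putty/sessions/compression_$c`.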
-# $OpenBSD: reconfigure.sh,v 1.5 2015/03/03 22:35:19 markus Exp $
+# $OpenBSD: reconfigure.sh,v 1.6 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="simple connect after reconfigure"
start_sshd
trace "connect before restart"
-for p in ${SSH_PROTOCOLS} ; do
- ${SSH} -o "Protocol=$p" -F $OBJ/ssh_config somehost true
- if [ $? -ne 0 ]; then
- fail "ssh connect with protocol $p failed before reconfigure"
- fi
-done
+${SSH} -F $OBJ/ssh_config somehost true
+if [ $? -ne 0 ]; then
+ fail "ssh connect with failed before reconfigure"
+fi
$SUDO kill -HUP `cat $PIDFILE`
sleep 1
test -f $PIDFILE || fatal "sshd did not restart"
trace "connect after restart"
-for p in ${SSH_PROTOCOLS} ; do
- ${SSH} -o "Protocol=$p" -F $OBJ/ssh_config somehost true
- if [ $? -ne 0 ]; then
- fail "ssh connect with protocol $p failed after reconfigure"
- fi
-done
+${SSH} -F $OBJ/ssh_config somehost true
+if [ $? -ne 0 ]; then
+ fail "ssh connect with failed after reconfigure"
+fi
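Review bot: Removing `protocol $p` left a dangling `with` in both failure messages: `fail "ssh connect with failed before reconfigure"` and `fail "ssh connect with failed after reconfigure"`. Change them to `fail "ssh connect failed before reconfigure"` and `fail "ssh connect failed after reconfigure"`.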
-# $OpenBSD: reexec.sh,v 1.10 2016/12/16 01:06:27 dtucker Exp $
+# $OpenBSD: reexec.sh,v 1.11 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="reexec tests"
copy_tests ()
{
rm -f ${COPY}
- for p in ${SSH_PROTOCOLS} ; do
- verbose "$tid: proto $p"
- ${SSH} -nqo "Protocol=$p" -F $OBJ/ssh_config somehost \
- cat ${DATA} > ${COPY}
- if [ $? -ne 0 ]; then
- fail "ssh cat $DATA failed"
- fi
- cmp ${DATA} ${COPY} || fail "corrupted copy"
- rm -f ${COPY}
- done
+ ${SSH} -nq -F $OBJ/ssh_config somehost \
+ cat ${DATA} > ${COPY}
+ if [ $? -ne 0 ]; then
+ fail "ssh cat $DATA failed"
+ fi
+ cmp ${DATA} ${COPY} || fail "corrupted copy"
+ rm -f ${COPY}
}
verbose "test config passing"
stop_sshd
-
-# $OpenBSD: stderr-after-eof.sh,v 1.2 2013/05/17 04:29:14 dtucker Exp $
+# $OpenBSD: stderr-after-eof.sh,v 1.3 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="stderr data after eof"
(date;echo $i) | md5 >> ${DATA}
done
-${SSH} -2 -F $OBJ/ssh_proxy otherhost \
+${SSH} -F $OBJ/ssh_proxy otherhost \
exec sh -c \'"exec > /dev/null; sleep 2; cat ${DATA} 1>&2 $s"\' \
2> ${COPY}
r=$?
-# $OpenBSD: stderr-data.sh,v 1.4 2015/03/03 22:35:19 markus Exp $
+# $OpenBSD: stderr-data.sh,v 1.5 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="stderr data transfer"
for n in '' -n; do
-for p in ${SSH_PROTOCOLS}; do
- verbose "test $tid: proto $p ($n)"
- ${SSH} $n -$p -F $OBJ/ssh_proxy otherhost \
- exec sh -c \'"exec > /dev/null; sleep 3; cat ${DATA} 1>&2 $s"\' \
+ verbose "test $tid: ($n)"
+ ${SSH} $n -F $OBJ/ssh_proxy otherhost exec \
+ sh -c \'"exec > /dev/null; sleep 3; cat ${DATA} 1>&2 $s"\' \
2> ${COPY}
r=$?
if [ $r -ne 0 ]; then
cmp ${DATA} ${COPY} || fail "stderr corrupt"
rm -f ${COPY}
- ${SSH} $n -$p -F $OBJ/ssh_proxy otherhost \
- exec sh -c \'"echo a; exec > /dev/null; sleep 3; cat ${DATA} 1>&2 $s"\' \
+ ${SSH} $n -F $OBJ/ssh_proxy otherhost exec \
+ sh -c \'"echo a; exec > /dev/null; sleep 3; cat ${DATA} 1>&2 $s"\' \
> /dev/null 2> ${COPY}
r=$?
if [ $r -ne 0 ]; then
cmp ${DATA} ${COPY} || fail "stderr corrupt"
rm -f ${COPY}
done
-done
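Review bot: `verbose "test $tid: ($n)"` prints an empty `()` on the first iteration of `for n in '' -n`, since the protocol text that used to fill the message is gone. Something like `verbose "test $tid: ssh $n"` reads correctly for both the empty and the `-n` case. The enclosing `for n` loop begins in this hunk's first context line and its body is otherwise unchanged.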
-# $OpenBSD: test-exec.sh,v 1.59 2017/02/07 23:03:11 dtucker Exp $
+# $OpenBSD: test-exec.sh,v 1.60 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
USER=`id -un`
CONCH="${TEST_SSH_CONCH}"
fi
-SSH_PROTOCOLS=2
-#SSH_PROTOCOLS=`$SSH -Q protocol-version`
-if [ "x$TEST_SSH_PROTOCOLS" != "x" ]; then
- SSH_PROTOCOLS="${TEST_SSH_PROTOCOLS}"
-fi
-
# Path to sshd must be absolute for rexec
case "$SSHD" in
/*) ;;
exit $RESULT
}
-ssh_version ()
-{
- echo ${SSH_PROTOCOLS} | grep -q "$1"
-}
-
RESULT=0
PIDFILE=$OBJ/pidfile
trap fatal 3 2
-if ssh_version 1; then
- PROTO="2,1"
-else
- PROTO="2"
-fi
-
# create server config
cat << EOF > $OBJ/sshd_config
Port $PORT
rm -f $OBJ/known_hosts $OBJ/authorized_keys_$USER
-if ssh_version 1; then
- SSH_KEYTYPES="rsa rsa1"
-else
- SSH_KEYTYPES="rsa ed25519"
-fi
+SSH_KEYTYPES="rsa ed25519"
+
trace "generate keys"
for t in ${SSH_KEYTYPES}; do
# generate user key
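Review bot: This hunk removes `ssh_version`, `SSH_PROTOCOLS` and `PROTO`, but it does not show everything that may still consume them: the `cat << EOF > $OBJ/sshd_config` heredoc that starts right after the `PROTO` removal runs past the hunk, and a leftover `Protocol $PROTO` line in it would now expand to a bare `Protocol` keyword that sshd would presumably reject as a missing argument. Likewise any regress script still calling `ssh_version` would now fail with a command-not-found rather than a clean skip. Worth grepping the regress directory for `PROTO`, `SSH_PROTOCOLS`, `ssh_version` and `TEST_SSH_PROTOCOLS` (the build files may still export the last one) before merging.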
-# $OpenBSD: transfer.sh,v 1.3 2015/03/03 22:35:19 markus Exp $
+# $OpenBSD: transfer.sh,v 1.4 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="transfer data"
-for p in ${SSH_PROTOCOLS}; do
- verbose "$tid: proto $p"
+rm -f ${COPY}
+${SSH} -n -q -F $OBJ/ssh_proxy somehost cat ${DATA} > ${COPY}
+if [ $? -ne 0 ]; then
+ fail "ssh cat $DATA failed"
+fi
+cmp ${DATA} ${COPY} || fail "corrupted copy"
+
+for s in 10 100 1k 32k 64k 128k 256k; do
+ trace "dd-size ${s}"
rm -f ${COPY}
- ${SSH} -n -q -$p -F $OBJ/ssh_proxy somehost cat ${DATA} > ${COPY}
+ dd if=$DATA obs=${s} 2> /dev/null | \
+ ${SSH} -q -F $OBJ/ssh_proxy somehost "cat > ${COPY}"
if [ $? -ne 0 ]; then
fail "ssh cat $DATA failed"
fi
- cmp ${DATA} ${COPY} || fail "corrupted copy"
-
- for s in 10 100 1k 32k 64k 128k 256k; do
- trace "proto $p dd-size ${s}"
- rm -f ${COPY}
- dd if=$DATA obs=${s} 2> /dev/null | \
- ${SSH} -q -$p -F $OBJ/ssh_proxy somehost "cat > ${COPY}"
- if [ $? -ne 0 ]; then
- fail "ssh cat $DATA failed"
- fi
- cmp $DATA ${COPY} || fail "corrupted copy"
- done
+ cmp $DATA ${COPY} || fail "corrupted copy"
done
rm -f ${COPY}
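Review bot: The unrolled test loses the `verbose "$tid: proto $p"` announcement entirely rather than trimming it, so transfer.sh now only emits `trace` lines, while other scripts in this commit (localcommand.sh, putty-transfer.sh) kept a `verbose` call. Add `verbose "$tid"` before the first `rm -f ${COPY}`.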
-# $OpenBSD: try-ciphers.sh,v 1.25 2015/03/24 20:22:17 markus Exp $
+# $OpenBSD: try-ciphers.sh,v 1.26 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="try ciphers"
for c in `${SSH} -Q cipher`; do
n=0
for m in `${SSH} -Q mac`; do
- trace "proto 2 cipher $c mac $m"
- verbose "test $tid: proto 2 cipher $c mac $m"
+ trace "cipher $c mac $m"
+ verbose "test $tid: cipher $c mac $m"
cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
echo "Ciphers=$c" >> $OBJ/sshd_proxy
echo "MACs=$m" >> $OBJ/sshd_proxy
- ${SSH} -F $OBJ/ssh_proxy -2 -m $m -c $c somehost true
+ ${SSH} -F $OBJ/ssh_proxy -m $m -c $c somehost true
if [ $? -ne 0 ]; then
- fail "ssh -2 failed with mac $m cipher $c"
+ fail "ssh failed with mac $m cipher $c"
fi
# No point trying all MACs for AEAD ciphers since they
# are ignored.
done
done
-if ssh_version 1; then
- ciphers="3des blowfish"
-else
- ciphers=""
-fi
-for c in $ciphers; do
- trace "proto 1 cipher $c"
- verbose "test $tid: proto 1 cipher $c"
- ${SSH} -F $OBJ/ssh_proxy -1 -c $c somehost true
- if [ $? -ne 0 ]; then
- fail "ssh -1 failed with cipher $c"
- fi
-done
-
-# $OpenBSD: yes-head.sh,v 1.5 2015/03/03 22:35:19 markus Exp $
+# $OpenBSD: yes-head.sh,v 1.6 2017/04/30 23:34:55 djm Exp $
# Placed in the Public Domain.
tid="yes pipe head"
-for p in ${SSH_PROTOCOLS}; do
- lines=`${SSH} -$p -F $OBJ/ssh_proxy thishost 'yes | head -2000' | (sleep 3 ; wc -l)`
- if [ $? -ne 0 ]; then
- fail "yes|head test failed"
- lines = 0;
- fi
- if [ $lines -ne 2000 ]; then
- fail "yes|head returns $lines lines instead of 2000"
- fi
-done
+lines=`${SSH} -F $OBJ/ssh_proxy thishost 'yes | head -2000' | (sleep 3 ; wc -l)`
+if [ $? -ne 0 ]; then
+ fail "yes|head test failed"
+ lines = 0;
+fi
+if [ $lines -ne 2000 ]; then
+ fail "yes|head returns $lines lines instead of 2000"
+fi
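Review bot: `lines = 0;` in the failure branch is not an assignment in sh — it runs a command named `lines` with the arguments `=` and `0`, so `$lines` keeps whatever `wc -l` printed (possibly nothing) and the following `[ $lines -ne 2000 ]` can then error out on an empty operand. It predates the commit but is now the code under review; write `lines=0`. Note also that `$?` after the backtick assignment reflects the `(sleep 3 ; wc -l)` stage, not ssh, so an ssh failure is in practice caught by the `-ne 2000` comparison rather than this branch.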