Bugzilla – Attachment 2470 Details for Bug 2267: Host matching uses modified hostname as well as original
Regress test: clientmatch.sh (text/plain), 2.96 KB, created by Damien Miller on 2014-09-05 12:53:47 AEST
># $OpenBSD$
># Placed in the Public Domain.
>
># XXX this test requires working DNS (or an edited /etc/hosts). Not sure how
># to fix this.
># To run manually:
># make SKIP_UNIT=1 LTESTS=clientmatch
>
>tid="ssh_config match"
>
>checkmatch() {
>    _host="$1"
>    _match="$2"
>    _label="$3"
>    ssh -GF $OBJ/ssh_config "$_host" | \
>        grep -i "^${_match}\$" >/dev/null 2>&1
>    test $? -ne 0 && fail "$_label"
>}
>checknomatch() {
>    _host="$1"
>    _match="$2"
>    _label="$3"
>    ssh -GF $OBJ/ssh_config "$_host" | \
>        grep -i "^${_match}\$" >/dev/null 2>&1
>    test $? -eq 0 && fail "$_label"
>}
>
>
># Check that Host isn't affected by Hostname without canonicalisation
>cat > $OBJ/ssh_config << EOF
>Hostname blah
>Host fuyu
>    Ciphers arcfour
>Host *
>    Ciphers aes128-cbc
>EOF
>
>checkmatch xxx 'ciphers aes128-cbc' 'hostname, wildcard'
>checkmatch xxx 'hostname blah' 'hostname'
>checkmatch fuyu 'ciphers arcfour' 'hostname, exact'
>
># Check that Hostname is applied before Canonicalisation
>cat > $OBJ/ssh_config << EOF
>CanonicalizeHostname yes
>CanonicalDomains mindrot.org
>Hostname fuyu
>Host fuyu.mindrot.org
>    MACs hmac-md5-96
>    Ciphers blowfish-cbc
>Host fuyu
>    Ciphers arcfour
>    MACs hmac-sha1
>Host *
>    Ciphers aes128-cbc
>EOF
>
># First two host entries shouldn't match on first pass
>checkmatch xxx 'ciphers aes128-cbc' 'canon, wildcard'
># Host with canonical name should match on second pass
>checkmatch xxx 'macs hmac-md5-96' 'canon+hostname host canon'
># Host with bare name should match on first pass
>checkmatch fuyu 'ciphers arcfour' 'canon host exact'
>
># Check that Hostname is applied before Canonicalisation
>cat > $OBJ/ssh_config << EOF
>CanonicalizeHostname yes
>CanonicalDomains mindrot.org
>Hostname fuyu
>Match host fuyu.mindrot.org
>    MACs hmac-md5-96
>    Ciphers blowfish-cbc
>    KEXAlgorithms ecdh-sha2-nistp521
>Match originalhost fuyu
>    Ciphers arcfour256
>Match host fuyu
>    Ciphers arcfour
>    MACs hmac-sha1
>Match all
>    Ciphers aes128-cbc
>EOF
>
># Third entry should match (on second pass)
>checkmatch xxx 'ciphers arcfour' 'canon, hostname, match-host'
># Host with canonical name should match on second pass
>checkmatch xxx 'kexalgorithms ecdh-sha2-nistp521' 'canon, match-host full'
># Host with bare name should match on first pass
>checkmatch fuyu 'ciphers arcfour256' 'match originalhost'
>
># Check "match canonical" never matches with canonicalisation off.
># Also "Match !all"
>cat > $OBJ/ssh_config << EOF
>Match canonical all
>    Ciphers aes128-cbc
>Match !all
>    Ciphers aes128-cbc
>EOF
>checknomatch fuyu 'ciphers aes128-cbc' 'match canon with no canon'
>
># Check "Match canonical"
>cat > $OBJ/ssh_config << EOF
>CanonicalizeHostname yes
>CanonicalDomains mindrot.org
>Match canonical originalhost fuyu
>    Ciphers arcfour
>Match canonical host fuyu.mindrot.org
>    Ciphers aes128-cbc
>Match canonical all
>    Ciphers blowfish-cbc
>Host xxx
>    Hostname fuyu
>EOF
>
># 1st pass: match final stanza, 2nd pass: match 2nd
>checkmatch xxx 'ciphers aes128-cbc' 'canonical match rewritten hostname'
># 1st pass: nothing, 2nd pass: match 1st
>checkmatch fuyu 'ciphers arcfour' 'canonical match, expanded hostname'