

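--- a/usr.bin/ssh/servconf.c
+++ b/usr.bin/ssh/servconf.c
@@ -985,7 +985,7 @@ match_cfg_line(char **condition, int lin
 			return -1;
 		}
 		if (strcasecmp(attrib, "user") == 0) {
-			if (ci == NULL) {
+			if (ci == NULL || (ci->test && ci->user == NULL)) {
 				result = 0;
 				continue;
 			}
@@ -997,7 +997,7 @@ match_cfg_line(char **condition, int lin
 				debug("user %.100s matched 'User %.100s' at "
 				    "line %d", ci->user, arg, line);
 		} else if (strcasecmp(attrib, "group") == 0) {
-			if (ci == NULL) {
+			if (ci == NULL || (ci->test && ci->user == NULL)) {
 				result = 0;
 				continue;
 			}
@@ -1010,7 +1010,7 @@ match_cfg_line(char **condition, int lin
 				result = 0;
 			}
 		} else if (strcasecmp(attrib, "host") == 0) {
-			if (ci == NULL) {
+			if (ci == NULL || (ci->test && ci->host == NULL)) {
 				result = 0;
 				continue;
 			}
@@ -1022,7 +1022,7 @@ match_cfg_line(char **condition, int lin
 				debug("connection from %.100s matched 'Host "
 				    "%.100s' at line %d", ci->host, arg, line);
 		} else if (strcasecmp(attrib, "address") == 0) {
-			if (ci == NULL) {
+			if (ci == NULL || (ci->test && ci->address == NULL)) {
 				result = 0;
 				continue;
 			}
@@ -1041,7 +1041,7 @@ match_cfg_line(char **condition, int lin
 				return -1;
 			}
 		} else if (strcasecmp(attrib, "localaddress") == 0){
-			if (ci == NULL) {
+			if (ci == NULL || (ci->test && ci->laddress == NULL)) {
 				result = 0;
 				continue;
 			}
@@ -1067,7 +1067,7 @@ match_cfg_line(char **condition, int lin
 				    arg);
 				return -1;
 			}
-			if (ci == NULL) {
+			if (ci == NULL || (ci->test && ci->lport == -1)) {
 				result = 0;
 				continue;
 			}
@@ -1081,10 +1081,12 @@ match_cfg_line(char **condition, int lin
 			else
 				result = 0;
 		} else if (strcasecmp(attrib, "rdomain") == 0) {
-			if (ci == NULL || ci->rdomain == NULL) {
+			if (ci == NULL || (ci->test && ci->rdomain == NULL)) {
 				result = 0;
 				continue;
 			}
+			if (ci->rdomain == NULL)
+				match_test_missing_fatal("RDomain", "rdomain");
 			if (match_pattern_list(ci->rdomain, arg, 0) != 1)
 				result = 0;
 			else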
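Review bot: The test-mode guard in the localport branch compares `ci->lport == -1`, while every other branch checks a NULL pointer, and nothing in the visible hunks sets lport to -1 (the sshd.c hunk only obtains connection_info and sets `test`). If the unpopulated struct starts out zeroed, an unspecified port would not be skipped here and would fall through to the port comparison. Confirm the initial value where connection_info is created, and record the sentinel next to the field, e.g. `int lport;		/* local port, -1 if unspecified */`. The enclosing match_cfg_line starts and ends outside these hunks.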
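--- a/usr.bin/ssh/servconf.h
+++ b/usr.bin/ssh/servconf.h
@@ -219,6 +219,8 @@ struct connection_info {
 	const char *laddress;	/* local address */
 	int lport;		/* local port */
 	const char *rdomain;	/* routing domain if available */
+	int test;		/* test mode, allow some attributes to be
+				 * unspecified */
 };
 
 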
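--- a/usr.bin/ssh/sshd.c
+++ b/usr.bin/ssh/sshd.c
@@ -1714,6 +1714,7 @@ main(int ac, char **av)
 		 */
 		if (connection_info == NULL)
 			connection_info = get_connection_info(ssh, 0, 0);
+		connection_info->test = 1;
 		parse_server_match_config(&options, connection_info);
 		dump_config(&options);
 	}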
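Review bot: `connection_info->test = 1;` has no comment of its own, and it sits outside the `if (connection_info == NULL)` so it also applies when a -C spec was given. With the servconf.c guards, any Match block keyed on an attribute missing from -C is then treated as non-matching, so the dumped configuration can omit overrides that would apply to a real connection. A short comment would help anyone using -T output to audit policy, e.g. `/* test mode: Match criteria not given via -C never match; output may omit Match overrides */`. The comment ending at the top of the hunk begins outside it, so it may already say part of this.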
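--- a/regress/usr.bin/ssh/cfgmatch.sh
+++ b/regress/usr.bin/ssh/cfgmatch.sh
@@ -51,9 +51,10 @@ echo "AuthorizedKeysFile /dev/null $OBJ/
 echo "Match Address 127.0.0.1" >>$OBJ/sshd_proxy
 echo "PermitOpen 127.0.0.1:2 127.0.0.1:3 127.0.0.1:$PORT" >>$OBJ/sshd_proxy
 
-start_sshd
+${SUDO} ${SSHD} -f $OBJ/sshd_config -T >/dev/null || \
+    fail "config w/match fails config test"
 
-#set -x
+start_sshd
 
 # Test Match + PermitOpen in sshd_config.  This should be permitted
 trace "match permitopen localhost"
@@ -113,3 +114,45 @@ start_client -F $OBJ/ssh_proxy
 ${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
     fail "nomatch override permitopen"
 stop_client
+
+# Test parsing of available Match criteria (with the exception of Group which
+# requires knowledge of actual group memberships user running the test).
+params="user:user:u1 host:host:h1 address:addr:1.2.3.4 \
+    localaddress:laddr:5.6.7.8 rdomain:rdomain:rdom1"
+cp $OBJ/sshd_proxy_bak $OBJ/sshd_config
+echo 'Banner /nomatch' >>$OBJ/sshd_config
+for i in $params; do
+	config=`echo $i | cut -f1 -d:`
+	criteria=`echo $i | cut -f2 -d:`
+	value=`echo $i | cut -f3 -d:`
+	cat >>$OBJ/sshd_config <<EOD
+	    Match $config $value
+	      Banner /$value
+EOD
+done
+
+${SUDO} ${SSHD} -f $OBJ/sshd_config -T >/dev/null || \
+    fail "validate config for w/out spec"
+
+# Test matching each criteria.
+for i in $params; do
+	testcriteria=`echo $i | cut -f2 -d:`
+	expected=/`echo $i | cut -f3 -d:`
+	spec=""
+	for j in $params; do
+		config=`echo $j | cut -f1 -d:`
+		criteria=`echo $j | cut -f2 -d:`
+		value=`echo $j | cut -f3 -d:`
+		if [ "$criteria" = "$testcriteria" ]; then
+			spec="$criteria=$value,$spec"
+		else
+			spec="$criteria=1$value,$spec"
+		fi
+	done
+	trace "test spec $spec"
+	result=`${SUDO} ${SSHD} -f $OBJ/sshd_config -T -C "$spec" | \
+	    awk '$1=="banner"{print $2}'`
+	if [ "$result" != "$expected" ]; then
+		fail "match $config expected $expected got $result"
+	fi
+done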
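Review bot: The failure message in the last loop prints `$config`, which by then holds the value left by the final pass of the inner `for j` loop (the last entry of `params`), not the criterion being tested; `fail "match $testcriteria expected $expected got $result"` would name the right one. `params` also has no localport entry, so the new `ci->lport == -1` guard in servconf.c is not exercised by this test, although the comment above `params` names only Group as an exception.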
