Bugzilla – Attachment 3265 Details for
Bug 2858
sshd -T requires -C when "Match" is used in sshd_config
[patch]
Fix sshd -T w/out -C
sshd-T-criteria.patch (text/plain), 5.62 KB, created by
Darren Tucker
on 2019-04-18 19:42:28 AEST
Description:
Fix sshd -T w/out -C
Filename:
MIME Type:
Creator:
Darren Tucker
Created:
2019-04-18 19:42:28 AEST
Size:
5.62 KB
>Index: usr.bin/ssh/servconf.c
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/servconf.c,v
>retrieving revision 1.350
>diff -u -p -r1.350 servconf.c
>--- usr.bin/ssh/servconf.c 25 Mar 2019 22:33:44 -0000 1.350
>+++ usr.bin/ssh/servconf.c 18 Apr 2019 09:25:15 -0000
>@@ -985,7 +985,7 @@ match_cfg_line(char **condition, int lin
> return -1;
> }
> if (strcasecmp(attrib, "user") == 0) {
>- if (ci == NULL) {
>+ if (ci == NULL || (ci->test && ci->user == NULL)) {
> result = 0;
> continue;
> }
>@@ -997,7 +997,7 @@ match_cfg_line(char **condition, int lin
> debug("user %.100s matched 'User %.100s' at "
> "line %d", ci->user, arg, line);
> } else if (strcasecmp(attrib, "group") == 0) {
>- if (ci == NULL) {
>+ if (ci == NULL || (ci->test && ci->user == NULL)) {
> result = 0;
> continue;
> }
>@@ -1010,7 +1010,7 @@ match_cfg_line(char **condition, int lin
> result = 0;
> }
> } else if (strcasecmp(attrib, "host") == 0) {
>- if (ci == NULL) {
>+ if (ci == NULL || (ci->test && ci->host == NULL)) {
> result = 0;
> continue;
> }
>@@ -1022,7 +1022,7 @@ match_cfg_line(char **condition, int lin
> debug("connection from %.100s matched 'Host "
> "%.100s' at line %d", ci->host, arg, line);
> } else if (strcasecmp(attrib, "address") == 0) {
>- if (ci == NULL) {
>+ if (ci == NULL || (ci->test && ci->address == NULL)) {
> result = 0;
> continue;
> }
>@@ -1041,7 +1041,7 @@ match_cfg_line(char **condition, int lin
> return -1;
> }
> } else if (strcasecmp(attrib, "localaddress") == 0){
>- if (ci == NULL) {
>+ if (ci == NULL || (ci->test && ci->laddress == NULL)) {
> result = 0;
> continue;
> }
>@@ -1067,7 +1067,7 @@ match_cfg_line(char **condition, int lin
> arg);
> return -1;
> }
>- if (ci == NULL) {
>+ if (ci == NULL || (ci->test && ci->lport == -1)) {
> result = 0;
> continue;
> }
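Review bot: In the `user` branch, the added `(ci->test && ci->user == NULL)` arm drops the Match block with `result = 0; continue;` and leaves no trace, so `sshd -T` run without a complete connection spec prints a configuration with those Match overrides left out and gives no hint that this happened. The same arm is added for `group`, `host`, `address`, `localaddress` and `localport` in the hunks below, and for `rdomain` in the hunk after them. An operator using the dump to audit a hardened configuration would benefit from a trace at each site, for example `debug3("line %d: Match %s skipped: not specified in test mode", line, attrib);` placed before the `continue`. The body of match_cfg_line starts and ends outside these hunks.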
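Review bot: The `group` branch tests `ci->user == NULL`, which on its face reads like a copy of the `user` guard. Presumably group membership is resolved from the user name, but the lines that do the lookup are outside the hunk. A one-line comment above the guard, such as `/* group lookup needs a user; none supplied in test mode */`, would make the intent explicit and keep a later reader from changing it.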
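Review bot: The `localport` guard treats `ci->lport == -1` as "not specified" while the pointer attributes use NULL, and nothing in this patch shows `lport` being set to -1 on a connection_info that was never populated. If that object is zero-filled, `lport` is 0, the test-mode arm never fires, and `Match LocalPort` still takes whatever path follows the guard, which is outside the hunk. The regress loop added in cfgmatch.sh lists user, host, address, localaddress and rdomain but no localport, so this case is not exercised; an extra entry in `params` (for example `localport:lport:2222`, a constructed value) would cover it.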
>@@ -1081,10 +1081,12 @@ match_cfg_line(char **condition, int lin
> else
> result = 0;
> } else if (strcasecmp(attrib, "rdomain") == 0) {
>- if (ci == NULL || ci->rdomain == NULL) {
>+ if (ci == NULL || (ci->test && ci->rdomain == NULL)) {
> result = 0;
> continue;
> }
>+ if (ci->rdomain == NULL)
>+ match_test_missing_fatal("RDomain", "rdomain");
> if (match_pattern_list(ci->rdomain, arg, 0) != 1)
> result = 0;
> else
>Index: usr.bin/ssh/servconf.h
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/servconf.h,v
>retrieving revision 1.139
>diff -u -p -r1.139 servconf.h
>--- usr.bin/ssh/servconf.h 19 Jan 2019 21:37:48 -0000 1.139
>+++ usr.bin/ssh/servconf.h 18 Apr 2019 09:25:15 -0000
>@@ -219,6 +219,8 @@ struct connection_info {
> const char *laddress; /* local address */
> int lport; /* local port */
> const char *rdomain; /* routing domain if available */
>+ int test; /* test mode, allow some attributes to be
>+ * unspecified */
> };
>
>
>Index: usr.bin/ssh/sshd.c
>===================================================================
>RCS file: /cvs/src/usr.bin/ssh/sshd.c,v
>retrieving revision 1.533
>diff -u -p -r1.533 sshd.c
>--- usr.bin/ssh/sshd.c 1 Mar 2019 02:32:39 -0000 1.533
>+++ usr.bin/ssh/sshd.c 18 Apr 2019 09:25:15 -0000
>@@ -1714,6 +1714,7 @@ main(int ac, char **av)
> */
> if (connection_info == NULL)
> connection_info = get_connection_info(ssh, 0, 0);
>+ connection_info->test = 1;
> parse_server_match_config(&options, connection_info);
> dump_config(&options);
> }
>Index: regress/usr.bin/ssh/cfgmatch.sh
>===================================================================
>RCS file: /cvs/src/regress/usr.bin/ssh/cfgmatch.sh,v
>retrieving revision 1.11
>diff -u -p -r1.11 cfgmatch.sh
>--- regress/usr.bin/ssh/cfgmatch.sh 4 Oct 2017 18:50:23 -0000 1.11
>+++ regress/usr.bin/ssh/cfgmatch.sh 18 Apr 2019 09:25:15 -0000
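Review bot: The `rdomain` hunk changes behaviour outside test mode as well: the old guard turned `ci->rdomain == NULL` into a quiet non-match for every caller, while the new code sends that case to `match_test_missing_fatal("RDomain", "rdomain")` whenever `ci->test` is 0. Since the sshd.c hunk sets `test = 1` on the `sshd -T` path, the added fatal looks reachable only from callers that are not in test mode, as far as the visible hunks show. The field is described in servconf.h as `routing domain if available`, so a live connection without a routing domain plus a `Match RDomain` line would now end in a fatal error instead of a non-match. Please confirm that every non-test caller sets `rdomain`, or drop the two added lines and keep `ci->rdomain == NULL` in the guard. The enclosing function starts and ends outside the hunk.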
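Review bot: The comment on the new `test` member says attributes may be unspecified but not what happens then, and the effect matters for security: with the flag non-zero, a Match block whose criterion is missing is skipped rather than rejected. I would spell that out and state the value required for real connections, e.g. `int test; /* sshd -T only: unspecified attributes make Match not match; must be 0 for live connections */`. A connection_info that is not zero-initialised would read an indeterminate flag; the code that creates these objects is not part of this patch, so that needs checking there.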
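Review bot: In sshd.c, `connection_info->test = 1;` sits after the `if (connection_info == NULL)` fallback rather than inside it, so it also applies when a connection spec was supplied (presumably via `-C`), and an incomplete spec is then accepted without any report of which criterion is missing. If that is intended, the comment block that ends at the hunk's first line should say so; if not, the assignment belongs inside the fallback. The regress changes exercise no spec and a spec naming every listed criterion, but not a partial one.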
>@@ -51,9 +51,10 @@ echo "AuthorizedKeysFile /dev/null $OBJ/
> echo "Match Address 127.0.0.1" >>$OBJ/sshd_proxy
> echo "PermitOpen 127.0.0.1:2 127.0.0.1:3 127.0.0.1:$PORT" >>$OBJ/sshd_proxy
>
>-start_sshd
>+${SUDO} ${SSHD} -f $OBJ/sshd_config -T >/dev/null || \
>+ fail "config w/match fails config test"
>
>-#set -x
>+start_sshd
>
> # Test Match + PermitOpen in sshd_config. This should be permitted
> trace "match permitopen localhost"
>@@ -113,3 +114,45 @@ start_client -F $OBJ/ssh_proxy
> ${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \
> fail "nomatch override permitopen"
> stop_client
>+
>+# Test parsing of available Match criteria (with the exception of Group which
>+# requires knowledge of actual group memberships user running the test).
>+params="user:user:u1 host:host:h1 address:addr:1.2.3.4 \
>+ localaddress:laddr:5.6.7.8 rdomain:rdomain:rdom1"
>+cp $OBJ/sshd_proxy_bak $OBJ/sshd_config
>+echo 'Banner /nomatch' >>$OBJ/sshd_config
>+for i in $params; do
>+ config=`echo $i | cut -f1 -d:`
>+ criteria=`echo $i | cut -f2 -d:`
>+ value=`echo $i | cut -f3 -d:`
>+ cat >>$OBJ/sshd_config <<EOD
>+ Match $config $value
>+ Banner /$value
>+EOD
>+done
>+
>+${SUDO} ${SSHD} -f $OBJ/sshd_config -T >/dev/null || \
>+ fail "validate config for w/out spec"
>+
>+# Test matching each criteria.
>+for i in $params; do
>+ testcriteria=`echo $i | cut -f2 -d:`
>+ expected=/`echo $i | cut -f3 -d:`
>+ spec=""
>+ for j in $params; do
>+ config=`echo $j | cut -f1 -d:`
>+ criteria=`echo $j | cut -f2 -d:`
>+ value=`echo $j | cut -f3 -d:`
>+ if [ "$criteria" = "$testcriteria" ]; then
>+ spec="$criteria=$value,$spec"
>+ else
>+ spec="$criteria=1$value,$spec"
>+ fi
>+ done
>+ trace "test spec $spec"
>+ result=`${SUDO} ${SSHD} -f $OBJ/sshd_config -T -C "$spec" | \
>+ awk '$1=="banner"{print $2}'`
>+ if [ "$result" != "$expected" ]; then
>+ fail "match $config expected $expected got $result"
>+ fi
>+done
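Review bot: The failure message in the second loop of the appended test prints `$config`, which is assigned only inside the inner `for j` loop, so it always holds the last entry of `params` (rdomain) and not the criterion under test. Use the outer variable instead: `fail "match $testcriteria expected $expected got $result"`. The `criteria` assignment in the first loop is never read and can go.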
Attachments on
bug 2858
:
3150
| 3265