1 # $OpenBSD: addrmatch.sh,v 1.3 2010/02/09 04:57:36 djm Exp $ 2 # Placed in the Public Domain. 3 4 tid="address match" 5 6 mv $OBJ/sshd_proxy $OBJ/sshd_proxy_bak 7 8 run_trial() 9 { 10 user="$1"; addr="$2"; host="$3"; expected="$4"; descr="$5" 11 12 verbose "test $descr for $user $addr $host" 13 result=`${SSHD} -f $OBJ/sshd_proxy -T \ 14 -C user=${user},addr=${addr},host=${host} | \ 15 awk '/^passwordauthentication/ {print $2}'` 16 if [ "$result" != "$expected" ]; then 17 fail "failed for $user $addr $host: expected $expected, got $result" 18 fi 19 } 20 21 cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy 22 cat >>$OBJ/sshd_proxy <<EOD 23 PasswordAuthentication no 24 Match Address 192.168.0.0/16,!192.168.30.0/24,10.0.0.0/8,host.example.com 25 PasswordAuthentication yes 26 Match Address 1.1.1.1,::1,!::3,2000::/16 27 PasswordAuthentication yes 28 EOD 29 30 run_trial user 192.168.0.1 somehost yes "permit, first entry" 31 run_trial user 192.168.30.1 somehost no "deny, negative match" 32 run_trial user 19.0.0.1 somehost no "deny, no match" 33 run_trial user 10.255.255.254 somehost yes "permit, list middle" 34 run_trial user 192.168.30.1 192.168.0.1 no "deny, faked IP in hostname" 35 run_trial user 1.1.1.1 somehost.example.com yes "permit, bare IP4 address" 36 test "$TEST_SSH_IPV6" = "no" && exit 37 run_trial user ::1 somehost.example.com yes "permit, bare IP6 address" 38 run_trial user ::2 somehost.exaple.com no "deny IPv6" 39 run_trial user ::3 somehost no "deny IP6 negated" 40 run_trial user ::4 somehost no "deny, IP6 no match" 41 run_trial user 2000::1 somehost yes "permit, IP6 network" 42 run_trial user 2001::1 somehost no "deny, IP6 network" 43 44 cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy 45 rm $OBJ/sshd_proxy_bak 46
