Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / openssh / 2f95d43dc222ce194622b706682e8de07c9cfb42 / . / regress / keys-command.sh
blob: 33b6e7b423df681bee0841ade6fdd53ca67d73f0 [file] [log] [blame]
dtucker@openbsd.org47f8ff12019-07-25 08:48:11 +0000[diff] [blame]1# $OpenBSD: keys-command.sh,v 1.6 2019/07/25 08:48:11 dtucker Exp $
Damien Miller771c43c2012-12-03 10:12:13 +1100[diff] [blame]2# Placed in the Public Domain.
3
4tid="authorized keys from command"
5
bluhm@openbsd.orgce44c972016-09-26 21:34:38 +0000[diff] [blame]6if [ -z "$SUDO" -a ! -w /var/run ]; then
Damien Miller771c43c2012-12-03 10:12:13 +1100[diff] [blame]7 echo "skipped (SUDO not set)"
8 echo "need SUDO to create file in /var/run, test won't work without"
9 exit 0
10fi
11
djm@openbsd.org84452c52015-05-21 06:40:02 +0000[diff] [blame]12rm -f $OBJ/keys-command-args
13
14touch $OBJ/keys-command-args
15chmod a+rw $OBJ/keys-command-args
16
dtucker@openbsd.org47f8ff12019-07-25 08:48:11 +0000[diff] [blame]17expected_key_text=`awk '{ print $2 }' < $OBJ/ssh-ed25519.pub`
18expected_key_fp=`$SSHKEYGEN -lf $OBJ/ssh-ed25519.pub | awk '{ print $2 }'`
djm@openbsd.org84452c52015-05-21 06:40:02 +0000[diff] [blame]19
Damien Miller771c43c2012-12-03 10:12:13 +1100[diff] [blame]20# Establish a AuthorizedKeysCommand in /var/run where it will have
21# acceptable directory permissions.
dtucker@openbsd.orge4ae3452018-11-22 08:48:32 +0000[diff] [blame]22KEY_COMMAND="/var/run/keycommand_${LOGNAME}.$$"
23trap "${SUDO} rm -f ${KEY_COMMAND}" 0
djm@openbsd.org84452c52015-05-21 06:40:02 +0000[diff] [blame]24cat << _EOF | $SUDO sh -c "rm -f '$KEY_COMMAND' ; cat > '$KEY_COMMAND'"
Damien Miller771c43c2012-12-03 10:12:13 +1100[diff] [blame]25#!/bin/sh
djm@openbsd.org84452c52015-05-21 06:40:02 +0000[diff] [blame]26echo args: "\$@" >> $OBJ/keys-command-args
27echo "$PATH" | grep -q mekmitasdigoat && exit 7
Darren Tucker3dfb8772012-12-07 13:03:10 +1100[diff] [blame]28test "x\$1" != "x${LOGNAME}" && exit 1
djm@openbsd.org84452c52015-05-21 06:40:02 +0000[diff] [blame]29if test $# -eq 6 ; then
30 test "x\$2" != "xblah" && exit 2
31 test "x\$3" != "x${expected_key_text}" && exit 3
32 test "x\$4" != "xssh-rsa" && exit 4
33 test "x\$5" != "x${expected_key_fp}" && exit 5
34 test "x\$6" != "xblah" && exit 6
35fi
Damien Miller771c43c2012-12-03 10:12:13 +1100[diff] [blame]36exec cat "$OBJ/authorized_keys_${LOGNAME}"
37_EOF
38$SUDO chmod 0755 "$KEY_COMMAND"
39
Damien Miller1acc0582016-02-23 16:12:13 +1100[diff] [blame]40if ! $OBJ/check-perm -m keys-command $KEY_COMMAND ; then
41 echo "skipping: $KEY_COMMAND is unsuitable as AuthorizedKeysCommand"
42 $SUDO rm -f $KEY_COMMAND
43 exit 0
44fi
45
Darren Tucker3dfb8772012-12-07 13:03:10 +1100[diff] [blame]46if [ -x $KEY_COMMAND ]; then
djm@openbsd.org84452c52015-05-21 06:40:02 +0000[diff] [blame]47 cp $OBJ/sshd_proxy $OBJ/sshd_proxy.bak
48
49 verbose "AuthorizedKeysCommand with arguments"
50 (
51 grep -vi AuthorizedKeysFile $OBJ/sshd_proxy.bak
52 echo AuthorizedKeysFile none
53 echo AuthorizedKeysCommand $KEY_COMMAND %u blah %k %t %f blah
54 echo AuthorizedKeysCommandUser ${LOGNAME}
55 ) > $OBJ/sshd_proxy
56
57 # Ensure that $PATH is sanitised in sshd
58 env PATH=$PATH:/sbin/mekmitasdigoat \
59 ${SSH} -F $OBJ/ssh_proxy somehost true
60 if [ $? -ne 0 ]; then
61 fail "connect failed"
62 fi
63
64 verbose "AuthorizedKeysCommand without arguments"
65 # Check legacy behavior of no-args resulting in username being passed.
66 (
67 grep -vi AuthorizedKeysFile $OBJ/sshd_proxy.bak
68 echo AuthorizedKeysFile none
69 echo AuthorizedKeysCommand $KEY_COMMAND
70 echo AuthorizedKeysCommandUser ${LOGNAME}
71 ) > $OBJ/sshd_proxy
72
73 # Ensure that $PATH is sanitised in sshd
74 env PATH=$PATH:/sbin/mekmitasdigoat \
75 ${SSH} -F $OBJ/ssh_proxy somehost true
Darren Tucker3dfb8772012-12-07 13:03:10 +1100[diff] [blame]76 if [ $? -ne 0 ]; then
77 fail "connect failed"
78 fi
79else
80 echo "SKIPPED: $KEY_COMMAND not executable (/var/run mounted noexec?)"
Damien Miller771c43c2012-12-03 10:12:13 +1100[diff] [blame]81fi