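#	$OpenBSD: key-options.sh,v 1.9 2018/07/03 13:53:26 djm Exp $
#	Placed in the Public Domain.

# Regression test for authorized_keys key options: command=, no-pty,
# restrict, environment=, from= and expiry-time=. Each case prefixes every
# line of the saved key file with an option string and checks how a login
# through ${SSH} behaves.
# Names used below but not defined in the part of the file shown here:
# $OBJ, $USER, ${SSH}, verbose, fail, fatal, config_defined, start_sshd.
tid="key options"

# Pristine copy of the authorized_keys file. Every case regenerates
# $authkeys from it, so options never accumulate between cases.
origkeys="$OBJ/authkeys_orig"
authkeys="$OBJ/authorized_keys_${USER}"
# Without the saved copy every later case would build $authkeys from a
# missing file, so stop here instead of reporting misleading results.
cp -- "$authkeys" "$origkeys" || fatal "cannot save $authkeys to $origkeys"
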
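# Test command= forced command
# The client always asks for "echo foo"; with command="echo bar" on the key
# the server is expected to run "echo bar" instead, so the only acceptable
# output is "bar".
# $c is pasted into the sed replacement text, so an option string that
# contains "/" or "&" would have to be escaped first.
for c in 'command="echo bar"' 'no-pty,command="echo bar"'; do
	sed "s/.*/$c &/" "$origkeys" >"$authkeys"
	verbose "key option $c"
	# NOTE(review): ${SSH} is left unquoted in case the harness puts a
	# command plus arguments in it - confirm against the harness.
	r=`${SSH} -q -F "$OBJ/ssh_proxy" somehost echo foo`
	if [ "$r" = "foo" ]; then
		# The client's own command ran: the forced command was bypassed.
		fail "key option forced command not restricted"
	fi
	if [ "$r" != "bar" ]; then
		# Covers empty output too, e.g. when the login itself failed.
		fail "key option forced command not executed"
	fi
done
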
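# Test no-pty
#
# expect_pty_succeed LABEL OPTS
#   Prefix every saved key with OPTS, log in with a forced tty request
#   (-tt) and require the remote tty(1) to report a /dev/* path.
#   LABEL only appears in log and failure messages.
# Globals: reads OBJ, SSH, origkeys, authkeys; sets which, opts, r.
# Result is reported through fail(); nothing is printed on success.
expect_pty_succeed() {
	which=$1
	opts=$2
	# Quoted so a work directory with whitespace or glob characters cannot
	# make rm/sed/cat touch the wrong paths.
	rm -f "$OBJ/data"
	sed "s/.*/$opts &/" "$origkeys" >"$authkeys"
	verbose "key option pty $which"
	# This only logs: the check below still runs when HAVE_OPENPTY is not
	# defined.
	config_defined HAVE_OPENPTY || verbose "skipped for no openpty(3)"
	# $OBJ is expanded locally and reaches the remote command line
	# unquoted, so this part still assumes a path without whitespace.
	# "exit 0" hides tty(1)'s own status; the verdict comes from the file.
	if ${SSH} -ttq -F "$OBJ/ssh_proxy" somehost "tty > $OBJ/data; exit 0"; then
		r=`cat "$OBJ/data"`
		case "$r" in
		/dev/*) ;;
		*)	fail "key option failed $which (pty $r)" ;;
		esac
	else
		fail "key option failed $which"
	fi
}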
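# expect_pty_fail LABEL OPTS
#   Prefix every saved key with OPTS, log in with a forced tty request
#   (-tt) and require that the session did NOT get a pty: the remote
#   tty(1) output must be neither an existing path nor a /dev/* name.
#   LABEL only appears in log and failure messages.
# Globals: reads OBJ, SSH, origkeys, authkeys; sets which, opts, r.
# Caveat: this is a negative check. A login that fails outright, or a
# data file that is missing or empty, does not call fail(), so pair it
# with a positive baseline such as expect_pty_succeed.
expect_pty_fail() {
	which=$1
	opts=$2
	# Quoted so a work directory with whitespace or glob characters cannot
	# make rm/sed/cat touch the wrong paths.
	rm -f "$OBJ/data"
	sed "s/.*/$opts &/" "$origkeys" >"$authkeys"
	verbose "key option pty $which"
	# This only logs: the check below still runs when HAVE_OPENPTY is not
	# defined.
	config_defined HAVE_OPENPTY || verbose "skipped for no openpty(3)"
	# $OBJ is expanded locally and reaches the remote command line
	# unquoted, so this part still assumes a path without whitespace.
	if ${SSH} -ttq -F "$OBJ/ssh_proxy" somehost "tty > $OBJ/data; exit 0"; then
		r=`cat "$OBJ/data"`
		# Both checks are kept separate: a device that exists locally
		# is reported by each of them.
		if [ -e "$r" ]; then
			fail "key option failed $which (pty $r)"
		fi
		case "$r" in
		/dev/*)	fail "key option failed $which (pty $r)" ;;
		*)	;;
		esac
	else
		# Still not an error, but the restriction was never observed;
		# leave a trace so a vacuous pass can be spotted in the log.
		verbose "key option pty $which: ssh failed, pty check not performed"
	fi
}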
# Baseline first: a pty has to be obtainable with no key option at all,
# otherwise the negative cases below would prove nothing.
expect_pty_succeed default ''
# no-pty, and restrict on its own, are both expected to leave the
# session without a pty.
expect_pty_fail no-pty no-pty
expect_pty_fail restrict restrict
# restrict followed by pty is expected to allow the pty again.
expect_pty_succeed 'restrict,pty' 'restrict,pty'

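# Test environment=
# XXX this can fail if ~/.ssh/environment exists for the user running the test
# sshd only honours environment= when PermitUserEnvironment is enabled, so
# switch it on in the test server config. The line is appended and never
# removed, so it stays in effect for the rest of this script.
# NOTE(review): sshd_config(5) leaves PermitUserEnvironment off by default
# because user-supplied variables such as LD_PRELOAD can bypass access
# restrictions; keep this setting confined to test configurations.
echo 'PermitUserEnvironment yes' >>"$OBJ/sshd_proxy"
sed 's/.*/environment="FOO=bar" &/' "$origkeys" >"$authkeys"
verbose "key option environment"
# Single quotes: $FOO has to be expanded by the remote shell, not here.
r=`${SSH} -q -F "$OBJ/ssh_proxy" somehost 'echo $FOO'`
if [ "$r" != "bar" ]; then
	fail "key option environment not set"
fi
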
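# Test from= restriction
# The same key is tried over two client configs: with from="127..." set,
# the login through ssh_proxy must be refused and the login through
# ssh_config must be accepted.
# NOTE(review): presumably ssh_proxy reaches sshd without a TCP peer
# address while ssh_config connects over loopback to the daemon started
# by start_sshd - confirm against the harness.
start_sshd
# The "/" of the CIDR form is pre-escaped because $f is pasted into a sed
# replacement that uses "/" as its delimiter.
for f in 127.0.0.1 '127.0.0.0\/8'; do
	# Baseline: with no option the key has to be accepted, otherwise the
	# refusal checked below could have an unrelated cause.
	cat "$origkeys" >"$authkeys"
	${SSH} -q -F "$OBJ/ssh_proxy" somehost true
	if [ $? -ne 0 ]; then
		fail "key option failed without restriction"
	fi

	sed 's/.*/from="'"$f"'" &/' "$origkeys" >"$authkeys"
	# First space-separated field of the first key line, i.e. the
	# from="..." option as sshd will read it; used for messages only.
	from=`head -n 1 "$authkeys" | cut -f1 -d ' '`
	verbose "key option $from"
	r=`${SSH} -q -F "$OBJ/ssh_proxy" somehost 'echo true'`
	if [ "$r" = "true" ]; then
		fail "key option $from not restricted"
	fi

	r=`${SSH} -q -F "$OBJ/ssh_config" somehost 'echo true'`
	if [ "$r" != "true" ]; then
		fail "key option $from not allowed but should be"
	fi
done
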
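# check_valid_before LABEL OPTS EXPECT
#   Prefix every saved key with OPTS (an expiry-time= option, or empty),
#   attempt a login that runs "true", and compare the ssh exit status
#   with EXPECT:
#     pass - the login must succeed (status 0)
#     fail - the login must be refused (status non-zero)
#   Any other EXPECT value is a bug in the caller and goes to fatal().
#   LABEL only appears in log and failure messages.
# Globals: reads OBJ, SSH, origkeys, authkeys; sets which, opts, expect, r.
# Returns 0 when the expectation is met.
check_valid_before() {
	which=$1
	opts=$2
	expect=$3
	sed "s/.*/$opts &/" "$origkeys" >"$authkeys"
	verbose "key option expiry-time $which"
	${SSH} -q -F "$OBJ/ssh_proxy" somehost true
	r=$?
	# Plain if-blocks, so a met expectation does not leave the function
	# with the non-zero status of a short-circuited "test ... &&".
	case "$expect" in
	fail)
		if [ "$r" -eq 0 ]; then
			fail "key option succeeded $which"
		fi
		;;
	pass)
		if [ "$r" -ne 0 ]; then
			fail "key option failed $which"
		fi
		;;
	*)	fatal "unknown expectation $expect" ;;
	esac
}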
# Baseline: with no option the login has to work.
check_valid_before default '' pass
# An unparseable value and a date in the past must both refuse the key.
check_valid_before invalid 'expiry-time="INVALID"' fail
check_valid_before expired 'expiry-time="19990101"' fail
# NOTE(review): this case depends on the host clock and will start to
# fail once the date on the test machine passes 2038-01-01.
check_valid_before valid 'expiry-time="20380101"' pass
