1 # $OpenBSD: key-options.sh,v 1.9 2018/07/03 13:53:26 djm Exp $
2 # Placed in the Public Domain.
6 origkeys="$OBJ/authkeys_orig"
7 authkeys="$OBJ/authorized_keys_${USER}"
10 # Test command= forced command
11 for c in 'command="echo bar"' 'no-pty,command="echo bar"'; do
12 sed "s/.*/$c &/" $origkeys >$authkeys
13 verbose "key option $c"
14 r=`${SSH} -q -F $OBJ/ssh_proxy somehost echo foo`
15 if [ "$r" = "foo" ]; then
16 fail "key option forced command not restricted"
18 if [ "$r" != "bar" ]; then
19 fail "key option forced command not executed"
24 expect_pty_succeed() {
28 sed "s/.*/$opts &/" $origkeys >$authkeys
29 verbose "key option pty $which"
30 config_defined HAVE_OPENPTY || verbose "skipped for no openpty(3)"
31 ${SSH} -ttq -F $OBJ/ssh_proxy somehost "tty > $OBJ/data; exit 0"
32 if [ $? -ne 0 ] ; then
33 fail "key option failed $which"
38 *) fail "key option failed $which (pty $r)" ;;
46 sed "s/.*/$opts &/" $origkeys >$authkeys
47 verbose "key option pty $which"
48 config_defined HAVE_OPENPTY || verbose "skipped for no openpty(3)"
49 ${SSH} -ttq -F $OBJ/ssh_proxy somehost "tty > $OBJ/data; exit 0"
53 fail "key option failed $which (pty $r)"
56 /dev/*) fail "key option failed $which (pty $r)" ;;
61 # First ensure that we can allocate a pty by default.
62 expect_pty_succeed "default" ""
63 expect_pty_fail "no-pty" "no-pty"
64 expect_pty_fail "restrict" "restrict"
65 expect_pty_succeed "restrict,pty" "restrict,pty"
68 # XXX this can fail if ~/.ssh/environment exists for the user running the test
69 echo 'PermitUserEnvironment yes' >> $OBJ/sshd_proxy
70 sed 's/.*/environment="FOO=bar" &/' $origkeys >$authkeys
71 verbose "key option environment"
72 r=`${SSH} -q -F $OBJ/ssh_proxy somehost 'echo $FOO'`
73 if [ "$r" != "bar" ]; then
74 fail "key option environment not set"
77 # Test from= restriction
79 for f in 127.0.0.1 '127.0.0.0\/8'; do
80 cat $origkeys >$authkeys
81 ${SSH} -q -F $OBJ/ssh_proxy somehost true
83 fail "key option failed without restriction"
86 sed 's/.*/from="'"$f"'" &/' $origkeys >$authkeys
87 from=`head -1 $authkeys | cut -f1 -d ' '`
88 verbose "key option $from"
89 r=`${SSH} -q -F $OBJ/ssh_proxy somehost 'echo true'`
90 if [ "$r" = "true" ]; then
91 fail "key option $from not restricted"
94 r=`${SSH} -q -F $OBJ/ssh_config somehost 'echo true'`
95 if [ "$r" != "true" ]; then
96 fail "key option $from not allowed but should be"
100 check_valid_before() {
104 sed "s/.*/$opts &/" $origkeys >$authkeys
105 verbose "key option expiry-time $which"
106 ${SSH} -q -F $OBJ/ssh_proxy somehost true
109 fail) test $r -eq 0 && fail "key option succeeded $which" ;;
110 pass) test $r -ne 0 && fail "key option failed $which" ;;
111 *) fatal "unknown expectation $expect" ;;
114 check_valid_before "default" "" "pass"
115 check_valid_before "invalid" 'expiry-time="INVALID"' "fail"
116 check_valid_before "expired" 'expiry-time="19990101"' "fail"
117 check_valid_before "valid" 'expiry-time="20380101"' "pass"