crypto/openssh/regress/keys-command.sh

   1 #       $OpenBSD: keys-command.sh,v 1.6 2019/07/25 08:48:11 dtucker Exp $
   2 #       Placed in the Public Domain.
   3
   4 tid="authorized keys from command"
   5
   6 if [ -z "$SUDO" -a ! -w /var/run ]; then
   7         echo "skipped (SUDO not set)"
   8         echo "need SUDO to create file in /var/run, test won't work without"
   9         exit 0
  10 fi
  11
  12 rm -f $OBJ/keys-command-args
  13
  14 touch $OBJ/keys-command-args
  15 chmod a+rw $OBJ/keys-command-args
  16
  17 expected_key_text=`awk '{ print $2 }' < $OBJ/ssh-ed25519.pub`
  18 expected_key_fp=`$SSHKEYGEN -lf $OBJ/ssh-ed25519.pub | awk '{ print $2 }'`
  19
  20 # Establish a AuthorizedKeysCommand in /var/run where it will have
  21 # acceptable directory permissions.
  22 KEY_COMMAND="/var/run/keycommand_${LOGNAME}.$$"
  23 trap "${SUDO} rm -f ${KEY_COMMAND}" 0
  24 cat << _EOF | $SUDO sh -c "rm -f '$KEY_COMMAND' ; cat > '$KEY_COMMAND'"
  25 #!/bin/sh
  26 echo args: "\$@" >> $OBJ/keys-command-args
  27 echo "$PATH" | grep -q mekmitasdigoat && exit 7
  28 test "x\$1" != "x${LOGNAME}" && exit 1
  29 if test $# -eq 6 ; then
  30         test "x\$2" != "xblah" && exit 2
  31         test "x\$3" != "x${expected_key_text}" && exit 3
  32         test "x\$4" != "xssh-rsa" && exit 4
  33         test "x\$5" != "x${expected_key_fp}" && exit 5
  34         test "x\$6" != "xblah" && exit 6
  35 fi
  36 exec cat "$OBJ/authorized_keys_${LOGNAME}"
  37 _EOF
  38 $SUDO chmod 0755 "$KEY_COMMAND"
  39
  40 if ! $OBJ/check-perm -m keys-command $KEY_COMMAND ; then
  41         echo "skipping: $KEY_COMMAND is unsuitable as AuthorizedKeysCommand"
  42         $SUDO rm -f $KEY_COMMAND
  43         exit 0
  44 fi
  45
  46 if [ -x $KEY_COMMAND ]; then
  47         cp $OBJ/sshd_proxy $OBJ/sshd_proxy.bak
  48
  49         verbose "AuthorizedKeysCommand with arguments"
  50         (
  51                 grep -vi AuthorizedKeysFile $OBJ/sshd_proxy.bak
  52                 echo AuthorizedKeysFile none
  53                 echo AuthorizedKeysCommand $KEY_COMMAND %u blah %k %t %f blah
  54                 echo AuthorizedKeysCommandUser ${LOGNAME}
  55         ) > $OBJ/sshd_proxy
  56
  57         # Ensure that $PATH is sanitised in sshd
  58         env PATH=$PATH:/sbin/mekmitasdigoat \
  59             ${SSH} -F $OBJ/ssh_proxy somehost true
  60         if [ $? -ne 0 ]; then
  61                 fail "connect failed"
  62         fi
  63
  64         verbose "AuthorizedKeysCommand without arguments"
  65         # Check legacy behavior of no-args resulting in username being passed.
  66         (
  67                 grep -vi AuthorizedKeysFile $OBJ/sshd_proxy.bak
  68                 echo AuthorizedKeysFile none
  69                 echo AuthorizedKeysCommand $KEY_COMMAND
  70                 echo AuthorizedKeysCommandUser ${LOGNAME}
  71         ) > $OBJ/sshd_proxy
  72
  73         # Ensure that $PATH is sanitised in sshd
  74         env PATH=$PATH:/sbin/mekmitasdigoat \
  75             ${SSH} -F $OBJ/ssh_proxy somehost true
  76         if [ $? -ne 0 ]; then
  77                 fail "connect failed"
  78         fi
  79 else
  80         echo "SKIPPED: $KEY_COMMAND not executable (/var/run mounted noexec?)"
  81 fi