crypto/openssh/regress/keys-command.sh

   1 #       $OpenBSD: keys-command.sh,v 1.3 2015/05/21 06:40:02 djm Exp $
   2 #       Placed in the Public Domain.
   3
   4 tid="authorized keys from command"
   5
   6 if test -z "$SUDO" ; then
   7         echo "skipped (SUDO not set)"
   8         echo "need SUDO to create file in /var/run, test won't work without"
   9         exit 0
  10 fi
  11
  12 rm -f $OBJ/keys-command-args
  13
  14 touch $OBJ/keys-command-args
  15 chmod a+rw $OBJ/keys-command-args
  16
  17 expected_key_text=`awk '{ print $2 }' < $OBJ/rsa.pub`
  18 expected_key_fp=`$SSHKEYGEN -lf $OBJ/rsa.pub | awk '{ print $2 }'`
  19
  20 # Establish a AuthorizedKeysCommand in /var/run where it will have
  21 # acceptable directory permissions.
  22 KEY_COMMAND="/var/run/keycommand_${LOGNAME}"
  23 cat << _EOF | $SUDO sh -c "rm -f '$KEY_COMMAND' ; cat > '$KEY_COMMAND'"
  24 #!/bin/sh
  25 echo args: "\$@" >> $OBJ/keys-command-args
  26 echo "$PATH" | grep -q mekmitasdigoat && exit 7
  27 test "x\$1" != "x${LOGNAME}" && exit 1
  28 if test $# -eq 6 ; then
  29         test "x\$2" != "xblah" && exit 2
  30         test "x\$3" != "x${expected_key_text}" && exit 3
  31         test "x\$4" != "xssh-rsa" && exit 4
  32         test "x\$5" != "x${expected_key_fp}" && exit 5
  33         test "x\$6" != "xblah" && exit 6
  34 fi
  35 exec cat "$OBJ/authorized_keys_${LOGNAME}"
  36 _EOF
  37 $SUDO chmod 0755 "$KEY_COMMAND"
  38
  39 if [ -x $KEY_COMMAND ]; then
  40         cp $OBJ/sshd_proxy $OBJ/sshd_proxy.bak
  41
  42         verbose "AuthorizedKeysCommand with arguments"
  43         (
  44                 grep -vi AuthorizedKeysFile $OBJ/sshd_proxy.bak
  45                 echo AuthorizedKeysFile none
  46                 echo AuthorizedKeysCommand $KEY_COMMAND %u blah %k %t %f blah
  47                 echo AuthorizedKeysCommandUser ${LOGNAME}
  48         ) > $OBJ/sshd_proxy
  49
  50         # Ensure that $PATH is sanitised in sshd
  51         env PATH=$PATH:/sbin/mekmitasdigoat \
  52             ${SSH} -F $OBJ/ssh_proxy somehost true
  53         if [ $? -ne 0 ]; then
  54                 fail "connect failed"
  55         fi
  56
  57         verbose "AuthorizedKeysCommand without arguments"
  58         # Check legacy behavior of no-args resulting in username being passed.
  59         (
  60                 grep -vi AuthorizedKeysFile $OBJ/sshd_proxy.bak
  61                 echo AuthorizedKeysFile none
  62                 echo AuthorizedKeysCommand $KEY_COMMAND
  63                 echo AuthorizedKeysCommandUser ${LOGNAME}
  64         ) > $OBJ/sshd_proxy
  65
  66         # Ensure that $PATH is sanitised in sshd
  67         env PATH=$PATH:/sbin/mekmitasdigoat \
  68             ${SSH} -F $OBJ/ssh_proxy somehost true
  69         if [ $? -ne 0 ]; then
  70                 fail "connect failed"
  71         fi
  72 else
  73         echo "SKIPPED: $KEY_COMMAND not executable (/var/run mounted noexec?)"
  74 fi
  75
  76 $SUDO rm -f $KEY_COMMAND