crypto/openssh/regress/keys-command.sh

   1 #       $OpenBSD: keys-command.sh,v 1.3 2015/05/21 06:40:02 djm Exp $
   2 #       Placed in the Public Domain.
   3
   4 tid="authorized keys from command"
   5
   6 if test -z "$SUDO" ; then
   7         echo "skipped (SUDO not set)"
   8         echo "need SUDO to create file in /var/run, test won't work without"
   9         exit 0
  10 fi
  11
  12 rm -f $OBJ/keys-command-args
  13
  14 touch $OBJ/keys-command-args
  15 chmod a+rw $OBJ/keys-command-args
  16
  17 expected_key_text=`awk '{ print $2 }' < $OBJ/rsa.pub`
  18 expected_key_fp=`$SSHKEYGEN -lf $OBJ/rsa.pub | awk '{ print $2 }'`
  19
  20 # Establish a AuthorizedKeysCommand in /var/run where it will have
  21 # acceptable directory permissions.
  22 KEY_COMMAND="/var/run/keycommand_${LOGNAME}"
  23 cat << _EOF | $SUDO sh -c "rm -f '$KEY_COMMAND' ; cat > '$KEY_COMMAND'"
  24 #!/bin/sh
  25 echo args: "\$@" >> $OBJ/keys-command-args
  26 echo "$PATH" | grep -q mekmitasdigoat && exit 7
  27 test "x\$1" != "x${LOGNAME}" && exit 1
  28 if test $# -eq 6 ; then
  29         test "x\$2" != "xblah" && exit 2
  30         test "x\$3" != "x${expected_key_text}" && exit 3
  31         test "x\$4" != "xssh-rsa" && exit 4
  32         test "x\$5" != "x${expected_key_fp}" && exit 5
  33         test "x\$6" != "xblah" && exit 6
  34 fi
  35 exec cat "$OBJ/authorized_keys_${LOGNAME}"
  36 _EOF
  37 $SUDO chmod 0755 "$KEY_COMMAND"
  38
  39 if ! $OBJ/check-perm -m keys-command $KEY_COMMAND ; then
  40         echo "skipping: $KEY_COMMAND is unsuitable as AuthorizedKeysCommand"
  41         $SUDO rm -f $KEY_COMMAND
  42         exit 0
  43 fi
  44
  45 if [ -x $KEY_COMMAND ]; then
  46         cp $OBJ/sshd_proxy $OBJ/sshd_proxy.bak
  47
  48         verbose "AuthorizedKeysCommand with arguments"
  49         (
  50                 grep -vi AuthorizedKeysFile $OBJ/sshd_proxy.bak
  51                 echo AuthorizedKeysFile none
  52                 echo AuthorizedKeysCommand $KEY_COMMAND %u blah %k %t %f blah
  53                 echo AuthorizedKeysCommandUser ${LOGNAME}
  54         ) > $OBJ/sshd_proxy
  55
  56         # Ensure that $PATH is sanitised in sshd
  57         env PATH=$PATH:/sbin/mekmitasdigoat \
  58             ${SSH} -F $OBJ/ssh_proxy somehost true
  59         if [ $? -ne 0 ]; then
  60                 fail "connect failed"
  61         fi
  62
  63         verbose "AuthorizedKeysCommand without arguments"
  64         # Check legacy behavior of no-args resulting in username being passed.
  65         (
  66                 grep -vi AuthorizedKeysFile $OBJ/sshd_proxy.bak
  67                 echo AuthorizedKeysFile none
  68                 echo AuthorizedKeysCommand $KEY_COMMAND
  69                 echo AuthorizedKeysCommandUser ${LOGNAME}
  70         ) > $OBJ/sshd_proxy
  71
  72         # Ensure that $PATH is sanitised in sshd
  73         env PATH=$PATH:/sbin/mekmitasdigoat \
  74             ${SSH} -F $OBJ/ssh_proxy somehost true
  75         if [ $? -ne 0 ]; then
  76                 fail "connect failed"
  77         fi
  78 else
  79         echo "SKIPPED: $KEY_COMMAND not executable (/var/run mounted noexec?)"
  80 fi
  81
  82 $SUDO rm -f $KEY_COMMAND