xref: /openbsd/regress/usr.bin/ssh/keys-command.sh (revision 264ca280) 
1#	$OpenBSD: keys-command.sh,v 1.3 2015/05/21 06:40:02 djm Exp $
2#	Placed in the Public Domain.
3
4tid="authorized keys from command"
5
6if [ -z "$SUDO" ]; then
7	fatal "need SUDO to create file in /var/run, test won't work without"
8fi
9
10rm -f $OBJ/keys-command-args
11
12touch $OBJ/keys-command-args
13chmod a+rw $OBJ/keys-command-args
14
15expected_key_text=`awk '{ print $2 }' < $OBJ/rsa.pub`
16expected_key_fp=`$SSHKEYGEN -lf $OBJ/rsa.pub | awk '{ print $2 }'`
17
18# Establish a AuthorizedKeysCommand in /var/run where it will have
19# acceptable directory permissions.
20KEY_COMMAND="/var/run/keycommand_${LOGNAME}"
21cat << _EOF | $SUDO sh -c "rm -f '$KEY_COMMAND' ; cat > '$KEY_COMMAND'"
22#!/bin/sh
23echo args: "\$@" >> $OBJ/keys-command-args
24echo "$PATH" | grep -q mekmitasdigoat && exit 7
25test "x\$1" != "x${LOGNAME}" && exit 1
26if test $# -eq 6 ; then
27	test "x\$2" != "xblah" && exit 2
28	test "x\$3" != "x${expected_key_text}" && exit 3
29	test "x\$4" != "xssh-rsa" && exit 4
30	test "x\$5" != "x${expected_key_fp}" && exit 5
31	test "x\$6" != "xblah" && exit 6
32fi
33exec cat "$OBJ/authorized_keys_${LOGNAME}"
34_EOF
35$SUDO chmod 0755 "$KEY_COMMAND"
36
37if [ -x $KEY_COMMAND ]; then
38	cp $OBJ/sshd_proxy $OBJ/sshd_proxy.bak
39
40	verbose "AuthorizedKeysCommand with arguments"
41	(
42		grep -vi AuthorizedKeysFile $OBJ/sshd_proxy.bak
43		echo AuthorizedKeysFile none
44		echo AuthorizedKeysCommand $KEY_COMMAND %u blah %k %t %f blah
45		echo AuthorizedKeysCommandUser ${LOGNAME}
46	) > $OBJ/sshd_proxy
47
48	# Ensure that $PATH is sanitised in sshd
49	env PATH=$PATH:/sbin/mekmitasdigoat \
50	    ${SSH} -F $OBJ/ssh_proxy somehost true
51	if [ $? -ne 0 ]; then
52		fail "connect failed"
53	fi
54
55	verbose "AuthorizedKeysCommand without arguments"
56	# Check legacy behavior of no-args resulting in username being passed.
57	(
58		grep -vi AuthorizedKeysFile $OBJ/sshd_proxy.bak
59		echo AuthorizedKeysFile none
60		echo AuthorizedKeysCommand $KEY_COMMAND
61		echo AuthorizedKeysCommandUser ${LOGNAME}
62	) > $OBJ/sshd_proxy
63
64	# Ensure that $PATH is sanitised in sshd
65	env PATH=$PATH:/sbin/mekmitasdigoat \
66	    ${SSH} -F $OBJ/ssh_proxy somehost true
67	if [ $? -ne 0 ]; then
68		fail "connect failed"
69	fi
70else
71	echo "SKIPPED: $KEY_COMMAND not executable (/var/run mounted noexec?)"
72fi
73
74$SUDO rm -f $KEY_COMMAND
75