diff options
Diffstat (limited to 'regress/key-options.sh')
-rw-r--r-- | regress/key-options.sh | 124 |
1 files changed, 124 insertions, 0 deletions
diff --git a/regress/key-options.sh b/regress/key-options.sh new file mode 100644 index 0000000..097f46e --- /dev/null +++ b/regress/key-options.sh @@ -0,0 +1,124 @@ +# $OpenBSD: key-options.sh,v 1.9 2018/07/03 13:53:26 djm Exp $ +# Placed in the Public Domain. + +tid="key options" + +origkeys="$OBJ/authkeys_orig" +authkeys="$OBJ/authorized_keys_${USER}" +cp $authkeys $origkeys + +# Allocating ptys can require privileges on some platforms. +skip_pty="" +if ! config_defined HAVE_OPENPTY && [ "x$SUDO" == "x" ]; then + skip_pty="no openpty(3) and SUDO not set" +fi + +# Test command= forced command +for c in 'command="echo bar"' 'no-pty,command="echo bar"'; do + sed "s/.*/$c &/" $origkeys >$authkeys + verbose "key option $c" + r=`${SSH} -q -F $OBJ/ssh_proxy somehost echo foo` + if [ "$r" = "foo" ]; then + fail "key option forced command not restricted" + fi + if [ "$r" != "bar" ]; then + fail "key option forced command not executed" + fi +done + +# Test no-pty +expect_pty_succeed() { + which=$1 + opts=$2 + rm -f $OBJ/data + sed "s/.*/$opts &/" $origkeys >$authkeys + verbose "key option pty $which" + [ "x$skip_pty" != "x" ] && verbose "skipped because $skip_pty" && return + ${SSH} -ttq -F $OBJ/ssh_proxy somehost "tty > $OBJ/data; exit 0" + if [ $? -ne 0 ] ; then + fail "key option failed $which" + else + r=`cat $OBJ/data` + case "$r" in + /dev/*) ;; + *) fail "key option failed $which (pty $r)" ;; + esac + fi +} +expect_pty_fail() { + which=$1 + opts=$2 + rm -f $OBJ/data + sed "s/.*/$opts &/" $origkeys >$authkeys + verbose "key option pty $which" + [ "x$skip_pty" != "x" ] && verbose "skipped because $skip_pty" && return + ${SSH} -ttq -F $OBJ/ssh_proxy somehost "tty > $OBJ/data; exit 0" + if [ $? -eq 0 ]; then + r=`cat $OBJ/data` + if [ -e "$r" ]; then + fail "key option failed $which (pty $r)" + fi + case "$r" in + /dev/*) fail "key option failed $which (pty $r)" ;; + *) ;; + esac + fi +} +# First ensure that we can allocate a pty by default. +expect_pty_succeed "default" "" +expect_pty_fail "no-pty" "no-pty" +expect_pty_fail "restrict" "restrict" +expect_pty_succeed "restrict,pty" "restrict,pty" + +# Test environment= +# XXX this can fail if ~/.ssh/environment exists for the user running the test +echo 'PermitUserEnvironment yes' >> $OBJ/sshd_proxy +sed 's/.*/environment="FOO=bar" &/' $origkeys >$authkeys +verbose "key option environment" +r=`${SSH} -q -F $OBJ/ssh_proxy somehost 'echo $FOO'` +if [ "$r" != "bar" ]; then + fail "key option environment not set" +fi + +# Test from= restriction +start_sshd +for f in 127.0.0.1 '127.0.0.0\/8'; do + cat $origkeys >$authkeys + ${SSH} -q -F $OBJ/ssh_proxy somehost true + if [ $? -ne 0 ]; then + fail "key option failed without restriction" + fi + + sed 's/.*/from="'"$f"'" &/' $origkeys >$authkeys + from=`head -1 $authkeys | cut -f1 -d ' '` + verbose "key option $from" + r=`${SSH} -q -F $OBJ/ssh_proxy somehost 'echo true'` + if [ "$r" = "true" ]; then + fail "key option $from not restricted" + fi + + r=`${SSH} -q -F $OBJ/ssh_config somehost 'echo true'` + if [ "$r" != "true" ]; then + fail "key option $from not allowed but should be" + fi +done + +check_valid_before() { + which=$1 + opts=$2 + expect=$3 + sed "s/.*/$opts &/" $origkeys >$authkeys + verbose "key option expiry-time $which" + ${SSH} -q -F $OBJ/ssh_proxy somehost true + r=$? + case "$expect" in + fail) test $r -eq 0 && fail "key option succeeded $which" ;; + pass) test $r -ne 0 && fail "key option failed $which" ;; + *) fatal "unknown expectation $expect" ;; + esac +} +check_valid_before "default" "" "pass" +check_valid_before "invalid" 'expiry-time="INVALID"' "fail" +check_valid_before "expired" 'expiry-time="19990101"' "fail" +check_valid_before "valid" 'expiry-time="20380101"' "pass" + |