summaryrefslogtreecommitdiffstats
path: root/regress/key-options.sh
diff options
context:
space:
mode:
Diffstat (limited to 'regress/key-options.sh')
-rw-r--r--regress/key-options.sh124
1 files changed, 124 insertions, 0 deletions
diff --git a/regress/key-options.sh b/regress/key-options.sh
new file mode 100644
index 0000000..097f46e
--- /dev/null
+++ b/regress/key-options.sh
@@ -0,0 +1,124 @@
+# $OpenBSD: key-options.sh,v 1.9 2018/07/03 13:53:26 djm Exp $
+# Placed in the Public Domain.
+
+tid="key options"
+
+origkeys="$OBJ/authkeys_orig"
+authkeys="$OBJ/authorized_keys_${USER}"
+cp $authkeys $origkeys
+
+# Allocating ptys can require privileges on some platforms.
+skip_pty=""
+if ! config_defined HAVE_OPENPTY && [ "x$SUDO" == "x" ]; then
+ skip_pty="no openpty(3) and SUDO not set"
+fi
+
+# Test command= forced command
+for c in 'command="echo bar"' 'no-pty,command="echo bar"'; do
+ sed "s/.*/$c &/" $origkeys >$authkeys
+ verbose "key option $c"
+ r=`${SSH} -q -F $OBJ/ssh_proxy somehost echo foo`
+ if [ "$r" = "foo" ]; then
+ fail "key option forced command not restricted"
+ fi
+ if [ "$r" != "bar" ]; then
+ fail "key option forced command not executed"
+ fi
+done
+
+# Test no-pty
+expect_pty_succeed() {
+ which=$1
+ opts=$2
+ rm -f $OBJ/data
+ sed "s/.*/$opts &/" $origkeys >$authkeys
+ verbose "key option pty $which"
+ [ "x$skip_pty" != "x" ] && verbose "skipped because $skip_pty" && return
+ ${SSH} -ttq -F $OBJ/ssh_proxy somehost "tty > $OBJ/data; exit 0"
+ if [ $? -ne 0 ] ; then
+ fail "key option failed $which"
+ else
+ r=`cat $OBJ/data`
+ case "$r" in
+ /dev/*) ;;
+ *) fail "key option failed $which (pty $r)" ;;
+ esac
+ fi
+}
+expect_pty_fail() {
+ which=$1
+ opts=$2
+ rm -f $OBJ/data
+ sed "s/.*/$opts &/" $origkeys >$authkeys
+ verbose "key option pty $which"
+ [ "x$skip_pty" != "x" ] && verbose "skipped because $skip_pty" && return
+ ${SSH} -ttq -F $OBJ/ssh_proxy somehost "tty > $OBJ/data; exit 0"
+ if [ $? -eq 0 ]; then
+ r=`cat $OBJ/data`
+ if [ -e "$r" ]; then
+ fail "key option failed $which (pty $r)"
+ fi
+ case "$r" in
+ /dev/*) fail "key option failed $which (pty $r)" ;;
+ *) ;;
+ esac
+ fi
+}
+# First ensure that we can allocate a pty by default.
+expect_pty_succeed "default" ""
+expect_pty_fail "no-pty" "no-pty"
+expect_pty_fail "restrict" "restrict"
+expect_pty_succeed "restrict,pty" "restrict,pty"
+
+# Test environment=
+# XXX this can fail if ~/.ssh/environment exists for the user running the test
+echo 'PermitUserEnvironment yes' >> $OBJ/sshd_proxy
+sed 's/.*/environment="FOO=bar" &/' $origkeys >$authkeys
+verbose "key option environment"
+r=`${SSH} -q -F $OBJ/ssh_proxy somehost 'echo $FOO'`
+if [ "$r" != "bar" ]; then
+ fail "key option environment not set"
+fi
+
+# Test from= restriction
+start_sshd
+for f in 127.0.0.1 '127.0.0.0\/8'; do
+ cat $origkeys >$authkeys
+ ${SSH} -q -F $OBJ/ssh_proxy somehost true
+ if [ $? -ne 0 ]; then
+ fail "key option failed without restriction"
+ fi
+
+ sed 's/.*/from="'"$f"'" &/' $origkeys >$authkeys
+ from=`head -1 $authkeys | cut -f1 -d ' '`
+ verbose "key option $from"
+ r=`${SSH} -q -F $OBJ/ssh_proxy somehost 'echo true'`
+ if [ "$r" = "true" ]; then
+ fail "key option $from not restricted"
+ fi
+
+ r=`${SSH} -q -F $OBJ/ssh_config somehost 'echo true'`
+ if [ "$r" != "true" ]; then
+ fail "key option $from not allowed but should be"
+ fi
+done
+
+check_valid_before() {
+ which=$1
+ opts=$2
+ expect=$3
+ sed "s/.*/$opts &/" $origkeys >$authkeys
+ verbose "key option expiry-time $which"
+ ${SSH} -q -F $OBJ/ssh_proxy somehost true
+ r=$?
+ case "$expect" in
+ fail) test $r -eq 0 && fail "key option succeeded $which" ;;
+ pass) test $r -ne 0 && fail "key option failed $which" ;;
+ *) fatal "unknown expectation $expect" ;;
+ esac
+}
+check_valid_before "default" "" "pass"
+check_valid_before "invalid" 'expiry-time="INVALID"' "fail"
+check_valid_before "expired" 'expiry-time="19990101"' "fail"
+check_valid_before "valid" 'expiry-time="20380101"' "pass"
+