summaryrefslogtreecommitdiffstats
path: root/regress/keys-command.sh
blob: 33b6e7b423df681bee0841ade6fdd53ca67d73f0 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
#	$OpenBSD: keys-command.sh,v 1.6 2019/07/25 08:48:11 dtucker Exp $
#	Placed in the Public Domain.

tid="authorized keys from command"

if [ -z "$SUDO" -a ! -w /var/run ]; then
	echo "skipped (SUDO not set)"
	echo "need SUDO to create file in /var/run, test won't work without"
	exit 0
fi

rm -f $OBJ/keys-command-args

touch $OBJ/keys-command-args
chmod a+rw $OBJ/keys-command-args

expected_key_text=`awk '{ print $2 }' < $OBJ/ssh-ed25519.pub`
expected_key_fp=`$SSHKEYGEN -lf $OBJ/ssh-ed25519.pub | awk '{ print $2 }'`

# Establish a AuthorizedKeysCommand in /var/run where it will have
# acceptable directory permissions.
KEY_COMMAND="/var/run/keycommand_${LOGNAME}.$$"
trap "${SUDO} rm -f ${KEY_COMMAND}" 0
cat << _EOF | $SUDO sh -c "rm -f '$KEY_COMMAND' ; cat > '$KEY_COMMAND'"
#!/bin/sh
echo args: "\$@" >> $OBJ/keys-command-args
echo "$PATH" | grep -q mekmitasdigoat && exit 7
test "x\$1" != "x${LOGNAME}" && exit 1
if test $# -eq 6 ; then
	test "x\$2" != "xblah" && exit 2
	test "x\$3" != "x${expected_key_text}" && exit 3
	test "x\$4" != "xssh-rsa" && exit 4
	test "x\$5" != "x${expected_key_fp}" && exit 5
	test "x\$6" != "xblah" && exit 6
fi
exec cat "$OBJ/authorized_keys_${LOGNAME}"
_EOF
$SUDO chmod 0755 "$KEY_COMMAND"

if ! $OBJ/check-perm -m keys-command $KEY_COMMAND ; then
	echo "skipping: $KEY_COMMAND is unsuitable as AuthorizedKeysCommand"
	$SUDO rm -f $KEY_COMMAND
	exit 0
fi

if [ -x $KEY_COMMAND ]; then
	cp $OBJ/sshd_proxy $OBJ/sshd_proxy.bak

	verbose "AuthorizedKeysCommand with arguments"
	(
		grep -vi AuthorizedKeysFile $OBJ/sshd_proxy.bak
		echo AuthorizedKeysFile none
		echo AuthorizedKeysCommand $KEY_COMMAND %u blah %k %t %f blah
		echo AuthorizedKeysCommandUser ${LOGNAME}
	) > $OBJ/sshd_proxy

	# Ensure that $PATH is sanitised in sshd
	env PATH=$PATH:/sbin/mekmitasdigoat \
	    ${SSH} -F $OBJ/ssh_proxy somehost true
	if [ $? -ne 0 ]; then
		fail "connect failed"
	fi

	verbose "AuthorizedKeysCommand without arguments"
	# Check legacy behavior of no-args resulting in username being passed.
	(
		grep -vi AuthorizedKeysFile $OBJ/sshd_proxy.bak
		echo AuthorizedKeysFile none
		echo AuthorizedKeysCommand $KEY_COMMAND
		echo AuthorizedKeysCommandUser ${LOGNAME}
	) > $OBJ/sshd_proxy

	# Ensure that $PATH is sanitised in sshd
	env PATH=$PATH:/sbin/mekmitasdigoat \
	    ${SSH} -F $OBJ/ssh_proxy somehost true
	if [ $? -ne 0 ]; then
		fail "connect failed"
	fi
else
	echo "SKIPPED: $KEY_COMMAND not executable (/var/run mounted noexec?)"
fi