blob: 825ab25a064803e1ac1dc05e53342a29d8a5bb8e (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
|
# $OpenBSD: forcecommand.sh,v 1.7 2023/11/01 02:08:38 dtucker Exp $
# Placed in the Public Domain.
tid="forced command"
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
authorized_keys() {
cmd=$1
cp /dev/null $OBJ/authorized_keys_$USER
for t in ${SSH_KEYTYPES}; do
test -z "$cmd" || \
printf "command=\"$cmd\" " >>$OBJ/authorized_keys_$USER
cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
done
}
trace "test config with sftp"
authorized_keys
rm -f $OBJ/ssh_proxy.tmp
echo "@get $OBJ/ssh_proxy $OBJ/ssh_proxy.tmp" | \
${SFTP} -S ${SSH} -b - -qF $OBJ/ssh_proxy somehost 2>/dev/null || \
fail "sftp failed"
test -f "$OBJ/ssh_proxy.tmp" || fail "sftp did not download file"
rm -f $OBJ/ssh_proxy.tmp
trace "forced command in key option"
authorized_keys true
${SSH} -F $OBJ/ssh_proxy somehost false || fail "forced command in key option"
authorized_keys false
cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
echo "ForceCommand true" >> $OBJ/sshd_proxy
trace "forced command in sshd_config overrides key option"
${SSH} -F $OBJ/ssh_proxy somehost false || fail "forced command config"
authorized_keys
cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
echo "ForceCommand false" >> $OBJ/sshd_proxy
trace "force command overriding subsystem"
echo "@get $OBJ/ssh_proxy $OBJ/ssh_proxy.tmp" | \
${SFTP} -S ${SSH} -F $OBJ/ssh_proxy -oLoglevel=quiet somehost && \
fail "sftp succeeded"
echo "Match User $USER" >> $OBJ/sshd_proxy
echo " ForceCommand true" >> $OBJ/sshd_proxy
trace "forced command with match"
${SSH} -F $OBJ/ssh_proxy somehost false || fail "forced command match"
trace "force command in match overriding subsystem"
echo "@get $OBJ/ssh_proxy $OBJ/ssh_proxy.tmp" | \
${SFTP} -S ${SSH} -F $OBJ/ssh_proxy -oLoglevel=quiet somehost && \
fail "sftp succeeded"
trace "force command to sftpserver"
grep -vi subsystem $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
echo "Subsystem sftp /bin/false" >> $OBJ/sshd_proxy
echo "ForceCommand ${SFTPSERVER}" >> $OBJ/sshd_proxy
rm -f $OBJ/ssh_proxy.tmp
echo "@get $OBJ/ssh_proxy $OBJ/ssh_proxy.tmp" | \
${SFTP} -S ${SSH} -b - -qF $OBJ/ssh_proxy somehost 2>/dev/null || \
fail "sftp failed"
test -f "$OBJ/ssh_proxy.tmp" || fail "sftp did not download file"
rm -f $OBJ/ssh_proxy.tmp
|