1*0fdf8faeSEd Maste# $OpenBSD: key-options.sh,v 1.10 2024/03/25 02:07:08 dtucker Exp $ 2ce3adf43SDag-Erling Smørgrav# Placed in the Public Domain. 3ce3adf43SDag-Erling Smørgrav 4ce3adf43SDag-Erling Smørgravtid="key options" 5ce3adf43SDag-Erling Smørgrav 6ce3adf43SDag-Erling Smørgravorigkeys="$OBJ/authkeys_orig" 7ce3adf43SDag-Erling Smørgravauthkeys="$OBJ/authorized_keys_${USER}" 8ce3adf43SDag-Erling Smørgravcp $authkeys $origkeys 9ce3adf43SDag-Erling Smørgrav 1019261079SEd Maste# Allocating ptys can require privileges on some platforms. 1119261079SEd Masteskip_pty="" 1219261079SEd Masteif ! config_defined HAVE_OPENPTY && [ "x$SUDO" = "x" ]; then 1319261079SEd Maste skip_pty="no openpty(3) and SUDO not set" 1419261079SEd Mastefi 1519261079SEd Maste 16ce3adf43SDag-Erling Smørgrav# Test command= forced command 17ce3adf43SDag-Erling Smørgravfor c in 'command="echo bar"' 'no-pty,command="echo bar"'; do 18ce3adf43SDag-Erling Smørgrav sed "s/.*/$c &/" $origkeys >$authkeys 194f52dfbbSDag-Erling Smørgrav verbose "key option $c" 204f52dfbbSDag-Erling Smørgrav r=`${SSH} -q -F $OBJ/ssh_proxy somehost echo foo` 21ce3adf43SDag-Erling Smørgrav if [ "$r" = "foo" ]; then 22ce3adf43SDag-Erling Smørgrav fail "key option forced command not restricted" 23ce3adf43SDag-Erling Smørgrav fi 24ce3adf43SDag-Erling Smørgrav if [ "$r" != "bar" ]; then 25ce3adf43SDag-Erling Smørgrav fail "key option forced command not executed" 26ce3adf43SDag-Erling Smørgrav fi 27ce3adf43SDag-Erling Smørgravdone 28ce3adf43SDag-Erling Smørgrav 29ce3adf43SDag-Erling Smørgrav# Test no-pty 3047dd1d1bSDag-Erling Smørgravexpect_pty_succeed() { 3147dd1d1bSDag-Erling Smørgrav which=$1 3247dd1d1bSDag-Erling Smørgrav opts=$2 3347dd1d1bSDag-Erling Smørgrav rm -f $OBJ/data 3447dd1d1bSDag-Erling Smørgrav sed "s/.*/$opts &/" $origkeys >$authkeys 3547dd1d1bSDag-Erling Smørgrav verbose "key option pty $which" 3619261079SEd Maste [ "x$skip_pty" != "x" ] && verbose "skipped because $skip_pty" && return 3747dd1d1bSDag-Erling Smørgrav ${SSH} -ttq -F $OBJ/ssh_proxy somehost "tty > $OBJ/data; exit 0" 3847dd1d1bSDag-Erling Smørgrav if [ $? -ne 0 ] ; then 3947dd1d1bSDag-Erling Smørgrav fail "key option failed $which" 4047dd1d1bSDag-Erling Smørgrav else 4147dd1d1bSDag-Erling Smørgrav r=`cat $OBJ/data` 4247dd1d1bSDag-Erling Smørgrav case "$r" in 4347dd1d1bSDag-Erling Smørgrav /dev/*) ;; 4447dd1d1bSDag-Erling Smørgrav *) fail "key option failed $which (pty $r)" ;; 4547dd1d1bSDag-Erling Smørgrav esac 46ce3adf43SDag-Erling Smørgrav fi 4747dd1d1bSDag-Erling Smørgrav} 4847dd1d1bSDag-Erling Smørgravexpect_pty_fail() { 4947dd1d1bSDag-Erling Smørgrav which=$1 5047dd1d1bSDag-Erling Smørgrav opts=$2 5147dd1d1bSDag-Erling Smørgrav rm -f $OBJ/data 5247dd1d1bSDag-Erling Smørgrav sed "s/.*/$opts &/" $origkeys >$authkeys 5347dd1d1bSDag-Erling Smørgrav verbose "key option pty $which" 5419261079SEd Maste [ "x$skip_pty" != "x" ] && verbose "skipped because $skip_pty" && return 5547dd1d1bSDag-Erling Smørgrav ${SSH} -ttq -F $OBJ/ssh_proxy somehost "tty > $OBJ/data; exit 0" 5647dd1d1bSDag-Erling Smørgrav if [ $? -eq 0 ]; then 5747dd1d1bSDag-Erling Smørgrav r=`cat $OBJ/data` 5847dd1d1bSDag-Erling Smørgrav if [ -e "$r" ]; then 5947dd1d1bSDag-Erling Smørgrav fail "key option failed $which (pty $r)" 6047dd1d1bSDag-Erling Smørgrav fi 6147dd1d1bSDag-Erling Smørgrav case "$r" in 6247dd1d1bSDag-Erling Smørgrav /dev/*) fail "key option failed $which (pty $r)" ;; 6347dd1d1bSDag-Erling Smørgrav *) ;; 6447dd1d1bSDag-Erling Smørgrav esac 6547dd1d1bSDag-Erling Smørgrav fi 6647dd1d1bSDag-Erling Smørgrav} 6747dd1d1bSDag-Erling Smørgrav# First ensure that we can allocate a pty by default. 6847dd1d1bSDag-Erling Smørgravexpect_pty_succeed "default" "" 6947dd1d1bSDag-Erling Smørgravexpect_pty_fail "no-pty" "no-pty" 7047dd1d1bSDag-Erling Smørgravexpect_pty_fail "restrict" "restrict" 7147dd1d1bSDag-Erling Smørgravexpect_pty_succeed "restrict,pty" "restrict,pty" 72ce3adf43SDag-Erling Smørgrav 73ce3adf43SDag-Erling Smørgrav# Test environment= 74190cef3dSDag-Erling Smørgrav# XXX this can fail if ~/.ssh/environment exists for the user running the test 75ce3adf43SDag-Erling Smørgravecho 'PermitUserEnvironment yes' >> $OBJ/sshd_proxy 76ce3adf43SDag-Erling Smørgravsed 's/.*/environment="FOO=bar" &/' $origkeys >$authkeys 774f52dfbbSDag-Erling Smørgravverbose "key option environment" 784f52dfbbSDag-Erling Smørgravr=`${SSH} -q -F $OBJ/ssh_proxy somehost 'echo $FOO'` 79ce3adf43SDag-Erling Smørgravif [ "$r" != "bar" ]; then 80ce3adf43SDag-Erling Smørgrav fail "key option environment not set" 81ce3adf43SDag-Erling Smørgravfi 82ce3adf43SDag-Erling Smørgrav 83ce3adf43SDag-Erling Smørgrav# Test from= restriction 84ce3adf43SDag-Erling Smørgravstart_sshd 85ce3adf43SDag-Erling Smørgravfor f in 127.0.0.1 '127.0.0.0\/8'; do 86ce3adf43SDag-Erling Smørgrav cat $origkeys >$authkeys 874f52dfbbSDag-Erling Smørgrav ${SSH} -q -F $OBJ/ssh_proxy somehost true 88ce3adf43SDag-Erling Smørgrav if [ $? -ne 0 ]; then 894f52dfbbSDag-Erling Smørgrav fail "key option failed without restriction" 90ce3adf43SDag-Erling Smørgrav fi 91ce3adf43SDag-Erling Smørgrav 92ce3adf43SDag-Erling Smørgrav sed 's/.*/from="'"$f"'" &/' $origkeys >$authkeys 93ce3adf43SDag-Erling Smørgrav from=`head -1 $authkeys | cut -f1 -d ' '` 944f52dfbbSDag-Erling Smørgrav verbose "key option $from" 954f52dfbbSDag-Erling Smørgrav r=`${SSH} -q -F $OBJ/ssh_proxy somehost 'echo true'` 96ce3adf43SDag-Erling Smørgrav if [ "$r" = "true" ]; then 974f52dfbbSDag-Erling Smørgrav fail "key option $from not restricted" 98ce3adf43SDag-Erling Smørgrav fi 99ce3adf43SDag-Erling Smørgrav 1004f52dfbbSDag-Erling Smørgrav r=`${SSH} -q -F $OBJ/ssh_config somehost 'echo true'` 101ce3adf43SDag-Erling Smørgrav if [ "$r" != "true" ]; then 1024f52dfbbSDag-Erling Smørgrav fail "key option $from not allowed but should be" 103ce3adf43SDag-Erling Smørgrav fi 104ce3adf43SDag-Erling Smørgravdone 105ce3adf43SDag-Erling Smørgrav 10647dd1d1bSDag-Erling Smørgravcheck_valid_before() { 10747dd1d1bSDag-Erling Smørgrav which=$1 10847dd1d1bSDag-Erling Smørgrav opts=$2 10947dd1d1bSDag-Erling Smørgrav expect=$3 11047dd1d1bSDag-Erling Smørgrav sed "s/.*/$opts &/" $origkeys >$authkeys 11147dd1d1bSDag-Erling Smørgrav verbose "key option expiry-time $which" 11247dd1d1bSDag-Erling Smørgrav ${SSH} -q -F $OBJ/ssh_proxy somehost true 11347dd1d1bSDag-Erling Smørgrav r=$? 11447dd1d1bSDag-Erling Smørgrav case "$expect" in 11547dd1d1bSDag-Erling Smørgrav fail) test $r -eq 0 && fail "key option succeeded $which" ;; 11647dd1d1bSDag-Erling Smørgrav pass) test $r -ne 0 && fail "key option failed $which" ;; 11747dd1d1bSDag-Erling Smørgrav *) fatal "unknown expectation $expect" ;; 11847dd1d1bSDag-Erling Smørgrav esac 11947dd1d1bSDag-Erling Smørgrav} 12047dd1d1bSDag-Erling Smørgravcheck_valid_before "default" "" "pass" 12147dd1d1bSDag-Erling Smørgravcheck_valid_before "invalid" 'expiry-time="INVALID"' "fail" 12247dd1d1bSDag-Erling Smørgravcheck_valid_before "expired" 'expiry-time="19990101"' "fail" 12347dd1d1bSDag-Erling Smørgravcheck_valid_before "valid" 'expiry-time="20380101"' "pass" 12447dd1d1bSDag-Erling Smørgrav 125