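# $OpenBSD: key-options.sh,v 1.2 2008/06/30 08:07:34 djm Exp $
# Placed in the Public Domain.

# Regression test for authorized_keys options: command=, no-pty,
# environment= and from=.  Each case rewrites the authorized_keys file
# by prefixing every key line with the option under test, then checks
# what a session authenticated with that key is able to do.
#
# Relies on names this file does not define: $OBJ, $SSH, $USER,
# verbose, fail and start_sshd (presumably supplied by the regress
# harness that sources this script -- confirm).

tid="key options"

origkeys="$OBJ/authkeys_orig"
authkeys="$OBJ/authorized_keys_${USER}"
# Keep a pristine copy; every case below regenerates $authkeys from it.
cp "$authkeys" "$origkeys"

# Test command= forced command
# The client asks for "echo foo"; a forced command must replace it, so
# the only acceptable output is "bar".
for p in 1 2; do
	for c in 'command="echo bar"' 'no-pty,command="echo bar"'; do
		sed "s/.*/$c &/" "$origkeys" >"$authkeys"
		verbose "key option proto $p $c"
		# ${SSH} is left unquoted on purpose: it may expand to a
		# command plus arguments (not verifiable from this file).
		r=`${SSH} -$p -q -F "$OBJ/ssh_proxy" somehost echo foo`
		if [ "$r" = "foo" ]; then
			fail "key option forced command not restricted"
		fi
		if [ "$r" != "bar" ]; then
			fail "key option forced command not executed"
		fi
	done
done

# Test no-pty
sed 's/.*/no-pty &/' "$origkeys" >"$authkeys"
for p in 1 2; do
	verbose "key option proto $p no-pty"
	r=`${SSH} -$p -q -F "$OBJ/ssh_proxy" somehost tty`
	# tty(1) prints the terminal device path when one is attached.  A
	# pty is a character device, so test with -c; the previous -f
	# (regular file) could never be true, which meant this case could
	# not fail even if no-pty were ignored.
	# NOTE(review): the client is not asked to allocate a terminal
	# here (no -t), so a pty is probably never requested and the
	# check may still be vacuous -- confirm and consider forcing the
	# request so the restriction is really exercised.
	if [ -c "$r" ]; then
		fail "key option failed proto $p no-pty (pty $r)"
	fi
done

# Test environment=
# environment= is only honoured when the server sets
# PermitUserEnvironment.  The line is appended to the test server
# config and stays in effect for the remaining cases.
echo 'PermitUserEnvironment yes' >> "$OBJ/sshd_proxy"
sed 's/.*/environment="FOO=bar" &/' "$origkeys" >"$authkeys"
for p in 1 2; do
	verbose "key option proto $p environment"
	# Single quotes: $FOO must be expanded by the remote shell.
	r=`${SSH} -$p -q -F "$OBJ/ssh_proxy" somehost 'echo $FOO'`
	if [ "$r" != "bar" ]; then
		fail "key option environment not set"
	fi
done

# Test from= restriction
start_sshd
for p in 1 2; do
	# The '/' of the CIDR form is escaped because the value is pasted
	# into a sed replacement that uses '/' as its delimiter.
	for f in 127.0.0.1 '127.0.0.0\/8'; do
		# Baseline: with no options the key must be accepted.
		cat "$origkeys" >"$authkeys"
		${SSH} -$p -q -F "$OBJ/ssh_proxy" somehost true
		if [ $? -ne 0 ]; then
			fail "key option proto $p failed without restriction"
		fi

		sed 's/.*/from="'"$f"'" &/' "$origkeys" >"$authkeys"
		# First field of the first key line, i.e. the from="..." option.
		from=`head -n 1 "$authkeys" | cut -f1 -d ' '`
		verbose "key option proto $p $from"
		# Negative case via ssh_proxy: the key must be refused.
		# (Presumably this path has no 127.0.0.1 peer address
		# because it does not go over TCP -- confirm in the harness.)
		r=`${SSH} -$p -q -F "$OBJ/ssh_proxy" somehost 'echo true'`
		if [ "$r" = "true" ]; then
			fail "key option proto $p $from not restricted"
		fi

		# Positive case via ssh_config, against the daemon started
		# by start_sshd: a loopback client must match from=.
		r=`${SSH} -$p -q -F "$OBJ/ssh_config" somehost 'echo true'`
		if [ "$r" != "true" ]; then
			fail "key option proto $p $from not allowed but should be"
		fi
	done
done

rm -f "$origkeys"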