# $OpenBSD: key-options.sh,v 1.9 2018/07/03 13:53:26 djm Exp $
# Placed in the Public Domain.
#
# Regress test for authorized_keys option handling: each case rewrites the
# test user's authorized_keys with an option prefix and checks that sshd
# enforces it (forced command, pty denial, environment=, from=, expiry-time).
#
# Names used but not defined here (verbose, fail, fatal, config_defined,
# start_sshd, SSH, OBJ, USER) are expected to come from the harness that
# sources this file. Shell is POSIX sh on purpose; no bashisms.

tid="key options"

# Pristine copy of the key file; every case is derived from it so that the
# option prefix of one case never leaks into the next.
origkeys="$OBJ/authkeys_orig"
authkeys="$OBJ/authorized_keys_${USER}"
cp "$authkeys" "$origkeys"

# Allocating ptys can require privileges on some platforms; when neither
# openpty(3) nor SUDO is available the pty cases are reported as skipped.
skip_pty=""
if ! config_defined HAVE_OPENPTY && [ -z "$SUDO" ]; then
	skip_pty="no openpty(3) and SUDO not set"
fi

# command= must replace the client-requested command, with and without no-pty.
# The two checks are deliberately independent: "foo" means the restriction was
# bypassed, anything other than "bar" means the forced command did not run.
for kopt in 'command="echo bar"' 'no-pty,command="echo bar"'; do
	sed "s/.*/$kopt &/" "$origkeys" >"$authkeys"
	verbose "key option $kopt"
	out=$(${SSH} -q -F "$OBJ/ssh_proxy" somehost echo foo)
	if [ "$out" = "foo" ]; then
		fail "key option forced command not restricted"
	fi
	if [ "$out" != "bar" ]; then
		fail "key option forced command not executed"
	fi
done

# Run "tty" over ssh -tt with the given option prefix and record the result
# in $OBJ/data.  $1 is a label for messages, $2 the option prefix.
# Expectation: the session succeeds and the remote side got a /dev/* pty.
expect_pty_succeed() {
	label=$1
	kopts=$2
	rm -f "$OBJ/data"
	sed "s/.*/$kopts &/" "$origkeys" >"$authkeys"
	verbose "key option pty $label"
	if [ -n "$skip_pty" ]; then
		verbose "skipped because $skip_pty"
		return
	fi
	if ! ${SSH} -ttq -F "$OBJ/ssh_proxy" somehost "tty > $OBJ/data; exit 0"; then
		fail "key option failed $label"
		return
	fi
	out=$(cat "$OBJ/data")
	case "$out" in
	/dev/*)	;;
	*)	fail "key option failed $label (pty $out)" ;;
	esac
}

# Same probe as expect_pty_succeed, but the option prefix is expected to deny
# the pty: the recorded output must not name an existing device node.  A
# non-zero ssh exit is not treated as a failure here (matches the original
# behaviour of this test).
expect_pty_fail() {
	label=$1
	kopts=$2
	rm -f "$OBJ/data"
	sed "s/.*/$kopts &/" "$origkeys" >"$authkeys"
	verbose "key option pty $label"
	if [ -n "$skip_pty" ]; then
		verbose "skipped because $skip_pty"
		return
	fi
	if ${SSH} -ttq -F "$OBJ/ssh_proxy" somehost "tty > $OBJ/data; exit 0"; then
		out=$(cat "$OBJ/data")
		# Both checks are kept: an existing path and a /dev/ prefix each
		# indicate that a pty was handed out despite the restriction.
		if [ -e "$out" ]; then
			fail "key option failed $label (pty $out)"
		fi
		case "$out" in
		/dev/*)	fail "key option failed $label (pty $out)" ;;
		*)	;;
		esac
	fi
}

# First ensure that we can allocate a pty by default, then check that no-pty
# and restrict deny it and that restrict,pty re-enables it.
expect_pty_succeed "default" ""
expect_pty_fail "no-pty" "no-pty"
expect_pty_fail "restrict" "restrict"
expect_pty_succeed "restrict,pty" "restrict,pty"

# environment= is only honoured when sshd has PermitUserEnvironment enabled,
# so it is appended to the proxy sshd config before the check.
# XXX this can fail if ~/.ssh/environment exists for the user running the test
echo 'PermitUserEnvironment yes' >> "$OBJ/sshd_proxy"
sed 's/.*/environment="FOO=bar" &/' "$origkeys" >"$authkeys"
verbose "key option environment"
out=$(${SSH} -q -F "$OBJ/ssh_proxy" somehost 'echo $FOO')
if [ "$out" != "bar" ]; then
	fail "key option environment not set"
fi

# from= source restriction.  The proxy connection is expected to be rejected
# while the loopback connection (ssh_config, real sshd started below) must
# still be allowed.  The second pattern is pre-escaped for use inside sed.
start_sshd
for src in 127.0.0.1 '127.0.0.0\/8'; do
	cat "$origkeys" >"$authkeys"
	if ! ${SSH} -q -F "$OBJ/ssh_proxy" somehost true; then
		fail "key option failed without restriction"
	fi

	sed 's/.*/from="'"$src"'" &/' "$origkeys" >"$authkeys"
	from=$(head -1 "$authkeys" | cut -f1 -d ' ')
	verbose "key option $from"
	out=$(${SSH} -q -F "$OBJ/ssh_proxy" somehost 'echo true')
	if [ "$out" = "true" ]; then
		fail "key option $from not restricted"
	fi

	out=$(${SSH} -q -F "$OBJ/ssh_config" somehost 'echo true')
	if [ "$out" != "true" ]; then
		fail "key option $from not allowed but should be"
	fi
done

# Check expiry-time handling.  $1 is a label, $2 the option prefix, $3 is
# "pass" (login must succeed) or "fail" (login must be refused); any other
# expectation is a bug in the test itself and aborts via fatal.
check_valid_before() {
	label=$1
	kopts=$2
	expect=$3
	sed "s/.*/$kopts &/" "$origkeys" >"$authkeys"
	verbose "key option expiry-time $label"
	${SSH} -q -F "$OBJ/ssh_proxy" somehost true
	rc=$?
	case "$expect" in
	fail)	[ "$rc" -ne 0 ] || fail "key option succeeded $label" ;;
	pass)	[ "$rc" -eq 0 ] || fail "key option failed $label" ;;
	*)	fatal "unknown expectation $expect" ;;
	esac
}
check_valid_before "default" "" "pass"
check_valid_before "invalid" 'expiry-time="INVALID"' "fail"
check_valid_before "expired" 'expiry-time="19990101"' "fail"
# NOTE: the "valid" case uses a fixed future date and will start failing
# once that date has passed.
check_valid_before "valid" 'expiry-time="20380101"' "pass"