# $OpenBSD: key-options.sh,v 1.9 2018/07/03 13:53:26 djm Exp $
# Placed in the Public Domain.

# Regression test for authorized_keys key options.  Every case rewrites the
# test user's authorized_keys from a pristine copy, prepends one option
# string to each key line and checks that sshd actually enforces it.
# verbose, fail, fatal, config_defined, start_sshd, ${SSH} and $OBJ are
# provided by the surrounding regress harness, not by this file.
tid="key options"

# Pristine copy of the authorized_keys file.  Each test derives its own
# authorized_keys from this so options never accumulate across cases.
origkeys="$OBJ/authkeys_orig"
authkeys="$OBJ/authorized_keys_${USER}"
cp "$authkeys" "$origkeys"

# command="..." must replace whatever the client asks to run.  A forced
# command that can be bypassed is an authorization bypass, so both
# directions are checked: the client's command must NOT have run (output
# is not "foo") and the forced command MUST have run (output is "bar").
for opt in 'command="echo bar"' 'no-pty,command="echo bar"'; do
	sed "s/.*/$opt &/" "$origkeys" >"$authkeys"
	verbose "key option $opt"
	r=$(${SSH} -q -F "$OBJ/ssh_proxy" somehost echo foo)
	if [ "$r" = "foo" ]; then
		fail "key option forced command not restricted"
	fi
	if [ "$r" != "bar" ]; then
		fail "key option forced command not executed"
	fi
done

# Shared probe for the pty tests: install $2 as the key option for every
# key, request a tty with -tt and record what tty(1) prints on the server
# side in $OBJ/data (the test sshd runs on this host, so $OBJ is shared).
# Returns ssh's exit status; callers inspect $OBJ/data themselves.
run_pty_probe() {
	rm -f "$OBJ/data"
	sed "s/.*/$2 &/" "$origkeys" >"$authkeys"
	verbose "key option pty $1"
	# NOTE(review): this only prints a message -- the probe still runs
	# when HAVE_OPENPTY is undefined.  Confirm whether a real skip is
	# intended before changing it.
	config_defined HAVE_OPENPTY || verbose "skipped for no openpty(3)"
	${SSH} -ttq -F "$OBJ/ssh_proxy" somehost "tty > $OBJ/data; exit 0"
}

# Expect a pty to be granted: the session must succeed and tty(1) must
# report a /dev/ path.
expect_pty_succeed() {
	which=$1
	opts=$2
	if ! run_pty_probe "$which" "$opts"; then
		fail "key option failed $which"
		return
	fi
	r=$(cat "$OBJ/data")
	case "$r" in
	/dev/*) ;;
	*) fail "key option failed $which (pty $r)" ;;
	esac
}

# Expect a pty to be denied.  A session that fails outright is accepted;
# only a successful session that still obtained a tty is a test failure.
# Both checks below fire for a real tty path, so such a case is reported
# twice -- that matches the original behaviour.
expect_pty_fail() {
	which=$1
	opts=$2
	run_pty_probe "$which" "$opts" || return 0
	r=$(cat "$OBJ/data")
	if [ -e "$r" ]; then
		fail "key option failed $which (pty $r)"
	fi
	case "$r" in
	/dev/*) fail "key option failed $which (pty $r)" ;;
	esac
}
# First ensure that we can allocate a pty by default.
# Default (no option) must still get a pty; no-pty and restrict must deny
# one; restrict,pty re-enables it on top of restrict.
expect_pty_succeed "default" ""
expect_pty_fail "no-pty" "no-pty"
expect_pty_fail "restrict" "restrict"
expect_pty_succeed "restrict,pty" "restrict,pty"

# environment="FOO=bar" is only honoured when sshd has PermitUserEnvironment
# enabled, so switch it on in the proxy sshd config before the check.
# XXX this can fail if ~/.ssh/environment exists for the user running the test
echo 'PermitUserEnvironment yes' >>"$OBJ/sshd_proxy"
sed 's/.*/environment="FOO=bar" &/' "$origkeys" >"$authkeys"
verbose "key option environment"
r=$(${SSH} -q -F "$OBJ/ssh_proxy" somehost 'echo $FOO')
if [ "$r" != "bar" ]; then
	fail "key option environment not set"
fi

# from= limits which client addresses may use the key.  Each pattern is
# tried twice: through the proxy sshd (expected to be rejected --
# presumably its connection carries no peer address matching the
# loopback pattern; confirm against test-exec.sh) and through the real
# sshd started here (expected to be accepted).  The second pattern is
# sed-escaped and lands in the file as from="127.0.0.0/8".
start_sshd
for pattern in 127.0.0.1 '127.0.0.0\/8'; do
	# Sanity check: an unrestricted key must still work via the proxy.
	cat "$origkeys" >"$authkeys"
	if ! ${SSH} -q -F "$OBJ/ssh_proxy" somehost true; then
		fail "key option failed without restriction"
	fi

	sed 's/.*/from="'"$pattern"'" &/' "$origkeys" >"$authkeys"
	# Label for messages, e.g. from="127.0.0.1", taken from the first key line.
	from=$(head -1 "$authkeys" | cut -f1 -d ' ')
	verbose "key option $from"

	r=$(${SSH} -q -F "$OBJ/ssh_proxy" somehost 'echo true')
	if [ "$r" = "true" ]; then
		fail "key option $from not restricted"
	fi

	r=$(${SSH} -q -F "$OBJ/ssh_config" somehost 'echo true')
	if [ "$r" != "true" ]; then
		fail "key option $from not allowed but should be"
	fi
done

# Install $2 as the key option, attempt a login through the proxy sshd and
# compare the outcome with $3 ("pass" = login must succeed, "fail" = login
# must be refused).  Despite the function name, the option exercised is
# expiry-time=.  Any other expectation string is a bug in the test itself.
check_valid_before() {
	which=$1
	opts=$2
	expect=$3
	sed "s/.*/$opts &/" "$origkeys" >"$authkeys"
	verbose "key option expiry-time $which"
	${SSH} -q -F "$OBJ/ssh_proxy" somehost true
	r=$?
	case "$expect" in
	fail)
		if [ "$r" -eq 0 ]; then
			fail "key option succeeded $which"
		fi
		;;
	pass)
		if [ "$r" -ne 0 ]; then
			fail "key option failed $which"
		fi
		;;
	*)
		fatal "unknown expectation $expect"
		;;
	esac
}
# An unparseable expiry must be refused (fail closed, not ignored), an
# expired date must be refused, and a far-future date must be accepted.
check_valid_before "default" "" "pass"
check_valid_before "invalid" 'expiry-time="INVALID"' "fail"
check_valid_before "expired" 'expiry-time="19990101"' "fail"
check_valid_before "valid" 'expiry-time="20380101"' "pass"