xref: /freebsd/crypto/openssh/regress/key-options.sh (revision e8d8bef961a50d4dc22501cde4fb9fb0be1b2532)
1#	$OpenBSD: key-options.sh,v 1.9 2018/07/03 13:53:26 djm Exp $
2#	Placed in the Public Domain.
3
4tid="key options"
5
6origkeys="$OBJ/authkeys_orig"
7authkeys="$OBJ/authorized_keys_${USER}"
8cp $authkeys $origkeys
9
10# Test command= forced command
11for c in 'command="echo bar"' 'no-pty,command="echo bar"'; do
12	sed "s/.*/$c &/" $origkeys >$authkeys
13	verbose "key option $c"
14	r=`${SSH} -q -F $OBJ/ssh_proxy somehost echo foo`
15	if [ "$r" = "foo" ]; then
16		fail "key option forced command not restricted"
17	fi
18	if [ "$r" != "bar" ]; then
19		fail "key option forced command not executed"
20	fi
21done
22
23# Test no-pty
24expect_pty_succeed() {
25	which=$1
26	opts=$2
27	rm -f $OBJ/data
28	sed "s/.*/$opts &/" $origkeys >$authkeys
29	verbose "key option pty $which"
30	config_defined HAVE_OPENPTY || verbose "skipped for no openpty(3)"
31	${SSH} -ttq -F $OBJ/ssh_proxy somehost "tty > $OBJ/data; exit 0"
32	if [ $? -ne 0 ] ; then
33		fail "key option failed $which"
34	else
35		r=`cat $OBJ/data`
36		case "$r" in
37		/dev/*) ;;
38		*)	fail "key option failed $which (pty $r)" ;;
39		esac
40	fi
41}
42expect_pty_fail() {
43	which=$1
44	opts=$2
45	rm -f $OBJ/data
46	sed "s/.*/$opts &/" $origkeys >$authkeys
47	verbose "key option pty $which"
48	config_defined HAVE_OPENPTY || verbose "skipped for no openpty(3)"
49	${SSH} -ttq -F $OBJ/ssh_proxy somehost "tty > $OBJ/data; exit 0"
50	if [ $? -eq 0 ]; then
51		r=`cat $OBJ/data`
52		if [ -e "$r" ]; then
53			fail "key option failed $which (pty $r)"
54		fi
55		case "$r" in
56		/dev/*)	fail "key option failed $which (pty $r)" ;;
57		*)	;;
58		esac
59	fi
60}
61# First ensure that we can allocate a pty by default.
62expect_pty_succeed "default" ""
63expect_pty_fail "no-pty" "no-pty"
64expect_pty_fail "restrict" "restrict"
65expect_pty_succeed "restrict,pty" "restrict,pty"
66
67# Test environment=
68# XXX this can fail if ~/.ssh/environment exists for the user running the test
69echo 'PermitUserEnvironment yes' >> $OBJ/sshd_proxy
70sed 's/.*/environment="FOO=bar" &/' $origkeys >$authkeys
71verbose "key option environment"
72r=`${SSH} -q -F $OBJ/ssh_proxy somehost 'echo $FOO'`
73if [ "$r" != "bar" ]; then
74	fail "key option environment not set"
75fi
76
77# Test from= restriction
78start_sshd
79for f in 127.0.0.1 '127.0.0.0\/8'; do
80	cat  $origkeys >$authkeys
81	${SSH} -q -F $OBJ/ssh_proxy somehost true
82	if [ $? -ne 0 ]; then
83		fail "key option failed without restriction"
84	fi
85
86	sed 's/.*/from="'"$f"'" &/' $origkeys >$authkeys
87	from=`head -1 $authkeys | cut -f1 -d ' '`
88	verbose "key option $from"
89	r=`${SSH} -q -F $OBJ/ssh_proxy somehost 'echo true'`
90	if [ "$r" = "true" ]; then
91		fail "key option $from not restricted"
92	fi
93
94	r=`${SSH} -q -F $OBJ/ssh_config somehost 'echo true'`
95	if [ "$r" != "true" ]; then
96		fail "key option $from not allowed but should be"
97	fi
98done
99
100check_valid_before() {
101	which=$1
102	opts=$2
103	expect=$3
104	sed "s/.*/$opts &/" $origkeys >$authkeys
105	verbose "key option expiry-time $which"
106	${SSH} -q -F $OBJ/ssh_proxy somehost true
107	r=$?
108	case "$expect" in
109	fail)	test $r -eq 0 && fail "key option succeeded $which" ;;
110	pass)	test $r -ne 0 && fail "key option failed $which" ;;
111	*)	fatal "unknown expectation $expect" ;;
112	esac
113}
114check_valid_before "default"	""				"pass"
115check_valid_before "invalid"	'expiry-time="INVALID"'		"fail"
116check_valid_before "expired"	'expiry-time="19990101"'	"fail"
117check_valid_before "valid"	'expiry-time="20380101"'	"pass"
118
119