xref: /freebsd/crypto/openssh/regress/keys-command.sh (revision 2a58b312b62f908ec92311d1bd8536dbaeb8e55b)
1#	$OpenBSD: keys-command.sh,v 1.8 2021/09/30 04:22:50 dtucker Exp $
2#	Placed in the Public Domain.
3
4tid="authorized keys from command"
5
6if [ -z "$SUDO" -a ! -w /var/run ]; then
7	skip "need SUDO to create file in /var/run, test won't work without"
8fi
9
10rm -f $OBJ/keys-command-args
11
12touch $OBJ/keys-command-args
13chmod a+rw $OBJ/keys-command-args
14
15expected_key_text=`awk '{ print $2 }' < $OBJ/ssh-ed25519.pub`
16expected_key_fp=`$SSHKEYGEN -lf $OBJ/ssh-ed25519.pub | awk '{ print $2 }'`
17
18# Establish a AuthorizedKeysCommand in /var/run where it will have
19# acceptable directory permissions.
20KEY_COMMAND="/var/run/keycommand_${LOGNAME}.$$"
21trap "${SUDO} rm -f ${KEY_COMMAND}" 0
22cat << _EOF | $SUDO sh -c "rm -f '$KEY_COMMAND' ; cat > '$KEY_COMMAND'"
23#!/bin/sh
24echo args: "\$@" >> $OBJ/keys-command-args
25echo "$PATH" | grep -q mekmitasdigoat && exit 7
26test "x\$1" != "x${LOGNAME}" && exit 1
27if test $# -eq 6 ; then
28	test "x\$2" != "xblah" && exit 2
29	test "x\$3" != "x${expected_key_text}" && exit 3
30	test "x\$4" != "xssh-rsa" && exit 4
31	test "x\$5" != "x${expected_key_fp}" && exit 5
32	test "x\$6" != "xblah" && exit 6
33fi
34exec cat "$OBJ/authorized_keys_${LOGNAME}"
35_EOF
36$SUDO chmod 0755 "$KEY_COMMAND"
37
38if ! $OBJ/check-perm -m keys-command $KEY_COMMAND ; then
39	echo "skipping: $KEY_COMMAND is unsuitable as AuthorizedKeysCommand"
40	$SUDO rm -f $KEY_COMMAND
41	exit 0
42fi
43
44if [ -x $KEY_COMMAND ]; then
45	cp $OBJ/sshd_proxy $OBJ/sshd_proxy.bak
46
47	verbose "AuthorizedKeysCommand with arguments"
48	(
49		grep -vi AuthorizedKeysFile $OBJ/sshd_proxy.bak
50		echo AuthorizedKeysFile none
51		echo AuthorizedKeysCommand $KEY_COMMAND %u blah %k %t %f blah
52		echo AuthorizedKeysCommandUser ${LOGNAME}
53	) > $OBJ/sshd_proxy
54
55	# Ensure that $PATH is sanitised in sshd
56	env PATH=$PATH:/sbin/mekmitasdigoat \
57	    ${SSH} -F $OBJ/ssh_proxy somehost true
58	if [ $? -ne 0 ]; then
59		fail "connect failed"
60	fi
61
62	verbose "AuthorizedKeysCommand without arguments"
63	# Check legacy behavior of no-args resulting in username being passed.
64	(
65		grep -vi AuthorizedKeysFile $OBJ/sshd_proxy.bak
66		echo AuthorizedKeysFile none
67		echo AuthorizedKeysCommand $KEY_COMMAND
68		echo AuthorizedKeysCommandUser ${LOGNAME}
69	) > $OBJ/sshd_proxy
70
71	# Ensure that $PATH is sanitised in sshd
72	env PATH=$PATH:/sbin/mekmitasdigoat \
73	    ${SSH} -F $OBJ/ssh_proxy somehost true
74	if [ $? -ne 0 ]; then
75		fail "connect failed"
76	fi
77else
78	skip "$KEY_COMMAND not executable (/var/run mounted noexec?)"
79fi
80