1# $OpenBSD: keys-command.sh,v 1.6 2019/07/25 08:48:11 dtucker Exp $ 2# Placed in the Public Domain. 3 4tid="authorized keys from command" 5 6if [ -z "$SUDO" -a ! -w /var/run ]; then 7 echo "skipped (SUDO not set)" 8 echo "need SUDO to create file in /var/run, test won't work without" 9 exit 0 10fi 11 12rm -f $OBJ/keys-command-args 13 14touch $OBJ/keys-command-args 15chmod a+rw $OBJ/keys-command-args 16 17expected_key_text=`awk '{ print $2 }' < $OBJ/ssh-ed25519.pub` 18expected_key_fp=`$SSHKEYGEN -lf $OBJ/ssh-ed25519.pub | awk '{ print $2 }'` 19 20# Establish a AuthorizedKeysCommand in /var/run where it will have 21# acceptable directory permissions. 22KEY_COMMAND="/var/run/keycommand_${LOGNAME}.$$" 23trap "${SUDO} rm -f ${KEY_COMMAND}" 0 24cat << _EOF | $SUDO sh -c "rm -f '$KEY_COMMAND' ; cat > '$KEY_COMMAND'" 25#!/bin/sh 26echo args: "\$@" >> $OBJ/keys-command-args 27echo "$PATH" | grep -q mekmitasdigoat && exit 7 28test "x\$1" != "x${LOGNAME}" && exit 1 29if test $# -eq 6 ; then 30 test "x\$2" != "xblah" && exit 2 31 test "x\$3" != "x${expected_key_text}" && exit 3 32 test "x\$4" != "xssh-rsa" && exit 4 33 test "x\$5" != "x${expected_key_fp}" && exit 5 34 test "x\$6" != "xblah" && exit 6 35fi 36exec cat "$OBJ/authorized_keys_${LOGNAME}" 37_EOF 38$SUDO chmod 0755 "$KEY_COMMAND" 39 40if ! $OBJ/check-perm -m keys-command $KEY_COMMAND ; then 41 echo "skipping: $KEY_COMMAND is unsuitable as AuthorizedKeysCommand" 42 $SUDO rm -f $KEY_COMMAND 43 exit 0 44fi 45 46if [ -x $KEY_COMMAND ]; then 47 cp $OBJ/sshd_proxy $OBJ/sshd_proxy.bak 48 49 verbose "AuthorizedKeysCommand with arguments" 50 ( 51 grep -vi AuthorizedKeysFile $OBJ/sshd_proxy.bak 52 echo AuthorizedKeysFile none 53 echo AuthorizedKeysCommand $KEY_COMMAND %u blah %k %t %f blah 54 echo AuthorizedKeysCommandUser ${LOGNAME} 55 ) > $OBJ/sshd_proxy 56 57 # Ensure that $PATH is sanitised in sshd 58 env PATH=$PATH:/sbin/mekmitasdigoat \ 59 ${SSH} -F $OBJ/ssh_proxy somehost true 60 if [ $? -ne 0 ]; then 61 fail "connect failed" 62 fi 63 64 verbose "AuthorizedKeysCommand without arguments" 65 # Check legacy behavior of no-args resulting in username being passed. 66 ( 67 grep -vi AuthorizedKeysFile $OBJ/sshd_proxy.bak 68 echo AuthorizedKeysFile none 69 echo AuthorizedKeysCommand $KEY_COMMAND 70 echo AuthorizedKeysCommandUser ${LOGNAME} 71 ) > $OBJ/sshd_proxy 72 73 # Ensure that $PATH is sanitised in sshd 74 env PATH=$PATH:/sbin/mekmitasdigoat \ 75 ${SSH} -F $OBJ/ssh_proxy somehost true 76 if [ $? -ne 0 ]; then 77 fail "connect failed" 78 fi 79else 80 echo "SKIPPED: $KEY_COMMAND not executable (/var/run mounted noexec?)" 81fi 82