upstream commit

regress test for AuthorizedKeysCommand arguments Upstream-Regress-ID: bbd65c13c6b3be9a442ec115800bff9625898f12
author: djm@openbsd.org <djm@openbsd.org> 2015-05-21 06:40:02 +0000
committer: Damien Miller <djm@mindrot.org> 2015-05-21 16:46:40 +1000
commit: 84452c5d03c21f9bfb28c234e0dc1dc67dd817b1 (patch)
tree: 6d0db94e189e385ddfbaf172923e427cb3e4994f /regress/keys-command.sh
parent: bcc50d816187fa9a03907ac1f3a52f04a52e10d1 (diff)
1 files changed, 48 insertions, 11 deletions
diff --git a/regress/keys-command.sh b/regress/keys-command.sh
index b595a434f..700273b66 100644
--- a/regress/keys-command.sh
+++ b/regress/keys-command.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: keys-command.sh,v 1.2 2012/12/06 06:06:54 dtucker Exp $
+#       $OpenBSD: keys-command.sh,v 1.3 2015/05/21 06:40:02 djm Exp $
 #       Placed in the Public Domain.
 tid="authorized keys from command"
@@ -9,26 +9,63 @@ if test -z "$SUDO" ; then
        exit 0
 fi
+rm -f $OBJ/keys-command-args
+touch $OBJ/keys-command-args
+chmod a+rw $OBJ/keys-command-args
+expected_key_text=`awk '{ print $2 }' < $OBJ/rsa.pub`
+expected_key_fp=`$SSHKEYGEN -lf $OBJ/rsa.pub | awk '{ print $2 }'`
 # Establish a AuthorizedKeysCommand in /var/run where it will have
 # acceptable directory permissions.
 KEY_COMMAND="/var/run/keycommand_${LOGNAME}"
-cat << _EOF | $SUDO sh -c "cat > '$KEY_COMMAND'"
+cat << _EOF | $SUDO sh -c "rm -f '$KEY_COMMAND' ; cat > '$KEY_COMMAND'"
 #!/bin/sh
+echo args: "\$@" >> $OBJ/keys-command-args
+echo "$PATH" | grep -q mekmitasdigoat && exit 7
 test "x\$1" != "x${LOGNAME}" && exit 1
+if test $# -eq 6 ; then
+        test "x\$2" != "xblah" && exit 2
+        test "x\$3" != "x${expected_key_text}" && exit 3
+        test "x\$4" != "xssh-rsa" && exit 4
+        test "x\$5" != "x${expected_key_fp}" && exit 5
+        test "x\$6" != "xblah" && exit 6
+fi
 exec cat "$OBJ/authorized_keys_${LOGNAME}"
 _EOF
 $SUDO chmod 0755 "$KEY_COMMAND"
-cp $OBJ/sshd_proxy $OBJ/sshd_proxy.bak
-(
-        grep -vi AuthorizedKeysFile $OBJ/sshd_proxy.bak
-        echo AuthorizedKeysFile none
-        echo AuthorizedKeysCommand $KEY_COMMAND
-        echo AuthorizedKeysCommandUser ${LOGNAME}
-) > $OBJ/sshd_proxy
 if [ -x $KEY_COMMAND ]; then
-        ${SSH} -F $OBJ/ssh_proxy somehost true
+        cp $OBJ/sshd_proxy $OBJ/sshd_proxy.bak
+        verbose "AuthorizedKeysCommand with arguments"
+        (
+                grep -vi AuthorizedKeysFile $OBJ/sshd_proxy.bak
+                echo AuthorizedKeysFile none
+                echo AuthorizedKeysCommand $KEY_COMMAND %u blah %k %t %f blah
+                echo AuthorizedKeysCommandUser ${LOGNAME}
+        ) > $OBJ/sshd_proxy
+        # Ensure that $PATH is sanitised in sshd
+        env PATH=$PATH:/sbin/mekmitasdigoat \
+            ${SSH} -F $OBJ/ssh_proxy somehost true
+        if [ $? -ne 0 ]; then
+                fail "connect failed"
+        fi
+        verbose "AuthorizedKeysCommand without arguments"
+        # Check legacy behavior of no-args resulting in username being passed.
+        (
+                grep -vi AuthorizedKeysFile $OBJ/sshd_proxy.bak
+                echo AuthorizedKeysFile none
+                echo AuthorizedKeysCommand $KEY_COMMAND
+                echo AuthorizedKeysCommandUser ${LOGNAME}
+        ) > $OBJ/sshd_proxy
+        # Ensure that $PATH is sanitised in sshd
+        env PATH=$PATH:/sbin/mekmitasdigoat \
+            ${SSH} -F $OBJ/ssh_proxy somehost true
        if [ $? -ne 0 ]; then
                fail "connect failed"
        fi
author	djm@openbsd.org <djm@openbsd.org>	2015-05-21 06:40:02 +0000
committer	Damien Miller <djm@mindrot.org>	2015-05-21 16:46:40 +1000
commit	84452c5d03c21f9bfb28c234e0dc1dc67dd817b1 (patch)
tree	6d0db94e189e385ddfbaf172923e427cb3e4994f /regress/keys-command.sh
parent	bcc50d816187fa9a03907ac1f3a52f04a52e10d1 (diff)

diff --git a/regress/keys-command.sh b/regress/keys-command.sh index b595a434f..700273b66 100644 --- a/regress/keys-command.sh +++ b/regress/keys-command.sh
@@ -1,4 +1,4 @@
1	# $OpenBSD: keys-command.sh,v 1.2 2012/12/06 06:06:54 dtucker Exp $	1	# $OpenBSD: keys-command.sh,v 1.3 2015/05/21 06:40:02 djm Exp $
2	# Placed in the Public Domain.	2	# Placed in the Public Domain.
3		3
4	tid="authorized keys from command"	4	tid="authorized keys from command"
@@ -9,26 +9,63 @@ if test -z "$SUDO" ; then
9	exit 0	9	exit 0
10	fi	10	fi
11		11
		12	rm -f $OBJ/keys-command-args
		13
		14	touch $OBJ/keys-command-args
		15	chmod a+rw $OBJ/keys-command-args
		16
		17	expected_key_text=`awk '{ print $2 }' < $OBJ/rsa.pub`
		18	expected_key_fp=`$SSHKEYGEN -lf $OBJ/rsa.pub \| awk '{ print $2 }'`
		19
12	# Establish a AuthorizedKeysCommand in /var/run where it will have	20	# Establish a AuthorizedKeysCommand in /var/run where it will have
13	# acceptable directory permissions.	21	# acceptable directory permissions.
14	KEY_COMMAND="/var/run/keycommand_${LOGNAME}"	22	KEY_COMMAND="/var/run/keycommand_${LOGNAME}"
15	cat << _EOF \| $SUDO sh -c "cat > '$KEY_COMMAND'"	23	cat << _EOF \| $SUDO sh -c "rm -f '$KEY_COMMAND' ; cat > '$KEY_COMMAND'"
16	#!/bin/sh	24	#!/bin/sh
		25	echo args: "\$@" >> $OBJ/keys-command-args
		26	echo "$PATH" \| grep -q mekmitasdigoat && exit 7
17	test "x\$1" != "x${LOGNAME}" && exit 1	27	test "x\$1" != "x${LOGNAME}" && exit 1
		28	if test $# -eq 6 ; then
		29	test "x\$2" != "xblah" && exit 2
		30	test "x\$3" != "x${expected_key_text}" && exit 3
		31	test "x\$4" != "xssh-rsa" && exit 4
		32	test "x\$5" != "x${expected_key_fp}" && exit 5
		33	test "x\$6" != "xblah" && exit 6
		34	fi
18	exec cat "$OBJ/authorized_keys_${LOGNAME}"	35	exec cat "$OBJ/authorized_keys_${LOGNAME}"
19	_EOF	36	_EOF
20	$SUDO chmod 0755 "$KEY_COMMAND"	37	$SUDO chmod 0755 "$KEY_COMMAND"
21		38
22	cp $OBJ/sshd_proxy $OBJ/sshd_proxy.bak
23	(
24	grep -vi AuthorizedKeysFile $OBJ/sshd_proxy.bak
25	echo AuthorizedKeysFile none
26	echo AuthorizedKeysCommand $KEY_COMMAND
27	echo AuthorizedKeysCommandUser ${LOGNAME}
28	) > $OBJ/sshd_proxy
29
30	if [ -x $KEY_COMMAND ]; then	39	if [ -x $KEY_COMMAND ]; then
31	${SSH} -F $OBJ/ssh_proxy somehost true	40	cp $OBJ/sshd_proxy $OBJ/sshd_proxy.bak
		41
		42	verbose "AuthorizedKeysCommand with arguments"
		43	(
		44	grep -vi AuthorizedKeysFile $OBJ/sshd_proxy.bak
		45	echo AuthorizedKeysFile none
		46	echo AuthorizedKeysCommand $KEY_COMMAND %u blah %k %t %f blah
		47	echo AuthorizedKeysCommandUser ${LOGNAME}
		48	) > $OBJ/sshd_proxy
		49
		50	# Ensure that $PATH is sanitised in sshd
		51	env PATH=$PATH:/sbin/mekmitasdigoat \
		52	${SSH} -F $OBJ/ssh_proxy somehost true
		53	if [ $? -ne 0 ]; then
		54	fail "connect failed"
		55	fi
		56
		57	verbose "AuthorizedKeysCommand without arguments"
		58	# Check legacy behavior of no-args resulting in username being passed.
		59	(
		60	grep -vi AuthorizedKeysFile $OBJ/sshd_proxy.bak
		61	echo AuthorizedKeysFile none
		62	echo AuthorizedKeysCommand $KEY_COMMAND
		63	echo AuthorizedKeysCommandUser ${LOGNAME}
		64	) > $OBJ/sshd_proxy
		65
		66	# Ensure that $PATH is sanitised in sshd
		67	env PATH=$PATH:/sbin/mekmitasdigoat \
		68	${SSH} -F $OBJ/ssh_proxy somehost true
32	if [ $? -ne 0 ]; then	69	if [ $? -ne 0 ]; then
33	fail "connect failed"	70	fail "connect failed"
34	fi	71	fi