summaryrefslogtreecommitdiff
path: root/regress/test-exec.sh
diff options
context:
space:
mode:
Diffstat (limited to 'regress/test-exec.sh')
-rw-r--r--regress/test-exec.sh80
1 files changed, 72 insertions, 8 deletions
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index 508b93284..f5e3ee6f5 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -1,4 +1,4 @@
1# $OpenBSD: test-exec.sh,v 1.66 2019/07/05 04:12:46 dtucker Exp $ 1# $OpenBSD: test-exec.sh,v 1.75 2020/01/31 23:25:08 djm Exp $
2# Placed in the Public Domain. 2# Placed in the Public Domain.
3 3
4#SUDO=sudo 4#SUDO=sudo
@@ -80,6 +80,9 @@ PLINK=plink
80PUTTYGEN=puttygen 80PUTTYGEN=puttygen
81CONCH=conch 81CONCH=conch
82 82
83# Tools used by multiple tests
84NC=$OBJ/netcat
85
83if [ "x$TEST_SSH_SSH" != "x" ]; then 86if [ "x$TEST_SSH_SSH" != "x" ]; then
84 SSH="${TEST_SSH_SSH}" 87 SSH="${TEST_SSH_SSH}"
85fi 88fi
@@ -128,6 +131,12 @@ if [ "x$TEST_SSH_CONCH" != "x" ]; then
128 *) CONCH=`which ${TEST_SSH_CONCH} 2>/dev/null` ;; 131 *) CONCH=`which ${TEST_SSH_CONCH} 2>/dev/null` ;;
129 esac 132 esac
130fi 133fi
134if [ "x$TEST_SSH_PKCS11_HELPER" != "x" ]; then
135 SSH_PKCS11_HELPER="${TEST_SSH_PKCS11_HELPER}"
136fi
137if [ "x$TEST_SSH_SK_HELPER" != "x" ]; then
138 SSH_SK_HELPER="${TEST_SSH_SK_HELPER}"
139fi
131 140
132# Path to sshd must be absolute for rexec 141# Path to sshd must be absolute for rexec
133case "$SSHD" in 142case "$SSHD" in
@@ -230,6 +239,7 @@ echo "exec ${SSH} -E${TEST_SSH_LOGFILE} "'"$@"' >>$SSHLOGWRAP
230 239
231chmod a+rx $OBJ/ssh-log-wrapper.sh 240chmod a+rx $OBJ/ssh-log-wrapper.sh
232REAL_SSH="$SSH" 241REAL_SSH="$SSH"
242REAL_SSHD="$SSHD"
233SSH="$SSHLOGWRAP" 243SSH="$SSHLOGWRAP"
234 244
235# Some test data. We make a copy because some tests will overwrite it. 245# Some test data. We make a copy because some tests will overwrite it.
@@ -252,6 +262,7 @@ increase_datafile_size()
252 262
253# these should be used in tests 263# these should be used in tests
254export SSH SSHD SSHAGENT SSHADD SSHKEYGEN SSHKEYSCAN SFTP SFTPSERVER SCP 264export SSH SSHD SSHAGENT SSHADD SSHKEYGEN SSHKEYSCAN SFTP SFTPSERVER SCP
265export SSH_PKCS11_HELPER SSH_SK_HELPER
255#echo $SSH $SSHD $SSHAGENT $SSHADD $SSHKEYGEN $SSHKEYSCAN $SFTP $SFTPSERVER $SCP 266#echo $SSH $SSHD $SSHAGENT $SSHADD $SSHKEYGEN $SSHKEYSCAN $SFTP $SFTPSERVER $SCP
256 267
257# Portable specific functions 268# Portable specific functions
@@ -437,6 +448,31 @@ EOF
437# be abused to locally escalate privileges. 448# be abused to locally escalate privileges.
438if [ ! -z "$TEST_SSH_UNSAFE_PERMISSIONS" ]; then 449if [ ! -z "$TEST_SSH_UNSAFE_PERMISSIONS" ]; then
439 echo "StrictModes no" >> $OBJ/sshd_config 450 echo "StrictModes no" >> $OBJ/sshd_config
451else
452 # check and warn if excessive permissions are likely to cause failures.
453 unsafe=""
454 dir="${OBJ}"
455 while test ${dir} != "/"; do
456 if test -d "${dir}" && ! test -h "${dir}"; then
457 perms=`ls -ld ${dir}`
458 case "${perms}" in
459 ?????w????*|????????w?*) unsafe="${unsafe} ${dir}" ;;
460 esac
461 fi
462 dir=`dirname ${dir}`
463 done
464 if ! test -z "${unsafe}"; then
465 cat <<EOD
466
467WARNING: Unsafe (group or world writable) directory permissions found:
468${unsafe}
469
470These could be abused to locally escalate privileges. If you are
471sure that this is not a risk (eg there are no other users), you can
472bypass this check by setting TEST_SSH_UNSAFE_PERMISSIONS=1
473
474EOD
475 fi
440fi 476fi
441 477
442if [ ! -z "$TEST_SSH_SSHD_CONFOPTS" ]; then 478if [ ! -z "$TEST_SSH_SSHD_CONFOPTS" ]; then
@@ -475,8 +511,33 @@ fi
475 511
476rm -f $OBJ/known_hosts $OBJ/authorized_keys_$USER 512rm -f $OBJ/known_hosts $OBJ/authorized_keys_$USER
477 513
478SSH_KEYTYPES=`$SSH -Q key-plain` 514SSH_SK_PROVIDER=
515if [ -f "${SRC}/misc/sk-dummy/obj/sk-dummy.so" ] ; then
516 SSH_SK_PROVIDER="${SRC}/misc/sk-dummy/obj/sk-dummy.so"
517elif [ -f "${SRC}/misc/sk-dummy/sk-dummy.so" ] ; then
518 SSH_SK_PROVIDER="${SRC}/misc/sk-dummy/sk-dummy.so"
519fi
520export SSH_SK_PROVIDER
521
522if ! test -z "$SSH_SK_PROVIDER"; then
523 EXTRA_AGENT_ARGS='-P/*' # XXX want realpath(1)...
524 echo "SecurityKeyProvider $SSH_SK_PROVIDER" >> $OBJ/ssh_config
525 echo "SecurityKeyProvider $SSH_SK_PROVIDER" >> $OBJ/sshd_config
526 echo "SecurityKeyProvider $SSH_SK_PROVIDER" >> $OBJ/sshd_proxy
527fi
528export EXTRA_AGENT_ARGS
529
530maybe_filter_sk() {
531 if test -z "$SSH_SK_PROVIDER" ; then
532 grep -v ^sk
533 else
534 cat
535 fi
536}
479 537
538SSH_KEYTYPES=`$SSH -Q key-plain | maybe_filter_sk`
539SSH_HOSTKEY_TYPES=`$SSH -Q key-plain | maybe_filter_sk`
540
480for t in ${SSH_KEYTYPES}; do 541for t in ${SSH_KEYTYPES}; do
481 # generate user key 542 # generate user key
482 trace "generating key type $t" 543 trace "generating key type $t"
@@ -486,16 +547,18 @@ for t in ${SSH_KEYTYPES}; do
486 fail "ssh-keygen for $t failed" 547 fail "ssh-keygen for $t failed"
487 fi 548 fi
488 549
550 # setup authorized keys
551 cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
552 echo IdentityFile $OBJ/$t >> $OBJ/ssh_config
553done
554
555for t in ${SSH_HOSTKEY_TYPES}; do
489 # known hosts file for client 556 # known hosts file for client
490 ( 557 (
491 printf 'localhost-with-alias,127.0.0.1,::1 ' 558 printf 'localhost-with-alias,127.0.0.1,::1 '
492 cat $OBJ/$t.pub 559 cat $OBJ/$t.pub
493 ) >> $OBJ/known_hosts 560 ) >> $OBJ/known_hosts
494 561
495 # setup authorized keys
496 cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
497 echo IdentityFile $OBJ/$t >> $OBJ/ssh_config
498
499 # use key as host key, too 562 # use key as host key, too
500 $SUDO cp $OBJ/$t $OBJ/host.$t 563 $SUDO cp $OBJ/$t $OBJ/host.$t
501 echo HostKey $OBJ/host.$t >> $OBJ/sshd_config 564 echo HostKey $OBJ/host.$t >> $OBJ/sshd_config
@@ -564,7 +627,7 @@ fi
564# create a proxy version of the client config 627# create a proxy version of the client config
565( 628(
566 cat $OBJ/ssh_config 629 cat $OBJ/ssh_config
567 echo proxycommand ${SUDO} sh ${SRC}/sshd-log-wrapper.sh ${TEST_SSHD_LOGFILE} ${SSHD} -i -f $OBJ/sshd_proxy 630 echo proxycommand ${SUDO} env SSH_SK_HELPER=\"$SSH_SK_HELPER\" sh ${SRC}/sshd-log-wrapper.sh ${TEST_SSHD_LOGFILE} ${SSHD} -i -f $OBJ/sshd_proxy
568) > $OBJ/ssh_proxy 631) > $OBJ/ssh_proxy
569 632
570# check proxy config 633# check proxy config
@@ -574,7 +637,8 @@ start_sshd ()
574{ 637{
575 # start sshd 638 # start sshd
576 $SUDO ${SSHD} -f $OBJ/sshd_config "$@" -t || fatal "sshd_config broken" 639 $SUDO ${SSHD} -f $OBJ/sshd_config "$@" -t || fatal "sshd_config broken"
577 $SUDO ${SSHD} -f $OBJ/sshd_config "$@" -E$TEST_SSHD_LOGFILE 640 $SUDO env SSH_SK_HELPER="$SSH_SK_HELPER" \
641 ${SSHD} -f $OBJ/sshd_config "$@" -E$TEST_SSHD_LOGFILE
578 642
579 trace "wait for sshd" 643 trace "wait for sshd"
580 i=0; 644 i=0;