From e045e0c62ae29fb7a2ed175c973fda32e60ee43d Mon Sep 17 00:00:00 2001
From: Darren Tucker <dtucker@zip.com.au>
Date: Wed, 11 Jun 2008 09:38:12 +1000
Subject:    - dtucker@cvs.openbsd.org 2008/06/10 23:13:43      [Makefile
 regress/key-options.sh]      Add regress test for key options.  ok djm@

---
 ChangeLog              |  5 +++-
 regress/key-options.sh | 71 ++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 75 insertions(+), 1 deletion(-)
 create mode 100644 regress/key-options.sh

diff --git a/ChangeLog b/ChangeLog
index dd3335bc2..2e1473d91 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -58,6 +58,9 @@
    - dtucker@cvs.openbsd.org 2008/06/10 23:21:34
      [bufaux.c]
      Use '\0' for a nul byte rather than unadorned 0.  ok djm@
+   - dtucker@cvs.openbsd.org 2008/06/10 23:13:43
+     [Makefile regress/key-options.sh]
+     Add regress test for key options.  ok djm@
  - (dtucker) [openbsd-compat/fake-rfc2553.h] Add sin6_scope_id to sockaddr_in6
    since the new CIDR code in addmatch.c references it.
  - (dtucker) [Makefile.in configure.ac regress/addrmatch.sh] Skip IPv6
@@ -4150,4 +4153,4 @@
    OpenServer 6 and add osr5bigcrypt support so when someone migrates
    passwords between UnixWare and OpenServer they will still work. OK dtucker@
 
-$Id: ChangeLog,v 1.4964 2008/06/10 23:35:37 dtucker Exp $
+$Id: ChangeLog,v 1.4965 2008/06/10 23:38:12 dtucker Exp $
diff --git a/regress/key-options.sh b/regress/key-options.sh
new file mode 100644
index 000000000..b4dd47057
--- /dev/null
+++ b/regress/key-options.sh
@@ -0,0 +1,71 @@
+#	$OpenBSD: key-options.sh,v 1.1 2008/06/10 23:13:43 dtucker Exp $
+#	Placed in the Public Domain.
+
+tid="key options"
+
+origkeys="$OBJ/authkeys_orig"
+authkeys="$OBJ/authorized_keys_${USER}"
+cp $authkeys $origkeys
+
+# Test command= forced command
+for p in 1 2; do
+    for c in 'command="echo bar"' 'no-pty,command="echo bar"'; do
+	sed "s/.*/$c &/" $origkeys >$authkeys
+	verbose "key option proto $p $c"
+	r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost echo foo`
+	if [ "$r" = "foo" ]; then
+		fail "key option forced command not restricted"
+	fi
+	if [ "$r" != "bar" ]; then
+		fail "key option forced command not executed"
+	fi
+    done
+done
+
+# Test no-pty
+sed 's/.*/no-pty &/' $origkeys >$authkeys
+for p in 1 2; do
+	verbose "key option proto $p no-pty"
+	r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost tty`
+	if [ -f "$r" ]; then
+		fail "key option failed proto $p no-pty (pty $r)"
+	fi
+done
+
+# Test environment=
+echo 'PermitUserEnvironment yes' >> $OBJ/sshd_proxy
+sed 's/.*/environment="FOO=bar" &/' $origkeys >$authkeys
+for p in 1 2; do
+	verbose "key option proto $p environment"
+	r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost 'echo $FOO'`
+	if [ "$r" != "bar" ]; then
+		fail "key option environment not set"
+	fi
+done
+
+# Test from= restriction
+start_sshd
+for p in 1 2; do
+    for f in 127.0.0.1 '127.0.0.0\/8'; do
+	cat  $origkeys >$authkeys
+	${SSH} -$p -q -F $OBJ/ssh_proxy somehost true
+	if [ $? -ne 0 ]; then
+		fail "key option proto $p failed without restriction"
+	fi
+
+	sed 's/.*/from="'$f'" &/' $origkeys >$authkeys
+	from=`head -1 $authkeys | cut -f1 -d ' '`
+	verbose "key option proto $p $from"
+	r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost 'echo true'`
+	if [ "$r" == "true" ]; then
+		fail "key option proto $p $from not restricted"
+	fi
+
+	r=`${SSH} -$p -q -F $OBJ/ssh_config somehost 'echo true'`
+	if [ "$r" != "true" ]; then
+		fail "key option proto $p $from not allowed but should be"
+	fi
+    done
+done
+
+rm -f "$origkeys"
-- 
cgit v1.2.3