From 771c43cee6343f757884030ff92f1156b2ef399f Mon Sep 17 00:00:00 2001
From: Damien Miller
Date: Mon, 3 Dec 2012 10:12:13 +1100
Subject: - djm@cvs.openbsd.org 2012/11/22 22:49:30 [regress/Makefile regress/keys-command.sh] regress for AuthorizedKeysCommand; hints from markus@
---
 regress/keys-command.sh | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 regress/keys-command.sh
(limited to 'regress/keys-command.sh')
diff --git a/regress/keys-command.sh b/regress/keys-command.sh
new file mode 100644
index 000000000..09f4db4b7
--- /dev/null
+++ b/regress/keys-command.sh
@@ -0,0 +1,33 @@
+# $OpenBSD: keys-command.sh,v 1.1 2012/11/22 22:49:30 djm Exp $
+# Placed in the Public Domain.
+
+tid="authorized keys from command"
+
+if test -z "$SUDO" ; then
+ echo "skipped (SUDO not set)"
+ echo "need SUDO to create file in /var/run, test won't work without"
+ exit 0
+fi
+
+# Establish a AuthorizedKeysCommand in /var/run where it will have
+# acceptable directory permissions.
+KEY_COMMAND="/var/run/keycommand_${LOGNAME}"
+cat << _EOF | $SUDO sh -c "cat > '$KEY_COMMAND'"
+#!/bin/sh
+test "x\$1" -ne "x${LOGNAME}" && exit 1
+exec cat "$OBJ/authorized_keys_${LOGNAME}"
+_EOF
+$SUDO chmod 0755 "$KEY_COMMAND"
+
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy.bak
+(
+ grep -vi AuthorizedKeysFile $OBJ/sshd_proxy.bak
+ echo AuthorizedKeysFile none
+ echo AuthorizedKeysCommand $KEY_COMMAND
+ echo AuthorizedKeysCommandUser ${LOGNAME}
+) > $OBJ/sshd_proxy
+
+${SSH} -F $OBJ/ssh_proxy somehost true
+if [ $? -ne 0 ]; then
+ fail "connect failed"
+fi
--
cgit v1.2.3
From 3dfb877046b40638ac7c88de9bb07091eb463205 Mon Sep 17 00:00:00 2001
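Review bot: The here-doc that generates the key command relies on an unquoted `_EOF` delimiter so that `${LOGNAME}` and `$OBJ` are baked in at generation time while only the escaped `\$1` survives into the generated script, and nothing in the hunk says so. A comment above `cat << _EOF | $SUDO sh -c "cat > '$KEY_COMMAND'"` such as `# unquoted here-doc: LOGNAME and OBJ expand now; \$1 stays literal and is the username argument sshd hands to the command at auth time` would keep a later editor from "fixing" the escaping in either direction. The file is a flat script, so there is no enclosing function to note.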
From: Darren Tucker
Date: Fri, 7 Dec 2012 13:03:10 +1100
Subject: - dtucker@cvs.openbsd.org 2012/12/06 06:06:54 [regress/keys-command.sh] Fix some problems with the keys-command test: - use string comparison rather than numeric comparison - check for existing KEY_COMMAND file and don't clobber if it exists - clean up KEY_COMMAND file if we do create it. - check that KEY_COMMAND is executable (which it won't be if eg /var/run is mounted noexec). ok djm.
---
 ChangeLog | 12 ++++++++++++
 regress/keys-command.sh | 16 +++++++++++-----
 2 files changed, 23 insertions(+), 5 deletions(-)
(limited to 'regress/keys-command.sh')
diff --git a/ChangeLog b/ChangeLog
index b572f6006..be3118146 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,15 @@
+20121207
+ - (dtucker) OpenBSD CVS Sync
+ - dtucker@cvs.openbsd.org 2012/12/06 06:06:54
+ [regress/keys-command.sh]
+ Fix some problems with the keys-command test:
+ - use string comparison rather than numeric comparison
+ - check for existing KEY_COMMAND file and don't clobber if it exists
+ - clean up KEY_COMMAND file if we do create it.
+ - check that KEY_COMMAND is executable (which it won't be if eg /var/run
+ is mounted noexec).
+ ok djm.
+
 20121205
 - (tim) [defines.h] Some platforms are missing ULLONG_MAX. Feedback djm@.
 
diff --git a/regress/keys-command.sh b/regress/keys-command.sh
index 09f4db4b7..b595a434f 100644
--- a/regress/keys-command.sh
+++ b/regress/keys-command.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: keys-command.sh,v 1.1 2012/11/22 22:49:30 djm Exp $
+# $OpenBSD: keys-command.sh,v 1.2 2012/12/06 06:06:54 dtucker Exp $
 # Placed in the Public Domain.
 
 tid="authorized keys from command"
@@ -14,7 +14,7 @@ fi
 KEY_COMMAND="/var/run/keycommand_${LOGNAME}"
 cat << _EOF | $SUDO sh -c "cat > '$KEY_COMMAND'"
 #!/bin/sh
-test "x\$1" -ne "x${LOGNAME}" && exit 1
+test "x\$1" != "x${LOGNAME}" && exit 1
 exec cat "$OBJ/authorized_keys_${LOGNAME}"
 _EOF
 $SUDO chmod 0755 "$KEY_COMMAND"
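Review bot: The commit message says a pre-existing `$KEY_COMMAND` is now detected and not clobbered, but no hunk on this page adds that check: the unchanged `cat << _EOF | $SUDO sh -c "cat > '$KEY_COMMAND'"` in this hunk still overwrites whatever sits at the fixed path `/var/run/keycommand_${LOGNAME}` as root, and the `$SUDO rm -f $KEY_COMMAND` added by the final hunk then removes it even when the test did not create it. Either a hunk is missing from the diff or the message overstates the change; a guard in the style of the existing SUDO skip, e.g. `test -e "$KEY_COMMAND" && { echo "skipped ($KEY_COMMAND already exists)"; exit 0; }` placed before the here-doc, would match what the message describes. The `!=` fix itself is right: with `-ne` the non-numeric operands made `test` error out with a non-zero status, so the `&& exit 1` username check never fired.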
@@ -27,7 +27,13 @@ cp $OBJ/sshd_proxy $OBJ/sshd_proxy.bak
 echo AuthorizedKeysCommandUser ${LOGNAME}
 ) > $OBJ/sshd_proxy
 
-${SSH} -F $OBJ/ssh_proxy somehost true
-if [ $? -ne 0 ]; then
- fail "connect failed"
+if [ -x $KEY_COMMAND ]; then
+ ${SSH} -F $OBJ/ssh_proxy somehost true
+ if [ $? -ne 0 ]; then
+ fail "connect failed"
+ fi
+else
+ echo "SKIPPED: $KEY_COMMAND not executable (/var/run mounted noexec?)"
 fi
+
+$SUDO rm -f $KEY_COMMAND
--
cgit v1.2.3
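Review bot: The new `if [ -x $KEY_COMMAND ]` and `$SUDO rm -f $KEY_COMMAND` leave the path unquoted while the earlier `chmod 0755 "$KEY_COMMAND"` quotes it; use `"$KEY_COMMAND"` in both for consistency. The `${SSH} ...` followed by `if [ $? -ne 0 ]` can be written directly as `if ! ${SSH} -F $OBJ/ssh_proxy somehost true; then fail "connect failed"; fi`, which drops the intermediate `$?`. Whether `-x` reports false on a noexec mount depends on the platform's access(2) honouring the mount flag, so the guess in the SKIPPED message is reasonable but presumably not universal; a short comment stating that assumption next to the test would help the next reader.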