mirror of
git://anongit.mindrot.org/openssh.git
synced 2024-12-24 19:02:06 +00:00
upstream commit
regress test for AuthorizedKeysCommand arguments Upstream-Regress-ID: bbd65c13c6b3be9a442ec115800bff9625898f12
This commit is contained in:
parent
bcc50d8161
commit
84452c5d03
@ -1,4 +1,4 @@
|
||||
# $OpenBSD: keys-command.sh,v 1.2 2012/12/06 06:06:54 dtucker Exp $
|
||||
# $OpenBSD: keys-command.sh,v 1.3 2015/05/21 06:40:02 djm Exp $
|
||||
# Placed in the Public Domain.
|
||||
|
||||
tid="authorized keys from command"
|
||||
@ -9,26 +9,63 @@ if test -z "$SUDO" ; then
|
||||
exit 0
|
||||
fi
|
||||
|
||||
rm -f $OBJ/keys-command-args
|
||||
|
||||
touch $OBJ/keys-command-args
|
||||
chmod a+rw $OBJ/keys-command-args
|
||||
|
||||
expected_key_text=`awk '{ print $2 }' < $OBJ/rsa.pub`
|
||||
expected_key_fp=`$SSHKEYGEN -lf $OBJ/rsa.pub | awk '{ print $2 }'`
|
||||
|
||||
# Establish a AuthorizedKeysCommand in /var/run where it will have
|
||||
# acceptable directory permissions.
|
||||
KEY_COMMAND="/var/run/keycommand_${LOGNAME}"
|
||||
cat << _EOF | $SUDO sh -c "cat > '$KEY_COMMAND'"
|
||||
cat << _EOF | $SUDO sh -c "rm -f '$KEY_COMMAND' ; cat > '$KEY_COMMAND'"
|
||||
#!/bin/sh
|
||||
echo args: "\$@" >> $OBJ/keys-command-args
|
||||
echo "$PATH" | grep -q mekmitasdigoat && exit 7
|
||||
test "x\$1" != "x${LOGNAME}" && exit 1
|
||||
if test $# -eq 6 ; then
|
||||
test "x\$2" != "xblah" && exit 2
|
||||
test "x\$3" != "x${expected_key_text}" && exit 3
|
||||
test "x\$4" != "xssh-rsa" && exit 4
|
||||
test "x\$5" != "x${expected_key_fp}" && exit 5
|
||||
test "x\$6" != "xblah" && exit 6
|
||||
fi
|
||||
exec cat "$OBJ/authorized_keys_${LOGNAME}"
|
||||
_EOF
|
||||
$SUDO chmod 0755 "$KEY_COMMAND"
|
||||
|
||||
cp $OBJ/sshd_proxy $OBJ/sshd_proxy.bak
|
||||
(
|
||||
grep -vi AuthorizedKeysFile $OBJ/sshd_proxy.bak
|
||||
echo AuthorizedKeysFile none
|
||||
echo AuthorizedKeysCommand $KEY_COMMAND
|
||||
echo AuthorizedKeysCommandUser ${LOGNAME}
|
||||
) > $OBJ/sshd_proxy
|
||||
|
||||
if [ -x $KEY_COMMAND ]; then
|
||||
${SSH} -F $OBJ/ssh_proxy somehost true
|
||||
cp $OBJ/sshd_proxy $OBJ/sshd_proxy.bak
|
||||
|
||||
verbose "AuthorizedKeysCommand with arguments"
|
||||
(
|
||||
grep -vi AuthorizedKeysFile $OBJ/sshd_proxy.bak
|
||||
echo AuthorizedKeysFile none
|
||||
echo AuthorizedKeysCommand $KEY_COMMAND %u blah %k %t %f blah
|
||||
echo AuthorizedKeysCommandUser ${LOGNAME}
|
||||
) > $OBJ/sshd_proxy
|
||||
|
||||
# Ensure that $PATH is sanitised in sshd
|
||||
env PATH=$PATH:/sbin/mekmitasdigoat \
|
||||
${SSH} -F $OBJ/ssh_proxy somehost true
|
||||
if [ $? -ne 0 ]; then
|
||||
fail "connect failed"
|
||||
fi
|
||||
|
||||
verbose "AuthorizedKeysCommand without arguments"
|
||||
# Check legacy behavior of no-args resulting in username being passed.
|
||||
(
|
||||
grep -vi AuthorizedKeysFile $OBJ/sshd_proxy.bak
|
||||
echo AuthorizedKeysFile none
|
||||
echo AuthorizedKeysCommand $KEY_COMMAND
|
||||
echo AuthorizedKeysCommandUser ${LOGNAME}
|
||||
) > $OBJ/sshd_proxy
|
||||
|
||||
# Ensure that $PATH is sanitised in sshd
|
||||
env PATH=$PATH:/sbin/mekmitasdigoat \
|
||||
${SSH} -F $OBJ/ssh_proxy somehost true
|
||||
if [ $? -ne 0 ]; then
|
||||
fail "connect failed"
|
||||
fi
|
||||
|
Loading…
Reference in New Issue
Block a user