keys-command.sh revision 296853
150276Speter# $OpenBSD: keys-command.sh,v 1.3 2015/05/21 06:40:02 djm Exp $ 2166124Srafan# Placed in the Public Domain. 350276Speter 450276Spetertid="authorized keys from command" 550276Speter 650276Speterif test -z "$SUDO" ; then 750276Speter echo "skipped (SUDO not set)" 850276Speter echo "need SUDO to create file in /var/run, test won't work without" 950276Speter exit 0 1050276Speterfi 1150276Speter 1250276Speterrm -f $OBJ/keys-command-args 1350276Speter 1450276Spetertouch $OBJ/keys-command-args 1550276Speterchmod a+rw $OBJ/keys-command-args 1650276Speter 1750276Speterexpected_key_text=`awk '{ print $2 }' < $OBJ/rsa.pub` 1850276Speterexpected_key_fp=`$SSHKEYGEN -lf $OBJ/rsa.pub | awk '{ print $2 }'` 1950276Speter 2050276Speter# Establish a AuthorizedKeysCommand in /var/run where it will have 2150276Speter# acceptable directory permissions. 2250276SpeterKEY_COMMAND="/var/run/keycommand_${LOGNAME}" 2350276Spetercat << _EOF | $SUDO sh -c "rm -f '$KEY_COMMAND' ; cat > '$KEY_COMMAND'" 2450276Speter#!/bin/sh 2550276Speterecho args: "\$@" >> $OBJ/keys-command-args 2650276Speterecho "$PATH" | grep -q mekmitasdigoat && exit 7 2750276Spetertest "x\$1" != "x${LOGNAME}" && exit 1 2850276Speterif test $# -eq 6 ; then 2950276Speter test "x\$2" != "xblah" && exit 2 30166124Srafan test "x\$3" != "x${expected_key_text}" && exit 3 3150276Speter test "x\$4" != "xssh-rsa" && exit 4 32166124Srafan test "x\$5" != "x${expected_key_fp}" && exit 5 3350276Speter test "x\$6" != "xblah" && exit 6 3450276Speterfi 35166124Srafanexec cat "$OBJ/authorized_keys_${LOGNAME}" 3650276Speter_EOF 3750276Speter$SUDO chmod 0755 "$KEY_COMMAND" 3850276Speter 3950276Speterif ! $OBJ/check-perm -m keys-command $KEY_COMMAND ; then 4050276Speter echo "skipping: $KEY_COMMAND is unsuitable as AuthorizedKeysCommand" 4150276Speter $SUDO rm -f $KEY_COMMAND 4250276Speter exit 0 4350276Speterfi 4450276Speter 4550276Speterif [ -x $KEY_COMMAND ]; then 4650276Speter cp $OBJ/sshd_proxy $OBJ/sshd_proxy.bak 4750276Speter 4850276Speter verbose "AuthorizedKeysCommand with arguments" 4950276Speter ( 5076726Speter grep -vi AuthorizedKeysFile $OBJ/sshd_proxy.bak 51166124Srafan echo AuthorizedKeysFile none 5250276Speter echo AuthorizedKeysCommand $KEY_COMMAND %u blah %k %t %f blah 5350276Speter echo AuthorizedKeysCommandUser ${LOGNAME} 5450276Speter ) > $OBJ/sshd_proxy 5550276Speter 5650276Speter # Ensure that $PATH is sanitised in sshd 57166124Srafan env PATH=$PATH:/sbin/mekmitasdigoat \ 58166124Srafan ${SSH} -F $OBJ/ssh_proxy somehost true 5950276Speter if [ $? -ne 0 ]; then 6050276Speter fail "connect failed" 6150276Speter fi 62166124Srafan 6350276Speter verbose "AuthorizedKeysCommand without arguments" 6450276Speter # Check legacy behavior of no-args resulting in username being passed. 6550276Speter ( 6650276Speter grep -vi AuthorizedKeysFile $OBJ/sshd_proxy.bak 67166124Srafan echo AuthorizedKeysFile none 6850276Speter echo AuthorizedKeysCommand $KEY_COMMAND 69166124Srafan echo AuthorizedKeysCommandUser ${LOGNAME} 7050276Speter ) > $OBJ/sshd_proxy 7150276Speter 7250276Speter # Ensure that $PATH is sanitised in sshd 7350276Speter env PATH=$PATH:/sbin/mekmitasdigoat \ 74166124Srafan ${SSH} -F $OBJ/ssh_proxy somehost true 7550276Speter if [ $? -ne 0 ]; then 7650276Speter fail "connect failed" 77166124Srafan fi 7850276Speterelse 7950276Speter echo "SKIPPED: $KEY_COMMAND not executable (/var/run mounted noexec?)" 8050276Speterfi 8150276Speter 82166124Srafan$SUDO rm -f $KEY_COMMAND 83166124Srafan