keys-command.sh revision 296853
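#	$OpenBSD: keys-command.sh,v 1.3 2015/05/21 06:40:02 djm Exp $
#	Placed in the Public Domain.

# Regression test for sshd's AuthorizedKeysCommand.
#
# Installs a small helper script under /var/run (via $SUDO), points
# sshd_proxy at it with AuthorizedKeysFile disabled, and checks that a
# connection through ssh_proxy succeeds both with and without arguments on
# the AuthorizedKeysCommand line. The helper also checks the arguments and
# PATH it is started with and exits non-zero on a mismatch.
#
# Expects OBJ, SUDO, SSH, SSHKEYGEN and LOGNAME to be set by the caller;
# verbose and fail are not defined in this file and are presumably
# provided by the regress harness.

tid="authorized keys from command"

if test -z "$SUDO" ; then
	echo "skipped (SUDO not set)"
	echo "need SUDO to create file in /var/run, test won't work without"
	exit 0
fi

# Log of the arguments the helper was invoked with. It is made writable by
# everyone so that the helper can append to it.
# NOTE(review): a+rw is broader than needed if the helper always runs as
# the user running this test -- confirm before tightening.
rm -f "$OBJ/keys-command-args"

touch "$OBJ/keys-command-args"
chmod a+rw "$OBJ/keys-command-args"

# Values the helper compares its arguments against when the command line
# carries "%k" (field 2 of the public key file) and "%f" (field 2 of the
# ssh-keygen -l output).
expected_key_text=`awk '{ print $2 }' < "$OBJ/rsa.pub"`
expected_key_fp=`$SSHKEYGEN -lf "$OBJ/rsa.pub" | awk '{ print $2 }'`

# Establish a AuthorizedKeysCommand in /var/run where it will have
# acceptable directory permissions.
KEY_COMMAND="/var/run/keycommand_${LOGNAME}"

# The here-document delimiter is unquoted, so this shell expands every
# unescaped $ while writing the helper. $OBJ, ${LOGNAME} and the expected_*
# values are meant to be baked in that way. Anything the helper must
# evaluate when sshd runs it has to be escaped: "\$@", "\$1".."\$6", and
# also "\$PATH" and "\$#". Left unescaped, $PATH would be this script's
# PATH (making the sanitisation check vacuous) and $# would be this
# script's argument count (so the six-argument checks would depend on how
# the test was started rather than on what sshd passed).
# NOTE(review): with the argument checks live, any difference between the
# values computed above and sshd's %k/%t/%f expansion will show up as
# "connect failed" below.
cat << _EOF | $SUDO sh -c "rm -f '$KEY_COMMAND' ; cat > '$KEY_COMMAND'"
#!/bin/sh
echo args: "\$@" >> "$OBJ/keys-command-args"
echo "\$PATH" | grep -q mekmitasdigoat && exit 7
test "x\$1" != "x${LOGNAME}" && exit 1
if test \$# -eq 6 ; then
	test "x\$2" != "xblah" && exit 2
	test "x\$3" != "x${expected_key_text}" && exit 3
	test "x\$4" != "xssh-rsa" && exit 4
	test "x\$5" != "x${expected_key_fp}" && exit 5
	test "x\$6" != "xblah" && exit 6
fi
exec cat "$OBJ/authorized_keys_${LOGNAME}"
_EOF
$SUDO chmod 0755 "$KEY_COMMAND"

# check-perm decides whether the installed helper is acceptable; if it is
# not, clean up and skip rather than fail.
if ! "$OBJ/check-perm" -m keys-command "$KEY_COMMAND" ; then
	echo "skipping: $KEY_COMMAND is unsuitable as AuthorizedKeysCommand"
	$SUDO rm -f "$KEY_COMMAND"
	exit 0
fi

if [ -x "$KEY_COMMAND" ]; then
	cp "$OBJ/sshd_proxy" "$OBJ/sshd_proxy.bak"

	verbose "AuthorizedKeysCommand with arguments"
	# AuthorizedKeysFile is set to none so that the helper is the only
	# source of keys in this configuration.
	(
		grep -vi AuthorizedKeysFile "$OBJ/sshd_proxy.bak"
		echo AuthorizedKeysFile none
		echo AuthorizedKeysCommand "$KEY_COMMAND" %u blah %k %t %f blah
		echo AuthorizedKeysCommandUser "${LOGNAME}"
	) > "$OBJ/sshd_proxy"

	# Ensure that $PATH is sanitised in sshd
	# The marker directory is appended on the client side; the helper
	# exits 7 if it is still present in the PATH it is started with.
	env PATH="$PATH:/sbin/mekmitasdigoat" \
	    ${SSH} -F "$OBJ/ssh_proxy" somehost true
	if [ $? -ne 0 ]; then
		fail "connect failed"
	fi

	verbose "AuthorizedKeysCommand without arguments"
	# Check legacy behavior of no-args resulting in username being passed.
	(
		grep -vi AuthorizedKeysFile "$OBJ/sshd_proxy.bak"
		echo AuthorizedKeysFile none
		echo AuthorizedKeysCommand "$KEY_COMMAND"
		echo AuthorizedKeysCommandUser "${LOGNAME}"
	) > "$OBJ/sshd_proxy"

	# Ensure that $PATH is sanitised in sshd
	env PATH="$PATH:/sbin/mekmitasdigoat" \
	    ${SSH} -F "$OBJ/ssh_proxy" somehost true
	if [ $? -ne 0 ]; then
		fail "connect failed"
	fi
else
	echo "SKIPPED: $KEY_COMMAND not executable (/var/run mounted noexec?)"
fi

# Always remove the helper installed under /var/run.
$SUDO rm -f "$KEY_COMMAND"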