keys-command.sh revision 323134 
1#	$OpenBSD: keys-command.sh,v 1.3 2015/05/21 06:40:02 djm Exp $
2#	Placed in the Public Domain.
3
4tid="authorized keys from command"
5
6if [ -z "$SUDO" -a ! -w /var/run ]; then
7	echo "skipped (SUDO not set)"
8	echo "need SUDO to create file in /var/run, test won't work without"
9	exit 0
10fi
11
12rm -f $OBJ/keys-command-args
13
14touch $OBJ/keys-command-args
15chmod a+rw $OBJ/keys-command-args
16
17expected_key_text=`awk '{ print $2 }' < $OBJ/rsa.pub`
18expected_key_fp=`$SSHKEYGEN -lf $OBJ/rsa.pub | awk '{ print $2 }'`
19
20# Establish a AuthorizedKeysCommand in /var/run where it will have
21# acceptable directory permissions.
22KEY_COMMAND="/var/run/keycommand_${LOGNAME}"
23cat << _EOF | $SUDO sh -c "rm -f '$KEY_COMMAND' ; cat > '$KEY_COMMAND'"
24#!/bin/sh
25echo args: "\$@" >> $OBJ/keys-command-args
26echo "$PATH" | grep -q mekmitasdigoat && exit 7
27test "x\$1" != "x${LOGNAME}" && exit 1
28if test $# -eq 6 ; then
29	test "x\$2" != "xblah" && exit 2
30	test "x\$3" != "x${expected_key_text}" && exit 3
31	test "x\$4" != "xssh-rsa" && exit 4
32	test "x\$5" != "x${expected_key_fp}" && exit 5
33	test "x\$6" != "xblah" && exit 6
34fi
35exec cat "$OBJ/authorized_keys_${LOGNAME}"
36_EOF
37$SUDO chmod 0755 "$KEY_COMMAND"
38
39if ! $OBJ/check-perm -m keys-command $KEY_COMMAND ; then
40	echo "skipping: $KEY_COMMAND is unsuitable as AuthorizedKeysCommand"
41	$SUDO rm -f $KEY_COMMAND
42	exit 0
43fi
44
45if [ -x $KEY_COMMAND ]; then
46	cp $OBJ/sshd_proxy $OBJ/sshd_proxy.bak
47
48	verbose "AuthorizedKeysCommand with arguments"
49	(
50		grep -vi AuthorizedKeysFile $OBJ/sshd_proxy.bak
51		echo AuthorizedKeysFile none
52		echo AuthorizedKeysCommand $KEY_COMMAND %u blah %k %t %f blah
53		echo AuthorizedKeysCommandUser ${LOGNAME}
54	) > $OBJ/sshd_proxy
55
56	# Ensure that $PATH is sanitised in sshd
57	env PATH=$PATH:/sbin/mekmitasdigoat \
58	    ${SSH} -F $OBJ/ssh_proxy somehost true
59	if [ $? -ne 0 ]; then
60		fail "connect failed"
61	fi
62
63	verbose "AuthorizedKeysCommand without arguments"
64	# Check legacy behavior of no-args resulting in username being passed.
65	(
66		grep -vi AuthorizedKeysFile $OBJ/sshd_proxy.bak
67		echo AuthorizedKeysFile none
68		echo AuthorizedKeysCommand $KEY_COMMAND
69		echo AuthorizedKeysCommandUser ${LOGNAME}
70	) > $OBJ/sshd_proxy
71
72	# Ensure that $PATH is sanitised in sshd
73	env PATH=$PATH:/sbin/mekmitasdigoat \
74	    ${SSH} -F $OBJ/ssh_proxy somehost true
75	if [ $? -ne 0 ]; then
76		fail "connect failed"
77	fi
78else
79	echo "SKIPPED: $KEY_COMMAND not executable (/var/run mounted noexec?)"
80fi
81
82$SUDO rm -f $KEY_COMMAND
83