#	$OpenBSD: key-options.sh,v 1.2 2008/06/30 08:07:34 djm Exp $
#	Placed in the Public Domain.
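tid="key options"

# Keep a pristine copy of the authorized_keys file. Every case below rebuilds
# $authkeys from this copy with one key option prepended to each line.
origkeys="$OBJ/authkeys_orig"
authkeys="$OBJ/authorized_keys_${USER}"
# Without the saved copy every later case would run against an empty key
# file, so report a failed copy instead of ignoring it.
cp "$authkeys" "$origkeys" || fail "key option: cannot save $authkeys"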
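# Test command= forced command
# The client asks for "echo foo". A key carrying command="echo bar" must make
# the server run "echo bar" instead, whether the option stands alone or is
# combined with another option.
for p in 1 2; do
	for c in 'command="echo bar"' 'no-pty,command="echo bar"'; do
		# $c is one of the fixed literals above and contains neither "/"
		# nor "&", so it is safe inside the sed replacement text.
		sed "s/.*/$c &/" "$origkeys" >"$authkeys"
		verbose "key option proto $p $c"
		# ${SSH} is left unquoted as in the original, in case the harness
		# sets it to a command plus arguments.
		r=`${SSH} -$p -q -F "$OBJ/ssh_proxy" somehost echo foo`
		# "foo" means the client's own command ran: the restriction was
		# bypassed. This case also trips the second check below.
		if [ "$r" = "foo" ]; then
			fail "key option forced command not restricted"
		fi
		# Anything other than "bar" means the forced command did not run.
		if [ "$r" != "bar" ]; then
			fail "key option forced command not executed"
		fi
	done
done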
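# Test no-pty
# The client has to request a pty for this check to mean anything. ssh does
# not request one by default when a remote command is given, so tty(1) would
# report "not a tty" whether or not sshd honours no-pty. -tt forces the
# request even when the local stdin is not a terminal.
sed 's/.*/no-pty &/' "$origkeys" >"$authkeys"
for p in 1 2; do
	verbose "key option proto $p no-pty"
	# ${SSH} is left unquoted as in the original, in case the harness sets
	# it to a command plus arguments.
	r=`${SSH} -$p -tt -q -F "$OBJ/ssh_proxy" somehost tty`
	# tty(1) prints a device path only when the session has a pty. A pty is
	# a character device, so the previous [ -f ] (regular file) test could
	# never be true. Match on the path instead; this also tolerates any
	# trailing carriage return in pty output.
	case "$r" in
	/dev/*)
		fail "key option failed proto $p no-pty (pty $r)"
		;;
	esac
done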
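# Test environment=
# sshd only honours environment= when PermitUserEnvironment is enabled. The
# setting is off by default because user-supplied variables such as
# LD_PRELOAD can be used to bypass access restrictions, so it belongs only in
# a throwaway test configuration like this one.
# The line is appended to sshd_proxy and this script never removes it.
echo 'PermitUserEnvironment yes' >> "$OBJ/sshd_proxy"
sed 's/.*/environment="FOO=bar" &/' "$origkeys" >"$authkeys"
for p in 1 2; do
	verbose "key option proto $p environment"
	# Single quotes: $FOO must be expanded by the remote shell, where the
	# key option sets it, not by the local one.
	r=`${SSH} -$p -q -F "$OBJ/ssh_proxy" somehost 'echo $FOO'`
	if [ "$r" != "bar" ]; then
		fail "key option environment not set"
	fi
done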
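# Test from= restriction
# Two client configurations are used. Connections through ssh_proxy are
# expected to be rejected by from=, and connections through ssh_config to the
# daemon started here are expected to match it.
# NOTE(review): presumably ssh_proxy reaches sshd through a proxy command, so
# sshd sees no client address, while ssh_config connects over loopback.
# Confirm against the harness.
start_sshd
for p in 1 2; do
	# The "/" in the CIDR form is escaped because "/" is the sed delimiter.
	for f in 127.0.0.1 '127.0.0.0\/8'; do
		# Baseline: with no options on the key, login must succeed.
		cat "$origkeys" >"$authkeys"
		${SSH} -$p -q -F "$OBJ/ssh_proxy" somehost true
		if [ $? -ne 0 ]; then
			fail "key option proto $p failed without restriction"
		fi

		sed 's/.*/from="'"$f"'" &/' "$origkeys" >"$authkeys"
		# Read the option back from the file so the log shows exactly
		# what sshd will parse.
		from=`head -n 1 "$authkeys" | cut -f1 -d ' '`
		verbose "key option proto $p $from"
		# Negative case: the command must not run from a source that
		# does not match from=.
		r=`${SSH} -$p -q -F "$OBJ/ssh_proxy" somehost 'echo true'`
		if [ "$r" = "true" ]; then
			fail "key option proto $p $from not restricted"
		fi

		# Positive case: a matching source must still be let in.
		r=`${SSH} -$p -q -F "$OBJ/ssh_config" somehost 'echo true'`
		if [ "$r" != "true" ]; then
			fail "key option proto $p $from not allowed but should be"
		fi
	done
done

# Remove the saved copy. $authkeys keeps the last from= option written above;
# nothing in this script restores it.
rm -f "$origkeys"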