Home Explore Help
Sign In
trn
/
j-hpn-ssh
mirror of git://github.com/johnsonjh/j-hpn-ssh
Watch 1
Star 1
Fork 0
Files
Tree: e677f121eb
Branches Tags
j-hpn-ssh
/
regress
/
keys-command.sh

keys-command.sh 2.4 KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283 
  1. #!/usr/bin/env sh
    2. 

  2. #	$OpenBSD: keys-command.sh,v 1.6 2019/07/25 08:48:11 dtucker Exp $
    3. 

  3. #	Placed in the Public Domain.
    4. 

  4. 

  5. tid="authorized keys from command"
    6. 

  6. 

  7. if [ -z "$SUDO" -a ! -w /var/run ]; then
    8. 

  8. 	echo "skipped (SUDO not set)"
    9. 

  9. 	echo "need SUDO to create file in /var/run, test won't work without"
    10. 

  10. 	exit 0
    11. 

  11. fi
    12. 

  12. 

  13. rm -f $OBJ/keys-command-args
    14. 

  14. 

  15. touch $OBJ/keys-command-args
    16. 

  16. chmod a+rw $OBJ/keys-command-args
    17. 

  17. 

  18. expected_key_text=$(awk '{ print $2 }' < $OBJ/ssh-ed25519.pub)
    19. 

  19. expected_key_fp=$($SSHKEYGEN -lf $OBJ/ssh-ed25519.pub | awk '{ print $2 }')
    20. 

  20. 

  21. # Establish a AuthorizedKeysCommand in /var/run where it will have
    22. 

  22. # acceptable directory permissions.
    23. 

  23. KEY_COMMAND="/var/run/keycommand_${LOGNAME}.$$"
    24. 

  24. trap "${SUDO} rm -f ${KEY_COMMAND}" 0
    25. 

  25. cat << _EOF | $SUDO sh -c "rm -f '$KEY_COMMAND' ; cat > '$KEY_COMMAND'"
    26. 

  26. #!/bin/sh
    27. 

  27. echo args: "\$@" >> $OBJ/keys-command-args
    28. 

  28. echo "$PATH" | grep -q mekmitasdigoat && exit 7
    29. 

  29. test "x\$1" != "x${LOGNAME}" && exit 1
    30. 

  30. if test $# -eq 6 ; then
    31. 

  31. 	test "x\$2" != "xblah" && exit 2
    32. 

  32. 	test "x\$3" != "x${expected_key_text}" && exit 3
    33. 

  33. 	test "x\$4" != "xssh-rsa" && exit 4
    34. 

  34. 	test "x\$5" != "x${expected_key_fp}" && exit 5
    35. 

  35. 	test "x\$6" != "xblah" && exit 6
    36. 

  36. fi
    37. 

  37. exec cat "$OBJ/authorized_keys_${LOGNAME}"
    38. 

  38. _EOF
    39. 

  39. $SUDO chmod 0755 "$KEY_COMMAND"
    40. 

  40. 

  41. if ! $OBJ/check-perm -m keys-command $KEY_COMMAND; then
    42. 

  42. 	echo "skipping: $KEY_COMMAND is unsuitable as AuthorizedKeysCommand"
    43. 

  43. 	$SUDO rm -f $KEY_COMMAND
    44. 

  44. 	exit 0
    45. 

  45. fi
    46. 

  46. 

  47. if [ -x $KEY_COMMAND ]; then
    48. 

  48. 	cp $OBJ/sshd_proxy $OBJ/sshd_proxy.bak
    49. 

  49. 

  50. 	verbose "AuthorizedKeysCommand with arguments"
    51. 

  51. 	(
    52. 

  52. 		grep -vi AuthorizedKeysFile $OBJ/sshd_proxy.bak
    53. 

  53. 		echo AuthorizedKeysFile none
    54. 

  54. 		echo AuthorizedKeysCommand $KEY_COMMAND %u blah %k %t %f blah
    55. 

  55. 		echo AuthorizedKeysCommandUser ${LOGNAME}
    56. 

  56. 	) > $OBJ/sshd_proxy
    57. 

  57. 

  58. 	# Ensure that $PATH is sanitised in sshd
    59. 

  59. 	env PATH=$PATH:/sbin/mekmitasdigoat \
    60. 

  60. 		${SSH}  -F $OBJ/ssh_proxy somehost true
    61. 

  61. 	if [ $? -ne 0 ]; then
    62. 

  62. 		fail "connect failed"
    63. 

  63. 	fi
    64. 

  64. 

  65. 	verbose "AuthorizedKeysCommand without arguments"
    66. 

  66. 	# Check legacy behavior of no-args resulting in username being passed.
    67. 

  67. 	(
    68. 

  68. 		grep -vi AuthorizedKeysFile $OBJ/sshd_proxy.bak
    69. 

  69. 		echo AuthorizedKeysFile none
    70. 

  70. 		echo AuthorizedKeysCommand $KEY_COMMAND
    71. 

  71. 		echo AuthorizedKeysCommandUser ${LOGNAME}
    72. 

  72. 	) > $OBJ/sshd_proxy
    73. 

  73. 

  74. 	# Ensure that $PATH is sanitised in sshd
    75. 

  75. 	env PATH=$PATH:/sbin/mekmitasdigoat \
    76. 

  76. 		${SSH}  -F $OBJ/ssh_proxy somehost true
    77. 

  77. 	if [ $? -ne 0 ]; then
    78. 

  78. 		fail "connect failed"
    79. 

  79. 	fi
    80. 

  80. else
    81. 

  81. 	echo "SKIPPED: $KEY_COMMAND not executable (/var/run mounted noexec?)"
    82. 

  82. fi
    83. 

  83.