Начало Каталог Помощ
Вход
trn
/
j-hpn-ssh
огледало от git://github.com/johnsonjh/j-hpn-ssh
Наблюдаван 1
Харесван 1
Разклонения 0
Файлове
Клон: master
Клонове Маркери
j-hpn-ssh
/
regress
/
key-options.sh

key-options.sh 3.4 KB
Постоянна връзка История Директен файл

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127 
  1. #	$OpenBSD: key-options.sh,v 1.9 2018/07/03 13:53:26 djm Exp $
    2. 

  2. #	Placed in the Public Domain.
    3. 

  3. 

  4. tid="key options"
    5. 

  5. 

  6. origkeys="$OBJ/authkeys_orig"
    7. 

  7. authkeys="$OBJ/authorized_keys_${USER}"
    8. 

  8. cp $authkeys $origkeys
    9. 

  9. 

  10. # Allocating ptys can require privileges on some platforms.
    11. 

  11. skip_pty=""
    12. 

  12. if ! config_defined HAVE_OPENPTY && [ "x$SUDO" = "x" ]; then
    13. 

  13. 	skip_pty="no openpty(3) and SUDO not set"
    14. 

  14. fi
    15. 

  15. 

  16. # Test command= forced command
    17. 

  17. for c in 'command="echo bar"' 'no-pty,command="echo bar"'; do
    18. 

  18. 	sed "s/.*/$c &/" $origkeys > $authkeys
    19. 

  19. 	verbose "key option $c"
    20. 

  20. 	r=$(${SSH} -q -F $OBJ/ssh_proxy somehost echo foo)
    21. 

  21. 	if [ "$r" = "foo" ]; then
    22. 

  22. 		fail "key option forced command not restricted"
    23. 

  23. 	fi
    24. 

  24. 	if [ "$r" != "bar" ]; then
    25. 

  25. 		fail "key option forced command not executed"
    26. 

  26. 	fi
    27. 

  27. done
    28. 

  28. 

  29. # Test no-pty
    30. 

  30. expect_pty_succeed()
    31. 

  31. {
    32. 

  32. 	which=$1
    33. 

  33. 	opts=$2
    34. 

  34. 	rm -f $OBJ/data
    35. 

  35. 	sed "s/.*/$opts &/" $origkeys > $authkeys
    36. 

  36. 	verbose "key option pty $which"
    37. 

  37. 	[ "x$skip_pty" != "x" ] && verbose "skipped because $skip_pty" && return
    38. 

  38. 	${SSH} -ttq -F $OBJ/ssh_proxy somehost "tty > $OBJ/data; exit 0"
    39. 

  39. 	if [ $? -ne 0 ]; then
    40. 

  40. 		fail "key option failed $which"
    41. 

  41. 	else
    42. 

  42. 		r=$(cat $OBJ/data)
    43. 

  43. 		case "$r" in
    44. 

  44. 			/dev/*) ;;
    45. 

  45. 			*) fail "key option failed $which (pty $r)" ;;
    46. 

  46. 		esac
    47. 

  47. 	fi
    48. 

  48. }
    49. 

  49. expect_pty_fail()
    50. 

  50. {
    51. 

  51. 	which=$1
    52. 

  52. 	opts=$2
    53. 

  53. 	rm -f $OBJ/data
    54. 

  54. 	sed "s/.*/$opts &/" $origkeys > $authkeys
    55. 

  55. 	verbose "key option pty $which"
    56. 

  56. 	[ "x$skip_pty" != "x" ] && verbose "skipped because $skip_pty" && return
    57. 

  57. 	${SSH} -ttq -F $OBJ/ssh_proxy somehost "tty > $OBJ/data; exit 0"
    58. 

  58. 	if [ $? -eq 0 ]; then
    59. 

  59. 		r=$(cat $OBJ/data)
    60. 

  60. 		if [ -e "$r" ]; then
    61. 

  61. 			fail "key option failed $which (pty $r)"
    62. 

  62. 		fi
    63. 

  63. 		case "$r" in
    64. 

  64. 			/dev/*) fail "key option failed $which (pty $r)" ;;
    65. 

  65. 			*) ;;
    66. 

  66. 		esac
    67. 

  67. 	fi
    68. 

  68. }
    69. 

  69. # First ensure that we can allocate a pty by default.
    70. 

  70. expect_pty_succeed "default" ""
    71. 

  71. expect_pty_fail "no-pty" "no-pty"
    72. 

  72. expect_pty_fail "restrict" "restrict"
    73. 

  73. expect_pty_succeed "restrict,pty" "restrict,pty"
    74. 

  74. 

  75. # Test environment=
    76. 

  76. # XXX this can fail if ~/.ssh/environment exists for the user running the test
    77. 

  77. echo 'PermitUserEnvironment yes' >> $OBJ/sshd_proxy
    78. 

  78. sed 's/.*/environment="FOO=bar" &/' $origkeys > $authkeys
    79. 

  79. verbose "key option environment"
    80. 

  80. r=$(${SSH} -q -F $OBJ/ssh_proxy somehost 'echo $FOO')
    81. 

  81. if [ "$r" != "bar" ]; then
    82. 

  82. 	fail "key option environment not set"
    83. 

  83. fi
    84. 

  84. 

  85. # Test from= restriction
    86. 

  86. start_sshd
    87. 

  87. for f in 127.0.0.1 '127.0.0.0\/8'; do
    88. 

  88. 	cat $origkeys > $authkeys
    89. 

  89. 	${SSH} -q -F $OBJ/ssh_proxy somehost true
    90. 

  90. 	if [ $? -ne 0 ]; then
    91. 

  91. 		fail "key option failed without restriction"
    92. 

  92. 	fi
    93. 

  93. 

  94. 	sed 's/.*/from="'"$f"'" &/' $origkeys > $authkeys
    95. 

  95. 	from=$(head -1 $authkeys | cut -f1 -d ' ')
    96. 

  96. 	verbose "key option $from"
    97. 

  97. 	r=$(${SSH} -q -F $OBJ/ssh_proxy somehost 'echo true')
    98. 

  98. 	if [ "$r" = "true" ]; then
    99. 

  99. 		fail "key option $from not restricted"
    100. 

  100. 	fi
    101. 

  101. 

  102. 	r=$(${SSH} -q -F $OBJ/ssh_config somehost 'echo true')
    103. 

  103. 	if [ "$r" != "true" ]; then
    104. 

  104. 		fail "key option $from not allowed but should be"
    105. 

  105. 	fi
    106. 

  106. done
    107. 

  107. 

  108. check_valid_before()
    109. 

  109. {
    110. 

  110. 	which=$1
    111. 

  111. 	opts=$2
    112. 

  112. 	expect=$3
    113. 

  113. 	sed "s/.*/$opts &/" $origkeys > $authkeys
    114. 

  114. 	verbose "key option expiry-time $which"
    115. 

  115. 	${SSH} -q -F $OBJ/ssh_proxy somehost true
    116. 

  116. 	r=$?
    117. 

  117. 	case "$expect" in
    118. 

  118. 		fail) test $r -eq 0 && fail "key option succeeded $which" ;;
    119. 

  119. 		pass) test $r -ne 0 && fail "key option failed $which" ;;
    120. 

  120. 		*) fatal "unknown expectation $expect" ;;
    121. 

  121. 	esac
    122. 

  122. }
    123. 

  123. check_valid_before "default" ""    "pass"
    124. 

  124. check_valid_before "invalid" 'expiry-time="INVALID"'  "fail"
    125. 

  125. check_valid_before "expired" 'expiry-time="19990101"' "fail"
    126. 

  126. check_valid_before "valid" 'expiry-time="20380101"' "pass"
    127. 

  127.