From 7ddf27668f0e21233f08c0ab2fe9ee3fdd6ab1e2 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Wed, 1 Nov 2023 00:29:46 +0000 Subject: [PATCH] upstream: add some tests of forced commands overriding Subsystem directives OpenBSD-Regress-ID: eb48610282f6371672bdf2a8b5d2aa33cfbd322b --- regress/forcecommand.sh | 56 ++++++++++++++++++++++++++++++++--------- 1 file changed, 44 insertions(+), 12 deletions(-) diff --git a/regress/forcecommand.sh b/regress/forcecommand.sh index e756600a6..8d0114b40 100644 --- a/regress/forcecommand.sh +++ b/regress/forcecommand.sh @@ -1,35 +1,67 @@ -# $OpenBSD: forcecommand.sh,v 1.5 2023/05/12 06:36:27 djm Exp $ +# $OpenBSD: forcecommand.sh,v 1.6 2023/11/01 00:29:46 djm Exp $ # Placed in the Public Domain. tid="forced command" cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak -cp /dev/null $OBJ/authorized_keys_$USER -for t in ${SSH_KEYTYPES}; do - printf 'command="true" ' >>$OBJ/authorized_keys_$USER - cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER -done +authorized_keys() { + cmd=$1 + cp /dev/null $OBJ/authorized_keys_$USER + for t in ${SSH_KEYTYPES}; do + test -z "$cmd" || \ + printf "command=\"$cmd\" " >>$OBJ/authorized_keys_$USER + cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER + done +} + +trace "test config with sftp" +authorized_keys +rm -f $OBJ/ssh_proxy.tmp +echo "@get $OBJ/ssh_proxy $OBJ/ssh_proxy.tmp" | \ + ${SFTP} -b - -qF $OBJ/ssh_proxy somehost 2>/dev/null || \ + fail "sftp failed" +test -f "$OBJ/ssh_proxy.tmp" || fail "sftp did not download file" +rm -f $OBJ/ssh_proxy.tmp trace "forced command in key option" +authorized_keys true ${SSH} -F $OBJ/ssh_proxy somehost false || fail "forced command in key option" -cp /dev/null $OBJ/authorized_keys_$USER -for t in ${SSH_KEYTYPES}; do - printf 'command="false" ' >> $OBJ/authorized_keys_$USER - cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER -done - +authorized_keys false cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy echo "ForceCommand true" >> $OBJ/sshd_proxy trace "forced command in sshd_config overrides key option" ${SSH} -F $OBJ/ssh_proxy somehost false || fail "forced command config" +authorized_keys cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy echo "ForceCommand false" >> $OBJ/sshd_proxy + +trace "force command overriding subsystem" +echo "@get $OBJ/ssh_proxy $OBJ/ssh_proxy.tmp" | \ + ${SFTP} -F $OBJ/ssh_proxy -oLoglevel=quiet somehost && \ + fail "sftp succeeded" + echo "Match User $USER" >> $OBJ/sshd_proxy echo " ForceCommand true" >> $OBJ/sshd_proxy trace "forced command with match" ${SSH} -F $OBJ/ssh_proxy somehost false || fail "forced command match" + +trace "force command in match overriding subsystem" +echo "@get $OBJ/ssh_proxy $OBJ/ssh_proxy.tmp" | \ + ${SFTP} -F $OBJ/ssh_proxy -oLoglevel=quiet somehost && \ + fail "sftp succeeded" + +trace "force command to sftpserver" +grep -vi subsystem $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy +echo "Subsystem sftp /bin/false" >> $OBJ/sshd_proxy +echo "ForceCommand ${SFTPSERVER}" >> $OBJ/sshd_proxy +rm -f $OBJ/ssh_proxy.tmp +echo "@get $OBJ/ssh_proxy $OBJ/ssh_proxy.tmp" | \ + ${SFTP} -b - -qF $OBJ/ssh_proxy somehost 2>/dev/null || \ + fail "sftp failed" +test -f "$OBJ/ssh_proxy.tmp" || fail "sftp did not download file" +rm -f $OBJ/ssh_proxy.tmp