- dtucker@cvs.openbsd.org 2008/06/10 23:13:43

[Makefile regress/key-options.sh] Add regress test for key options. ok djm@
2008-06-11 09:38:12 +10:00 · 2008-06-11 09:38:12 +10:00 · e045e0c62a
parent 2a8b138ed8
commit e045e0c62a
2 changed files with 75 additions and 1 deletions
--- a/5
+++ b/5
@ -58,6 +58,9 @@
   - dtucker@cvs.openbsd.org 2008/06/10 23:21:34
     [bufaux.c]
     Use '\0' for a nul byte rather than unadorned 0.  ok djm@
+   - dtucker@cvs.openbsd.org 2008/06/10 23:13:43
+     [Makefile regress/key-options.sh]
+     Add regress test for key options.  ok djm@
 - (dtucker) [openbsd-compat/fake-rfc2553.h] Add sin6_scope_id to sockaddr_in6
   since the new CIDR code in addmatch.c references it.
 - (dtucker) [Makefile.in configure.ac regress/addrmatch.sh] Skip IPv6
@ -4150,4 +4153,4 @@
   OpenServer 6 and add osr5bigcrypt support so when someone migrates
   passwords between UnixWare and OpenServer they will still work. OK dtucker@

-$Id: ChangeLog,v 1.4964 2008/06/10 23:35:37 dtucker Exp $
+$Id: ChangeLog,v 1.4965 2008/06/10 23:38:12 dtucker Exp $
--- a/regress/key-options.sh
+++ b/regress/key-options.sh
@ -0,0 +1,71 @@
+#	$OpenBSD: key-options.sh,v 1.1 2008/06/10 23:13:43 dtucker Exp $
+#	Placed in the Public Domain.
+
+tid="key options"
+
+origkeys="$OBJ/authkeys_orig"
+authkeys="$OBJ/authorized_keys_${USER}"
+cp $authkeys $origkeys
+
+# Test command= forced command
+for p in 1 2; do
+    for c in 'command="echo bar"' 'no-pty,command="echo bar"'; do
+	sed "s/.*/$c &/" $origkeys >$authkeys
+	verbose "key option proto $p $c"
+	r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost echo foo`
+	if [ "$r" = "foo" ]; then
+		fail "key option forced command not restricted"
+	fi
+	if [ "$r" != "bar" ]; then
+		fail "key option forced command not executed"
+	fi
+    done
+done
+
+# Test no-pty
+sed 's/.*/no-pty &/' $origkeys >$authkeys
+for p in 1 2; do
+	verbose "key option proto $p no-pty"
+	r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost tty`
+	if [ -f "$r" ]; then
+		fail "key option failed proto $p no-pty (pty $r)"
+	fi
+done
+
+# Test environment=
+echo 'PermitUserEnvironment yes' >> $OBJ/sshd_proxy
+sed 's/.*/environment="FOO=bar" &/' $origkeys >$authkeys
+for p in 1 2; do
+	verbose "key option proto $p environment"
+	r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost 'echo $FOO'`
+	if [ "$r" != "bar" ]; then
+		fail "key option environment not set"
+	fi
+done
+
+# Test from= restriction
+start_sshd
+for p in 1 2; do
+    for f in 127.0.0.1 '127.0.0.0\/8'; do
+	cat  $origkeys >$authkeys
+	${SSH} -$p -q -F $OBJ/ssh_proxy somehost true
+	if [ $? -ne 0 ]; then
+		fail "key option proto $p failed without restriction"
+	fi
+
+	sed 's/.*/from="'$f'" &/' $origkeys >$authkeys
+	from=`head -1 $authkeys | cut -f1 -d ' '`
+	verbose "key option proto $p $from"
+	r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost 'echo true'`
+	if [ "$r" == "true" ]; then
+		fail "key option proto $p $from not restricted"
+	fi
+
+	r=`${SSH} -$p -q -F $OBJ/ssh_config somehost 'echo true'`
+	if [ "$r" != "true" ]; then
+		fail "key option proto $p $from not allowed but should be"
+	fi
+    done
+done
+
+rm -f "$origkeys"