1 # $OpenBSD: keys-command.sh,v 1.3 2015/05/21 06:40:02 djm Exp $ 2 # Placed in the Public Domain. 3 4 tid="authorized keys from command" 5 6 if [ -z "$SUDO" -a ! -w /var/run ]; then 7 echo "skipped (SUDO not set)" 8 echo "need SUDO to create file in /var/run, test won't work without" 9 exit 0 10 fi 11 12 rm -f $OBJ/keys-command-args 13 14 touch $OBJ/keys-command-args 15 chmod a+rw $OBJ/keys-command-args 16 17 expected_key_text=`awk '{ print $2 }' < $OBJ/rsa.pub` 18 expected_key_fp=`$SSHKEYGEN -lf $OBJ/rsa.pub | awk '{ print $2 }'` 19 20 # Establish a AuthorizedKeysCommand in /var/run where it will have 21 # acceptable directory permissions. 22 KEY_COMMAND="/var/run/keycommand_${LOGNAME}" 23 cat << _EOF | $SUDO sh -c "rm -f '$KEY_COMMAND' ; cat > '$KEY_COMMAND'" 24 #!/bin/sh 25 echo args: "\$@" >> $OBJ/keys-command-args 26 echo "$PATH" | grep -q mekmitasdigoat && exit 7 27 test "x\$1" != "x${LOGNAME}" && exit 1 28 if test $# -eq 6 ; then 29 test "x\$2" != "xblah" && exit 2 30 test "x\$3" != "x${expected_key_text}" && exit 3 31 test "x\$4" != "xssh-rsa" && exit 4 32 test "x\$5" != "x${expected_key_fp}" && exit 5 33 test "x\$6" != "xblah" && exit 6 34 fi 35 exec cat "$OBJ/authorized_keys_${LOGNAME}" 36 _EOF 37 $SUDO chmod 0755 "$KEY_COMMAND" 38 39 if ! $OBJ/check-perm -m keys-command $KEY_COMMAND ; then 40 echo "skipping: $KEY_COMMAND is unsuitable as AuthorizedKeysCommand" 41 $SUDO rm -f $KEY_COMMAND 42 exit 0 43 fi 44 45 if [ -x $KEY_COMMAND ]; then 46 cp $OBJ/sshd_proxy $OBJ/sshd_proxy.bak 47 48 verbose "AuthorizedKeysCommand with arguments" 49 ( 50 grep -vi AuthorizedKeysFile $OBJ/sshd_proxy.bak 51 echo AuthorizedKeysFile none 52 echo AuthorizedKeysCommand $KEY_COMMAND %u blah %k %t %f blah 53 echo AuthorizedKeysCommandUser ${LOGNAME} 54 ) > $OBJ/sshd_proxy 55 56 # Ensure that $PATH is sanitised in sshd 57 env PATH=$PATH:/sbin/mekmitasdigoat \ 58 ${SSH} -F $OBJ/ssh_proxy somehost true 59 if [ $? -ne 0 ]; then 60 fail "connect failed" 61 fi 62 63 verbose "AuthorizedKeysCommand without arguments" 64 # Check legacy behavior of no-args resulting in username being passed. 65 ( 66 grep -vi AuthorizedKeysFile $OBJ/sshd_proxy.bak 67 echo AuthorizedKeysFile none 68 echo AuthorizedKeysCommand $KEY_COMMAND 69 echo AuthorizedKeysCommandUser ${LOGNAME} 70 ) > $OBJ/sshd_proxy 71 72 # Ensure that $PATH is sanitised in sshd 73 env PATH=$PATH:/sbin/mekmitasdigoat \ 74 ${SSH} -F $OBJ/ssh_proxy somehost true 75 if [ $? -ne 0 ]; then 76 fail "connect failed" 77 fi 78 else 79 echo "SKIPPED: $KEY_COMMAND not executable (/var/run mounted noexec?)" 80 fi 81 82 $SUDO rm -f $KEY_COMMAND 83