summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authordjm@openbsd.org <djm@openbsd.org>2023-11-01 01:29:46 +0100
committerDamien Miller <djm@mindrot.org>2023-11-01 01:39:55 +0100
commit7ddf27668f0e21233f08c0ab2fe9ee3fdd6ab1e2 (patch)
tree90bc0dc270036d0d2c34d5fe6eaa1e0f944eea8a
parentupstream: Don't try to use sudo inside sshd log wrapper. (diff)
downloadopenssh-7ddf27668f0e21233f08c0ab2fe9ee3fdd6ab1e2.tar.xz
openssh-7ddf27668f0e21233f08c0ab2fe9ee3fdd6ab1e2.zip
upstream: add some tests of forced commands overriding Subsystem
directives OpenBSD-Regress-ID: eb48610282f6371672bdf2a8b5d2aa33cfbd322b
-rw-r--r--regress/forcecommand.sh56
1 files changed, 44 insertions, 12 deletions
diff --git a/regress/forcecommand.sh b/regress/forcecommand.sh
index e756600a6..8d0114b40 100644
--- a/regress/forcecommand.sh
+++ b/regress/forcecommand.sh
@@ -1,35 +1,67 @@
-# $OpenBSD: forcecommand.sh,v 1.5 2023/05/12 06:36:27 djm Exp $
+# $OpenBSD: forcecommand.sh,v 1.6 2023/11/01 00:29:46 djm Exp $
# Placed in the Public Domain.
tid="forced command"
cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
-cp /dev/null $OBJ/authorized_keys_$USER
-for t in ${SSH_KEYTYPES}; do
- printf 'command="true" ' >>$OBJ/authorized_keys_$USER
- cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
-done
+authorized_keys() {
+ cmd=$1
+ cp /dev/null $OBJ/authorized_keys_$USER
+ for t in ${SSH_KEYTYPES}; do
+ test -z "$cmd" || \
+ printf "command=\"$cmd\" " >>$OBJ/authorized_keys_$USER
+ cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
+ done
+}
+
+trace "test config with sftp"
+authorized_keys
+rm -f $OBJ/ssh_proxy.tmp
+echo "@get $OBJ/ssh_proxy $OBJ/ssh_proxy.tmp" | \
+ ${SFTP} -b - -qF $OBJ/ssh_proxy somehost 2>/dev/null || \
+ fail "sftp failed"
+test -f "$OBJ/ssh_proxy.tmp" || fail "sftp did not download file"
+rm -f $OBJ/ssh_proxy.tmp
trace "forced command in key option"
+authorized_keys true
${SSH} -F $OBJ/ssh_proxy somehost false || fail "forced command in key option"
-cp /dev/null $OBJ/authorized_keys_$USER
-for t in ${SSH_KEYTYPES}; do
- printf 'command="false" ' >> $OBJ/authorized_keys_$USER
- cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
-done
-
+authorized_keys false
cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
echo "ForceCommand true" >> $OBJ/sshd_proxy
trace "forced command in sshd_config overrides key option"
${SSH} -F $OBJ/ssh_proxy somehost false || fail "forced command config"
+authorized_keys
cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
echo "ForceCommand false" >> $OBJ/sshd_proxy
+
+trace "force command overriding subsystem"
+echo "@get $OBJ/ssh_proxy $OBJ/ssh_proxy.tmp" | \
+ ${SFTP} -F $OBJ/ssh_proxy -oLoglevel=quiet somehost && \
+ fail "sftp succeeded"
+
echo "Match User $USER" >> $OBJ/sshd_proxy
echo " ForceCommand true" >> $OBJ/sshd_proxy
trace "forced command with match"
${SSH} -F $OBJ/ssh_proxy somehost false || fail "forced command match"
+
+trace "force command in match overriding subsystem"
+echo "@get $OBJ/ssh_proxy $OBJ/ssh_proxy.tmp" | \
+ ${SFTP} -F $OBJ/ssh_proxy -oLoglevel=quiet somehost && \
+ fail "sftp succeeded"
+
+trace "force command to sftpserver"
+grep -vi subsystem $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
+echo "Subsystem sftp /bin/false" >> $OBJ/sshd_proxy
+echo "ForceCommand ${SFTPSERVER}" >> $OBJ/sshd_proxy
+rm -f $OBJ/ssh_proxy.tmp
+echo "@get $OBJ/ssh_proxy $OBJ/ssh_proxy.tmp" | \
+ ${SFTP} -b - -qF $OBJ/ssh_proxy somehost 2>/dev/null || \
+ fail "sftp failed"
+test -f "$OBJ/ssh_proxy.tmp" || fail "sftp did not download file"
+rm -f $OBJ/ssh_proxy.tmp