author | djm@openbsd.org <djm@openbsd.org> | 2023-11-01 01:29:46 +0100 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2023-11-01 01:39:55 +0100 |
commit | 7ddf27668f0e21233f08c0ab2fe9ee3fdd6ab1e2 (patch) | |
tree | 90bc0dc270036d0d2c34d5fe6eaa1e0f944eea8a | |
parent | upstream: Don't try to use sudo inside sshd log wrapper. (diff) | |
upstream: add some tests of forced commands overriding Subsystem
directives
OpenBSD-Regress-ID: eb48610282f6371672bdf2a8b5d2aa33cfbd322b
-rw-r--r-- | regress/forcecommand.sh | 56 |
1 files changed, 44 insertions, 12 deletions
diff --git a/regress/forcecommand.sh b/regress/forcecommand.sh
index e756600a6..8d0114b40 100644
--- a/regress/forcecommand.sh
+++ b/regress/forcecommand.sh
@@ -1,35 +1,67 @@
-# $OpenBSD: forcecommand.sh,v 1.5 2023/05/12 06:36:27 djm Exp $
+# $OpenBSD: forcecommand.sh,v 1.6 2023/11/01 00:29:46 djm Exp $
 # Placed in the Public Domain.
 tid="forced command"
 cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
-cp /dev/null $OBJ/authorized_keys_$USER
-for t in ${SSH_KEYTYPES}; do
- printf 'command="true" ' >>$OBJ/authorized_keys_$USER
- cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
-done
+authorized_keys() {
+ cmd=$1
+ cp /dev/null $OBJ/authorized_keys_$USER
+ for t in ${SSH_KEYTYPES}; do
+ test -z "$cmd" || \
+ printf "command=\"$cmd\" " >>$OBJ/authorized_keys_$USER
+ cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
+ done
+}
+
+trace "test config with sftp"
+authorized_keys
+rm -f $OBJ/ssh_proxy.tmp
+echo "@get $OBJ/ssh_proxy $OBJ/ssh_proxy.tmp" | \
+ ${SFTP} -b - -qF $OBJ/ssh_proxy somehost 2>/dev/null || \
+ fail "sftp failed"
+test -f "$OBJ/ssh_proxy.tmp" || fail "sftp did not download file"
+rm -f $OBJ/ssh_proxy.tmp
 trace "forced command in key option"
+authorized_keys true
 ${SSH} -F $OBJ/ssh_proxy somehost false || fail "forced command in key option"
-cp /dev/null $OBJ/authorized_keys_$USER
-for t in ${SSH_KEYTYPES}; do
- printf 'command="false" ' >> $OBJ/authorized_keys_$USER
- cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
-done
-
+authorized_keys false
 cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
 echo "ForceCommand true" >> $OBJ/sshd_proxy
 trace "forced command in sshd_config overrides key option"
 ${SSH} -F $OBJ/ssh_proxy somehost false || fail "forced command config"
+authorized_keys
 cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
 echo "ForceCommand false" >> $OBJ/sshd_proxy
+
+trace "force command overriding subsystem"
+echo "@get $OBJ/ssh_proxy $OBJ/ssh_proxy.tmp" | \
+ ${SFTP} -F $OBJ/ssh_proxy -oLoglevel=quiet somehost && \
+ fail "sftp succeeded"
+
 echo "Match User $USER" >> $OBJ/sshd_proxy
 echo " ForceCommand true" >> $OBJ/sshd_proxy
 trace "forced command with match"
 ${SSH} -F $OBJ/ssh_proxy somehost false || fail "forced command match"
+
+trace "force command in match overriding subsystem"
+echo "@get $OBJ/ssh_proxy $OBJ/ssh_proxy.tmp" | \
+ ${SFTP} -F $OBJ/ssh_proxy -oLoglevel=quiet somehost && \
+ fail "sftp succeeded"
+
+trace "force command to sftpserver"
+grep -vi subsystem $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
+echo "Subsystem sftp /bin/false" >> $OBJ/sshd_proxy
+echo "ForceCommand ${SFTPSERVER}" >> $OBJ/sshd_proxy
+rm -f $OBJ/ssh_proxy.tmp
+echo "@get $OBJ/ssh_proxy $OBJ/ssh_proxy.tmp" | \
+ ${SFTP} -b - -qF $OBJ/ssh_proxy somehost 2>/dev/null || \
+ fail "sftp failed"
+test -f "$OBJ/ssh_proxy.tmp" || fail "sftp did not download file"
+rm -f $OBJ/ssh_proxy.tmp
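Review bot: The two negative cases, "force command overriding subsystem" and "force command in match overriding subsystem", assert only on the exit status of `${SFTP}`, which is invoked there without `-b -`, so the check rests on the connection itself failing rather than on the observable outcome; mirroring the positive cases with `rm -f $OBJ/ssh_proxy.tmp` before each and `test -f "$OBJ/ssh_proxy.tmp" && fail "forced command did not override subsystem"` after each ties the assertion to what the test is meant to prove. In `authorized_keys()`, `cmd` is assigned without `local` (if the harness shell supports it) and so survives the call as a global, and `$cmd` is expanded inside the printf format string rather than passed as an argument; `printf 'command="%s" ' "$cmd"` keeps a future argument containing `%` or backslashes from being interpreted. The final "force command to sftpserver" case also leaves `$OBJ/sshd_proxy` rewritten without its Subsystem line and never restores from `sshd_proxy_bak`, which is only safe while it remains the last test in the file.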