From 7f7105318a44943eab9e1a0e88365b6f99f022f3 Mon Sep 17 00:00:00 2001 From: djm Date: Wed, 1 Nov 2023 00:29:46 +0000 Subject: [PATCH] add some tests of forced commands overriding Subsystem directives --- regress/usr.bin/ssh/forcecommand.sh | 56 ++++++++++++++++++++++------- 1 file changed, 44 insertions(+), 12 deletions(-) diff --git a/regress/usr.bin/ssh/forcecommand.sh b/regress/usr.bin/ssh/forcecommand.sh index e756600a6f9..8d0114b4095 100644 --- a/regress/usr.bin/ssh/forcecommand.sh +++ b/regress/usr.bin/ssh/forcecommand.sh @@ -1,35 +1,67 @@ -# $OpenBSD: forcecommand.sh,v 1.5 2023/05/12 06:36:27 djm Exp $ +# $OpenBSD: forcecommand.sh,v 1.6 2023/11/01 00:29:46 djm Exp $ # Placed in the Public Domain. tid="forced command" cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak -cp /dev/null $OBJ/authorized_keys_$USER -for t in ${SSH_KEYTYPES}; do - printf 'command="true" ' >>$OBJ/authorized_keys_$USER - cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER -done +authorized_keys() { + cmd=$1 + cp /dev/null $OBJ/authorized_keys_$USER + for t in ${SSH_KEYTYPES}; do + test -z "$cmd" || \ + printf "command=\"$cmd\" " >>$OBJ/authorized_keys_$USER + cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER + done +} + +trace "test config with sftp" +authorized_keys +rm -f $OBJ/ssh_proxy.tmp +echo "@get $OBJ/ssh_proxy $OBJ/ssh_proxy.tmp" | \ + ${SFTP} -b - -qF $OBJ/ssh_proxy somehost 2>/dev/null || \ + fail "sftp failed" +test -f "$OBJ/ssh_proxy.tmp" || fail "sftp did not download file" +rm -f $OBJ/ssh_proxy.tmp trace "forced command in key option" +authorized_keys true ${SSH} -F $OBJ/ssh_proxy somehost false || fail "forced command in key option" -cp /dev/null $OBJ/authorized_keys_$USER -for t in ${SSH_KEYTYPES}; do - printf 'command="false" ' >> $OBJ/authorized_keys_$USER - cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER -done - +authorized_keys false cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy echo "ForceCommand true" >> $OBJ/sshd_proxy trace "forced command in sshd_config overrides key option" ${SSH} -F $OBJ/ssh_proxy somehost false || fail "forced command config" +authorized_keys cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy echo "ForceCommand false" >> $OBJ/sshd_proxy + +trace "force command overriding subsystem" +echo "@get $OBJ/ssh_proxy $OBJ/ssh_proxy.tmp" | \ + ${SFTP} -F $OBJ/ssh_proxy -oLoglevel=quiet somehost && \ + fail "sftp succeeded" + echo "Match User $USER" >> $OBJ/sshd_proxy echo " ForceCommand true" >> $OBJ/sshd_proxy trace "forced command with match" ${SSH} -F $OBJ/ssh_proxy somehost false || fail "forced command match" + +trace "force command in match overriding subsystem" +echo "@get $OBJ/ssh_proxy $OBJ/ssh_proxy.tmp" | \ + ${SFTP} -F $OBJ/ssh_proxy -oLoglevel=quiet somehost && \ + fail "sftp succeeded" + +trace "force command to sftpserver" +grep -vi subsystem $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy +echo "Subsystem sftp /bin/false" >> $OBJ/sshd_proxy +echo "ForceCommand ${SFTPSERVER}" >> $OBJ/sshd_proxy +rm -f $OBJ/ssh_proxy.tmp +echo "@get $OBJ/ssh_proxy $OBJ/ssh_proxy.tmp" | \ + ${SFTP} -b - -qF $OBJ/ssh_proxy somehost 2>/dev/null || \ + fail "sftp failed" +test -f "$OBJ/ssh_proxy.tmp" || fail "sftp did not download file" +rm -f $OBJ/ssh_proxy.tmp -- 2.20.1