diff options
author | Matt Johnston <matt@ucc.asn.au> | 2022-03-16 17:17:23 +0800 |
---|---|---|
committer | Matt Johnston <matt@ucc.asn.au> | 2022-03-16 17:17:23 +0800 |
commit | 44e7d3487b69ceb188d70c22ff3d55310137ae19 (patch) | |
tree | 3a9e0952a56d7988e88859e66d142cd5a1b797f1 /test | |
parent | 7d2095c56c01900dcd0d645e11a34594d4ea5bf7 (diff) | |
download | dropbear-44e7d3487b69ceb188d70c22ff3d55310137ae19.tar.gz |
Fix SSH_PUBKEYINFO, limit characters, add tests
We fix a bad_bufptr() failure from a previous commit. We now limit
the allowed characters to those that will definitely be safe
in a shell. Some scripts/programs may use arbitrary environment
variables without escaping correctly - that could be a problem
in a restricted environment.
The current allowed set is a-z A-Z 0-9 .,_-+@
This also adds a test for SSH_PUBKEYINFO, by default it only runs
under github actions (or "act -j build").
Diffstat (limited to 'test')
-rw-r--r-- | test/test_svrauth.py | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/test/test_svrauth.py b/test/test_svrauth.py new file mode 100644 index 0000000..0ded6d4 --- /dev/null +++ b/test/test_svrauth.py @@ -0,0 +1,30 @@ +from test_dropbear import * +import signal +import queue +import socket +import os +from pathlib import Path + +# Tests for server side authentication + +# Requires keyfile and authorized_keys set up in github action build.yml +@pytest.mark.skipif('DBTEST_IN_ACTION' not in os.environ, reason="DBTEST_PUBKEYINFO not set") +def test_pubkeyinfo(request, dropbear): + kf = str(Path.home() / ".ssh/id_dropbear_key2") + r = dbclient(request, "-i", kf, "echo -n $SSH_PUBKEYINFO", capture_output=True) + # stop at first space + assert r.stdout.decode() == "key2" + +@pytest.mark.skipif('DBTEST_IN_ACTION' not in os.environ, reason="DBTEST_PUBKEYINFO not set") +def test_pubkeyinfo_special(request, dropbear): + kf = str(Path.home() / ".ssh/id_dropbear_key3") + r = dbclient(request, "-i", kf, "echo -n $SSH_PUBKEYINFO", capture_output=True) + # comment contains special characters so the SSH_PUBKEYINFO should not be set + assert r.stdout.decode() == "" + +@pytest.mark.skipif('DBTEST_IN_ACTION' not in os.environ, reason="DBTEST_PUBKEYINFO not set") +def test_pubkeyinfo_okchar(request, dropbear): + kf = str(Path.home() / ".ssh/id_dropbear_key4") + r = dbclient(request, "-i", kf, "echo -n $SSH_PUBKEYINFO", capture_output=True) + # comment contains special characters so the SSH_PUBKEYINFO should not be set + assert r.stdout.decode() == "key4,char" |