author | Darren Tucker <dtucker@zip.com.au> | 2008-06-11 09:38:12 +1000 |
---|---|---|
committer | Darren Tucker <dtucker@zip.com.au> | 2008-06-11 09:38:12 +1000 |
commit | e045e0c62ae29fb7a2ed175c973fda32e60ee43d (patch) | |
tree | 51aae239029c8f4ce2992c9fee33b32c02d41e3b | |
parent | 2a8b138ed852625abeb56192f8439061761bdb93 (diff) | |
download | openssh-git-e045e0c62ae29fb7a2ed175c973fda32e60ee43d.tar.gz |
- dtucker@cvs.openbsd.org 2008/06/10 23:13:43
[Makefile regress/key-options.sh]
Add regress test for key options. ok djm@
-rw-r--r-- | ChangeLog | 5 | ||||
-rw-r--r-- | regress/key-options.sh | 71 |
2 files changed, 75 insertions, 1 deletions
@@ -58,6 +58,9 @@ - dtucker@cvs.openbsd.org 2008/06/10 23:21:34 [bufaux.c] Use '\0' for a nul byte rather than unadorned 0. ok djm@ + - dtucker@cvs.openbsd.org 2008/06/10 23:13:43 + [Makefile regress/key-options.sh] + Add regress test for key options. ok djm@ - (dtucker) [openbsd-compat/fake-rfc2553.h] Add sin6_scope_id to sockaddr_in6 since the new CIDR code in addmatch.c references it. - (dtucker) [Makefile.in configure.ac regress/addrmatch.sh] Skip IPv6 @@ -4150,4 +4153,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.4964 2008/06/10 23:35:37 dtucker Exp $ +$Id: ChangeLog,v 1.4965 2008/06/10 23:38:12 dtucker Exp $ diff --git a/regress/key-options.sh b/regress/key-options.sh new file mode 100644 index 00000000..b4dd4705 --- /dev/null +++ b/regress/key-options.sh 
@@ -0,0 +1,71 @@
+# $OpenBSD: key-options.sh,v 1.1 2008/06/10 23:13:43 dtucker Exp $
+# Placed in the Public Domain.
+
+tid="key options"
+
+origkeys="$OBJ/authkeys_orig"
+authkeys="$OBJ/authorized_keys_${USER}"
+cp $authkeys $origkeys
+
+# Test command= forced command
+for p in 1 2; do
+ for c in 'command="echo bar"' 'no-pty,command="echo bar"'; do
+ sed "s/.*/$c &/" $origkeys >$authkeys
+ verbose "key option proto $p $c"
+ r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost echo foo`
+ if [ "$r" = "foo" ]; then
+ fail "key option forced command not restricted"
+ fi
+ if [ "$r" != "bar" ]; then
+ fail "key option forced command not executed"
+ fi
+ done
+done
+
+# Test no-pty
+sed 's/.*/no-pty &/' $origkeys >$authkeys
+for p in 1 2; do
+ verbose "key option proto $p no-pty"
+ r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost tty`
+ if [ -f "$r" ]; then
+ fail "key option failed proto $p no-pty (pty $r)"
+ fi
+done
+
+# Test environment=
+echo 'PermitUserEnvironment yes' >> $OBJ/sshd_proxy
+sed 's/.*/environment="FOO=bar" &/' $origkeys >$authkeys
+for p in 1 2; do
+ verbose "key option proto $p environment"
+ r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost 'echo $FOO'`
+ if [ "$r" != "bar" ]; then
+ fail "key option environment not set"
+ fi
+done
+
+# Test from= restriction
+start_sshd
+for p in 1 2; do
+ for f in 127.0.0.1 '127.0.0.0\/8'; do
+ cat $origkeys >$authkeys
+ ${SSH} -$p -q -F $OBJ/ssh_proxy somehost true
+ if [ $? -ne 0 ]; then
+ fail "key option proto $p failed without restriction"
+ fi
+
+ sed 's/.*/from="'$f'" &/' $origkeys >$authkeys
+ from=`head -1 $authkeys | cut -f1 -d ' '`
+ verbose "key option proto $p $from"
+ r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost 'echo true'`
+ if [ "$r" == "true" ]; then
+ fail "key option proto $p $from not restricted"
+ fi
+
+ r=`${SSH} -$p -q -F $OBJ/ssh_config somehost 'echo true'`
+ if [ "$r" != "true" ]; then
+ fail "key option proto $p $from not allowed but should be"
+ fi
+ done
+done
+
+rm -f "$origkeys" |
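Review bot: The no-pty check cannot fail as written, so it does not show that sshd enforces the option. `[ -f "$r" ]` tests for a regular file, but a terminal path printed by `tty` is a character device, and ssh does not request a pty for a remote command unless `-t` is given. Forcing a terminal request with `-tt` and testing `[ -c "$r" ]` would make the restriction observable. In the from= loop, `[ "$r" == "true" ]` uses a non-POSIX operator; under a `/bin/sh` whose `[` rejects `==` the test errors, `fail` is never reached and an unrestricted key goes unreported, so use `=` as the earlier checks do. The script also leaves `PermitUserEnvironment yes` in sshd_proxy and the last from= prefix in the authorized_keys file, which later tests would presumably inherit if they reuse those files.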