Bugzilla – Attachment 2349 Details for
Bug 2103
remote command as an option in ssh_config
[patch]
RemoteCommand / PermitRemoteCommand + tests and doco
p2 (text/plain), 9.23 KB, created by
Daniel Black
on 2013-10-10 23:15:51 AEDT
Description:
RemoteCommand / PermitRemoteCommand + tests and doco
Creator:
Daniel Black
Created:
2013-10-10 23:15:51 AEDT
Size:
9.23 KB
>Index: readconf.c
>===================================================================
>RCS file: /cvs/openssh/readconf.c,v
>retrieving revision 1.186
>diff -u -r1.186 readconf.c
>--- readconf.c 20 Aug 2013 16:44:25 -0000 1.186
>+++ readconf.c 10 Oct 2013 12:10:01 -0000
>@@ -138,6 +138,7 @@
> oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
> oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
> oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
>+ oRemoteCommand, oPermitRemoteCommand,
> oIgnoredUnknownOption, oDeprecated, oUnsupported
> } OpCodes;
>
>@@ -238,6 +239,7 @@
> { "tunneldevice", oTunnelDevice },
> { "localcommand", oLocalCommand },
> { "permitlocalcommand", oPermitLocalCommand },
>+ { "permitremotecommand", oPermitRemoteCommand },
> { "visualhostkey", oVisualHostKey },
> { "useroaming", oUseRoaming },
> #ifdef JPAKE
>@@ -251,6 +253,7 @@
> { "requesttty", oRequestTTY },
> { "proxyusefdpass", oProxyUseFdpass },
> { "ignoreunknown", oIgnoreUnknown },
>+ { "remotecommand", oRemoteCommand },
>
> { NULL, oBadOption }
> };
>@@ -1020,10 +1023,18 @@
> charptr = &options->local_command;
> goto parse_command;
>
>+ case oRemoteCommand:
>+ charptr = &options->remote_command;
>+ goto parse_command;
>+
> case oPermitLocalCommand:
> intptr = &options->permit_local_command;
> goto parse_flag;
>
>+ case oPermitRemoteCommand:
>+ intptr = &options->permit_remote_command;
>+ goto parse_flag;
>+
> case oVisualHostKey:
> intptr = &options->visual_host_key;
> goto parse_flag;
>@@ -1232,6 +1243,8 @@
> options->tun_remote = -1;
> options->local_command = NULL;
> options->permit_local_command = -1;
>+ options->remote_command = NULL;
>+ options->permit_remote_command = -1;
> options->use_roaming = -1;
> options->visual_host_key = -1;
> options->zero_knowledge_password_authentication = -1;
>@@ -1379,6 +1392,8 @@
> options->tun_remote = SSH_TUNID_ANY;
> if (options->permit_local_command == -1)
> options->permit_local_command = 0;
>+ if (options->permit_remote_command == -1)
>+ options->permit_remote_command = 0;
> if (options->use_roaming == -1)
> options->use_roaming = 1;
> if (options->visual_host_key == -1)
>Index: readconf.h
>===================================================================
>RCS file: /cvs/openssh/readconf.h,v
>retrieving revision 1.88
>diff -u -r1.88 readconf.h
>--- readconf.h 20 Aug 2013 16:44:25 -0000 1.88
>+++ readconf.h 10 Oct 2013 12:10:02 -0000
>@@ -132,6 +132,8 @@
>
> char *local_command;
> int permit_local_command;
>+ char *remote_command;
>+ int permit_remote_command;
> int visual_host_key;
>
> int use_roaming;
>Index: ssh.1
>===================================================================
>RCS file: /cvs/openssh/ssh.1,v
>retrieving revision 1.295
>diff -u -r1.295 ssh.1
>--- ssh.1 20 Aug 2013 16:44:58 -0000 1.295
>+++ ssh.1 10 Oct 2013 12:10:03 -0000
>@@ -460,6 +460,7 @@
> .It NumberOfPasswordPrompts
> .It PasswordAuthentication
> .It PermitLocalCommand
>+.It PermitRemoteCommand
> .It PKCS11Provider
> .It Port
> .It PreferredAuthentications
>@@ -468,6 +469,7 @@
> .It ProxyUseFdpass
> .It PubkeyAuthentication
> .It RekeyLimit
>+.It RemoteCommand
> .It RemoteForward
> .It RequestTTY
> .It RhostsRSAAuthentication
>Index: ssh.c
>===================================================================
>RCS file: /cvs/openssh/ssh.c,v
>retrieving revision 1.377
>diff -u -r1.377 ssh.c
>--- ssh.c 25 Jul 2013 01:55:53 -0000 1.377
>+++ ssh.c 10 Oct 2013 12:10:05 -0000
>@@ -730,8 +730,13 @@
> options.request_tty == REQUEST_TTY_FORCE)
> tty_flag = 1;
>
>+ if (options.remote_command != NULL &&
>+ !options.permit_remote_command)
>+ options.remote_command = NULL;
>+
> /* Allocate a tty by default if no command specified. */
>- if (buffer_len(&command) == 0)
>+ if (buffer_len(&command) == 0 || (options.remote_command != NULL &&
>+ !subsystem_flag))
> tty_flag = options.request_tty != REQUEST_TTY_NO;
>
> /* Force no tty */
>@@ -779,6 +784,20 @@
> (char *)NULL);
> debug3("expanded LocalCommand: %s", options.local_command);
> free(cp);
>+ }
>+
>+ if (options.remote_command != NULL && !subsystem_flag &&
>+ buffer_len(&command) == 0) {
>+ debug3("expanding RemoteCommand: %s", options.local_command);
>+ cp = options.remote_command;
>+ options.remote_command = percent_expand(cp,
>+ "h", host, "l", thishost, "n", host_arg, "r", options.user,
>+ "p", portstr, "u", pw->pw_name, "L", shorthost,
>+ (char *)NULL);
>+ buffer_append(&command, options.remote_command,
>+ strlen(options.remote_command));
>+ debug3("expanded RemoteCommand: %s", options.remote_command);
>+ free(cp);
> }
>
> /* force lowercase for hostkey matching */
>Index: ssh_config
>===================================================================
>RCS file: /cvs/openssh/ssh_config,v
>retrieving revision 1.30
>diff -u -r1.30 ssh_config
>--- ssh_config 9 Oct 2013 23:24:12 -0000 1.30
>+++ ssh_config 10 Oct 2013 12:10:05 -0000
>@@ -43,6 +43,7 @@
> # Tunnel no
> # TunnelDevice any:any
> # PermitLocalCommand no
>+# PermitRemoteCommand no
> # VisualHostKey no
> # ProxyCommand ssh -q -W %h:%p gateway.example.com
> # RekeyLimit 1G 1h
>Index: ssh_config.5
>===================================================================
>RCS file: /cvs/openssh/ssh_config.5,v
>retrieving revision 1.168
>diff -u -r1.168 ssh_config.5
>--- ssh_config.5 20 Aug 2013 16:44:58 -0000 1.168
>+++ ssh_config.5 10 Oct 2013 12:10:05 -0000
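Review bot: In the ssh.c hunk at -730, the disjunct added to the tty check, `(options.remote_command != NULL && !subsystem_flag)`, only changes the outcome when a command was given on the command line, because an empty `command` buffer already satisfies the first test. That is the case in which the later hunk ignores RemoteCommand, so a permitted RemoteCommand in the config would make `ssh host cmd` follow the no-command tty default; keeping `if (buffer_len(&command) == 0)` unchanged looks like the intended behaviour. The permit check also clears the pointer with `options.remote_command = NULL;` without freeing it (presumably heap-allocated by the parser) and without a log line; `debug("RemoteCommand ignored: PermitRemoteCommand is not enabled");` before clearing it would make the silent discard visible. The enclosing function starts and ends outside the hunk.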
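Review bot: In the ssh.c hunk at -779, the first added debug call logs the wrong field: `debug3("expanding RemoteCommand: %s", options.local_command);` should pass `options.remote_command`, and as written it hands `%s` a NULL pointer whenever no LocalCommand is configured. The expanded string is appended to `command` as-is, so the values substituted for `%h`, `%n`, `%r` and the other tokens end up in text that the remote side will presumably hand to a shell; the block should carry a comment such as `/* expansions are inserted unquoted; host_arg and options.user must not carry shell metacharacters */` or validate those values before expansion. `"L", shorthost` is accepted here but is missing from the token list added to ssh_config.5. The enclosing function starts and ends outside the hunk.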
>@@ -862,6 +862,15 @@
> .Dq no .
> The default is
> .Dq no .
>+.It Cm PermitRemoteCommand
>+Allow remote command execution via the
>+.Ic RemoteCommand
>+The argument must be
>+.Dq yes
>+or
>+.Dq no .
>+The default is
>+.Dq no .
> .It Cm PKCS11Provider
> Specifies which PKCS#11 provider to use.
> The argument to this keyword is the PKCS#11 shared library
>@@ -980,6 +989,28 @@
> which means that rekeying is performed after the cipher's default amount
> of data has been sent or received and no time based rekeying is done.
> This option applies to protocol version 2 only.
>+.It Cm RemoteCommand
>+Specifies the command that will be executed on the remote machine.
>+The following escape character substitutions will be performed:
>+.Ql %h
>+(remote host name),
>+.Ql %l
>+(local host name),
>+.Ql %n
>+(host name as provided on the command line),
>+.Ql %p
>+(remote port),
>+.Ql %r
>+(remote user name) or
>+.Ql %u
>+(local user name).
>+.Pp
>+This directive is ignored unless
>+.Cm PermitRemoteCommand
>+has been enabled. Specifing a command on the
>+.Xr ssh 1
>+command line will disable the
>+.Cm RemoteCommand
> .It Cm RemoteForward
> Specifies that a TCP port on the remote machine be forwarded over
> the secure channel to the specified host and port from the local machine.
>Index: regress/Makefile
>===================================================================
>RCS file: /cvs/openssh/regress/Makefile,v
>retrieving revision 1.62
>diff -u -r1.62 Makefile
>--- regress/Makefile 8 Aug 2013 07:02:12 -0000 1.62
>+++ regress/Makefile 10 Oct 2013 12:10:05 -0000
>@@ -63,7 +63,9 @@
> keys-command \
> forward-control \
> integrity \
>- krl
>+ krl \
>+ remotecommand \
>+ remote_host-expand
>
> INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers
> #INTEROP_TESTS+=ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp
>Index: regress/README.regress
>===================================================================
>RCS file: /cvs/openssh/regress/README.regress,v
>retrieving revision 1.12
>diff -u -r1.12 README.regress
>--- regress/README.regress 5 May 2011 03:48:42 -0000 1.12
>+++ regress/README.regress 10 Oct 2013 12:10:05 -0000
>@@ -31,7 +31,7 @@
> TEST_SSH_PORT: TCP port to be used for the listening tests.
> TEST_SSH_SSH_CONFOPTS: Configuration directives to be added to ssh_config
> before running each test.
>-TEST_SSH_SSHD_CONFOTPS: Configuration directives to be added to sshd_config
>+TEST_SSH_SSHD_CONFOPTS: Configuration directives to be added to sshd_config
> before running each test.
>
>
>--- /dev/null 2013-10-07 09:07:14.067311290 +1100
>+++ regress/remotecommand.sh 2013-10-10 23:02:42.879469197 +1100
>@@ -0,0 +1,33 @@
>+# $OpenBSD: Exp $
>+# Placed in the Public Domain.
>+
>+tid="remotecommand"
>+
>+echo "RemoteCommand touch $OBJ/remote_test" >> $OBJ/ssh_proxy
>+
>+for p1 in disabled enabled; do
>+ for p in 1 2; do
>+ verbose "test $tid: proto $p remotecommand cmd override. $p1"
>+ ${SSH} -F $OBJ/ssh_proxy -$p somehost touch $OBJ/remote_command_tt
>+ if [ -f $OBJ/remote_test ] ; then
>+ fail "$tid proto $p cmd override failed"
>+ fi
>+ if [ ! -f $OBJ/remote_command_tt ] ; then
>+ fail "$tid proto $p cmd override no cmdline"
>+ fi
>+ [ -f $OBJ/remote_test ] && rm $OBJ/remote_test
>+ [ -f $OBJ/remote_command_tt ] && rm $OBJ/remote_command_tt
>+ done
>+ echo 'PermitRemoteCommand yes' >> $OBJ/ssh_proxy
>+done
>+
>+
>+for p in 1 2; do
>+ verbose "test $tid: proto $p remotecommand cmd override"
>+ ${SSH} -F $OBJ/ssh_proxy -$p somehost
>+ if [ ! -f $OBJ/remote_test ] ; then
>+ fail "$tid proto $p"
>+ else
>+ rm $OBJ/remote_test
>+ fi
>+done
>--- /dev/null 2013-10-07 09:07:14.067311290 +1100
>+++ regress/remote_host-expand.sh 2013-10-10 22:20:09.366199924 +1100
>@@ -0,0 +1,17 @@
>+# Placed in the Public Domain.
>+
>+tid="remote expand %h and %n"
>+
>+echo 'PermitRemoteCommand yes' >> $OBJ/ssh_proxy
>+echo "RemoteCommand echo \"%n %h\" > $OBJ/actual" >> $OBJ/ssh_proxy
>+
>+cat >$OBJ/expect <<EOE
>+somehost 127.0.0.1
>+EOE
>+
>+for p in 1 2; do
>+ verbose "test $tid: proto $p"
>+ ${SSH} -F $OBJ/ssh_proxy -$p somehost
>+ diff $OBJ/expect $OBJ/actual || fail "$tid proto $p"
>+done
>+
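Review bot: The `disabled` pass of the first loop in regress/remotecommand.sh never checks the gate it is named for: every ssh invocation in it supplies `touch $OBJ/remote_command_tt`, which overrides RemoteCommand whether or not PermitRemoteCommand is set, so the loop still passes if the permit check in ssh.c is removed. A case that runs without a command line while PermitRemoteCommand is still unset, and fails if `$OBJ/remote_test` exists afterwards, would cover the default-off behaviour. The final loop's message, `"test $tid: proto $p remotecommand cmd override"`, describes the opposite of what it runs, and `PermitRemoteCommand yes` is appended twice because the `echo` sits inside the outer loop.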
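Review bot: In regress/remote_host-expand.sh, `$OBJ/actual` is never removed, so the `diff` for protocol 2 can pass on the file left behind by the protocol 1 run (or by an earlier test run) even when the remote command did not execute; `rm -f $OBJ/actual` as the first statement inside the loop closes that. Only `%n` and `%h` are exercised; the other tokens documented for RemoteCommand have no coverage here.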