Attachment #2545 for bug #2081

View | Details | Raw Unified | Return to bug 2081 | Differences between

and this patch

Lines 7-32 if [ -z "$SUDO" ]; then Link Here

(-)keys-command.sh (-10 / +47 lines)
7	fatal "need SUDO to create file in /var/run, test won't work without"	7	fatal "need SUDO to create file in /var/run, test won't work without"
8	fi	8	fi
9		9
		10	rm -f $OBJ/keys-command-args
		11
		12	touch $OBJ/keys-command-args
		13	chmod a+rw $OBJ/keys-command-args
		14
		15	expected_key_text=`awk '{ print $2 }' < $OBJ/rsa.pub`
		16	expected_key_fp=`$SSHKEYGEN -lf $OBJ/rsa.pub \| awk '{ print $2 }'`
		17
10	# Establish a AuthorizedKeysCommand in /var/run where it will have	18	# Establish a AuthorizedKeysCommand in /var/run where it will have
11	# acceptable directory permissions.	19	# acceptable directory permissions.
12	KEY_COMMAND="/var/run/keycommand_${LOGNAME}"	20	KEY_COMMAND="/var/run/keycommand_${LOGNAME}"
13	cat << _EOF \| $SUDO sh -c "cat > '$KEY_COMMAND'"	21	cat << _EOF \| $SUDO sh -c "rm -f '$KEY_COMMAND' ; cat > '$KEY_COMMAND'"
14	#!/bin/sh	22	#!/bin/sh
		23	echo args: "\$@" >> $OBJ/keys-command-args
		24	echo "$PATH" \| grep -q mekmitasdigoat && exit 7
15	test "x\$1" != "x${LOGNAME}" && exit 1	25	test "x\$1" != "x${LOGNAME}" && exit 1
		26	if test $# -eq 6 ; then
		27	test "x\$2" != "xblah" && exit 2
		28	test "x\$3" != "x${expected_key_text}" && exit 3
		29	test "x\$4" != "xssh-rsa" && exit 4
		30	test "x\$5" != "x${expected_key_fp}" && exit 5
		31	test "x\$6" != "xblah" && exit 6
		32	fi
16	exec cat "$OBJ/authorized_keys_${LOGNAME}"	33	exec cat "$OBJ/authorized_keys_${LOGNAME}"
17	_EOF	34	_EOF
18	$SUDO chmod 0755 "$KEY_COMMAND"	35	$SUDO chmod 0755 "$KEY_COMMAND"
19		36
20	cp $OBJ/sshd_proxy $OBJ/sshd_proxy.bak
21	(
22	grep -vi AuthorizedKeysFile $OBJ/sshd_proxy.bak
23	echo AuthorizedKeysFile none
24	echo AuthorizedKeysCommand $KEY_COMMAND
25	echo AuthorizedKeysCommandUser ${LOGNAME}
26	) > $OBJ/sshd_proxy
27
28	if [ -x $KEY_COMMAND ]; then	37	if [ -x $KEY_COMMAND ]; then
29	${SSH} -F $OBJ/ssh_proxy somehost true	38	cp $OBJ/sshd_proxy $OBJ/sshd_proxy.bak
		39
		40	verbose "AuthorizedKeysCommand with arguments"
		41	(
		42	grep -vi AuthorizedKeysFile $OBJ/sshd_proxy.bak
		43	echo AuthorizedKeysFile none
		44	echo AuthorizedKeysCommand $KEY_COMMAND %u blah %k %t %f blah
		45	echo AuthorizedKeysCommandUser ${LOGNAME}
		46	) > $OBJ/sshd_proxy
		47
		48	# Ensure that $PATH is sanitised in sshd
		49	env PATH=$PATH:/sbin/mekmitasdigoat \
		50	${SSH} -F $OBJ/ssh_proxy somehost true
		51	if [ $? -ne 0 ]; then
		52	fail "connect failed"
		53	fi
		54
		55	verbose "AuthorizedKeysCommand without arguments"
		56	# Check legacy behavior of no-args resulting in username being passed.
		57	(
		58	grep -vi AuthorizedKeysFile $OBJ/sshd_proxy.bak
		59	echo AuthorizedKeysFile none
		60	echo AuthorizedKeysCommand $KEY_COMMAND
		61	echo AuthorizedKeysCommandUser ${LOGNAME}
		62	) > $OBJ/sshd_proxy
		63
		64	# Ensure that $PATH is sanitised in sshd
		65	env PATH=$PATH:/sbin/mekmitasdigoat \
		66	${SSH} -F $OBJ/ssh_proxy somehost true
30	if [ $? -ne 0 ]; then	67	if [ $? -ne 0 ]; then
31	fail "connect failed"	68	fail "connect failed"
32	fi	69	fi

Return to bug 2081