Mercurial > dropbear
annotate test/test_dropbearconvert.py @ 1930:299f4f19ba19
Add /usr/sbin and /sbin to default root PATH
When dropbear is used in a very restricted environment (such as in a
initrd), the default user shell is often also very restricted
and doesn't take care of setting the PATH so the user ends up
with the PATH set by dropbear. Unfortunately, dropbear always
sets "/usr/bin:/bin" as default PATH even for the root user
which should have /usr/sbin and /sbin too.
For a concrete instance of this problem, see the "Remote Unlocking"
section in this tutorial: https://paxswill.com/blog/2013/11/04/encrypted-raspberry-pi/
It speaks of a bug in the initramfs script because it's written "blkid"
instead of "/sbin/blkid"... this is just because the scripts from the
initramfs do not expect to have a PATH without the sbin directories and
because dropbear is not setting the PATH appropriately for the root user.
I'm thus suggesting to use the attached patch to fix this misbehaviour (I
did not test it, but it's easy enough). It might seem anecdotic but
multiple Kali users have been bitten by this.
From https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903403
author | Raphael Hertzog <hertzog@debian.org> |
---|---|
date | Mon, 09 Jul 2018 16:27:53 +0200 |
parents | ced53051e200 |
children |
rev | line source |
---|---|
1909 | 1 import subprocess |
2 import tempfile | |
3 | |
4 import pytest | |
5 | |
6 keytypes = [ | |
7 "rsa", "rsa-4096", | |
8 "ed25519", | |
9 "ecdsa", "ecdsa-256", "ecdsa-384", "ecdsa-521", | |
10 "dss", | |
11 ] | |
12 | |
13 def parse_keytype(kt): | |
14 if '-' in kt: | |
15 return kt.split('-') | |
16 else: | |
17 return (kt, None) | |
18 | |
19 @pytest.mark.parametrize("keytype", keytypes) | |
20 @pytest.mark.parametrize("keyformat", [None, "PEM"]) | |
21 def test_from_openssh(request, tmp_path, keytype, keyformat): | |
22 """ | |
23 Convert OpenSSH to Dropbear format, | |
24 PEM and OpenSSH internal | |
25 """ | |
26 opt = request.config.option | |
27 kt, keybits = parse_keytype(keytype) | |
28 | |
29 if kt == 'dss' and keyformat is None: | |
1911
ced53051e200
Add ecdsa OpenSSH format for dropbearconvert
Matt Johnston <matt@ucc.asn.au>
parents:
1909
diff
changeset
|
30 pytest.skip("dss doesn't support openssh format") |
1909 | 31 |
32 os_kt = kt | |
33 if os_kt == 'dss': | |
34 # OpenSSH calls it 'dsa', Dropbear calls it 'dss' | |
35 os_kt = 'dsa' | |
36 | |
37 os_key = tmp_path / 'oskey1' | |
38 db_key = tmp_path / 'dbkey1' | |
39 | |
40 # Generate an OpenSSH key | |
41 args = [ | |
42 opt.ssh_keygen, | |
43 '-f', os_key, | |
44 '-t', os_kt, | |
45 '-N', '', # no password | |
46 ] | |
47 if keybits is not None: | |
48 args += ['-b', keybits] | |
49 if keyformat: | |
50 args += ['-m', keyformat] | |
51 p = subprocess.run(args, check=True) | |
52 | |
53 # Convert to dropbear format | |
54 args = [ | |
55 opt.dropbearconvert, | |
56 'openssh', 'dropbear', | |
57 os_key, db_key, | |
58 ] | |
59 p = subprocess.run(args, check=True) | |
60 | |
61 # Compare pubkeys | |
62 args = [ | |
63 opt.dropbearkey, | |
64 '-f', db_key, | |
65 '-y' | |
66 ] | |
67 p = subprocess.run(args, check=True, stdout=subprocess.PIPE, text=True) | |
68 db_pubkey = p.stdout.splitlines()[1].strip() | |
69 os_pubkey = os_key.with_suffix('.pub').open().read().strip() | |
70 # we compare the whole key including comment since it currently matches | |
71 assert db_pubkey == os_pubkey | |
72 | |
73 @pytest.mark.parametrize("keytype", keytypes) | |
74 def test_roundtrip(request, tmp_path, keytype): | |
75 """ | |
76 Dropbear's private key format is deterministic so | |
77 we can compare round trip conversion. (OpenSSH's | |
78 format has more variable comments and other fields). | |
79 """ | |
80 opt = request.config.option | |
81 kt, keybits = parse_keytype(keytype) | |
82 | |
83 os_key = tmp_path / 'oskey1' | |
84 db_key1 = tmp_path / 'dbkey1' | |
85 db_key2 = tmp_path / 'dbkey2' | |
86 | |
87 # generate a key | |
88 args = [ | |
89 opt.dropbearkey, | |
90 '-t', kt, | |
91 '-f', db_key1, | |
92 ] | |
93 if keybits is not None: | |
94 args += ['-s', keybits] | |
95 p = subprocess.run(args, check=True) | |
96 | |
97 # convert to openssh | |
98 args = [ | |
99 opt.dropbearconvert, | |
100 'dropbear', 'openssh', | |
101 db_key1, os_key, | |
102 ] | |
103 p = subprocess.run(args, check=True) | |
104 | |
105 # Check ssh-keygen can read it | |
106 args = [ | |
107 opt.ssh_keygen, | |
108 '-f', os_key, | |
109 '-y', | |
110 ] | |
111 p = subprocess.run(args, check=True, text=True, stdout=subprocess.PIPE) | |
112 os_pubkey = p.stdout.strip() | |
113 | |
114 # Compare public keys | |
115 args = [ | |
116 opt.dropbearkey, | |
117 '-f', db_key1, | |
118 '-y', | |
119 ] | |
120 p = subprocess.run(args, check=True, text=True, stdout=subprocess.PIPE) | |
121 db_pubkey = p.stdout.splitlines()[1].strip() | |
122 # comment may differ | |
123 db_pubkey = db_pubkey.split(' ')[:2] | |
124 os_pubkey = os_pubkey.split(' ')[:2] | |
125 assert db_pubkey == os_pubkey | |
126 | |
127 # convert back to dropbear | |
128 args = [ | |
129 opt.dropbearconvert, | |
130 'openssh', 'dropbear', | |
131 os_key, db_key2, | |
132 ] | |
133 p = subprocess.run(args, check=True) | |
134 # check the round trip is identical | |
135 assert db_key1.open('rb').read() == db_key2.open('rb').read() |