Fix check shell before executing

Bumps [golang.org/x/crypto](https://github.com/golang/crypto) from 0.33.0 to 0.35.0.
- [Commits](https://github.com/golang/crypto/compare/v0.33.0...v0.35.0)

---
updated-dependencies:
- dependency-name: golang.org/x/crypto
  dependency-version: 0.35.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

breakglass.go

@@ -193,8 +193,8 @@ func initMOTD() error {
 func main() {
 	flag.Parse()
 	log.SetFlags(log.LstdFlags | log.Lshortfile)
+
 	installBusybox()
-	gokrazy.DontStartOnBoot()
 
 	loadPasswd("/etc/passwd")
 

go.mod

@@ -10,7 +10,7 @@ require (
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510
 	github.com/kr/pty v1.1.8
 	github.com/pkg/sftp v1.13.5
-	golang.org/x/crypto v0.33.0
+	golang.org/x/crypto v0.35.0
 )
 
 require (

go.sum

@@ -33,8 +33,8 @@ github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+
 github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.33.0 h1:IOBPskki6Lysi0lo9qQvbxiQ+FvsCC/YWOecCHAixus=
-golang.org/x/crypto v0.33.0/go.mod h1:bVdXmD7IV/4GdElGPozy6U7lWdRXA4qyRVGJV57uQ5M=
+golang.org/x/crypto v0.35.0 h1:b15kiHdrGCHrP6LvwaQ3c03kgNhhiMgvlhxHQhmg2Xs=
+golang.org/x/crypto v0.35.0/go.mod h1:dy7dXNW32cAb/6/PRuTNsix8T+vJAqvuIy5Bli/x0YQ=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/oauth2 v0.23.0 h1:PbgcYx2W7i4LvjJWEbf0ngHV6qJYr86PkAV3bXdLEbs=
 golang.org/x/oauth2 v0.23.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=

ssh.go

@@ -14,6 +14,7 @@ import (
 	"strings"
 	"sync"
 	"syscall"
+	"time"
 	"unsafe"
 
 	"github.com/gokrazy/gokrazy"
@@ -220,6 +221,14 @@ type exitStatus struct {
 	Status uint32
 }
 
+func shellWorks(shell string) bool {
+	ctx, cancel := context.WithTimeout(context.Background(), 200*time.Millisecond)
+	defer cancel()
+	cmd := exec.CommandContext(ctx, shell, "-c", "exit 58")
+	cmd.Run()
+	return cmd.ProcessState != nil && cmd.ProcessState.ExitCode() == 58
+}
+
 func findShell() string {
 	if _, err := os.Stat(wellKnownBusybox); err == nil {
 		// Install busybox to /bin to provide the typical userspace utilities
@@ -229,13 +238,13 @@ func findShell() string {
 			// fallthrough, we don't return /bin/sh as we read /etc/passwd
 		}
 	}
-	if _, err := exec.LookPath(shell); path.IsAbs(shell) && err == nil {
+	if _, err := exec.LookPath(shell); path.IsAbs(shell) && shellWorks(shell) && err == nil {
 		return shell
 	}
-	if path, err := exec.LookPath("bash"); err == nil {
+	if path, err := exec.LookPath("bash"); shellWorks(path) && err == nil {
 		return path
 	}
-	if path, err := exec.LookPath("sh"); err == nil {
+	if path, err := exec.LookPath("sh"); shellWorks(path) && err == nil {
 		return path
 	}
 	const wellKnownSerialShell = "/tmp/serial-busybox/ash"
@@ -375,7 +384,7 @@ func (s *session) request(ctx context.Context, req *ssh.Request, conn *ssh.Serve
 
 		var cmd *exec.Cmd
 		if shell := findShell(); shell != "" {
-			if r.Command == "sh" {
+			if len(cmdline) == 0 || (len(cmdline) == 1 && cmdline[0] == "sh") {
 				cmd = exec.CommandContext(ctx, shell, "-l")
 			} else {
 				cmd = exec.CommandContext(ctx, shell, "-c", r.Command)