authorFranz Pletz <fpletz@fnordicwalking.de>2024-01-17 23:27:52 +0100
committerGitHub <noreply@github.com>2024-01-17 23:27:52 +0100
commited2ea66bbf2eb7cb1b45399a8331784b150048ad (patch)
treea85e26bb7d06776935c7d9bd7411d53e696545f9
parent07adb24551a32371c61c828654e55b569ab28731 (diff)
parent7e45990c06adc32b7aaf196b36b20001c5f8ce42 (diff)
Merge pull request #278539 from Ma27/sshd-socket-activation-ports
nixos/sshd: fix socket activated ports when using ListenAddress
-rw-r--r--nixos/modules/services/networking/ssh/sshd.nix6
-rw-r--r--nixos/tests/openssh.nix28
2 files changed, 32 insertions, 2 deletions
diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix
index 39793922ab51..aca8343b7d59 100644
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -600,7 +600,11 @@ in
           { description = "SSH Socket";
             wantedBy = [ "sockets.target" ];
             socketConfig.ListenStream = if cfg.listenAddresses != [] then
-              map (l: "${l.addr}:${toString (if l.port != null then l.port else 22)}") cfg.listenAddresses
+              concatMap
+                ({ addr, port }:
+                  if port != null then [ "${addr}:${toString port}" ]
+                  else map (p: "${addr}:${toString p}") cfg.ports)
+                cfg.listenAddresses
             else
               cfg.ports;
             socketConfig.Accept = true;
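Review bot: The new lambda destructures each listenAddresses entry with the exact pattern `({ addr, port }:`, which makes Nix abort with "called with unexpected argument" as soon as the entry carries any attribute other than those two; the old `(l: ...)` form had no such constraint. Since these entries come from an option submodule defined elsewhere in this file, adding a field there later would break socket generation at a distance, so I would write `({ addr, port, ... }:` to accept extra attributes. Separately, `"${addr}:${toString p}"` still produces `::1:22` for a bare IPv6 `addr`, which systemd's ListenStream does not parse as address plus port; if `addr` may hold an unbracketed IPv6 literal (I cannot tell from this hunk), the expansion needs to wrap it in `[ ]`. The enclosing `systemd.sockets.sshd` definition starts before this hunk.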
diff --git a/nixos/tests/openssh.nix b/nixos/tests/openssh.nix
index 799497477993..8074fd2ed483 100644
--- a/nixos/tests/openssh.nix
+++ b/nixos/tests/openssh.nix
@@ -34,6 +34,19 @@ in {
         ];
       };
 
+    server-lazy-socket = {
+      virtualisation.vlans = [ 1 2 ];
+      services.openssh = {
+        enable = true;
+        startWhenNeeded = true;
+        ports = [ 2222 ];
+        listenAddresses = [ { addr = "0.0.0.0"; } ];
+      };
+      users.users.root.openssh.authorizedKeys.keys = [
+        snakeOilPublicKey
+      ];
+    };
+
     server-localhost-only =
       { ... }:
 
@@ -96,7 +109,9 @@ in {
       };
 
     client =
-      { ... }: { };
+      { ... }: {
+        virtualisation.vlans = [ 1 2 ];
+      };
 
   };
 
@@ -109,6 +124,7 @@ in {
 
     server_lazy.wait_for_unit("sshd.socket", timeout=30)
     server_localhost_only_lazy.wait_for_unit("sshd.socket", timeout=30)
+    server_lazy_socket.wait_for_unit("sshd.socket", timeout=30)
 
     with subtest("manual-authkey"):
         client.succeed("mkdir -m 700 /root/.ssh")
@@ -145,6 +161,16 @@ in {
             timeout=30
         )
 
+    with subtest("socket activation on a non-standard port"):
+        client.succeed(
+            "cat ${snakeOilPrivateKey} > privkey.snakeoil"
+        )
+        client.succeed("chmod 600 privkey.snakeoil")
+        client.succeed(
+            "ssh -p 2222 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil root@192.168.2.4 true",
+            timeout=30
+        )
+
     with subtest("configured-authkey"):
         client.succeed(
             "cat ${snakeOilPrivateKey} > privkey.snakeoil"
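Review bot: The new subtest only proves that port 2222 is reachable; it does not check the other half of the fix, namely that `sshd.socket` on `server_lazy_socket` no longer binds the default port 22 for the port-less `0.0.0.0` entry, so a regression that listens on both 22 and 2222 would still pass. A cheap assertion on the unit's own view would close that gap, e.g. `server_lazy_socket.succeed("systemctl show sshd.socket -p Listen | grep -q '0.0.0.0:2222'")` followed by `server_lazy_socket.fail("systemctl show sshd.socket -p Listen | grep -q ':22 '")` (the exact `Listen=` formatting should be confirmed against the systemd in use). The hard-coded `192.168.2.4` presumably relies on the test framework's deterministic vlan addressing for this node; a comment naming the node it targets would help whoever reorders the `nodes` set later.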