author | nicoo <nicoo@mur.at> | 2023-11-08 20:47:33 +0000 |
---|---|---|
committer | nicoo <nicoo@mur.at> | 2023-12-24 16:00:22 +0000 |
commit | 7e70c084709574ad423159dcb461f8aede020d58 (patch) | |
tree | e2213abf18098da9beda515f891a1c85849ada16 /nixos | |
parent | 6df37dc6a77654682fe9f071c62b4242b5342e04 (diff) | |
nixosTests.ssh-agent-auth: init
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/tests/all-tests.nix | 1 | ||||
-rw-r--r-- | nixos/tests/ssh-agent-auth.nix | 48 |
2 files changed, 49 insertions, 0 deletions
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index f09c79e782b8..e5ba9afe206f 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -782,6 +782,7 @@ in {
 spark = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./spark {};
 sqlite3-to-mysql = handleTest ./sqlite3-to-mysql.nix {};
 sslh = handleTest ./sslh.nix {};
+ ssh-agent-auth = handleTest ./ssh-agent-auth.nix {};
 ssh-audit = handleTest ./ssh-audit.nix {};
 sssd = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./sssd.nix {};
 sssd-ldap = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./sssd-ldap.nix {};
diff --git a/nixos/tests/ssh-agent-auth.nix b/nixos/tests/ssh-agent-auth.nix
new file mode 100644
index 000000000000..2233ce0b3279
--- /dev/null
+++ b/nixos/tests/ssh-agent-auth.nix
@@ -0,0 +1,48 @@
+import ./make-test-python.nix ({ lib, pkgs, ... }:
+ let
+ inherit (import ./ssh-keys.nix pkgs) snakeOilPrivateKey snakeOilPublicKey;
+ in {
+ name = "ssh-agent-auth";
+ meta.maintainers = with lib.maintainers; [ nicoo ];
+
+ nodes.sudoVM = { lib, ... }: {
+ users.users = {
+ admin = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+ openssh.authorizedKeys.keys = [ snakeOilPublicKey ];
+ };
+ foo.isNormalUser = true;
+ };
+
+ security.pam.enableSSHAgentAuth = true;
+ security.sudo = {
+ enable = true;
+ wheelNeedsPassword = true; # We are checking `pam_ssh_agent_auth(8)` works for a sudoer
+ };
+
+ # Necessary for pam_ssh_agent_auth >_>'
+ services.openssh.enable = true;
+ };
+
+ testScript = let
+ privateKeyPath = "/home/admin/.ssh/id_ecdsa";
+ userScript = pkgs.writeShellScript "test-script" ''
+ set -e
+ ssh-add -q ${privateKeyPath}
+
+ # faketty needed to ensure `sudo` doesn't write to the controlling PTY,
+ # which would break the test-driver's line-oriented protocol.
+ ${lib.getExe pkgs.faketty} sudo -u foo -- id -un
+ '';
+ in ''
+ sudoVM.copy_from_host("${snakeOilPrivateKey}", "${privateKeyPath}")
+ sudoVM.succeed("chmod -R 0700 /home/admin")
+ sudoVM.succeed("chown -R admin:users /home/admin")
+
+ with subtest("sudoer can auth through pam_ssh_agent_auth(8)"):
+ # Run `userScript` in an environment with an SSH-agent available
+ assert sudoVM.succeed("sudo -u admin -- ssh-agent ${userScript} 2>&1").strip() == "foo"
+ '';
+ }
+) |
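Review bot: The new test only exercises the success path — a key loaded in the agent lets the wheel user run `sudo -u foo` — so it would still pass if the PAM stack let `sudo` through unconditionally (for instance a module ordering that is reached without any agent, or one that accepts an arbitrary key), which is the misconfiguration a test for an authentication module should catch. Add a negative subtest in `testScript` showing the same user is refused when no agent socket is present, e.g. `sudoVM.fail("sudo -u admin -- sudo -n -u foo -- id -un")` (`-n` makes sudo fail rather than prompt, so faketty is not needed there); a variant where the agent holds a key absent from `authorized_keys` would strengthen it further, though I am not sure the snake-oil helpers provide a second keypair. A check that the non-wheel user `foo` cannot escalate even with the agent would also cover the sudoers side rather than just the PAM side. Separately, the inner `{ lib, ... }:` argument of `nodes.sudoVM` shadows the outer `lib` without using it and can be dropped.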