diff options
Diffstat (limited to 'nixpkgs/nixos/tests/openssh.nix')
-rw-r--r-- | nixpkgs/nixos/tests/openssh.nix | 213 |
1 files changed, 213 insertions, 0 deletions
diff --git a/nixpkgs/nixos/tests/openssh.nix b/nixpkgs/nixos/tests/openssh.nix new file mode 100644 index 000000000000..8074fd2ed483 --- /dev/null +++ b/nixpkgs/nixos/tests/openssh.nix @@ -0,0 +1,213 @@ +import ./make-test-python.nix ({ pkgs, ... }: + +let inherit (import ./ssh-keys.nix pkgs) + snakeOilPrivateKey snakeOilPublicKey; +in { + name = "openssh"; + meta = with pkgs.lib.maintainers; { + maintainers = [ aszlig eelco ]; + }; + + nodes = { + + server = + { ... }: + + { + services.openssh.enable = true; + security.pam.services.sshd.limits = + [ { domain = "*"; item = "memlock"; type = "-"; value = 1024; } ]; + users.users.root.openssh.authorizedKeys.keys = [ + snakeOilPublicKey + ]; + }; + + server-lazy = + { ... }: + + { + services.openssh = { enable = true; startWhenNeeded = true; }; + security.pam.services.sshd.limits = + [ { domain = "*"; item = "memlock"; type = "-"; value = 1024; } ]; + users.users.root.openssh.authorizedKeys.keys = [ + snakeOilPublicKey + ]; + }; + + server-lazy-socket = { + virtualisation.vlans = [ 1 2 ]; + services.openssh = { + enable = true; + startWhenNeeded = true; + ports = [ 2222 ]; + listenAddresses = [ { addr = "0.0.0.0"; } ]; + }; + users.users.root.openssh.authorizedKeys.keys = [ + snakeOilPublicKey + ]; + }; + + server-localhost-only = + { ... }: + + { + services.openssh = { + enable = true; listenAddresses = [ { addr = "127.0.0.1"; port = 22; } ]; + }; + }; + + server-localhost-only-lazy = + { ... }: + + { + services.openssh = { + enable = true; startWhenNeeded = true; listenAddresses = [ { addr = "127.0.0.1"; port = 22; } ]; + }; + }; + + server-match-rule = + { ... }: + + { + services.openssh = { + enable = true; listenAddresses = [ { addr = "127.0.0.1"; port = 22; } { addr = "[::]"; port = 22; } ]; + extraConfig = '' + # Combined test for two (predictable) Match criterias + Match LocalAddress 127.0.0.1 LocalPort 22 + PermitRootLogin yes + + # Separate tests for Match criterias + Match User root + PermitRootLogin yes + Match Group root + PermitRootLogin yes + Match Host nohost.example + PermitRootLogin yes + Match LocalAddress 127.0.0.1 + PermitRootLogin yes + Match LocalPort 22 + PermitRootLogin yes + Match RDomain nohost.example + PermitRootLogin yes + Match Address 127.0.0.1 + PermitRootLogin yes + ''; + }; + }; + + server_allowedusers = + { ... }: + + { + services.openssh = { enable = true; settings.AllowUsers = [ "alice" "bob" ]; }; + users.groups = { alice = { }; bob = { }; carol = { }; }; + users.users = { + alice = { isNormalUser = true; group = "alice"; openssh.authorizedKeys.keys = [ snakeOilPublicKey ]; }; + bob = { isNormalUser = true; group = "bob"; openssh.authorizedKeys.keys = [ snakeOilPublicKey ]; }; + carol = { isNormalUser = true; group = "carol"; openssh.authorizedKeys.keys = [ snakeOilPublicKey ]; }; + }; + }; + + client = + { ... }: { + virtualisation.vlans = [ 1 2 ]; + }; + + }; + + testScript = '' + start_all() + + server.wait_for_unit("sshd", timeout=30) + server_localhost_only.wait_for_unit("sshd", timeout=30) + server_match_rule.wait_for_unit("sshd", timeout=30) + + server_lazy.wait_for_unit("sshd.socket", timeout=30) + server_localhost_only_lazy.wait_for_unit("sshd.socket", timeout=30) + server_lazy_socket.wait_for_unit("sshd.socket", timeout=30) + + with subtest("manual-authkey"): + client.succeed("mkdir -m 700 /root/.ssh") + client.succeed( + '${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519 -N ""' + ) + public_key = client.succeed( + "${pkgs.openssh}/bin/ssh-keygen -y -f /root/.ssh/id_ed25519" + ) + public_key = public_key.strip() + client.succeed("chmod 600 /root/.ssh/id_ed25519") + + server.succeed("mkdir -m 700 /root/.ssh") + server.succeed("echo '{}' > /root/.ssh/authorized_keys".format(public_key)) + server_lazy.succeed("mkdir -m 700 /root/.ssh") + server_lazy.succeed("echo '{}' > /root/.ssh/authorized_keys".format(public_key)) + + client.wait_for_unit("network.target") + client.succeed( + "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'echo hello world' >&2", + timeout=30 + ) + client.succeed( + "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'ulimit -l' | grep 1024", + timeout=30 + ) + + client.succeed( + "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server-lazy 'echo hello world' >&2", + timeout=30 + ) + client.succeed( + "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server-lazy 'ulimit -l' | grep 1024", + timeout=30 + ) + + with subtest("socket activation on a non-standard port"): + client.succeed( + "cat ${snakeOilPrivateKey} > privkey.snakeoil" + ) + client.succeed("chmod 600 privkey.snakeoil") + client.succeed( + "ssh -p 2222 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil root@192.168.2.4 true", + timeout=30 + ) + + with subtest("configured-authkey"): + client.succeed( + "cat ${snakeOilPrivateKey} > privkey.snakeoil" + ) + client.succeed("chmod 600 privkey.snakeoil") + client.succeed( + "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server true", + timeout=30 + ) + client.succeed( + "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server-lazy true", + timeout=30 + ) + + with subtest("localhost-only"): + server_localhost_only.succeed("ss -nlt | grep '127.0.0.1:22'") + server_localhost_only_lazy.succeed("ss -nlt | grep '127.0.0.1:22'") + + with subtest("match-rules"): + server_match_rule.succeed("ss -nlt | grep '127.0.0.1:22'") + + with subtest("allowed-users"): + client.succeed( + "cat ${snakeOilPrivateKey} > privkey.snakeoil" + ) + client.succeed("chmod 600 privkey.snakeoil") + client.succeed( + "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil alice@server_allowedusers true", + timeout=30 + ) + client.succeed( + "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil bob@server_allowedusers true", + timeout=30 + ) + client.fail( + "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil carol@server_allowedusers true", + timeout=30 + ) + ''; +}) |