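import ./make-test-python.nix ({ lib, pkgs, ... }:
  let
    # Throw-away "snake oil" keypair shipped in the Nix store (so world-readable
    # by construction).  Acceptable for a VM test; never reuse it elsewhere.
    inherit (import ./ssh-keys.nix pkgs) snakeOilPrivateKey snakeOilPublicKey;
  in {
    name = "ssh-agent-auth";
    meta.maintainers = with lib.maintainers; [ nicoo ];

    # One node per sudo implementation, configured identically except for
    # which `security.<impl>` option is enabled.
    nodes = let nodeConfig = n: { ... }: {
      users.users = {
        admin = {
          isNormalUser = true;
          extraGroups = [ "wheel" ];
          # The public half of the key the agent will present; this is what
          # pam_ssh_agent_auth(8) matches the agent's signature against.
          openssh.authorizedKeys.keys = [ snakeOilPublicKey ];
        };
        foo.isNormalUser = true;
      };

      security.pam.enableSSHAgentAuth = true;
      # Node names are Python identifiers ("sudo_rs"); the NixOS option is
      # spelled with a dash ("sudo-rs"), hence the substitution.
      security.${lib.replaceStrings [ "_" ] [ "-" ] n} = {
        enable = true;
        wheelNeedsPassword = true;  # We are checking `pam_ssh_agent_auth(8)` works for a sudoer
      };

      # Necessary for pam_ssh_agent_auth  >_>'
      services.openssh.enable = true;
    };
    in lib.genAttrs [ "sudo" "sudo_rs" ] nodeConfig;

    testScript = let
      privateKeyPath = "/home/admin/.ssh/id_ecdsa";
      # Runs as `admin` underneath `ssh-agent`: load the key, then sudo to `foo`.
      userScript = pkgs.writeShellScript "test-script" ''
        set -e
        ssh-add -q ${privateKeyPath}

        # faketty needed to ensure `sudo` doesn't write to the controlling PTY,
        #  which would break the test-driver's line-oriented protocol.
        ${lib.getExe pkgs.faketty} sudo -u foo -- id -un
      '';
      # Control case: same sudo invocation, but with no agent reachable and
      # `-n` so sudo errors out instead of prompting for a password.  This
      # must be refused -- otherwise the positive check proves nothing about
      # the agent (sudo could simply not be asking for authentication at all).
      noAgentScript = pkgs.writeShellScript "test-script-no-agent" ''
        unset SSH_AUTH_SOCK
        ${lib.getExe pkgs.faketty} sudo -n -u foo -- id -un
      '';
    in ''
      for vm in (sudo, sudo_rs):
        sudo_impl = vm.name.replace("_", "-")
        with subtest(f"wheel user can auth with ssh-agent for {sudo_impl}"):
            vm.copy_from_host("${snakeOilPrivateKey}", "${privateKeyPath}")
            # Make the home directory and the private key owner-only before
            # ssh-add sees them; a group/world-readable private key is not
            # acceptable to the OpenSSH tooling (and would be a real problem
            # outside a test).
            vm.succeed("chmod -R 0700 /home/admin")
            vm.succeed("chown -R admin:users /home/admin")

            # Run `userScript` in an environment with an SSH-agent available
            assert vm.succeed("sudo -u admin -- ssh-agent ${userScript} 2>&1").strip() == "foo"

        with subtest(f"wheel user is refused without an ssh-agent for {sudo_impl}"):
            # No agent means pam_ssh_agent_auth cannot vouch for `admin`, so
            # `wheelNeedsPassword` must apply and non-interactive sudo must fail.
            vm.fail("sudo -u admin -- ${noAgentScript}")
    '';
  }
)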