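import ../make-test-python.nix ({ pkgs, lib, ... }:

let
  # Throwaway SSH CA plus two user keypairs with CA-signed certificates.
  # Everything generated here -- the CA *private* key and the passphrase-less
  # (-N "") user keys included -- lands world-readable in the Nix store, so
  # this material is only usable for this test; never reuse it elsewhere.
  #
  # The principal lists are what the test hinges on: alice's certificate
  # names "root" as a principal, bob's does not.  Both certs are valid from
  # 1970 with no expiry (-V 19700101:forever) so the VM clock cannot change
  # the outcome.
  testOnlySSHCredentials = pkgs.runCommand "pam-ussh-test-ca" {
    nativeBuildInputs = [ pkgs.openssh ];
  } ''
    mkdir $out
    ssh-keygen -t ed25519 -N "" -f $out/ca

    ssh-keygen -t ed25519 -N "" -f $out/alice
    ssh-keygen -s $out/ca -I "alice user key" -n "alice,root" -V 19700101:forever $out/alice.pub

    ssh-keygen -t ed25519 -N "" -f $out/bob
    ssh-keygen -s $out/ca -I "bob user key" -n "bob" -V 19700101:forever $out/bob.pub
  '';

  # Shell script run as `user`: load that user's certified key into a fresh
  # ssh-agent, then exec `sudo id -u -n`.  The script's stdout is therefore
  # exactly sudo's output (or nothing if sudo refuses), which the test greps.
  makeTestScript = user: pkgs.writeShellScript "pam-ussh-${user}-test-script" ''
    set -euo pipefail

    # Start an agent and export SSH_AUTH_SOCK/SSH_AGENT_PID into this shell.
    # The agent is not stopped afterwards: `exec` below replaces the shell,
    # so a trap would never fire.
    eval $(${pkgs.openssh}/bin/ssh-agent)

    # Stage private key, public key and certificate under ~/.ssh with the
    # modes ssh tooling expects (private key owner-only).
    mkdir -p $HOME/.ssh
    chmod 700 $HOME/.ssh
    cp ${testOnlySSHCredentials}/${user}{,.pub,-cert.pub} $HOME/.ssh
    chmod 600 $HOME/.ssh/${user}
    chmod 644 $HOME/.ssh/${user}{,-cert}.pub

    set -x

    ${pkgs.openssh}/bin/ssh-add $HOME/.ssh/${user}
    # Diagnostic only: list the loaded identities on stderr so they do not
    # pollute the stdout the test greps.  This was `&>2`, which in bash
    # redirects stdout+stderr into a file literally named "2" in the user's
    # home directory instead of to fd 2.
    ${pkgs.openssh}/bin/ssh-add -l >&2

    exec sudo id -u -n
  '';
in {
  name = "pam-ussh";
  meta.maintainers = with lib.maintainers; [ lukegb ];

  machine =
    { ... }:
    {
      # Both users are in wheel, so sudoers itself (NixOS's default wheel
      # rule) permits either of them to run `id` as root.  The only thing
      # separating alice from bob is the pam_ussh check configured below.
      users.users.alice = { isNormalUser = true; extraGroups = [ "wheel" ]; };
      users.users.bob = { isNormalUser = true; extraGroups = [ "wheel" ]; };

      # Trust certificates signed by the test CA, and require the presented
      # certificate to carry "root" as a principal.  alice's cert does
      # (-n "alice,root"); bob's cert only carries "bob".  The module is
      # presumably what consumes the agent exported by the test script --
      # confirm against the pam.ussh module if this test is reworked.
      security.pam.ussh = {
        enable = true;
        authorizedPrincipals = "root";
        caFile = "${testOnlySSHCredentials}/ca.pub";
      };

      security.sudo = {
        enable = true;
        # Keep sudo's first-use lecture out of the captured output.
        extraConfig = ''
          Defaults lecture="never"
        '';
      };
    };

  # `su -l` gives each user a login shell in which the per-user script runs;
  # `id -u -n` under a successful sudo prints "root".  For bob the whole
  # pipeline is expected to fail: sudo should be refused (his cert lacks the
  # "root" principal) so grep finds no match and exits non-zero.
  testScript =
    ''
      with subtest("alice should be allowed to escalate to root"):
          machine.succeed(
              'su -c "${makeTestScript "alice"}" -l alice | grep root'
          )

      with subtest("bob should not be allowed to escalate to root"):
          machine.fail(
              'su -c "${makeTestScript "bob"}" -l bob | grep root'
          )
    '';
})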