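import ./make-test-python.nix ({ pkgs, ... }:

let
  inherit (import ./ssh-keys.nix pkgs)
    snakeOilPrivateKey snakeOilPublicKey;

  # PAM limit shared by the two key-based servers; the test script asserts
  # that `ulimit -l` inside an ssh session reports exactly this value, i.e.
  # that pam_limits is applied to sessions opened through sshd.
  memlockLimit =
    [ { domain = "*"; item = "memlock"; type = "-"; value = 1024; } ];
in {
  name = "openssh";
  meta = with pkgs.lib.maintainers; {
    maintainers = [ aszlig eelco ];
  };

  nodes = {

    # Always-running sshd; root may log in with the snake-oil key from
    # ./ssh-keys.nix and with a key generated by the client at test time.
    server =
      { ... }:

      {
        services.openssh.enable = true;
        security.pam.services.sshd.limits = memlockLimit;
        users.users.root.openssh.authorizedKeys.keys = [
          snakeOilPublicKey
        ];
      };

    # Same as `server`, but socket-activated (sshd is started on demand).
    server_lazy =
      { ... }:

      {
        services.openssh = { enable = true; startWhenNeeded = true; };
        security.pam.services.sshd.limits = memlockLimit;
        users.users.root.openssh.authorizedKeys.keys = [
          snakeOilPublicKey
        ];
      };

    # sshd bound to the loopback address only. No key is authorized on these
    # two nodes because the test only inspects their listening sockets.
    server_localhost_only =
      { ... }:

      {
        services.openssh = {
          enable = true; listenAddresses = [ { addr = "127.0.0.1"; port = 22; } ];
        };
      };

    server_localhost_only_lazy =
      { ... }:

      {
        services.openssh = {
          enable = true; startWhenNeeded = true; listenAddresses = [ { addr = "127.0.0.1"; port = 22; } ];
        };
      };

    client =
      { ... }: { };

  };

  testScript = ''
    # Host-key verification is disabled on purpose: every run boots fresh VMs
    # with newly generated host keys, so there is no known_hosts to pin to.
    ssh_opts = "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"

    start_all()

    server.wait_for_unit("sshd")

    with subtest("manual-authkey"):
        # Generate a client key and install it as the only entry of
        # authorized_keys on both key-based servers.
        client.succeed("mkdir -m 700 /root/.ssh")
        client.succeed(
            '${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519 -N ""'
        )
        public_key = client.succeed(
            "${pkgs.openssh}/bin/ssh-keygen -y -f /root/.ssh/id_ed25519"
        )
        public_key = public_key.strip()
        client.succeed("chmod 600 /root/.ssh/id_ed25519")

        for node in [server, server_lazy]:
            node.succeed("mkdir -m 700 /root/.ssh")
            node.succeed("echo '{}' > /root/.ssh/authorized_keys".format(public_key))

        client.wait_for_unit("network.target")
        for target in ["server", "server_lazy"]:
            client.succeed(
                f"ssh {ssh_opts} {target} 'echo hello world' >&2",
                timeout=30
            )
            # The memlock limit configured via security.pam.services.sshd.limits
            # must be visible inside the session.
            client.succeed(
                f"ssh {ssh_opts} {target} 'ulimit -l' | grep 1024",
                timeout=30
            )

    with subtest("configured-authkey"):
        # The key declared in users.users.root.openssh.authorizedKeys.keys
        # must work without touching authorized_keys by hand.
        client.succeed(
            "cat ${snakeOilPrivateKey} > privkey.snakeoil"
        )
        client.succeed("chmod 600 privkey.snakeoil")
        for target in ["server", "server_lazy"]:
            client.succeed(
                f"ssh {ssh_opts} -i privkey.snakeoil {target} true",
                timeout=30
            )

    with subtest("localhost-only"):
        # The non-lazy node runs sshd.service; the lazy one only has the
        # systemd socket listening until a connection arrives.
        server_localhost_only.wait_for_unit("sshd")
        server_localhost_only_lazy.wait_for_unit("sshd.socket")
        for node in [server_localhost_only, server_localhost_only_lazy]:
            # Port 22 must be bound on loopback ...
            node.succeed("ss -nlt | grep '127.0.0.1:22'")
            # ... and on nothing else: a wildcard (0.0.0.0 / [::]) listener
            # would expose the daemon despite listenAddresses, and the
            # positive grep alone would not catch that regression.
            node.fail("ss -nlt | grep ':22 ' | grep -v '127.0.0.1:22 '")
  '';
})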