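import ../make-test-python.nix (
  { pkgs, lib, ... }:

  let
    # Throw-away SSH CA plus two user keys, generated at build time purely for
    # this test. Everything here, including the CA *private* key, ends up in the
    # world-readable Nix store, so none of it may be reused outside the test VM.
    testOnlySSHCredentials =
      pkgs.runCommand "pam-ussh-test-ca"
        {
          nativeBuildInputs = [ pkgs.openssh ];
        }
        ''
          mkdir $out
          ssh-keygen -t ed25519 -N "" -f $out/ca

          # alice's certificate carries the "root" principal; bob's does not.
          # The machine below configures pam_ussh to require exactly that
          # principal, so this is the only thing separating the two outcomes.
          ssh-keygen -t ed25519 -N "" -f $out/alice
          ssh-keygen -s $out/ca -I "alice user key" -n "alice,root" -V 19700101:forever $out/alice.pub

          ssh-keygen -t ed25519 -N "" -f $out/bob
          ssh-keygen -s $out/ca -I "bob user key" -n "bob" -V 19700101:forever $out/bob.pub
        '';

    # Builds the per-user probe script: start an ssh-agent, load the user's key
    # and certificate into it, then exec `sudo id -u -n` so the caller can grep
    # the resulting user name for "root". Only stdout of the final command is
    # meant to reach the caller's pipe.
    makeTestScript =
      user:
      pkgs.writeShellScript "pam-ussh-${user}-test-script" ''
        set -euo pipefail

        eval $(${pkgs.openssh}/bin/ssh-agent)

        mkdir -p $HOME/.ssh
        chmod 700 $HOME/.ssh
        cp ${testOnlySSHCredentials}/${user}{,.pub,-cert.pub} $HOME/.ssh
        chmod 600 $HOME/.ssh/${user}
        chmod 644 $HOME/.ssh/${user}{,-cert}.pub

        set -x

        ${pkgs.openssh}/bin/ssh-add $HOME/.ssh/${user}
        # Diagnostic listing of loaded identities. Send it to stderr (">&2");
        # the original "&>2" redirected it into a file literally named "2" in
        # the user's home directory instead of to the terminal/log.
        ${pkgs.openssh}/bin/ssh-add -l >&2

        exec sudo id -u -n
      '';
  in
  {
    name = "pam-ussh";
    meta.maintainers = with lib.maintainers; [ lukegb ];

    machine =
      { ... }:
      {
        # Both users are in wheel, so sudo policy alone would treat them alike;
        # the expected difference comes solely from the pam_ussh principal check.
        users.users.alice = {
          isNormalUser = true;
          extraGroups = [ "wheel" ];
        };
        users.users.bob = {
          isNormalUser = true;
          extraGroups = [ "wheel" ];
        };

        # Trust only the test CA and accept only certificates that carry the
        # "root" principal (alice's does, bob's does not).
        security.pam.ussh = {
          enable = true;
          authorizedPrincipals = "root";
          caFile = "${testOnlySSHCredentials}/ca.pub";
        };

        security.sudo = {
          enable = true;
          # Suppress the first-use lecture so it cannot interfere with the
          # grep on sudo's output.
          extraConfig = ''
            Defaults lecture="never"
          '';
        };
      };

    testScript = ''
      with subtest("alice should be allowed to escalate to root"):
          machine.succeed(
              'su -c "${makeTestScript "alice"}" -l alice | grep root'
          )

      with subtest("bob should not be allowed to escalate to root"):
          machine.fail(
              'su -c "${makeTestScript "bob"}" -l bob | grep root'
          )
    '';
  }
)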