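{ pkgs, lib, ... }:

let
  # Throw-away SSH CA plus two user keys/certificates.  They are built in the
  # Nix store, so the *private* halves are world-readable; that is only
  # acceptable because this derivation is used by this VM test and nothing
  # else.  Certificates are signed with `-V 19700101:forever` (never expire)
  # for the same reason - do not copy this into real CA tooling.
  testOnlySSHCredentials =
    pkgs.runCommand "pam-ussh-test-ca"
      {
        nativeBuildInputs = [ pkgs.openssh ];
      }
      ''
        mkdir $out
        ssh-keygen -t ed25519 -N "" -f $out/ca

        # alice's certificate carries the "root" principal that
        # security.pam.ussh.authorizedPrincipals below demands, so pam_ussh
        # is expected to let her through sudo.
        ssh-keygen -t ed25519 -N "" -f $out/alice
        ssh-keygen -s $out/ca -I "alice user key" -n "alice,root" -V 19700101:forever $out/alice.pub

        # bob's certificate is signed by the same trusted CA but lacks the
        # "root" principal; he must be refused even though sudoers (wheel)
        # would otherwise allow him.
        ssh-keygen -t ed25519 -N "" -f $out/bob
        ssh-keygen -s $out/ca -I "bob user key" -n "bob" -V 19700101:forever $out/bob.pub
      '';

  # Script executed as `user`: starts a private ssh-agent, loads that user's
  # key and certificate into it, then tries to become root through sudo.
  # The effective user name ends up on stdout, which the test greps for
  # "root"; everything else (set -x trace, agent listing) goes to stderr.
  makeTestScript =
    user:
    pkgs.writeShellScript "pam-ussh-${user}-test-script" ''
      set -euo pipefail

      # NOTE(review): pam_ussh locates the agent via SSH_AUTH_SOCK, which sudo
      # normally strips; presumably the security.pam.ussh module adds the
      # matching env_keep to sudoers - confirm if this test ever regresses.
      eval $(${pkgs.openssh}/bin/ssh-agent)

      mkdir -p $HOME/.ssh
      chmod 700 $HOME/.ssh
      cp ${testOnlySSHCredentials}/${user}{,.pub,-cert.pub} $HOME/.ssh
      chmod 600 $HOME/.ssh/${user}
      chmod 644 $HOME/.ssh/${user}{,-cert}.pub

      set -x

      ${pkgs.openssh}/bin/ssh-add $HOME/.ssh/${user}
      # Show the loaded identities on stderr for debugging.  This must be
      # `>&2`: the bash form `&>2` redirects stdout+stderr into a *file*
      # named "2" in $HOME, silently hiding the listing from the test log.
      ${pkgs.openssh}/bin/ssh-add -l >&2

      # -n (non-interactive): never fall back to a password prompt, so the
      # result depends solely on whether pam_ussh accepted the certificate
      # and the negative case fails fast instead of waiting on stdin.
      exec sudo -n id -u -n
    '';
in
{
  name = "pam-ussh";
  meta.maintainers = with lib.maintainers; [ lukegb ];

  machine =
    { ... }:
    {
      # Both users are in "wheel" so that sudoers itself permits them; the
      # difference in outcome has to come from pam_ussh's principal check.
      users.users.alice = {
        isNormalUser = true;
        extraGroups = [ "wheel" ];
      };
      users.users.bob = {
        isNormalUser = true;
        extraGroups = [ "wheel" ];
      };

      security.pam.ussh = {
        enable = true;
        # Only certificates listing the "root" principal may authenticate.
        authorizedPrincipals = "root";
        # Trust anchor: the test-only CA public key generated above.
        caFile = "${testOnlySSHCredentials}/ca.pub";
      };

      security.sudo = {
        enable = true;
        extraConfig = ''
          Defaults lecture="never"
        '';
      };
    };

  testScript = ''
    with subtest("alice should be allowed to escalate to root"):
        machine.succeed(
            'su -c "${makeTestScript "alice"}" -l alice | grep root'
        )

    # Negative case: the pipeline must fail, i.e. "root" must never reach
    # stdout.  With `sudo -n` in the script this is a prompt-free denial
    # rather than a hang on a password read.
    with subtest("bob should not be allowed to escalate to root"):
        machine.fail(
            'su -c "${makeTestScript "bob"}" -l bob | grep root'
        )
  '';
}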