pyrox.dev / nixpkgs
lol
fork atom

Revert "tests/openssh: write a test for CVE-2025-32728"

K900 353a5726 f94860f4

options
unified split
Changed files
-44
nixos
tests
openssh.nix
-44
nixos/tests/openssh.nix 
···

       
35

       
 

       
          ];


     

       
36

       
 

       
        };


     

       
37

       
 

       



     

       
38

       
-

       
      server-x11 =


     

       
39

       
-

       
        { ... }:


     

       
40

       
-

       



     

       
41

       
-

       
        {


     

       
42

       
-

       
          environment.systemPackages = [ pkgs.xorg.xauth ];


     

       
43

       
-

       
          services.openssh = {


     

       
44

       
-

       
            enable = true;


     

       
45

       
-

       
            settings.X11Forwarding = true;


     

       
46

       
-

       
          };


     

       
47

       
-

       
          users.users.root.openssh.authorizedKeys.keys = [


     

       
48

       
-

       
            snakeOilPublicKey


     

       
49

       
-

       
          ];


     

       
50

       
-

       
        };


     

       
51

       
-

       



     

       
52

       
-

       
      server-x11-disable =


     

       
53

       
-

       
        { ... }:


     

       
54

       
-

       



     

       
55

       
-

       
        {


     

       
56

       
-

       
          environment.systemPackages = [ pkgs.xorg.xauth ];


     

       
57

       
-

       
          services.openssh = {


     

       
58

       
-

       
            enable = true;


     

       
59

       
-

       
            settings = {


     

       
60

       
-

       
              X11Forwarding = true;


     

       
61

       
-

       
              # CVE-2025-32728: the following line is ineffectual


     

       
62

       
-

       
              DisableForwarding = true;


     

       
63

       
-

       
            };


     

       
64

       
-

       
          };


     

       
65

       
-

       
          users.users.root.openssh.authorizedKeys.keys = [


     

       
66

       
-

       
            snakeOilPublicKey


     

       
67

       
-

       
          ];


     

       
68

       
-

       
        };


     

       
69

       
-

       



     

       
70

       
 

       
      server-allowed-users =


     

       
71

       
 

       
        { ... }:


     

       
72

       
 

       



     
···

       
272

       
 

       
      start_all()


     

       
273

       
 

       



     

       
274

       
 

       
      server.wait_for_unit("sshd", timeout=30)


     

       
275

       
-

       
      server_x11.wait_for_unit("sshd", timeout=30)


     

       
276

       
-

       
      server_x11_disable.wait_for_unit("sshd", timeout=30)


     

       
277

       
 

       
      server_allowed_users.wait_for_unit("sshd", timeout=30)


     

       
278

       
 

       
      server_localhost_only.wait_for_unit("sshd", timeout=30)


     

       
279

       
 

       
      server_match_rule.wait_for_unit("sshd", timeout=30)


     
···

       
338

       
 

       
          )


     

       
339

       
 

       
          client.succeed(


     

       
340

       
 

       
              "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server-lazy true",


     

       
341

       
-

       
              timeout=30


     

       
342

       
-

       
          )


     

       
343

       
-

       



     

       
344

       
-

       
      with subtest("x11-forwarding"):


     

       
345

       
-

       
          client.succeed(


     

       
346

       
-

       
              "[ \"$(ssh -Y -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server-x11 'xauth list' | tee /dev/stderr | wc -l)\" -eq 1 ]",


     

       
347

       
-

       
              timeout=30


     

       
348

       
-

       
          )


     

       
349

       
-

       
          client.succeed(


     

       
350

       
-

       
              "[ \"$(ssh -Y -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server-x11-disable 'xauth list' | tee /dev/stderr | wc -l)\" -eq 0 ]",


     

       
351

       
 

       
              timeout=30


     

       
352

       
 

       
          )


     

       
353

       
 

       



     
···

       
35

       
 

       
          ];


     

       
36

       
 

       
        };


     

       
37

       
 

       



     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
38

       
 

       
      server-allowed-users =


     

       
39

       
 

       
        { ... }:


     

       
40

       
 

       



     
···

       
240

       
 

       
      start_all()


     

       
241

       
 

       



     

       
242

       
 

       
      server.wait_for_unit("sshd", timeout=30)


     

       

       

       
     

       

       

       
     

       
243

       
 

       
      server_allowed_users.wait_for_unit("sshd", timeout=30)


     

       
244

       
 

       
      server_localhost_only.wait_for_unit("sshd", timeout=30)


     

       
245

       
 

       
      server_match_rule.wait_for_unit("sshd", timeout=30)


     
···

       
304

       
 

       
          )


     

       
305

       
 

       
          client.succeed(


     

       
306

       
 

       
              "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server-lazy true",


     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
307

       
 

       
              timeout=30


     

       
308

       
 

       
          )


     

       
309