commit bbf66d50a21be6adb839961cab8fdd01fbc8b6b5 · pyrox.dev/nixpkgs

-2

nixos/modules/services/networking/ssh/sshd.nix

···

       595
       595
        
                 environment.LD_LIBRARY_PATH = nssModulesPath;

     

       596
       596
        
       

     

       597
       597
        
                 serviceConfig = {

     

       598
       598
       -
                   Type = "notify";

     

       599
       598
        
                   ExecStart = lib.concatStringsSep " " [

     

       600
       599
        
                     "-${lib.getExe' cfg.package "sshd"}"

     

       601
       600
        
                     "-i"

     
···

       620
       619
        
                 restartTriggers = [ config.environment.etc."ssh/sshd_config".source ];

     

       621
       620
        
       

     

       622
       621
        
                 serviceConfig = {

     

       623
       623
       -
                   Type = "notify";

     

       624
       622
        
                   Restart = "always";

     

       625
       623
        
                   ExecStart = lib.concatStringsSep " " [

     

       626
       624
        
                     (lib.getExe' cfg.package "sshd")

nixos/tests/openssh.nix

···

       274
       274
        
                   "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server-no-pam true",

     

       275
       275
        
                   timeout=30

     

       276
       276
        
               )

     

       277
       277
       +
       

     

       278
       278
       +
           # None of the per-connection units should have failed.

     

       279
       279
       +
           server_lazy.fail("systemctl is-failed 'sshd@*.service'")

     

       277
       280
        
         '';

     

       278
       281
        
       })

+14 -27

nixos/tests/systemd-ssh-proxy.nix

···

       6
       6
        
       }:

     

       7
       7
        
       # This tests that systemd-ssh-proxy and systemd-ssh-generator work correctly with:

     

       8
       8
        
       # - a local unix socket on the same system

     

       9
       9
       -
       # - a vsock socket inside a vm

     

       9
       9
       +
       # - a unix socket inside a container

     

       10
       10
        
       let

     

       11
       11
        
         inherit (import ./ssh-keys.nix pkgs)

     

       12
       12
        
           snakeOilEd25519PrivateKey

     

       13
       13
        
           snakeOilEd25519PublicKey

     

       14
       14
        
           ;

     

       15
       15
       -
         qemu = config.nodes.virthost.virtualisation.qemu.package;

     

       16
       16
       -
         iso =

     

       17
       17
       -
           (import ../lib/eval-config.nix {

     

       18
       18
       -
             inherit (pkgs.stdenv.hostPlatform) system;

     

       19
       19
       -
             modules = [

     

       20
       20
       -
               ../modules/installer/cd-dvd/iso-image.nix

     

       21
       21
       -
               {

     

       22
       22
       -
                 services.openssh = {

     

       23
       23
       -
                   enable = true;

     

       24
       24
       -
                   settings.PermitRootLogin = "prohibit-password";

     

       25
       25
       -
                 };

     

       26
       26
       -
                 isoImage.isoBaseName = lib.mkForce "nixos";

     

       27
       27
       -
                 isoImage.makeBiosBootable = true;

     

       28
       28
       -
                 system.stateVersion = lib.trivial.release;

     

       29
       29
       -
               }

     

       30
       30
       -
             ];

     

       31
       31
       -
           }).config.system.build.isoImage;

     

       32
       15
        
       in

     

       33
       16
        
       {

     

       34
       17
        
         name = "systemd-ssh-proxy";

     
···

       46
       29
        
                 isNormalUser = true;

     

       47
       30
        
               };

     

       48
       31
        
             };

     

       49
       49
       -
             systemd.services.test-vm = {

     

       50
       50
       -
               script = "${lib.getExe qemu} --nographic -smp 1 -m 512 -cdrom ${iso}/iso/nixos.iso -device vhost-vsock-pci,guest-cid=3 -smbios type=11,value=\"io.systemd.credential:ssh.authorized_keys.root=${snakeOilEd25519PublicKey}\"";

     

       32
       32
       +
             containers.guest = {

     

       33
       33
       +
               autoStart = true;

     

       34
       34
       +
               config = {

     

       35
       35
       +
                 users.users.root.openssh.authorizedKeys.keys = [ snakeOilEd25519PublicKey ];

     

       36
       36
       +
                 services.openssh = {

     

       37
       37
       +
                   enable = true;

     

       38
       38
       +
                   settings.PermitRootLogin = "prohibit-password";

     

       39
       39
       +
                 };

     

       40
       40
       +
                 system.stateVersion = lib.trivial.release;

     

       41
       41
       +
               };

     

       51
       42
        
             };

     

       52
       43
        
           };

     

       53
       44
        
         };

     

       54
       45
        
       

     

       55
       46
        
         testScript = ''

     

       56
       56
       -
           virthost.systemctl("start test-vm.service")

     

       57
       57
       -
       

     

       58
       47
        
           virthost.succeed("mkdir -p ~/.ssh")

     

       59
       48
        
           virthost.succeed("cp '${snakeOilEd25519PrivateKey}' ~/.ssh/id_ed25519")

     

       60
       49
        
           virthost.succeed("chmod 600 ~/.ssh/id_ed25519")

     

       61
       50
        
       

     

       62
       62
       -
           with subtest("ssh into a vm with vsock"):

     

       63
       63
       -
             virthost.wait_until_succeeds("systemctl is-active test-vm.service")

     

       64
       64
       -
             virthost.wait_until_succeeds("ssh -i ~/.ssh/id_ed25519 vsock/3 echo meow | grep meow")

     

       65
       65
       -
             virthost.wait_until_succeeds("ssh -i ~/.ssh/id_ed25519 vsock/3 shutdown now")

     

       66
       66
       -
             virthost.wait_until_succeeds("! systemctl is-active test-vm.service")

     

       51
       51
       +
           with subtest("ssh into a container with AF_UNIX"):

     

       52
       52
       +
             virthost.wait_for_unit("container@guest.service")

     

       53
       53
       +
             virthost.wait_until_succeeds("ssh -i ~/.ssh/id_ed25519 unix/run/systemd/nspawn/unix-export/guest/ssh echo meow | grep meow")

     

       67
       54
        
       

     

       68
       55
        
           with subtest("elevate permissions using local ssh socket"):

     

       69
       56
        
             virthost.wait_for_unit("sshd-unix-local.socket")