nixpkgs/nixos/tests/openssh.nix
Tom Fitzhenry 9e4e5d96f1 tests/openssh: use upstream's algorithms in "no openssl" example
When I initially wrote this test, I wasn't aware that services.openssh
could opt into using OpenSSH's default algorithms by just setting the
relevant settings to null.

That's a better approach since:
* it's a simpler setting for this test to have to worry about
* it introduces test coverage for the null case
* the null case should be demonstrated as an example for those that
  want to compile without OpenSSL
2024-06-08 15:03:08 +10:00

281 lines
9.1 KiB
Nix

import ./make-test-python.nix ({ pkgs, ... }:
let inherit (import ./ssh-keys.nix pkgs)
snakeOilPrivateKey snakeOilPublicKey snakeOilEd25519PrivateKey snakeOilEd25519PublicKey;
in {
name = "openssh";
meta = with pkgs.lib.maintainers; {
maintainers = [ aszlig ];
};
nodes = {
server =
{ ... }:
{
services.openssh.enable = true;
security.pam.services.sshd.limits =
[ { domain = "*"; item = "memlock"; type = "-"; value = 1024; } ];
users.users.root.openssh.authorizedKeys.keys = [
snakeOilPublicKey
];
};
server-allowed-users =
{ ... }:
{
services.openssh = { enable = true; settings.AllowUsers = [ "alice" "bob" ]; };
users.groups = { alice = { }; bob = { }; carol = { }; };
users.users = {
alice = { isNormalUser = true; group = "alice"; openssh.authorizedKeys.keys = [ snakeOilPublicKey ]; };
bob = { isNormalUser = true; group = "bob"; openssh.authorizedKeys.keys = [ snakeOilPublicKey ]; };
carol = { isNormalUser = true; group = "carol"; openssh.authorizedKeys.keys = [ snakeOilPublicKey ]; };
};
};
server-lazy =
{ ... }:
{
services.openssh = { enable = true; startWhenNeeded = true; };
security.pam.services.sshd.limits =
[ { domain = "*"; item = "memlock"; type = "-"; value = 1024; } ];
users.users.root.openssh.authorizedKeys.keys = [
snakeOilPublicKey
];
};
server-lazy-socket = {
virtualisation.vlans = [ 1 2 ];
services.openssh = {
enable = true;
startWhenNeeded = true;
ports = [ 2222 ];
listenAddresses = [ { addr = "0.0.0.0"; } ];
};
users.users.root.openssh.authorizedKeys.keys = [
snakeOilPublicKey
];
};
server-localhost-only =
{ ... }:
{
services.openssh = {
enable = true; listenAddresses = [ { addr = "127.0.0.1"; port = 22; } ];
};
};
server-localhost-only-lazy =
{ ... }:
{
services.openssh = {
enable = true; startWhenNeeded = true; listenAddresses = [ { addr = "127.0.0.1"; port = 22; } ];
};
};
server-match-rule =
{ ... }:
{
services.openssh = {
enable = true; listenAddresses = [ { addr = "127.0.0.1"; port = 22; } { addr = "[::]"; port = 22; } ];
extraConfig = ''
# Combined test for two (predictable) Match criterias
Match LocalAddress 127.0.0.1 LocalPort 22
PermitRootLogin yes
# Separate tests for Match criterias
Match User root
PermitRootLogin yes
Match Group root
PermitRootLogin yes
Match Host nohost.example
PermitRootLogin yes
Match LocalAddress 127.0.0.1
PermitRootLogin yes
Match LocalPort 22
PermitRootLogin yes
Match RDomain nohost.example
PermitRootLogin yes
Match Address 127.0.0.1
PermitRootLogin yes
'';
};
};
server-no-openssl =
{ ... }:
{
services.openssh = {
enable = true;
package = pkgs.opensshPackages.openssh.override {
linkOpenssl = false;
};
hostKeys = [
{ type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
];
settings = {
# Since this test is against an OpenSSH-without-OpenSSL,
# we have to override NixOS's defaults ciphers (which require OpenSSL)
# and instead set these to null, which will mean OpenSSH uses its defaults.
# Expectedly, OpenSSH's defaults don't require OpenSSL when it's compiled
# without OpenSSL.
Ciphers = null;
KexAlgorithms = null;
Macs = null;
};
};
users.users.root.openssh.authorizedKeys.keys = [
snakeOilEd25519PublicKey
];
};
server-no-pam =
{ pkgs, ... }:
{
services.openssh = {
enable = true;
package = pkgs.opensshPackages.openssh.override {
withPAM = false;
};
settings = {
UsePAM = false;
};
};
users.users.root.openssh.authorizedKeys.keys = [
snakeOilPublicKey
];
};
client =
{ ... }: {
virtualisation.vlans = [ 1 2 ];
};
};
testScript = ''
start_all()
server.wait_for_unit("sshd", timeout=30)
server_allowed_users.wait_for_unit("sshd", timeout=30)
server_localhost_only.wait_for_unit("sshd", timeout=30)
server_match_rule.wait_for_unit("sshd", timeout=30)
server_no_openssl.wait_for_unit("sshd", timeout=30)
server_no_pam.wait_for_unit("sshd", timeout=30)
server_lazy.wait_for_unit("sshd.socket", timeout=30)
server_localhost_only_lazy.wait_for_unit("sshd.socket", timeout=30)
server_lazy_socket.wait_for_unit("sshd.socket", timeout=30)
with subtest("manual-authkey"):
client.succeed("mkdir -m 700 /root/.ssh")
client.succeed(
'${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519 -N ""'
)
public_key = client.succeed(
"${pkgs.openssh}/bin/ssh-keygen -y -f /root/.ssh/id_ed25519"
)
public_key = public_key.strip()
client.succeed("chmod 600 /root/.ssh/id_ed25519")
server.succeed("mkdir -m 700 /root/.ssh")
server.succeed("echo '{}' > /root/.ssh/authorized_keys".format(public_key))
server_lazy.succeed("mkdir -m 700 /root/.ssh")
server_lazy.succeed("echo '{}' > /root/.ssh/authorized_keys".format(public_key))
client.wait_for_unit("network.target")
client.succeed(
"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'echo hello world' >&2",
timeout=30
)
client.succeed(
"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'ulimit -l' | grep 1024",
timeout=30
)
client.succeed(
"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server-lazy 'echo hello world' >&2",
timeout=30
)
client.succeed(
"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server-lazy 'ulimit -l' | grep 1024",
timeout=30
)
with subtest("socket activation on a non-standard port"):
client.succeed(
"cat ${snakeOilPrivateKey} > privkey.snakeoil"
)
client.succeed("chmod 600 privkey.snakeoil")
# The final segment in this IP is allocated according to the alphabetical order of machines in this test.
client.succeed(
"ssh -p 2222 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil root@192.168.2.5 true",
timeout=30
)
with subtest("configured-authkey"):
client.succeed(
"cat ${snakeOilPrivateKey} > privkey.snakeoil"
)
client.succeed("chmod 600 privkey.snakeoil")
client.succeed(
"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server true",
timeout=30
)
client.succeed(
"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server-lazy true",
timeout=30
)
with subtest("localhost-only"):
server_localhost_only.succeed("ss -nlt | grep '127.0.0.1:22'")
server_localhost_only_lazy.succeed("ss -nlt | grep '127.0.0.1:22'")
with subtest("match-rules"):
server_match_rule.succeed("ss -nlt | grep '127.0.0.1:22'")
with subtest("allowed-users"):
client.succeed(
"cat ${snakeOilPrivateKey} > privkey.snakeoil"
)
client.succeed("chmod 600 privkey.snakeoil")
client.succeed(
"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil alice@server-allowed-users true",
timeout=30
)
client.succeed(
"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil bob@server-allowed-users true",
timeout=30
)
client.fail(
"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil carol@server-allowed-users true",
timeout=30
)
with subtest("no-openssl"):
client.succeed(
"cat ${snakeOilEd25519PrivateKey} > privkey.snakeoil"
)
client.succeed("chmod 600 privkey.snakeoil")
client.succeed(
"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server-no-openssl true",
timeout=30
)
with subtest("no-pam"):
client.succeed(
"cat ${snakeOilPrivateKey} > privkey.snakeoil"
)
client.succeed("chmod 600 privkey.snakeoil")
client.succeed(
"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server-no-pam true",
timeout=30
)
'';
})