| blob | ba0570dbf97d2f24aae2cdac882d7df33d642eeb |
1 import ../make-test-python.nix ({ pkgs, lib, ... }:
3 let
4 testOnlySSHCredentials = pkgs.runCommand "pam-ussh-test-ca" {
5 nativeBuildInputs = [ pkgs.openssh ];
6 } ''
7 mkdir $out
8 ssh-keygen -t ed25519 -N "" -f $out/ca
10 ssh-keygen -t ed25519 -N "" -f $out/alice
11 ssh-keygen -s $out/ca -I "alice user key" -n "alice,root" -V 19700101:forever $out/alice.pub
13 ssh-keygen -t ed25519 -N "" -f $out/bob
14 ssh-keygen -s $out/ca -I "bob user key" -n "bob" -V 19700101:forever $out/bob.pub
15 '';
16 makeTestScript = user: pkgs.writeShellScript "pam-ussh-${user}-test-script" ''
17 set -euo pipefail
19 eval $(${pkgs.openssh}/bin/ssh-agent)
21 mkdir -p $HOME/.ssh
22 chmod 700 $HOME/.ssh
23 cp ${testOnlySSHCredentials}/${user}{,.pub,-cert.pub} $HOME/.ssh
24 chmod 600 $HOME/.ssh/${user}
25 chmod 644 $HOME/.ssh/${user}{,-cert}.pub
27 set -x
29 ${pkgs.openssh}/bin/ssh-add $HOME/.ssh/${user}
30 ${pkgs.openssh}/bin/ssh-add -l &>2
32 exec sudo id -u -n
33 '';
34 in {
35 name = "pam-ussh";
36 meta.maintainers = with lib.maintainers; [ lukegb ];
38 machine =
39 { ... }:
40 {
41 users.users.alice = { isNormalUser = true; extraGroups = [ "wheel" ]; };
42 users.users.bob = { isNormalUser = true; extraGroups = [ "wheel" ]; };
44 security.pam.ussh = {
45 enable = true;
46 authorizedPrincipals = "root";
47 caFile = "${testOnlySSHCredentials}/ca.pub";
48 };
50 security.sudo = {
51 enable = true;
52 extraConfig = ''
53 Defaults lecture="never"
54 '';
55 };
56 };
58 testScript =
59 ''
60 with subtest("alice should be allowed to escalate to root"):
61 machine.succeed(
62 'su -c "${makeTestScript "alice"}" -l alice | grep root'
63 )
65 with subtest("bob should not be allowed to escalate to root"):
66 machine.fail(
67 'su -c "${makeTestScript "bob"}" -l bob | grep root'
68 )
69 '';
70 })