| blob | fee40afd615392b6a08f0fcea5610773219ba180 |
1 import ./make-test-python.nix ({ lib, pkgs, ... }:
2 let
3 inherit (import ./ssh-keys.nix pkgs) snakeOilPrivateKey snakeOilPublicKey;
4 in {
5 name = "ssh-agent-auth";
6 meta.maintainers = with lib.maintainers; [ nicoo ];
8 nodes = let nodeConfig = n: { ... }: {
9 users.users = {
10 admin = {
11 isNormalUser = true;
12 extraGroups = [ "wheel" ];
13 openssh.authorizedKeys.keys = [ snakeOilPublicKey ];
14 };
15 foo.isNormalUser = true;
16 };
18 security.pam.sshAgentAuth = {
19 # Must be specified, as nixpkgs CI expects everything to eval without warning
20 authorizedKeysFiles = [ "/etc/ssh/authorized_keys.d/%u" ];
21 enable = true;
22 };
23 security.${lib.replaceStrings [ "_" ] [ "-" ] n} = {
24 enable = true;
25 wheelNeedsPassword = true; # We are checking `pam_ssh_agent_auth(8)` works for a sudoer
26 };
28 # Necessary for pam_ssh_agent_auth >_>'
29 services.openssh.enable = true;
30 };
31 in lib.genAttrs [ "sudo" "sudo_rs" ] nodeConfig;
33 testScript = let
34 privateKeyPath = "/home/admin/.ssh/id_ecdsa";
35 userScript = pkgs.writeShellScript "test-script" ''
36 set -e
37 ssh-add -q ${privateKeyPath}
39 # faketty needed to ensure `sudo` doesn't write to the controlling PTY,
40 # which would break the test-driver's line-oriented protocol.
41 ${lib.getExe pkgs.faketty} sudo -u foo -- id -un
42 '';
43 in ''
44 for vm in (sudo, sudo_rs):
45 sudo_impl = vm.name.replace("_", "-")
46 with subtest(f"wheel user can auth with ssh-agent for {sudo_impl}"):
47 vm.copy_from_host("${snakeOilPrivateKey}", "${privateKeyPath}")
48 vm.succeed("chmod -R 0700 /home/admin")
49 vm.succeed("chown -R admin:users /home/admin")
51 # Run `userScript` in an environment with an SSH-agent available
52 assert vm.succeed("sudo -u admin -- ssh-agent ${userScript} 2>&1").strip() == "foo"
53 '';
54 }
55 )