| blob | 4083f5906d79a9d03ddaf8d555d2701213471aba |
1 import ./make-test-python.nix ({ pkgs, ... }:
3 let inherit (import ./ssh-keys.nix pkgs)
4 snakeOilPrivateKey snakeOilPublicKey;
5 in {
6 name = "openssh";
7 meta = with pkgs.lib.maintainers; {
8 maintainers = [ aszlig eelco ];
9 };
11 nodes = {
13 server =
14 { ... }:
16 {
17 services.openssh.enable = true;
18 security.pam.services.sshd.limits =
19 [ { domain = "*"; item = "memlock"; type = "-"; value = 1024; } ];
20 users.users.root.openssh.authorizedKeys.keys = [
21 snakeOilPublicKey
22 ];
23 };
25 server_lazy =
26 { ... }:
28 {
29 services.openssh = { enable = true; startWhenNeeded = true; };
30 security.pam.services.sshd.limits =
31 [ { domain = "*"; item = "memlock"; type = "-"; value = 1024; } ];
32 users.users.root.openssh.authorizedKeys.keys = [
33 snakeOilPublicKey
34 ];
35 };
37 server_localhost_only =
38 { ... }:
40 {
41 services.openssh = {
42 enable = true; listenAddresses = [ { addr = "127.0.0.1"; port = 22; } ];
43 };
44 };
46 server_localhost_only_lazy =
47 { ... }:
49 {
50 services.openssh = {
51 enable = true; startWhenNeeded = true; listenAddresses = [ { addr = "127.0.0.1"; port = 22; } ];
52 };
53 };
55 client =
56 { ... }: { };
58 };
60 testScript = ''
61 start_all()
63 server.wait_for_unit("sshd")
65 with subtest("manual-authkey"):
66 client.succeed("mkdir -m 700 /root/.ssh")
67 client.succeed(
68 '${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519 -N ""'
69 )
70 public_key = client.succeed(
71 "${pkgs.openssh}/bin/ssh-keygen -y -f /root/.ssh/id_ed25519"
72 )
73 public_key = public_key.strip()
74 client.succeed("chmod 600 /root/.ssh/id_ed25519")
76 server.succeed("mkdir -m 700 /root/.ssh")
77 server.succeed("echo '{}' > /root/.ssh/authorized_keys".format(public_key))
78 server_lazy.succeed("mkdir -m 700 /root/.ssh")
79 server_lazy.succeed("echo '{}' > /root/.ssh/authorized_keys".format(public_key))
81 client.wait_for_unit("network.target")
82 client.succeed(
83 "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'echo hello world' >&2",
84 timeout=30
85 )
86 client.succeed(
87 "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'ulimit -l' | grep 1024",
88 timeout=30
89 )
91 client.succeed(
92 "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server_lazy 'echo hello world' >&2",
93 timeout=30
94 )
95 client.succeed(
96 "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server_lazy 'ulimit -l' | grep 1024",
97 timeout=30
98 )
100 with subtest("configured-authkey"):
101 client.succeed(
102 "cat ${snakeOilPrivateKey} > privkey.snakeoil"
103 )
104 client.succeed("chmod 600 privkey.snakeoil")
105 client.succeed(
106 "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server true",
107 timeout=30
108 )
109 client.succeed(
110 "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server_lazy true",
111 timeout=30
112 )
114 with subtest("localhost-only"):
115 server_localhost_only.succeed("ss -nlt | grep '127.0.0.1:22'")
116 server_localhost_only_lazy.succeed("ss -nlt | grep '127.0.0.1:22'")
117 '';
118 })