nixpkgs/nixos/tests/openssh.nix

import ./make-test-python.nix ({ pkgs, ... }:

let inherit (import ./ssh-keys.nix pkgs)
      snakeOilPrivateKey snakeOilPublicKey;
in {
  name = "openssh";
  meta = with pkgs.lib.maintainers; {
    maintainers = [ aszlig eelco ];
  };

  nodes = {

    server =
      { ... }:

      {
        services.openssh.enable = true;
        security.pam.services.sshd.limits =
          [ { domain = "*"; item = "memlock"; type = "-"; value = 1024; } ];
        users.users.root.openssh.authorizedKeys.keys = [
          snakeOilPublicKey
        ];
      };

    server-lazy =
      { ... }:

      {
        services.openssh = { enable = true; startWhenNeeded = true; };
        security.pam.services.sshd.limits =
          [ { domain = "*"; item = "memlock"; type = "-"; value = 1024; } ];
        users.users.root.openssh.authorizedKeys.keys = [
          snakeOilPublicKey
        ];
      };

    server-lazy-socket = {
      virtualisation.vlans = [ 1 2 ];
      services.openssh = {
        enable = true;
        startWhenNeeded = true;
        ports = [ 2222 ];
        listenAddresses = [ { addr = "0.0.0.0"; } ];
      };
      users.users.root.openssh.authorizedKeys.keys = [
        snakeOilPublicKey
      ];
    };

    server-localhost-only =
      { ... }:

      {
        services.openssh = {
          enable = true; listenAddresses = [ { addr = "127.0.0.1"; port = 22; } ];
        };
      };

    server-localhost-only-lazy =
      { ... }:

      {
        services.openssh = {
          enable = true; startWhenNeeded = true; listenAddresses = [ { addr = "127.0.0.1"; port = 22; } ];
        };
      };

    server-match-rule =
      { ... }:

      {
        services.openssh = {
          enable = true; listenAddresses = [ { addr = "127.0.0.1"; port = 22; } { addr = "[::]"; port = 22; } ];
          extraConfig = ''
            # Combined test for two (predictable) Match criterias
            Match LocalAddress 127.0.0.1 LocalPort 22
              PermitRootLogin yes

            # Separate tests for Match criterias
            Match User root
              PermitRootLogin yes
            Match Group root
              PermitRootLogin yes
            Match Host nohost.example
              PermitRootLogin yes
            Match LocalAddress 127.0.0.1
              PermitRootLogin yes
            Match LocalPort 22
              PermitRootLogin yes
            Match RDomain nohost.example
              PermitRootLogin yes
            Match Address 127.0.0.1
              PermitRootLogin yes
          '';
        };
      };

    server_allowedusers =
      { ... }:

      {
        services.openssh = { enable = true; settings.AllowUsers = [ "alice" "bob" ]; };
        users.groups = { alice = { }; bob = { }; carol = { }; };
        users.users = {
          alice = { isNormalUser = true; group = "alice"; openssh.authorizedKeys.keys = [ snakeOilPublicKey ]; };
          bob = { isNormalUser = true; group = "bob"; openssh.authorizedKeys.keys = [ snakeOilPublicKey ]; };
          carol = { isNormalUser = true; group = "carol"; openssh.authorizedKeys.keys = [ snakeOilPublicKey ]; };
        };
      };

    client =
      { ... }: {
        virtualisation.vlans = [ 1 2 ];
      };

  };

  testScript = ''
    start_all()

    server.wait_for_unit("sshd", timeout=30)
    server_localhost_only.wait_for_unit("sshd", timeout=30)
    server_match_rule.wait_for_unit("sshd", timeout=30)

    server_lazy.wait_for_unit("sshd.socket", timeout=30)
    server_localhost_only_lazy.wait_for_unit("sshd.socket", timeout=30)
    server_lazy_socket.wait_for_unit("sshd.socket", timeout=30)

    with subtest("manual-authkey"):
        client.succeed("mkdir -m 700 /root/.ssh")
        client.succeed(
            '${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519 -N ""'
        )
        public_key = client.succeed(
            "${pkgs.openssh}/bin/ssh-keygen -y -f /root/.ssh/id_ed25519"
        )
        public_key = public_key.strip()
        client.succeed("chmod 600 /root/.ssh/id_ed25519")

        server.succeed("mkdir -m 700 /root/.ssh")
        server.succeed("echo '{}' > /root/.ssh/authorized_keys".format(public_key))
        server_lazy.succeed("mkdir -m 700 /root/.ssh")
        server_lazy.succeed("echo '{}' > /root/.ssh/authorized_keys".format(public_key))

        client.wait_for_unit("network.target")
        client.succeed(
            "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'echo hello world' >&2",
            timeout=30
        )
        client.succeed(
            "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'ulimit -l' | grep 1024",
            timeout=30
        )

        client.succeed(
            "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server-lazy 'echo hello world' >&2",
            timeout=30
        )
        client.succeed(
            "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server-lazy 'ulimit -l' | grep 1024",
            timeout=30
        )

    with subtest("socket activation on a non-standard port"):
        client.succeed(
            "cat ${snakeOilPrivateKey} > privkey.snakeoil"
        )
        client.succeed("chmod 600 privkey.snakeoil")
        client.succeed(
            "ssh -p 2222 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil root@192.168.2.4 true",
            timeout=30
        )

    with subtest("configured-authkey"):
        client.succeed(
            "cat ${snakeOilPrivateKey} > privkey.snakeoil"
        )
        client.succeed("chmod 600 privkey.snakeoil")
        client.succeed(
            "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server true",
            timeout=30
        )
        client.succeed(
            "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server-lazy true",
            timeout=30
        )

    with subtest("localhost-only"):
        server_localhost_only.succeed("ss -nlt | grep '127.0.0.1:22'")
        server_localhost_only_lazy.succeed("ss -nlt | grep '127.0.0.1:22'")

    with subtest("match-rules"):
        server_match_rule.succeed("ss -nlt | grep '127.0.0.1:22'")

    with subtest("allowed-users"):
        client.succeed(
            "cat ${snakeOilPrivateKey} > privkey.snakeoil"
        )
        client.succeed("chmod 600 privkey.snakeoil")
        client.succeed(
            "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil alice@server_allowedusers true",
            timeout=30
        )
        client.succeed(
            "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil bob@server_allowedusers true",
            timeout=30
        )
        client.fail(
            "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil carol@server_allowedusers true",
            timeout=30
        )
  '';
})
nixos/openssh: port test to python 2019-11-04 23:33:17 +00:00			`import ./make-test-python.nix ({ pkgs, ... }:`
nixos/tests/openssh: Test configured auth keys. So far the test only uses an authorized key that is copied over to the target machine instead of being set by the target's configuration. Now, we cover both cases. Signed-off-by: aszlig <aszlig@redmoonstudios.org> 2014-06-27 06:34:59 +00:00
nixos: nix.sshServe: Support ssh-ng. 2018-02-28 21:55:00 +00:00			`let inherit (import ./ssh-keys.nix pkgs)`
			`snakeOilPrivateKey snakeOilPublicKey;`
nixos/tests/openssh: Test configured auth keys. So far the test only uses an authorized key that is copied over to the target machine instead of being set by the target's configuration. Now, we cover both cases. Signed-off-by: aszlig <aszlig@redmoonstudios.org> 2014-06-27 06:34:59 +00:00			`in {`
name nixos tests, close #3078 2014-06-28 14:04:49 +00:00			`name = "openssh";`
treewide: simplify pkgs.stdenv.lib -> pkgs.lib The library does not depend on stdenv, that `stdenv` exposes `lib` is an artifact of the ancient origins of nixpkgs. 2021-01-10 19:08:30 +00:00			`meta = with pkgs.lib.maintainers; {`
Remove myself as maintainer from packages I'm currently not maintaining any packages. 2019-02-22 15:14:13 +00:00			`maintainers = [ aszlig eelco ];`
all tests: added meta.maintainers section 2015-07-12 10:09:40 +00:00			`};`
Added openssh testcase svn path=/nixos/trunk/; revision=20732 2010-03-18 13:07:56 +00:00
			`nodes = {`
strip trailing whitespace; no functional change svn path=/nixos/trunk/; revision=29285 2011-09-14 18:20:50 +00:00
			`server =`
[bot] nixos/*: remove unused arguments in lambdas 2018-07-20 20:56:59 +00:00			`{ ... }:`
strip trailing whitespace; no functional change svn path=/nixos/trunk/; revision=29285 2011-09-14 18:20:50 +00:00
Added openssh testcase svn path=/nixos/trunk/; revision=20732 2010-03-18 13:07:56 +00:00			`{`
			`services.openssh.enable = true;`
Test whether PAM resource limits work 2013-10-17 13:37:08 +00:00			`security.pam.services.sshd.limits =`
			`[ { domain = "*"; item = "memlock"; type = "-"; value = 1024; } ];`
nixos/tests: users.(extraUsers\|extraGroup->users\|group) 2018-06-29 23:55:42 +00:00			`users.users.root.openssh.authorizedKeys.keys = [`
nixos/tests/openssh: Test configured auth keys. So far the test only uses an authorized key that is copied over to the target machine instead of being set by the target's configuration. Now, we cover both cases. Signed-off-by: aszlig <aszlig@redmoonstudios.org> 2014-06-27 06:34:59 +00:00			`snakeOilPublicKey`
			`];`
* Slight cleanup. svn path=/nixos/trunk/; revision=21998 2010-05-27 10:05:17 +00:00			`};`
strip trailing whitespace; no functional change svn path=/nixos/trunk/; revision=29285 2011-09-14 18:20:50 +00:00
nixos/tests/openssh: use dashes for hostnames Otherwise the tests will fail with `networking.useNetworkd = true;` because `systemd-resolved` ignores invalid hostnames in `/etc/hosts` (which is where all hosts from the `nodes`-attribute set end up) and subsequently e.g. `ssh server_lazy` will fail because the name cannot be resolved. In d6e84a4574a200de63e8fe86ef8574b507fd366e the test-framework was changed to replace all dashes with underscores of hostnames in the python code to have readable hostnames that are valid. I.e. nodes.foo-bar = {} represents a host with a valid hostname and it can be referenced in the `testScript` with `foo_bar`. Applying this here fixes the test for both scripted networking and networkd. 2023-10-24 12:24:10 +00:00			`server-lazy =`
[bot] nixos/*: remove unused arguments in lambdas 2018-07-20 20:56:59 +00:00			`{ ... }:`
openssh: test that startWhenNeeded works 2016-12-29 14:49:43 +00:00
			`{`
			`services.openssh = { enable = true; startWhenNeeded = true; };`
			`security.pam.services.sshd.limits =`
			`[ { domain = "*"; item = "memlock"; type = "-"; value = 1024; } ];`
nixos/tests: users.(extraUsers\|extraGroup->users\|group) 2018-06-29 23:55:42 +00:00			`users.users.root.openssh.authorizedKeys.keys = [`
openssh: test that startWhenNeeded works 2016-12-29 14:49:43 +00:00			`snakeOilPublicKey`
			`];`
			`};`

nixos/sshd: fix socket activated ports when using ListenAddress Noticed that issue while reviewing #275633: when declaring `ListenAddress host` without a port, all ports declared by `Port`/`cfg.ports` will be used with `host` according to `sshd_config(5)`. However, if this is done and socket activation is used, only a socket for port 22 is created instead of a sockets for each port from `Port`/`cfg.ports`. This patch corrects that behavior. Also added a regression test for this case. 2024-01-03 18:36:51 +00:00			`server-lazy-socket = {`
			`virtualisation.vlans = [ 1 2 ];`
			`services.openssh = {`
			`enable = true;`
			`startWhenNeeded = true;`
			`ports = [ 2222 ];`
			`listenAddresses = [ { addr = "0.0.0.0"; } ];`
			`};`
			`users.users.root.openssh.authorizedKeys.keys = [`
			`snakeOilPublicKey`
			`];`
			`};`

nixos/tests/openssh: use dashes for hostnames Otherwise the tests will fail with `networking.useNetworkd = true;` because `systemd-resolved` ignores invalid hostnames in `/etc/hosts` (which is where all hosts from the `nodes`-attribute set end up) and subsequently e.g. `ssh server_lazy` will fail because the name cannot be resolved. In d6e84a4574a200de63e8fe86ef8574b507fd366e the test-framework was changed to replace all dashes with underscores of hostnames in the python code to have readable hostnames that are valid. I.e. nodes.foo-bar = {} represents a host with a valid hostname and it can be referenced in the `testScript` with `foo_bar`. Applying this here fixes the test for both scripted networking and networkd. 2023-10-24 12:24:10 +00:00			`server-localhost-only =`
sshd: fix startWhenNeeded and listenAddresses combination Previously, if startWhenNeeded was set, listenAddresses option was ignored and daemon was listening on all interfaces. Fixes #56325. 2019-02-24 23:48:01 +00:00			`{ ... }:`

			`{`
			`services.openssh = {`
			`enable = true; listenAddresses = [ { addr = "127.0.0.1"; port = 22; } ];`
			`};`
			`};`

nixos/tests/openssh: use dashes for hostnames Otherwise the tests will fail with `networking.useNetworkd = true;` because `systemd-resolved` ignores invalid hostnames in `/etc/hosts` (which is where all hosts from the `nodes`-attribute set end up) and subsequently e.g. `ssh server_lazy` will fail because the name cannot be resolved. In d6e84a4574a200de63e8fe86ef8574b507fd366e the test-framework was changed to replace all dashes with underscores of hostnames in the python code to have readable hostnames that are valid. I.e. nodes.foo-bar = {} represents a host with a valid hostname and it can be referenced in the `testScript` with `foo_bar`. Applying this here fixes the test for both scripted networking and networkd. 2023-10-24 12:24:10 +00:00			`server-localhost-only-lazy =`
sshd: fix startWhenNeeded and listenAddresses combination Previously, if startWhenNeeded was set, listenAddresses option was ignored and daemon was listening on all interfaces. Fixes #56325. 2019-02-24 23:48:01 +00:00			`{ ... }:`

			`{`
			`services.openssh = {`
			`enable = true; startWhenNeeded = true; listenAddresses = [ { addr = "127.0.0.1"; port = 22; } ];`
			`};`
			`};`

nixos/tests/openssh: use dashes for hostnames Otherwise the tests will fail with `networking.useNetworkd = true;` because `systemd-resolved` ignores invalid hostnames in `/etc/hosts` (which is where all hosts from the `nodes`-attribute set end up) and subsequently e.g. `ssh server_lazy` will fail because the name cannot be resolved. In d6e84a4574a200de63e8fe86ef8574b507fd366e the test-framework was changed to replace all dashes with underscores of hostnames in the python code to have readable hostnames that are valid. I.e. nodes.foo-bar = {} represents a host with a valid hostname and it can be referenced in the `testScript` with `foo_bar`. Applying this here fixes the test for both scripted networking and networkd. 2023-10-24 12:24:10 +00:00			`server-match-rule =`
nixos/tests/openssh: add `Match` config for validation test 2023-09-19 11:05:59 +00:00			`{ ... }:`

			`{`
			`services.openssh = {`
nixos/sshd: fix sshd.conf validity check When using e.g. `{ addr = "[::]"; port = 22; }` at `listenAddresses`, the check fails because of an escaping issue[1] with last 1 log lines: > Invalid test mode specification -f For full logs, run 'nix log /nix/store/c6pbpw5hjkjgipmarwyic9zyqr1xaix5-check-sshd-config.drv' Using `lib.escapeShellArg` appears to solve the problem. [1] https://github.com/NixOS/nixpkgs/pull/256090#issuecomment-1738063528 2023-09-27 20:59:13 +00:00			`enable = true; listenAddresses = [ { addr = "127.0.0.1"; port = 22; } { addr = "[::]"; port = 22; } ];`
nixos/tests/openssh: add `Match` config for validation test 2023-09-19 11:05:59 +00:00			`extraConfig = ''`
			`# Combined test for two (predictable) Match criterias`
			`Match LocalAddress 127.0.0.1 LocalPort 22`
			`PermitRootLogin yes`

			`# Separate tests for Match criterias`
			`Match User root`
			`PermitRootLogin yes`
			`Match Group root`
			`PermitRootLogin yes`
			`Match Host nohost.example`
			`PermitRootLogin yes`
			`Match LocalAddress 127.0.0.1`
			`PermitRootLogin yes`
			`Match LocalPort 22`
			`PermitRootLogin yes`
			`Match RDomain nohost.example`
			`PermitRootLogin yes`
			`Match Address 127.0.0.1`
			`PermitRootLogin yes`
			`'';`
			`};`
			`};`

nixos/tests/openssh: add test for `AllowUsers` Signed-off-by: Christoph Heiss <christoph@c8h4.io> 2023-10-08 21:23:51 +00:00			`server_allowedusers =`
			`{ ... }:`

			`{`
			`services.openssh = { enable = true; settings.AllowUsers = [ "alice" "bob" ]; };`
			`users.groups = { alice = { }; bob = { }; carol = { }; };`
			`users.users = {`
			`alice = { isNormalUser = true; group = "alice"; openssh.authorizedKeys.keys = [ snakeOilPublicKey ]; };`
			`bob = { isNormalUser = true; group = "bob"; openssh.authorizedKeys.keys = [ snakeOilPublicKey ]; };`
			`carol = { isNormalUser = true; group = "carol"; openssh.authorizedKeys.keys = [ snakeOilPublicKey ]; };`
			`};`
			`};`

strip trailing whitespace; no functional change svn path=/nixos/trunk/; revision=29285 2011-09-14 18:20:50 +00:00			`client =`
nixos/sshd: fix socket activated ports when using ListenAddress Noticed that issue while reviewing #275633: when declaring `ListenAddress host` without a port, all ports declared by `Port`/`cfg.ports` will be used with `host` according to `sshd_config(5)`. However, if this is done and socket activation is used, only a socket for port 22 is created instead of a sockets for each port from `Port`/`cfg.ports`. This patch corrects that behavior. Also added a regression test for this case. 2024-01-03 18:36:51 +00:00			`{ ... }: {`
			`virtualisation.vlans = [ 1 2 ];`
			`};`
strip trailing whitespace; no functional change svn path=/nixos/trunk/; revision=29285 2011-09-14 18:20:50 +00:00
Added openssh testcase svn path=/nixos/trunk/; revision=20732 2010-03-18 13:07:56 +00:00			`};`
strip trailing whitespace; no functional change svn path=/nixos/trunk/; revision=29285 2011-09-14 18:20:50 +00:00
* No wonder the OpenSSH test was so unreliable: it didn't wait for the sshd Upstart job to finish. svn path=/nixos/trunk/; revision=25524 2011-01-12 17:36:15 +00:00			`testScript = ''`
nixos/openssh: port test to python 2019-11-04 23:33:17 +00:00			`start_all()`

nixos/tests/openssh: wait for sshd(.socket) units, add timeout=30 Motivated by recently observed flakiness of this test on Hydra: [1] https://github.com/NixOS/nixpkgs/pull/259051#issuecomment-1752363951 [2] https://hydra.nixos.org/build/237478399 2023-10-09 18:54:14 +00:00			`server.wait_for_unit("sshd", timeout=30)`
			`server_localhost_only.wait_for_unit("sshd", timeout=30)`
			`server_match_rule.wait_for_unit("sshd", timeout=30)`

			`server_lazy.wait_for_unit("sshd.socket", timeout=30)`
			`server_localhost_only_lazy.wait_for_unit("sshd.socket", timeout=30)`
nixos/sshd: fix socket activated ports when using ListenAddress Noticed that issue while reviewing #275633: when declaring `ListenAddress host` without a port, all ports declared by `Port`/`cfg.ports` will be used with `host` according to `sshd_config(5)`. However, if this is done and socket activation is used, only a socket for port 22 is created instead of a sockets for each port from `Port`/`cfg.ports`. This patch corrects that behavior. Also added a regression test for this case. 2024-01-03 18:36:51 +00:00			`server_lazy_socket.wait_for_unit("sshd.socket", timeout=30)`
nixos/openssh: port test to python 2019-11-04 23:33:17 +00:00
			`with subtest("manual-authkey"):`
			`client.succeed("mkdir -m 700 /root/.ssh")`
			`client.succeed(`
			`'${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519 -N ""'`
			`)`
			`public_key = client.succeed(`
			`"${pkgs.openssh}/bin/ssh-keygen -y -f /root/.ssh/id_ed25519"`
			`)`
			`public_key = public_key.strip()`
			`client.succeed("chmod 600 /root/.ssh/id_ed25519")`

			`server.succeed("mkdir -m 700 /root/.ssh")`
			`server.succeed("echo '{}' > /root/.ssh/authorized_keys".format(public_key))`
			`server_lazy.succeed("mkdir -m 700 /root/.ssh")`
			`server_lazy.succeed("echo '{}' > /root/.ssh/authorized_keys".format(public_key))`

			`client.wait_for_unit("network.target")`
			`client.succeed(`
nixos/tests/openssh: add timeouts to all ssh invocations It might still lock up, but at least it won't lock up for 10 hours. 2022-05-04 04:58:52 +00:00			`"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'echo hello world' >&2",`
			`timeout=30`
nixos/openssh: port test to python 2019-11-04 23:33:17 +00:00			`)`
			`client.succeed(`
nixos/tests/openssh: add timeouts to all ssh invocations It might still lock up, but at least it won't lock up for 10 hours. 2022-05-04 04:58:52 +00:00			`"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'ulimit -l' \| grep 1024",`
			`timeout=30`
nixos/openssh: port test to python 2019-11-04 23:33:17 +00:00			`)`

			`client.succeed(`
nixos/tests/openssh: use dashes for hostnames Otherwise the tests will fail with `networking.useNetworkd = true;` because `systemd-resolved` ignores invalid hostnames in `/etc/hosts` (which is where all hosts from the `nodes`-attribute set end up) and subsequently e.g. `ssh server_lazy` will fail because the name cannot be resolved. In d6e84a4574a200de63e8fe86ef8574b507fd366e the test-framework was changed to replace all dashes with underscores of hostnames in the python code to have readable hostnames that are valid. I.e. nodes.foo-bar = {} represents a host with a valid hostname and it can be referenced in the `testScript` with `foo_bar`. Applying this here fixes the test for both scripted networking and networkd. 2023-10-24 12:24:10 +00:00			`"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server-lazy 'echo hello world' >&2",`
nixos/tests/openssh: add timeouts to all ssh invocations It might still lock up, but at least it won't lock up for 10 hours. 2022-05-04 04:58:52 +00:00			`timeout=30`
nixos/openssh: port test to python 2019-11-04 23:33:17 +00:00			`)`
			`client.succeed(`
nixos/tests/openssh: use dashes for hostnames Otherwise the tests will fail with `networking.useNetworkd = true;` because `systemd-resolved` ignores invalid hostnames in `/etc/hosts` (which is where all hosts from the `nodes`-attribute set end up) and subsequently e.g. `ssh server_lazy` will fail because the name cannot be resolved. In d6e84a4574a200de63e8fe86ef8574b507fd366e the test-framework was changed to replace all dashes with underscores of hostnames in the python code to have readable hostnames that are valid. I.e. nodes.foo-bar = {} represents a host with a valid hostname and it can be referenced in the `testScript` with `foo_bar`. Applying this here fixes the test for both scripted networking and networkd. 2023-10-24 12:24:10 +00:00			`"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server-lazy 'ulimit -l' \| grep 1024",`
nixos/tests/openssh: add timeouts to all ssh invocations It might still lock up, but at least it won't lock up for 10 hours. 2022-05-04 04:58:52 +00:00			`timeout=30`
nixos/openssh: port test to python 2019-11-04 23:33:17 +00:00			`)`

nixos/sshd: fix socket activated ports when using ListenAddress Noticed that issue while reviewing #275633: when declaring `ListenAddress host` without a port, all ports declared by `Port`/`cfg.ports` will be used with `host` according to `sshd_config(5)`. However, if this is done and socket activation is used, only a socket for port 22 is created instead of a sockets for each port from `Port`/`cfg.ports`. This patch corrects that behavior. Also added a regression test for this case. 2024-01-03 18:36:51 +00:00			`with subtest("socket activation on a non-standard port"):`
			`client.succeed(`
			`"cat ${snakeOilPrivateKey} > privkey.snakeoil"`
			`)`
			`client.succeed("chmod 600 privkey.snakeoil")`
			`client.succeed(`
			`"ssh -p 2222 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil root@192.168.2.4 true",`
			`timeout=30`
			`)`

nixos/openssh: port test to python 2019-11-04 23:33:17 +00:00			`with subtest("configured-authkey"):`
			`client.succeed(`
			`"cat ${snakeOilPrivateKey} > privkey.snakeoil"`
			`)`
			`client.succeed("chmod 600 privkey.snakeoil")`
			`client.succeed(`
nixos/tests/openssh: add timeouts to all ssh invocations It might still lock up, but at least it won't lock up for 10 hours. 2022-05-04 04:58:52 +00:00			`"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server true",`
			`timeout=30`
nixos/openssh: port test to python 2019-11-04 23:33:17 +00:00			`)`
			`client.succeed(`
nixos/tests/openssh: use dashes for hostnames Otherwise the tests will fail with `networking.useNetworkd = true;` because `systemd-resolved` ignores invalid hostnames in `/etc/hosts` (which is where all hosts from the `nodes`-attribute set end up) and subsequently e.g. `ssh server_lazy` will fail because the name cannot be resolved. In d6e84a4574a200de63e8fe86ef8574b507fd366e the test-framework was changed to replace all dashes with underscores of hostnames in the python code to have readable hostnames that are valid. I.e. nodes.foo-bar = {} represents a host with a valid hostname and it can be referenced in the `testScript` with `foo_bar`. Applying this here fixes the test for both scripted networking and networkd. 2023-10-24 12:24:10 +00:00			`"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server-lazy true",`
nixos/tests/openssh: add timeouts to all ssh invocations It might still lock up, but at least it won't lock up for 10 hours. 2022-05-04 04:58:52 +00:00			`timeout=30`
nixos/openssh: port test to python 2019-11-04 23:33:17 +00:00			`)`

			`with subtest("localhost-only"):`
			`server_localhost_only.succeed("ss -nlt \| grep '127.0.0.1:22'")`
			`server_localhost_only_lazy.succeed("ss -nlt \| grep '127.0.0.1:22'")`
nixos/tests/openssh: add `Match` config for validation test 2023-09-19 11:05:59 +00:00
			`with subtest("match-rules"):`
			`server_match_rule.succeed("ss -nlt \| grep '127.0.0.1:22'")`
nixos/tests/openssh: add test for `AllowUsers` Signed-off-by: Christoph Heiss <christoph@c8h4.io> 2023-10-08 21:23:51 +00:00
			`with subtest("allowed-users"):`
			`client.succeed(`
			`"cat ${snakeOilPrivateKey} > privkey.snakeoil"`
			`)`
			`client.succeed("chmod 600 privkey.snakeoil")`
			`client.succeed(`
			`"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil alice@server_allowedusers true",`
			`timeout=30`
			`)`
			`client.succeed(`
			`"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil bob@server_allowedusers true",`
			`timeout=30`
			`)`
			`client.fail(`
			`"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil carol@server_allowedusers true",`
			`timeout=30`
			`)`
Added openssh testcase svn path=/nixos/trunk/; revision=20732 2010-03-18 13:07:56 +00:00			`'';`
Make it easier to run the tests You can now run a test in the nixos/tests directory directly using nix-build, e.g. $ nix-build '<nixos/tests/login.nix>' -A test This gets rid of having to add the test to nixos/tests/default.nix. (Of course, you still need to add it to nixos/release.nix if you want Hydra to run the test.) 2014-04-14 12:02:44 +00:00			`})`