nixos/ssh: allow UsePAM to be disabled
This commit is contained in:
parent
41911ed9d2
commit
2e51a2fd03
|
@ -346,6 +346,7 @@ in
|
||||||
violates the privacy of users and is not recommended.
|
violates the privacy of users and is not recommended.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
UsePAM = mkEnableOption "PAM authentication" // { default = true; };
|
||||||
UseDns = mkOption {
|
UseDns = mkOption {
|
||||||
type = types.bool;
|
type = types.bool;
|
||||||
# apply if cfg.useDns then "yes" else "no"
|
# apply if cfg.useDns then "yes" else "no"
|
||||||
|
@ -622,7 +623,7 @@ in
|
||||||
|
|
||||||
networking.firewall.allowedTCPPorts = optionals cfg.openFirewall cfg.ports;
|
networking.firewall.allowedTCPPorts = optionals cfg.openFirewall cfg.ports;
|
||||||
|
|
||||||
security.pam.services.sshd =
|
security.pam.services.sshd = lib.mkIf cfg.settings.UsePAM
|
||||||
{ startSession = true;
|
{ startSession = true;
|
||||||
showMotd = true;
|
showMotd = true;
|
||||||
unixAuth = cfg.settings.PasswordAuthentication;
|
unixAuth = cfg.settings.PasswordAuthentication;
|
||||||
|
@ -638,8 +639,6 @@ in
|
||||||
|
|
||||||
services.openssh.extraConfig = mkOrder 0
|
services.openssh.extraConfig = mkOrder 0
|
||||||
''
|
''
|
||||||
UsePAM yes
|
|
||||||
|
|
||||||
Banner ${if cfg.banner == null then "none" else pkgs.writeText "ssh_banner" cfg.banner}
|
Banner ${if cfg.banner == null then "none" else pkgs.writeText "ssh_banner" cfg.banner}
|
||||||
|
|
||||||
AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"}
|
AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"}
|
||||||
|
|
|
@ -108,6 +108,23 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
server-no-pam =
|
||||||
|
{ pkgs, ... }:
|
||||||
|
{
|
||||||
|
programs.ssh.package = pkgs.opensshPackages.openssh.override {
|
||||||
|
withPAM = false;
|
||||||
|
};
|
||||||
|
services.openssh = {
|
||||||
|
enable = true;
|
||||||
|
settings = {
|
||||||
|
UsePAM = false;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
users.users.root.openssh.authorizedKeys.keys = [
|
||||||
|
snakeOilPublicKey
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
client =
|
client =
|
||||||
{ ... }: {
|
{ ... }: {
|
||||||
virtualisation.vlans = [ 1 2 ];
|
virtualisation.vlans = [ 1 2 ];
|
||||||
|
@ -122,6 +139,7 @@ in {
|
||||||
server_allowed_users.wait_for_unit("sshd", timeout=30)
|
server_allowed_users.wait_for_unit("sshd", timeout=30)
|
||||||
server_localhost_only.wait_for_unit("sshd", timeout=30)
|
server_localhost_only.wait_for_unit("sshd", timeout=30)
|
||||||
server_match_rule.wait_for_unit("sshd", timeout=30)
|
server_match_rule.wait_for_unit("sshd", timeout=30)
|
||||||
|
server_no_pam.wait_for_unit("sshd", timeout=30)
|
||||||
|
|
||||||
server_lazy.wait_for_unit("sshd.socket", timeout=30)
|
server_lazy.wait_for_unit("sshd.socket", timeout=30)
|
||||||
server_localhost_only_lazy.wait_for_unit("sshd.socket", timeout=30)
|
server_localhost_only_lazy.wait_for_unit("sshd.socket", timeout=30)
|
||||||
|
@ -211,5 +229,15 @@ in {
|
||||||
"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil carol@server-allowed-users true",
|
"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil carol@server-allowed-users true",
|
||||||
timeout=30
|
timeout=30
|
||||||
)
|
)
|
||||||
|
|
||||||
|
with subtest("no-pam"):
|
||||||
|
client.succeed(
|
||||||
|
"cat ${snakeOilPrivateKey} > privkey.snakeoil"
|
||||||
|
)
|
||||||
|
client.succeed("chmod 600 privkey.snakeoil")
|
||||||
|
client.succeed(
|
||||||
|
"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server-no-pam true",
|
||||||
|
timeout=30
|
||||||
|
)
|
||||||
'';
|
'';
|
||||||
})
|
})
|
||||||
|
|
Loading…
Reference in New Issue
Block a user