56 lines
1.9 KiB
Nix
56 lines
1.9 KiB
Nix
import ./make-test-python.nix ({ lib, pkgs, ... }:
|
|
let
|
|
inherit (import ./ssh-keys.nix pkgs) snakeOilPrivateKey snakeOilPublicKey;
|
|
in {
|
|
name = "ssh-agent-auth";
|
|
meta.maintainers = with lib.maintainers; [ nicoo ];
|
|
|
|
nodes = let nodeConfig = n: { ... }: {
|
|
users.users = {
|
|
admin = {
|
|
isNormalUser = true;
|
|
extraGroups = [ "wheel" ];
|
|
openssh.authorizedKeys.keys = [ snakeOilPublicKey ];
|
|
};
|
|
foo.isNormalUser = true;
|
|
};
|
|
|
|
security.pam.sshAgentAuth = {
|
|
# Must be specified, as nixpkgs CI expects everything to eval without warning
|
|
authorizedKeysFiles = [ "/etc/ssh/authorized_keys.d/%u" ];
|
|
enable = true;
|
|
};
|
|
security.${lib.replaceStrings [ "_" ] [ "-" ] n} = {
|
|
enable = true;
|
|
wheelNeedsPassword = true; # We are checking `pam_ssh_agent_auth(8)` works for a sudoer
|
|
};
|
|
|
|
# Necessary for pam_ssh_agent_auth >_>'
|
|
services.openssh.enable = true;
|
|
};
|
|
in lib.genAttrs [ "sudo" "sudo_rs" ] nodeConfig;
|
|
|
|
testScript = let
|
|
privateKeyPath = "/home/admin/.ssh/id_ecdsa";
|
|
userScript = pkgs.writeShellScript "test-script" ''
|
|
set -e
|
|
ssh-add -q ${privateKeyPath}
|
|
|
|
# faketty needed to ensure `sudo` doesn't write to the controlling PTY,
|
|
# which would break the test-driver's line-oriented protocol.
|
|
${lib.getExe pkgs.faketty} sudo -u foo -- id -un
|
|
'';
|
|
in ''
|
|
for vm in (sudo, sudo_rs):
|
|
sudo_impl = vm.name.replace("_", "-")
|
|
with subtest(f"wheel user can auth with ssh-agent for {sudo_impl}"):
|
|
vm.copy_from_host("${snakeOilPrivateKey}", "${privateKeyPath}")
|
|
vm.succeed("chmod -R 0700 /home/admin")
|
|
vm.succeed("chown -R admin:users /home/admin")
|
|
|
|
# Run `userScript` in an environment with an SSH-agent available
|
|
assert vm.succeed("sudo -u admin -- ssh-agent ${userScript} 2>&1").strip() == "foo"
|
|
'';
|
|
}
|
|
)
|