mirrors/nixpkgs
1
0
Fork 1
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-11-17 19:21:04 +00:00
Code Issues Wiki Activity
nixpkgs/nixos/tests/openssh.nix

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

282 lines
9.1 KiB
Nix
Raw Normal View History

nixos/openssh: port test to python
2019-11-04 23:33:17 +00:00
import ./make-test-python.nix ({ pkgs, ... }:
nixos/tests/openssh: Test configured auth keys. So far the test only uses an authorized key that is copied over to the target machine instead of being set by the target's configuration. Now, we cover both cases. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-06-27 07:34:59 +01:00
nixos: nix.sshServe: Support ssh-ng.
2018-02-28 21:55:00 +00:00
let inherit (import ./ssh-keys.nix pkgs)
openssh: fix linkOpenSSL=false by linking libxcrypt Possibly broken during https://github.com/NixOS/nixpkgs/pull/181764 Context: https://sourceware.org/legacy-ml/libc-alpha/2017-08/msg01257.html
2024-04-28 12:50:45 +01:00
snakeOilPrivateKey snakeOilPublicKey snakeOilEd25519PrivateKey snakeOilEd25519PublicKey;
nixos/tests/openssh: Test configured auth keys. So far the test only uses an authorized key that is copied over to the target machine instead of being set by the target's configuration. Now, we cover both cases. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-06-27 07:34:59 +01:00
in {
name nixos tests, close #3078
2014-06-28 15:04:49 +01:00
name = "openssh";
treewide: simplify pkgs.stdenv.lib -> pkgs.lib The library does not depend on stdenv, that `stdenv` exposes `lib` is an artifact of the ancient origins of nixpkgs.
2021-01-10 19:08:30 +00:00
meta = with pkgs.lib.maintainers; {
nixos: remove historical maintainership of modules by eelco Eelco has made several early contributions to NixOS including writing the samba module among other things, but is more or less inactive these days. By my brief inspection, he has not committed to the nixos/ tree since releasing Nix 2.13 in early 2023 and merging a PR to networking tests slightly before that. A lot of these tests/modules are actually unmaintained in practice, so we should update the code to reflect the practical reality so someone can consider picking them up.
2024-04-21 08:15:22 +01:00
maintainers = [ aszlig ];
all tests: added meta.maintainers section
2015-07-12 11:09:40 +01:00
};
Added openssh testcase svn path=/nixos/trunk/; revision=20732
2010-03-18 13:07:56 +00:00
nodes = {
strip trailing whitespace; no functional change svn path=/nixos/trunk/; revision=29285
2011-09-14 19:20:50 +01:00
server =
[bot] nixos/*: remove unused arguments in lambdas
2018-07-20 21:56:59 +01:00
{ ... }:
strip trailing whitespace; no functional change svn path=/nixos/trunk/; revision=29285
2011-09-14 19:20:50 +01:00
Added openssh testcase svn path=/nixos/trunk/; revision=20732
2010-03-18 13:07:56 +00:00
{
services.openssh.enable = true;
Test whether PAM resource limits work
2013-10-17 14:37:08 +01:00
security.pam.services.sshd.limits =
[ { domain = "*"; item = "memlock"; type = "-"; value = 1024; } ];
nixos/tests: users.(extraUsers|extraGroup->users|group)
2018-06-30 00:55:42 +01:00
users.users.root.openssh.authorizedKeys.keys = [
nixos/tests/openssh: Test configured auth keys. So far the test only uses an authorized key that is copied over to the target machine instead of being set by the target's configuration. Now, we cover both cases. Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2014-06-27 07:34:59 +01:00
snakeOilPublicKey
];
* Slight cleanup. svn path=/nixos/trunk/; revision=21998
2010-05-27 11:05:17 +01:00
};
strip trailing whitespace; no functional change svn path=/nixos/trunk/; revision=29285
2011-09-14 19:20:50 +01:00
tests/openssh: tidy up tests This test renames server_allowedusers to server-allowed-users. As a side-effect, since IPs are allocated to machines in alphabetical order, the IP assigned to server-lazy-socket changed, so the corresponding test had its IP updated.
2024-04-23 13:31:51 +01:00
server-allowed-users =
{ ... }:
{
services.openssh = { enable = true; settings.AllowUsers = [ "alice" "bob" ]; };
users.groups = { alice = { }; bob = { }; carol = { }; };
users.users = {
alice = { isNormalUser = true; group = "alice"; openssh.authorizedKeys.keys = [ snakeOilPublicKey ]; };
bob = { isNormalUser = true; group = "bob"; openssh.authorizedKeys.keys = [ snakeOilPublicKey ]; };
carol = { isNormalUser = true; group = "carol"; openssh.authorizedKeys.keys = [ snakeOilPublicKey ]; };
};
};
nixos/tests/openssh: use dashes for hostnames Otherwise the tests will fail with `networking.useNetworkd = true;` because `systemd-resolved` ignores invalid hostnames in `/etc/hosts` (which is where all hosts from the `nodes`-attribute set end up) and subsequently e.g. `ssh server_lazy` will fail because the name cannot be resolved. In d6e84a4574a200de63e8fe86ef8574b507fd366e the test-framework was changed to replace all dashes with underscores of hostnames in the python code to have readable hostnames that are valid. I.e. nodes.foo-bar = {} represents a host with a valid hostname and it can be referenced in the `testScript` with `foo_bar`. Applying this here fixes the test for both scripted networking and networkd.
2023-10-24 13:24:10 +01:00
server-lazy =
[bot] nixos/*: remove unused arguments in lambdas
2018-07-20 21:56:59 +01:00
{ ... }:
openssh: test that startWhenNeeded works
2016-12-29 14:49:43 +00:00
{
services.openssh = { enable = true; startWhenNeeded = true; };
security.pam.services.sshd.limits =
[ { domain = "*"; item = "memlock"; type = "-"; value = 1024; } ];
nixos/tests: users.(extraUsers|extraGroup->users|group)
2018-06-30 00:55:42 +01:00
users.users.root.openssh.authorizedKeys.keys = [
openssh: test that startWhenNeeded works
2016-12-29 14:49:43 +00:00
snakeOilPublicKey
];
};
nixos/sshd: fix socket activated ports when using ListenAddress Noticed that issue while reviewing #275633: when declaring `ListenAddress host` without a port, all ports declared by `Port`/`cfg.ports` will be used with `host` according to `sshd_config(5)`. However, if this is done and socket activation is used, only a socket for port 22 is created instead of a sockets for each port from `Port`/`cfg.ports`. This patch corrects that behavior. Also added a regression test for this case.
2024-01-03 18:36:51 +00:00
server-lazy-socket = {
virtualisation.vlans = [ 1 2 ];
services.openssh = {
enable = true;
startWhenNeeded = true;
ports = [ 2222 ];
listenAddresses = [ { addr = "0.0.0.0"; } ];
};
users.users.root.openssh.authorizedKeys.keys = [
snakeOilPublicKey
];
};
nixos/tests/openssh: use dashes for hostnames Otherwise the tests will fail with `networking.useNetworkd = true;` because `systemd-resolved` ignores invalid hostnames in `/etc/hosts` (which is where all hosts from the `nodes`-attribute set end up) and subsequently e.g. `ssh server_lazy` will fail because the name cannot be resolved. In d6e84a4574a200de63e8fe86ef8574b507fd366e the test-framework was changed to replace all dashes with underscores of hostnames in the python code to have readable hostnames that are valid. I.e. nodes.foo-bar = {} represents a host with a valid hostname and it can be referenced in the `testScript` with `foo_bar`. Applying this here fixes the test for both scripted networking and networkd.
2023-10-24 13:24:10 +01:00
server-localhost-only =
sshd: fix startWhenNeeded and listenAddresses combination Previously, if startWhenNeeded was set, listenAddresses option was ignored and daemon was listening on all interfaces. Fixes #56325.
2019-02-24 23:48:01 +00:00
{ ... }:
{
services.openssh = {
enable = true; listenAddresses = [ { addr = "127.0.0.1"; port = 22; } ];
};
};
nixos/tests/openssh: use dashes for hostnames Otherwise the tests will fail with `networking.useNetworkd = true;` because `systemd-resolved` ignores invalid hostnames in `/etc/hosts` (which is where all hosts from the `nodes`-attribute set end up) and subsequently e.g. `ssh server_lazy` will fail because the name cannot be resolved. In d6e84a4574a200de63e8fe86ef8574b507fd366e the test-framework was changed to replace all dashes with underscores of hostnames in the python code to have readable hostnames that are valid. I.e. nodes.foo-bar = {} represents a host with a valid hostname and it can be referenced in the `testScript` with `foo_bar`. Applying this here fixes the test for both scripted networking and networkd.
2023-10-24 13:24:10 +01:00
server-localhost-only-lazy =
sshd: fix startWhenNeeded and listenAddresses combination Previously, if startWhenNeeded was set, listenAddresses option was ignored and daemon was listening on all interfaces. Fixes #56325.
2019-02-24 23:48:01 +00:00
{ ... }:
{
services.openssh = {
enable = true; startWhenNeeded = true; listenAddresses = [ { addr = "127.0.0.1"; port = 22; } ];
};
};
nixos/tests/openssh: use dashes for hostnames Otherwise the tests will fail with `networking.useNetworkd = true;` because `systemd-resolved` ignores invalid hostnames in `/etc/hosts` (which is where all hosts from the `nodes`-attribute set end up) and subsequently e.g. `ssh server_lazy` will fail because the name cannot be resolved. In d6e84a4574a200de63e8fe86ef8574b507fd366e the test-framework was changed to replace all dashes with underscores of hostnames in the python code to have readable hostnames that are valid. I.e. nodes.foo-bar = {} represents a host with a valid hostname and it can be referenced in the `testScript` with `foo_bar`. Applying this here fixes the test for both scripted networking and networkd.
2023-10-24 13:24:10 +01:00
server-match-rule =
nixos/tests/openssh: add `Match` config for validation test
2023-09-19 12:05:59 +01:00
{ ... }:
{
services.openssh = {
nixos/sshd: fix sshd.conf validity check When using e.g. `{ addr = "[::]"; port = 22; }` at `listenAddresses`, the check fails because of an escaping issue[1] with last 1 log lines: > Invalid test mode specification -f For full logs, run 'nix log /nix/store/c6pbpw5hjkjgipmarwyic9zyqr1xaix5-check-sshd-config.drv' Using `lib.escapeShellArg` appears to solve the problem. [1] https://github.com/NixOS/nixpkgs/pull/256090#issuecomment-1738063528
2023-09-27 21:59:13 +01:00
enable = true; listenAddresses = [ { addr = "127.0.0.1"; port = 22; } { addr = "[::]"; port = 22; } ];
nixos/tests/openssh: add `Match` config for validation test
2023-09-19 12:05:59 +01:00
extraConfig = ''
# Combined test for two (predictable) Match criterias
Match LocalAddress 127.0.0.1 LocalPort 22
PermitRootLogin yes
# Separate tests for Match criterias
Match User root
PermitRootLogin yes
Match Group root
PermitRootLogin yes
Match Host nohost.example
PermitRootLogin yes
Match LocalAddress 127.0.0.1
PermitRootLogin yes
Match LocalPort 22
PermitRootLogin yes
Match RDomain nohost.example
PermitRootLogin yes
Match Address 127.0.0.1
PermitRootLogin yes
'';
};
};
openssh: fix linkOpenSSL=false by linking libxcrypt Possibly broken during https://github.com/NixOS/nixpkgs/pull/181764 Context: https://sourceware.org/legacy-ml/libc-alpha/2017-08/msg01257.html
2024-04-28 12:50:45 +01:00
server-no-openssl =
{ ... }:
{
services.openssh = {
enable = true;
nixos/ssh: add services.openssh.package Motivation: Allow the sshd package to be built differently to the ssh package (programs.ssh.package). For example, build sshd(1) without openssl, but built ssh(1) with OpenSSL support. Set the default to be programs.ssh.package, to preserve compatibility.
2024-05-04 14:02:53 +01:00
package = pkgs.opensshPackages.openssh.override {
linkOpenssl = false;
};
openssh: fix linkOpenSSL=false by linking libxcrypt Possibly broken during https://github.com/NixOS/nixpkgs/pull/181764 Context: https://sourceware.org/legacy-ml/libc-alpha/2017-08/msg01257.html
2024-04-28 12:50:45 +01:00
hostKeys = [
{ type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
];
settings = {
tests/openssh: use upstream's algorithms in "no openssl" example When I initially wrote this test, I wasn't aware that services.openssh could opt into using OpenSSH's default algorithms by just setting the relevant settings to null. That's a better approach since: * it's a simpler setting for this test to have to worry about * it introduces test coverage for the null case * the null case should be demonstrated as an example for those that want to compile without OpenSSL
2024-06-06 14:06:29 +01:00
# Since this test is against an OpenSSH-without-OpenSSL,
# we have to override NixOS's defaults ciphers (which require OpenSSL)
# and instead set these to null, which will mean OpenSSH uses its defaults.
# Expectedly, OpenSSH's defaults don't require OpenSSL when it's compiled
# without OpenSSL.
Ciphers = null;
KexAlgorithms = null;
Macs = null;
openssh: fix linkOpenSSL=false by linking libxcrypt Possibly broken during https://github.com/NixOS/nixpkgs/pull/181764 Context: https://sourceware.org/legacy-ml/libc-alpha/2017-08/msg01257.html
2024-04-28 12:50:45 +01:00
};
};
users.users.root.openssh.authorizedKeys.keys = [
snakeOilEd25519PublicKey
];
};
nixos/ssh: allow UsePAM to be disabled
2024-04-21 13:51:02 +01:00
server-no-pam =
{ pkgs, ... }:
{
services.openssh = {
enable = true;
nixos/ssh: add services.openssh.package Motivation: Allow the sshd package to be built differently to the ssh package (programs.ssh.package). For example, build sshd(1) without openssl, but built ssh(1) with OpenSSL support. Set the default to be programs.ssh.package, to preserve compatibility.
2024-05-04 14:02:53 +01:00
package = pkgs.opensshPackages.openssh.override {
withPAM = false;
};
nixos/ssh: allow UsePAM to be disabled
2024-04-21 13:51:02 +01:00
settings = {
UsePAM = false;
};
};
users.users.root.openssh.authorizedKeys.keys = [
snakeOilPublicKey
];
};
strip trailing whitespace; no functional change svn path=/nixos/trunk/; revision=29285
2011-09-14 19:20:50 +01:00
client =
nixos/sshd: fix socket activated ports when using ListenAddress Noticed that issue while reviewing #275633: when declaring `ListenAddress host` without a port, all ports declared by `Port`/`cfg.ports` will be used with `host` according to `sshd_config(5)`. However, if this is done and socket activation is used, only a socket for port 22 is created instead of a sockets for each port from `Port`/`cfg.ports`. This patch corrects that behavior. Also added a regression test for this case.
2024-01-03 18:36:51 +00:00
{ ... }: {
virtualisation.vlans = [ 1 2 ];
};
strip trailing whitespace; no functional change svn path=/nixos/trunk/; revision=29285
2011-09-14 19:20:50 +01:00
Added openssh testcase svn path=/nixos/trunk/; revision=20732
2010-03-18 13:07:56 +00:00
};
strip trailing whitespace; no functional change svn path=/nixos/trunk/; revision=29285
2011-09-14 19:20:50 +01:00
* No wonder the OpenSSH test was so unreliable: it didn't wait for the sshd Upstart job to finish. svn path=/nixos/trunk/; revision=25524
2011-01-12 17:36:15 +00:00
testScript = ''
nixos/openssh: port test to python
2019-11-04 23:33:17 +00:00
start_all()
nixos/tests/openssh: wait for sshd(.socket) units, add timeout=30 Motivated by recently observed flakiness of this test on Hydra: [1] https://github.com/NixOS/nixpkgs/pull/259051#issuecomment-1752363951 [2] https://hydra.nixos.org/build/237478399
2023-10-09 19:54:14 +01:00
server.wait_for_unit("sshd", timeout=30)
tests/openssh: tidy up tests This test renames server_allowedusers to server-allowed-users. As a side-effect, since IPs are allocated to machines in alphabetical order, the IP assigned to server-lazy-socket changed, so the corresponding test had its IP updated.
2024-04-23 13:31:51 +01:00
server_allowed_users.wait_for_unit("sshd", timeout=30)
nixos/tests/openssh: wait for sshd(.socket) units, add timeout=30 Motivated by recently observed flakiness of this test on Hydra: [1] https://github.com/NixOS/nixpkgs/pull/259051#issuecomment-1752363951 [2] https://hydra.nixos.org/build/237478399
2023-10-09 19:54:14 +01:00
server_localhost_only.wait_for_unit("sshd", timeout=30)
server_match_rule.wait_for_unit("sshd", timeout=30)
openssh: fix linkOpenSSL=false by linking libxcrypt Possibly broken during https://github.com/NixOS/nixpkgs/pull/181764 Context: https://sourceware.org/legacy-ml/libc-alpha/2017-08/msg01257.html
2024-04-28 12:50:45 +01:00
server_no_openssl.wait_for_unit("sshd", timeout=30)
nixos/ssh: allow UsePAM to be disabled
2024-04-21 13:51:02 +01:00
server_no_pam.wait_for_unit("sshd", timeout=30)
nixos/tests/openssh: wait for sshd(.socket) units, add timeout=30 Motivated by recently observed flakiness of this test on Hydra: [1] https://github.com/NixOS/nixpkgs/pull/259051#issuecomment-1752363951 [2] https://hydra.nixos.org/build/237478399
2023-10-09 19:54:14 +01:00
server_lazy.wait_for_unit("sshd.socket", timeout=30)
server_localhost_only_lazy.wait_for_unit("sshd.socket", timeout=30)
nixos/sshd: fix socket activated ports when using ListenAddress Noticed that issue while reviewing #275633: when declaring `ListenAddress host` without a port, all ports declared by `Port`/`cfg.ports` will be used with `host` according to `sshd_config(5)`. However, if this is done and socket activation is used, only a socket for port 22 is created instead of a sockets for each port from `Port`/`cfg.ports`. This patch corrects that behavior. Also added a regression test for this case.
2024-01-03 18:36:51 +00:00
server_lazy_socket.wait_for_unit("sshd.socket", timeout=30)
nixos/openssh: port test to python
2019-11-04 23:33:17 +00:00
with subtest("manual-authkey"):
client.succeed("mkdir -m 700 /root/.ssh")
client.succeed(
'${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519 -N ""'
)
public_key = client.succeed(
"${pkgs.openssh}/bin/ssh-keygen -y -f /root/.ssh/id_ed25519"
)
public_key = public_key.strip()
client.succeed("chmod 600 /root/.ssh/id_ed25519")
server.succeed("mkdir -m 700 /root/.ssh")
server.succeed("echo '{}' > /root/.ssh/authorized_keys".format(public_key))
server_lazy.succeed("mkdir -m 700 /root/.ssh")
server_lazy.succeed("echo '{}' > /root/.ssh/authorized_keys".format(public_key))
client.wait_for_unit("network.target")
client.succeed(
nixos/tests/openssh: add timeouts to all ssh invocations It might still lock up, but at least it won't lock up for 10 hours.
2022-05-04 05:58:52 +01:00
"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'echo hello world' >&2",
timeout=30
nixos/openssh: port test to python
2019-11-04 23:33:17 +00:00
)
client.succeed(
nixos/tests/openssh: add timeouts to all ssh invocations It might still lock up, but at least it won't lock up for 10 hours.
2022-05-04 05:58:52 +01:00
"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'ulimit -l' | grep 1024",
timeout=30
nixos/openssh: port test to python
2019-11-04 23:33:17 +00:00
)
client.succeed(
nixos/tests/openssh: use dashes for hostnames Otherwise the tests will fail with `networking.useNetworkd = true;` because `systemd-resolved` ignores invalid hostnames in `/etc/hosts` (which is where all hosts from the `nodes`-attribute set end up) and subsequently e.g. `ssh server_lazy` will fail because the name cannot be resolved. In d6e84a4574a200de63e8fe86ef8574b507fd366e the test-framework was changed to replace all dashes with underscores of hostnames in the python code to have readable hostnames that are valid. I.e. nodes.foo-bar = {} represents a host with a valid hostname and it can be referenced in the `testScript` with `foo_bar`. Applying this here fixes the test for both scripted networking and networkd.
2023-10-24 13:24:10 +01:00
"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server-lazy 'echo hello world' >&2",
nixos/tests/openssh: add timeouts to all ssh invocations It might still lock up, but at least it won't lock up for 10 hours.
2022-05-04 05:58:52 +01:00
timeout=30
nixos/openssh: port test to python
2019-11-04 23:33:17 +00:00
)
client.succeed(
nixos/tests/openssh: use dashes for hostnames Otherwise the tests will fail with `networking.useNetworkd = true;` because `systemd-resolved` ignores invalid hostnames in `/etc/hosts` (which is where all hosts from the `nodes`-attribute set end up) and subsequently e.g. `ssh server_lazy` will fail because the name cannot be resolved. In d6e84a4574a200de63e8fe86ef8574b507fd366e the test-framework was changed to replace all dashes with underscores of hostnames in the python code to have readable hostnames that are valid. I.e. nodes.foo-bar = {} represents a host with a valid hostname and it can be referenced in the `testScript` with `foo_bar`. Applying this here fixes the test for both scripted networking and networkd.
2023-10-24 13:24:10 +01:00
"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server-lazy 'ulimit -l' | grep 1024",
nixos/tests/openssh: add timeouts to all ssh invocations It might still lock up, but at least it won't lock up for 10 hours.
2022-05-04 05:58:52 +01:00
timeout=30
nixos/openssh: port test to python
2019-11-04 23:33:17 +00:00
)
nixos/sshd: fix socket activated ports when using ListenAddress Noticed that issue while reviewing #275633: when declaring `ListenAddress host` without a port, all ports declared by `Port`/`cfg.ports` will be used with `host` according to `sshd_config(5)`. However, if this is done and socket activation is used, only a socket for port 22 is created instead of a sockets for each port from `Port`/`cfg.ports`. This patch corrects that behavior. Also added a regression test for this case.
2024-01-03 18:36:51 +00:00
with subtest("socket activation on a non-standard port"):
client.succeed(
"cat ${snakeOilPrivateKey} > privkey.snakeoil"
)
client.succeed("chmod 600 privkey.snakeoil")
tests/openssh: tidy up tests This test renames server_allowedusers to server-allowed-users. As a side-effect, since IPs are allocated to machines in alphabetical order, the IP assigned to server-lazy-socket changed, so the corresponding test had its IP updated.
2024-04-23 13:31:51 +01:00
# The final segment in this IP is allocated according to the alphabetical order of machines in this test.
nixos/sshd: fix socket activated ports when using ListenAddress Noticed that issue while reviewing #275633: when declaring `ListenAddress host` without a port, all ports declared by `Port`/`cfg.ports` will be used with `host` according to `sshd_config(5)`. However, if this is done and socket activation is used, only a socket for port 22 is created instead of a sockets for each port from `Port`/`cfg.ports`. This patch corrects that behavior. Also added a regression test for this case.
2024-01-03 18:36:51 +00:00
client.succeed(
tests/openssh: tidy up tests This test renames server_allowedusers to server-allowed-users. As a side-effect, since IPs are allocated to machines in alphabetical order, the IP assigned to server-lazy-socket changed, so the corresponding test had its IP updated.
2024-04-23 13:31:51 +01:00
"ssh -p 2222 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil root@192.168.2.5 true",
nixos/sshd: fix socket activated ports when using ListenAddress Noticed that issue while reviewing #275633: when declaring `ListenAddress host` without a port, all ports declared by `Port`/`cfg.ports` will be used with `host` according to `sshd_config(5)`. However, if this is done and socket activation is used, only a socket for port 22 is created instead of a sockets for each port from `Port`/`cfg.ports`. This patch corrects that behavior. Also added a regression test for this case.
2024-01-03 18:36:51 +00:00
timeout=30
)
nixos/openssh: port test to python
2019-11-04 23:33:17 +00:00
with subtest("configured-authkey"):
client.succeed(
"cat ${snakeOilPrivateKey} > privkey.snakeoil"
)
client.succeed("chmod 600 privkey.snakeoil")
client.succeed(
nixos/tests/openssh: add timeouts to all ssh invocations It might still lock up, but at least it won't lock up for 10 hours.
2022-05-04 05:58:52 +01:00
"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server true",
timeout=30
nixos/openssh: port test to python
2019-11-04 23:33:17 +00:00
)
client.succeed(
nixos/tests/openssh: use dashes for hostnames Otherwise the tests will fail with `networking.useNetworkd = true;` because `systemd-resolved` ignores invalid hostnames in `/etc/hosts` (which is where all hosts from the `nodes`-attribute set end up) and subsequently e.g. `ssh server_lazy` will fail because the name cannot be resolved. In d6e84a4574a200de63e8fe86ef8574b507fd366e the test-framework was changed to replace all dashes with underscores of hostnames in the python code to have readable hostnames that are valid. I.e. nodes.foo-bar = {} represents a host with a valid hostname and it can be referenced in the `testScript` with `foo_bar`. Applying this here fixes the test for both scripted networking and networkd.
2023-10-24 13:24:10 +01:00
"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server-lazy true",
nixos/tests/openssh: add timeouts to all ssh invocations It might still lock up, but at least it won't lock up for 10 hours.
2022-05-04 05:58:52 +01:00
timeout=30
nixos/openssh: port test to python
2019-11-04 23:33:17 +00:00
)
with subtest("localhost-only"):
server_localhost_only.succeed("ss -nlt | grep '127.0.0.1:22'")
server_localhost_only_lazy.succeed("ss -nlt | grep '127.0.0.1:22'")
nixos/tests/openssh: add `Match` config for validation test
2023-09-19 12:05:59 +01:00
with subtest("match-rules"):
server_match_rule.succeed("ss -nlt | grep '127.0.0.1:22'")
nixos/tests/openssh: add test for `AllowUsers` Signed-off-by: Christoph Heiss <christoph@c8h4.io>
2023-10-08 22:23:51 +01:00
with subtest("allowed-users"):
client.succeed(
"cat ${snakeOilPrivateKey} > privkey.snakeoil"
)
client.succeed("chmod 600 privkey.snakeoil")
client.succeed(
tests/openssh: tidy up tests This test renames server_allowedusers to server-allowed-users. As a side-effect, since IPs are allocated to machines in alphabetical order, the IP assigned to server-lazy-socket changed, so the corresponding test had its IP updated.
2024-04-23 13:31:51 +01:00
"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil alice@server-allowed-users true",
nixos/tests/openssh: add test for `AllowUsers` Signed-off-by: Christoph Heiss <christoph@c8h4.io>
2023-10-08 22:23:51 +01:00
timeout=30
)
client.succeed(
tests/openssh: tidy up tests This test renames server_allowedusers to server-allowed-users. As a side-effect, since IPs are allocated to machines in alphabetical order, the IP assigned to server-lazy-socket changed, so the corresponding test had its IP updated.
2024-04-23 13:31:51 +01:00
"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil bob@server-allowed-users true",
nixos/tests/openssh: add test for `AllowUsers` Signed-off-by: Christoph Heiss <christoph@c8h4.io>
2023-10-08 22:23:51 +01:00
timeout=30
)
client.fail(
tests/openssh: tidy up tests This test renames server_allowedusers to server-allowed-users. As a side-effect, since IPs are allocated to machines in alphabetical order, the IP assigned to server-lazy-socket changed, so the corresponding test had its IP updated.
2024-04-23 13:31:51 +01:00
"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil carol@server-allowed-users true",
nixos/tests/openssh: add test for `AllowUsers` Signed-off-by: Christoph Heiss <christoph@c8h4.io>
2023-10-08 22:23:51 +01:00
timeout=30
)
nixos/ssh: allow UsePAM to be disabled
2024-04-21 13:51:02 +01:00
openssh: fix linkOpenSSL=false by linking libxcrypt Possibly broken during https://github.com/NixOS/nixpkgs/pull/181764 Context: https://sourceware.org/legacy-ml/libc-alpha/2017-08/msg01257.html
2024-04-28 12:50:45 +01:00
with subtest("no-openssl"):
client.succeed(
"cat ${snakeOilEd25519PrivateKey} > privkey.snakeoil"
)
client.succeed("chmod 600 privkey.snakeoil")
client.succeed(
"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server-no-openssl true",
timeout=30
)
nixos/ssh: allow UsePAM to be disabled
2024-04-21 13:51:02 +01:00
with subtest("no-pam"):
client.succeed(
"cat ${snakeOilPrivateKey} > privkey.snakeoil"
)
client.succeed("chmod 600 privkey.snakeoil")
client.succeed(
"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server-no-pam true",
timeout=30
)
Added openssh testcase svn path=/nixos/trunk/; revision=20732
2010-03-18 13:07:56 +00:00
'';
Make it easier to run the tests You can now run a test in the nixos/tests directory directly using nix-build, e.g. $ nix-build '<nixos/tests/login.nix>' -A test This gets rid of having to add the test to nixos/tests/default.nix. (Of course, you still need to add it to nixos/release.nix if you want Hydra to run the test.)
2014-04-14 13:02:44 +01:00
})
Copy permalink