author | Tom Fitzhenry <tom@tom-fitzhenry.me.uk> | 2024-04-28 21:50:45 +1000 |
committer | Tom Fitzhenry <tom@tom-fitzhenry.me.uk> | 2024-04-29 00:17:17 +1000 |
commit | 03e851ea8e2da7d497fc7368621abc78c29c18af (patch) | |
tree | 3039cc588c347ec73734469fdfabd8db0530fe86 /nixos/tests/openssh.nix | |
parent | f02aa0f18fd0bea8de8476c26ac66cb277e32370 (diff) |
openssh: fix linkOpenSSL=false by linking libxcrypt
Possibly broken during https://github.com/NixOS/nixpkgs/pull/181764. Context: https://sourceware.org/legacy-ml/libc-alpha/2017-08/msg01257.html
Diffstat (limited to 'nixos/tests/openssh.nix')
-rw-r--r-- | nixos/tests/openssh.nix | 38 |
1 files changed, 37 insertions, 1 deletions
diff --git a/nixos/tests/openssh.nix b/nixos/tests/openssh.nix
index a039986621cab..2684b6f45e84e 100644
--- a/nixos/tests/openssh.nix
+++ b/nixos/tests/openssh.nix
@@ -1,7 +1,7 @@
 import ./make-test-python.nix ({ pkgs, ... }:
 let inherit (import ./ssh-keys.nix pkgs)
- snakeOilPrivateKey snakeOilPublicKey;
+ snakeOilPrivateKey snakeOilPublicKey snakeOilEd25519PrivateKey snakeOilEd25519PublicKey;
 in {
 name = "openssh";
 meta = with pkgs.lib.maintainers; {
@@ -108,6 +108,31 @@ in {
 };
 };
+ server-no-openssl =
+ { ... }:
+ {
+ programs.ssh.package = pkgs.opensshPackages.openssh.override {
+ linkOpenssl = false;
+ };
+ services.openssh = {
+ enable = true;
+ hostKeys = [
+ { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
+ ];
+ settings = {
+ # Must not specify the OpenSSL provided algorithms.
+ Ciphers = [ "chacha20-poly1305@openssh.com" ];
+ KexAlgorithms = [
+ "curve25519-sha256"
+ "curve25519-sha256@libssh.org"
+ ];
+ };
+ };
+ users.users.root.openssh.authorizedKeys.keys = [
+ snakeOilEd25519PublicKey
+ ];
+ };
+
 server-no-pam =
 { pkgs, ... }:
 {
@@ -139,6 +164,7 @@ in {
 server_allowed_users.wait_for_unit("sshd", timeout=30)
 server_localhost_only.wait_for_unit("sshd", timeout=30)
 server_match_rule.wait_for_unit("sshd", timeout=30)
+ server_no_openssl.wait_for_unit("sshd", timeout=30)
 server_no_pam.wait_for_unit("sshd", timeout=30)
 server_lazy.wait_for_unit("sshd.socket", timeout=30)
@@ -230,6 +256,16 @@ in {
 timeout=30
 )
+ with subtest("no-openssl"):
+ client.succeed(
+ "cat ${snakeOilEd25519PrivateKey} > privkey.snakeoil"
+ )
+ client.succeed("chmod 600 privkey.snakeoil")
+ client.succeed(
+ "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server-no-openssl true",
+ timeout=30
+ )
+
 with subtest("no-pam"):
 client.succeed(
 "cat ${snakeOilPrivateKey} > privkey.snakeoil" |
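Review bot: The new `server-no-openssl` node in the second hunk documents only the `Ciphers` line, so the reason the node also pins an ed25519-only `hostKeys` entry and curve25519-only `KexAlgorithms` is left for the reader to infer; a comment above `programs.ssh.package` would make the constraint explicit, e.g. `# Built without OpenSSL: host key, kex and cipher are restricted to the algorithms OpenSSH implements itself.` The `no-openssl` subtest in the last hunk authenticates with the ed25519 public key only, so as far as the hunk shows the libxcrypt linkage named in the commit title is exercised only to the extent that sshd links and starts (`server_no_openssl.wait_for_unit("sshd", timeout=30)`), not through a password-authentication path; if that is the intended coverage, saying so in the subtest or commit message would avoid a false sense of what is tested. The `UserKnownHostsFile=/dev/null` and `StrictHostKeyChecking=no` options mirror the existing `no-pam` subtest that follows, so no change is proposed there.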