author | Christoph Heiss <christoph@c8h4.io> | 2023-10-08 23:23:51 +0200 |
---|---|---|
committer | Christoph Heiss <christoph@c8h4.io> | 2023-10-19 18:30:52 +0200 |
commit | 4714845327dd4e972ee34cc4a8fa23c6b745e921 (patch) | |
tree | c61aaaad2ac20c25dbea429ee54437394a9c4780 /nixos/tests/openssh.nix | |
parent | a077b7fadb95813e3b72c10407974673a336c48e (diff) |
nixos/tests/openssh: add test for `AllowUsers`
Signed-off-by: Christoph Heiss <christoph@c8h4.io>
Diffstat (limited to 'nixos/tests/openssh.nix')
-rw-r--r-- | nixos/tests/openssh.nix | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/nixos/tests/openssh.nix b/nixos/tests/openssh.nix
index e88625678fec3..ce17cc7482b04 100644
--- a/nixos/tests/openssh.nix
+++ b/nixos/tests/openssh.nix
@@ -82,6 +82,19 @@ in {
 }; };
+ server_allowedusers =
+ { ... }:
+
+ {
+ services.openssh = { enable = true; settings.AllowUsers = [ "alice" "bob" ]; };
+ users.groups = { alice = { }; bob = { }; carol = { }; };
+ users.users = {
+ alice = { isNormalUser = true; group = "alice"; openssh.authorizedKeys.keys = [ snakeOilPublicKey ]; };
+ bob = { isNormalUser = true; group = "bob"; openssh.authorizedKeys.keys = [ snakeOilPublicKey ]; };
+ carol = { isNormalUser = true; group = "carol"; openssh.authorizedKeys.keys = [ snakeOilPublicKey ]; };
+ };
+ };
+
 client = { ... }: { };
@@ -147,5 +160,23 @@ in {
 with subtest("match-rules"): server_match_rule.succeed("ss -nlt | grep '127.0.0.1:22'")
+
+ with subtest("allowed-users"):
+ client.succeed(
+ "cat ${snakeOilPrivateKey} > privkey.snakeoil"
+ )
+ client.succeed("chmod 600 privkey.snakeoil")
+ client.succeed(
+ "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil alice@server_allowedusers true",
+ timeout=30
+ )
+ client.succeed(
+ "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil bob@server_allowedusers true",
+ timeout=30
+ )
+ client.fail(
+ "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil carol@server_allowedusers true",
+ timeout=30
+ )
 ''; }) |
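Review bot: The `server_allowedusers` node gives carol the same `snakeOilPublicKey` as alice and bob, which is what makes her a valid negative control, but nothing in the hunk says so. A one-line comment above `users.users`, for example `# carol holds a valid key but is absent from AllowUsers, so her login must be refused by the allow-list alone`, would stop a later cleanup from dropping her key and silently turning the test into a key-mismatch check. The enclosing `nodes` attribute set starts and ends outside the hunk.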
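Review bot: The `client.fail(...)` for carol in the `allowed-users` subtest passes on any non-zero exit from ssh, so a name-resolution error, a timeout or a stopped sshd would satisfy it just as well as an AllowUsers rejection. The alice and bob logins before it show the server is reachable, but the denial itself is never attributed; I would follow the `client.fail` with a server-side check such as `server_allowedusers.succeed("journalctl -u sshd | grep -q 'not listed in AllowUsers'")` (unit name assumed to be `sshd`). Adding `-o BatchMode=yes` to the carol command would also keep ssh from falling back to a password prompt instead of failing straight away. The hunk shows no `wait_for_unit` for `server_allowedusers`, and the test script starts outside the hunk, so if nothing there waits for it the first alice login can race sshd start-up.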