diff options
author | Aaron Andersen <aaron@fosslib.net> | 2023-10-29 08:20:22 -0400 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-10-29 08:20:22 -0400 |
commit | 3b848391b65f7ace8c234c8dcfe6771cabf9c6a9 (patch) | |
tree | 2b2c1254bdfc217a2f833191a879d8a0a4f6d9c7 /nixos/tests/openssh.nix | |
parent | f4bc9a6ef9f7833c234ab89287254b71b19a2fb1 (diff) | |
parent | cc8ba2162979b33eba280b8e20d4477871628c53 (diff) |
Merge pull request #227442 from christoph-heiss/openssh/allowusers
openssh: add {Allow,Deny}{Users,Groups} settings
Diffstat (limited to 'nixos/tests/openssh.nix')
-rw-r--r-- | nixos/tests/openssh.nix | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/nixos/tests/openssh.nix b/nixos/tests/openssh.nix index 88d3e54ee76cb..881eb9d7d91c5 100644 --- a/nixos/tests/openssh.nix +++ b/nixos/tests/openssh.nix @@ -82,6 +82,19 @@ in { }; }; + server_allowedusers = + { ... }: + + { + services.openssh = { enable = true; settings.AllowUsers = [ "alice" "bob" ]; }; + users.groups = { alice = { }; bob = { }; carol = { }; }; + users.users = { + alice = { isNormalUser = true; group = "alice"; openssh.authorizedKeys.keys = [ snakeOilPublicKey ]; }; + bob = { isNormalUser = true; group = "bob"; openssh.authorizedKeys.keys = [ snakeOilPublicKey ]; }; + carol = { isNormalUser = true; group = "carol"; openssh.authorizedKeys.keys = [ snakeOilPublicKey ]; }; + }; + }; + client = { ... }: { }; @@ -147,5 +160,23 @@ in { with subtest("match-rules"): server_match_rule.succeed("ss -nlt | grep '127.0.0.1:22'") + + with subtest("allowed-users"): + client.succeed( + "cat ${snakeOilPrivateKey} > privkey.snakeoil" + ) + client.succeed("chmod 600 privkey.snakeoil") + client.succeed( + "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil alice@server_allowedusers true", + timeout=30 + ) + client.succeed( + "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil bob@server_allowedusers true", + timeout=30 + ) + client.fail( + "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil carol@server_allowedusers true", + timeout=30 + ) ''; }) |