author | Vladimír Čunát <v@cunat.cz> | 2024-05-02 09:05:49 +0200 |
---|---|---|
committer | Vladimír Čunát <v@cunat.cz> | 2024-05-02 09:05:49 +0200 |
commit | 725f48a252336419d97f118e015f1b6ef5bbcea8 (patch) | |
tree | b972cb7d31ba489685b4094351960168fe2381c0 /nixos/tests | |
parent | dd897ede49954633e34ae9ec694ab7be361993d2 (diff) | |
parent | 0599892e8e36e089c742574ed6c9fd2b1cc7514f (diff) |
Merge branch 'master' into staging-next
Diffstat (limited to 'nixos/tests')
-rw-r--r-- | nixos/tests/installed-tests/default.nix | 2 | ||||
-rw-r--r-- | nixos/tests/libreswan.nix | 6 | ||||
-rw-r--r-- | nixos/tests/openssh.nix | 38 | ||||
-rw-r--r-- | nixos/tests/ssh-keys.nix | 12 |
4 files changed, 53 insertions, 5 deletions
diff --git a/nixos/tests/installed-tests/default.nix b/nixos/tests/installed-tests/default.nix
index e87edb2007e93..b1ddfe3dcbd80 100644
--- a/nixos/tests/installed-tests/default.nix
+++ b/nixos/tests/installed-tests/default.nix
@@ -1,5 +1,5 @@
 # NixOS tests for gnome-desktop-testing-runner using software
-# See https://wiki.gnome.org/Initiatives/GnomeGoals/InstalledTests
+# See https://github.com/NixOS/nixpkgs/issues/34987
 { system ? builtins.currentSystem,
 config ? {},
diff --git a/nixos/tests/libreswan.nix b/nixos/tests/libreswan.nix
index aadba941fab17..c798a04645bc0 100644
--- a/nixos/tests/libreswan.nix
+++ b/nixos/tests/libreswan.nix
@@ -119,11 +119,11 @@ in
 with subtest("Libreswan is ready"):
 alice.wait_for_unit("ipsec")
 bob.wait_for_unit("ipsec")
- alice.succeed("ipsec verify 1>&2")
+ alice.succeed("ipsec checkconfig")
 with subtest("Alice and Bob can start the tunnel"):
- alice.execute("ipsec auto --start tunnel >&2 &")
- bob.succeed("ipsec auto --start tunnel")
+ alice.execute("ipsec start tunnel >&2 &")
+ bob.succeed("ipsec start tunnel")
 # apparently this is needed to "wake" the tunnel
 bob.execute("ping -c1 alice")
diff --git a/nixos/tests/openssh.nix b/nixos/tests/openssh.nix
index a039986621cab..2684b6f45e84e 100644
--- a/nixos/tests/openssh.nix
+++ b/nixos/tests/openssh.nix
@@ -1,7 +1,7 @@
 import ./make-test-python.nix ({ pkgs, ... }:
 let inherit (import ./ssh-keys.nix pkgs)
- snakeOilPrivateKey snakeOilPublicKey;
+ snakeOilPrivateKey snakeOilPublicKey snakeOilEd25519PrivateKey snakeOilEd25519PublicKey;
 in {
 name = "openssh";
 meta = with pkgs.lib.maintainers; {
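Review bot: In the libreswan hunk, Alice's side is still started with `alice.execute("ipsec start tunnel >&2 &")`, which backgrounds the command and discards its exit status, so only Bob's `bob.succeed("ipsec start tunnel")` is actually asserted and a failure on Alice's side would surface only indirectly, if at all. If the backgrounding is deliberate because `ipsec start` blocks until the peer answers, that deserves a comment such as `# Alice's start is backgrounded: it blocks until the peer connects, so Bob's foreground start is the one asserted`. It would also be worth asserting Alice's view of the tunnel once Bob has connected, e.g. `alice.succeed("ipsec trafficstatus")` if the libreswan 5 CLI offers it. The subtest body continues past the end of the hunk, so such a check may already exist further down.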
@@ -108,6 +108,31 @@ in {
 };
 };
+ server-no-openssl =
+ { ... }:
+ {
+ programs.ssh.package = pkgs.opensshPackages.openssh.override {
+ linkOpenssl = false;
+ };
+ services.openssh = {
+ enable = true;
+ hostKeys = [
+ { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
+ ];
+ settings = {
+ # Must not specify the OpenSSL provided algorithms.
+ Ciphers = [ "chacha20-poly1305@openssh.com" ];
+ KexAlgorithms = [
+ "curve25519-sha256"
+ "curve25519-sha256@libssh.org"
+ ];
+ };
+ };
+ users.users.root.openssh.authorizedKeys.keys = [
+ snakeOilEd25519PublicKey
+ ];
+ };
+
 server-no-pam =
 { pkgs, ... }:
 {
@@ -139,6 +164,7 @@ in {
 server_allowed_users.wait_for_unit("sshd", timeout=30)
 server_localhost_only.wait_for_unit("sshd", timeout=30)
 server_match_rule.wait_for_unit("sshd", timeout=30)
+ server_no_openssl.wait_for_unit("sshd", timeout=30)
 server_no_pam.wait_for_unit("sshd", timeout=30)
 server_lazy.wait_for_unit("sshd.socket", timeout=30)
@@ -230,6 +256,16 @@ in {
 timeout=30
 )
+ with subtest("no-openssl"):
+ client.succeed(
+ "cat ${snakeOilEd25519PrivateKey} > privkey.snakeoil"
+ )
+ client.succeed("chmod 600 privkey.snakeoil")
+ client.succeed(
+ "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server-no-openssl true",
+ timeout=30
+ )
+
 with subtest("no-pam"):
 client.succeed(
 "cat ${snakeOilPrivateKey} > privkey.snakeoil"
diff --git a/nixos/tests/ssh-keys.nix b/nixos/tests/ssh-keys.nix
index df9ff38a3b22a..675f3a0b43947 100644
--- a/nixos/tests/ssh-keys.nix
+++ b/nixos/tests/ssh-keys.nix
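Review bot: The `server-no-openssl` node overrides `programs.ssh.package`, which is nominally the client-side option, and nothing in the hunk says why that also changes the sshd binary; it only does if the sshd module takes its package from `programs.ssh.package` (which it appears to, since the test depends on it). A one-line comment would spare the next reader that lookup, e.g. `# sshd is built from programs.ssh.package, so this override swaps the server binary too`. In the same spirit, the single ed25519 entry in `hostKeys` is presumably there because the default rsa host key cannot be generated without OpenSSL; the existing `# Must not specify the OpenSSL provided algorithms.` comment could be extended with `# (and only an ed25519 host key: rsa needs OpenSSL too)` so the two restrictions are explained together. The enclosing `nodes` attribute set starts and ends outside the hunk.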
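Review bot: The `no-openssl` subtest only shows that a chacha20/curve25519 login succeeds, which an OpenSSL-linked sshd with the same `Ciphers`/`KexAlgorithms` settings would also accept, so it does not actually pin down that the server runs the `linkOpenssl = false` build. A direct check on the server would close that gap, e.g. `server_no_openssl.succeed("ssh -V 2>&1 | grep -q 'without OpenSSL'")`, since to my recollection OpenSSH's `-V` banner prints either the OpenSSL version or the literal `without OpenSSL`; pairing it with a `client.fail(...)` that requests an OpenSSL-only cipher would additionally show the negotiation fails instead of silently falling back. The surrounding `testScript` starts and ends outside the hunk.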
@@ -12,4 +12,16 @@ pkgs:
 "yNTYAAABBBChdA2BmwcG49OrQN33f/sj+OHL5sJhwVl2Qim0vkUJQCry1zFpKTa"
 "9ZcDMiWaEhoAR6FGoaGI04ff7CS+1yybQ= snakeoil"
 ];
+
+ snakeOilEd25519PrivateKey = pkgs.writeText "privkey.snakeoil" ''
+ -----BEGIN OPENSSH PRIVATE KEY-----
+ b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+ QyNTUxOQAAACAYBTIWo1J4PkY4/7AhVyPT8xvAUI67tp+yYFFRdSm7+QAAAJC89yCivPcg
+ ogAAAAtzc2gtZWQyNTUxOQAAACAYBTIWo1J4PkY4/7AhVyPT8xvAUI67tp+yYFFRdSm7+Q
+ AAAEDJmKp3lX6Pz0unTc0QZwrHb8Eyr9fJUopE9d2/+q+eCxgFMhajUng+Rjj/sCFXI9Pz
+ G8BQjru2n7JgUVF1Kbv5AAAACnRvbUBvemRlc2sBAgM=
+ -----END OPENSSH PRIVATE KEY-----
+ '';
+
+ snakeOilEd25519PublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBgFMhajUng+Rjj/sCFXI9PzG8BQjru2n7JgUVF1Kbv5 snakeoil";
 } |
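Review bot: The comment field embedded in the new private key blob appears to decode to `tom@ozdesk` (the trailing `AAAACnRvbUBvemRlc2s` of the base64 block), i.e. the key was generated under a personal user and host name, while the matching `snakeOilEd25519PublicKey` line is labelled `snakeoil` like the existing keys. For a throwaway test key this is cosmetic, but it leaks an author identifier into the repository and makes the two halves look unrelated. Regenerate it with `ssh-keygen -t ed25519 -N '' -C snakeoil` so both halves carry the `snakeoil` comment, and consider a comment above the new attribute, `# Deliberately public throwaway key; only ever use it inside NixOS tests.`, to state what the `snakeOil` naming implies. The attribute set is closed by the `}` in the hunk, but its opening lines are outside it.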