diff options
author | Maximilian Bosch <maximilian@mbosch.me> | 2023-09-24 14:12:46 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-09-24 14:12:46 +0200 |
commit | 9bd9e20e9a15d9f2e1e10335df26b89fecc29363 (patch) | |
tree | c0f7901af9df31ac5587b7548d39cd5404d05d5b /nixos | |
parent | 73b3498c817cc54bf76f3a79f7a9441dd5ef18f6 (diff) | |
parent | cd2dead42cf9053523b8ab3ab68f93fa23422db9 (diff) |
Merge pull request #256090 from CRTified/sshd-validation-fix
nixos/sshd: Specify connection parameters for configuration validation
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/networking/ssh/sshd.nix | 21 | ||||
-rw-r--r-- | nixos/tests/openssh.nix | 33 |
2 files changed, 50 insertions, 4 deletions
diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix index 702423ef09cd0..bf2f5230c7381 100644 --- a/nixos/modules/services/networking/ssh/sshd.nix +++ b/nixos/modules/services/networking/ssh/sshd.nix @@ -27,13 +27,11 @@ let mkValueString = mkValueStringSshd; } " ";}); - configFile = settingsFormat.generate "config" cfg.settings; - sshconf = pkgs.runCommand "sshd.conf-validated" { nativeBuildInputs = [ validationPackage ]; } '' + configFile = settingsFormat.generate "sshd.conf-settings" cfg.settings; + sshconf = pkgs.runCommand "sshd.conf-final" { } '' cat ${configFile} - >$out <<EOL ${cfg.extraConfig} EOL - - sshd -G -f $out ''; cfg = config.services.openssh; @@ -576,6 +574,21 @@ in '')} ''; + system.checks = [ + (pkgs.runCommand "check-sshd-config" + { + nativeBuildInputs = [ validationPackage ]; + } '' + ${concatMapStringsSep "\n" + (lport: "sshd -G -T -C lport=${toString lport} -f ${sshconf} > /dev/null") + cfg.ports} + ${concatMapStringsSep "\n" + (la: "sshd -G -T -C laddr=${la.addr},lport=${toString la.port} -f ${sshconf} > /dev/null") + cfg.listenAddresses} + touch $out + '') + ]; + assertions = [{ assertion = if cfg.settings.X11Forwarding then cfgc.setXAuthLocation else true; message = "cannot enable X11 forwarding without setting xauth location";} (let diff --git a/nixos/tests/openssh.nix b/nixos/tests/openssh.nix index 4083f5906d79a..d771ffd3e0f79 100644 --- a/nixos/tests/openssh.nix +++ b/nixos/tests/openssh.nix @@ -52,6 +52,36 @@ in { }; }; + server_match_rule = + { ... }: + + { + services.openssh = { + enable = true; listenAddresses = [ { addr = "127.0.0.1"; port = 22; } ]; + extraConfig = '' + # Combined test for two (predictable) Match criterias + Match LocalAddress 127.0.0.1 LocalPort 22 + PermitRootLogin yes + + # Separate tests for Match criterias + Match User root + PermitRootLogin yes + Match Group root + PermitRootLogin yes + Match Host nohost.example + PermitRootLogin yes + Match LocalAddress 127.0.0.1 + PermitRootLogin yes + Match LocalPort 22 + PermitRootLogin yes + Match RDomain nohost.example + PermitRootLogin yes + Match Address 127.0.0.1 + PermitRootLogin yes + ''; + }; + }; + client = { ... }: { }; @@ -114,5 +144,8 @@ in { with subtest("localhost-only"): server_localhost_only.succeed("ss -nlt | grep '127.0.0.1:22'") server_localhost_only_lazy.succeed("ss -nlt | grep '127.0.0.1:22'") + + with subtest("match-rules"): + server_match_rule.succeed("ss -nlt | grep '127.0.0.1:22'") ''; }) |