nathan/nixpkgs
1
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2026-06-05 21:03:40 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
master
nixpkgs/nixos/tests/openssh.nix
Tom Fitzhenry 41c383338e nixos/sshd: add enableRecommendedAlgorithms option 
Prior to this commit, NixOS enabled a set of curated algorithms.

This commit allows users to opt-out of this curation, and instead use
the upstream algorithms. This also allows users to set
Ciphers/KexAlgorithms/Macs themselves without lib.mkForce (and thus
wield NixOS modules to build the list).

Tests have been added to ensure test this new option works.
2026-04-13 01:03:11 +00:00

514 lines
15 KiB
Nix
Raw Permalink Blame History

{ pkgs, ... }:
let
inherit (import ./ssh-keys.nix pkgs)
snakeOilPrivateKey
snakeOilPublicKey
snakeOilEd25519PrivateKey
snakeOilEd25519PublicKey
;
in
{
name = "openssh";
meta = with pkgs.lib.maintainers; {
maintainers = [ aszlig ];
};
nodes = {
server =
{ ... }:
{
services.openssh.enable = true;
security.pam.services.sshd.limits = [
{
domain = "*";
item = "memlock";
type = "-";
value = 1024;
}
];
users.users.root.openssh.authorizedKeys.keys = [
snakeOilPublicKey
];
};
server-allowed-users =
{ ... }:
{
services.openssh = {
enable = true;
settings.AllowUsers = [
"alice"
"bob"
];
};
users.groups = {
alice = { };
bob = { };
carol = { };
};
users.users = {
alice = {
isNormalUser = true;
group = "alice";
openssh.authorizedKeys.keys = [ snakeOilPublicKey ];
};
bob = {
isNormalUser = true;
group = "bob";
openssh.authorizedKeys.keys = [ snakeOilPublicKey ];
};
carol = {
isNormalUser = true;
group = "carol";
openssh.authorizedKeys.keys = [ snakeOilPublicKey ];
};
};
};
server-lazy =
{ ... }:
{
services.openssh = {
enable = true;
startWhenNeeded = true;
};
security.pam.services.sshd.limits = [
{
domain = "*";
item = "memlock";
type = "-";
value = 1024;
}
];
users.users.root.openssh.authorizedKeys.keys = [
snakeOilPublicKey
];
};
# IP addresses are allocated according to the alphabetical order of the machine name, and since tests rely on the IP address of this machine, let's name it so it's order (and thus address) is predictable.
aaa-server-lazy-socket = {
virtualisation.vlans = [
1
# Allocate another VLAN so we can exercise listening on a non-standard address.
2
];
services.openssh = {
enable = true;
startWhenNeeded = true;
ports = [ 2222 ];
listenAddresses = [ { addr = "0.0.0.0"; } ];
};
users.users.root.openssh.authorizedKeys.keys = [
snakeOilPublicKey
];
};
server-localhost-only =
{ ... }:
{
services.openssh = {
enable = true;
listenAddresses = [
{
addr = "127.0.0.1";
port = 22;
}
];
};
};
server-localhost-only-lazy =
{ ... }:
{
services.openssh = {
enable = true;
startWhenNeeded = true;
listenAddresses = [
{
addr = "127.0.0.1";
port = 22;
}
];
};
};
server-match-rule =
{ ... }:
{
services.openssh = {
enable = true;
listenAddresses = [
{
addr = "127.0.0.1";
port = 22;
}
{
addr = "[::]";
port = 22;
}
];
extraConfig = ''
# Combined test for two (predictable) Match criterias
Match LocalAddress 127.0.0.1 LocalPort 22
PermitRootLogin yes
# Separate tests for Match criterias
Match User root
PermitRootLogin yes
Match Group root
PermitRootLogin yes
Match Host nohost.example
PermitRootLogin yes
Match LocalAddress 127.0.0.1
PermitRootLogin yes
Match LocalPort 22
PermitRootLogin yes
Match RDomain nohost.example
PermitRootLogin yes
Match Address 127.0.0.1
PermitRootLogin yes
'';
};
};
server-no-openssl =
{ ... }:
{
services.openssh = {
enable = true;
package = pkgs.opensshPackages.openssh.override {
linkOpenssl = false;
};
hostKeys = [
{
type = "ed25519";
path = "/etc/ssh/ssh_host_ed25519_key";
}
];
# The NixOS-curated algorithms require OpenSSL, and so since this test is against an OpenSSH-without-OpenSSL, we have to use the default algorithms, which adapt to not having OpenSSL.
enableRecommendedAlgorithms = false;
};
users.users.root.openssh.authorizedKeys.keys = [
snakeOilEd25519PublicKey
];
};
server-default-algorithms =
{ ... }:
{
services.openssh = {
enable = true;
enableRecommendedAlgorithms = false;
};
users.users.root.openssh.authorizedKeys.keys = [
snakeOilEd25519PublicKey
];
};
server-null-algorithms =
{ ... }:
{
services.openssh = {
enable = true;
settings = {
Ciphers = null;
KexAlgorithms = null;
Macs = null;
};
};
users.users.root.openssh.authorizedKeys.keys = [
snakeOilEd25519PublicKey
];
};
server-no-pam =
{ pkgs, ... }:
{
services.openssh = {
enable = true;
package = pkgs.opensshPackages.openssh.override {
withPAM = false;
};
settings = {
UsePAM = false;
};
};
users.users.root.openssh.authorizedKeys.keys = [
snakeOilPublicKey
];
};
server-null-pam =
{ pkgs, ... }:
{
services.openssh = {
enable = true;
package = pkgs.opensshPackages.openssh.override {
withPAM = false;
};
settings = {
UsePAM = null;
};
};
users.users.root.openssh.authorizedKeys.keys = [
snakeOilPublicKey
];
};
server-sftp =
{ pkgs, ... }:
{
services.openssh = {
enable = true;
extraConfig = ''
Match Group sftponly
ChrootDirectory /srv/sftp
ForceCommand internal-sftp
'';
};
users.groups = {
sftponly = { };
};
users.users = {
alice = {
isNormalUser = true;
createHome = false;
group = "sftponly";
shell = "/run/current-system/sw/bin/nologin";
openssh.authorizedKeys.keys = [ snakeOilPublicKey ];
};
};
};
server-no-sshd-with-key =
{ pkgs, ... }:
{
services.openssh.generateHostKeys = true;
users.users.root.openssh.authorizedKeys.keys = [
snakeOilPublicKey
];
};
client =
{ ... }:
{
virtualisation.vlans = [
1
2
];
};
};
testScript = ''
start_all()
server.wait_for_unit("sshd", timeout=60)
server_allowed_users.wait_for_unit("sshd", timeout=60)
server_default_algorithms.wait_for_unit("sshd", timeout=60)
server_localhost_only.wait_for_unit("sshd", timeout=60)
server_match_rule.wait_for_unit("sshd", timeout=60)
server_no_openssl.wait_for_unit("sshd", timeout=60)
server_no_pam.wait_for_unit("sshd", timeout=60)
server_null_algorithms.wait_for_unit("sshd", timeout=60)
server_null_pam.wait_for_unit("sshd", timeout=60)
server_null_pam.fail("journalctl -u sshd.service | grep 'Unsupported option UsePAM'")
server_sftp.wait_for_unit("sshd", timeout=60)
server_lazy.wait_for_unit("sshd.socket", timeout=60)
server_localhost_only_lazy.wait_for_unit("sshd.socket", timeout=60)
aaa_server_lazy_socket.wait_for_unit("sshd.socket", timeout=60)
# sshd-keygen is a oneshot unit, so just wait for multi-user.target, which
# pulls it in.
server_no_sshd_with_key.wait_for_unit("multi-user.target", timeout=60)
with subtest("manual-authkey"):
client.succeed(
'${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f /root/.ssh/id_ed25519 -N ""'
)
public_key = client.succeed(
"${pkgs.openssh}/bin/ssh-keygen -y -f /root/.ssh/id_ed25519"
)
public_key = public_key.strip()
client.succeed("chmod 600 /root/.ssh/id_ed25519")
server.succeed("echo '{}' > /root/.ssh/authorized_keys".format(public_key))
server_lazy.succeed("echo '{}' > /root/.ssh/authorized_keys".format(public_key))
client.wait_for_unit("network.target")
client.succeed(
"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'echo hello world' >&2",
timeout=30
)
client.succeed(
"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'ulimit -l' | grep 1024",
timeout=30
)
client.succeed(
"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server-lazy 'echo hello world' >&2",
timeout=30
)
client.succeed(
"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server-lazy 'ulimit -l' | grep 1024",
timeout=30
)
with subtest("socket activation on a non-standard address and port"):
client.succeed(
"cat ${snakeOilPrivateKey} > privkey.snakeoil"
)
client.succeed("chmod 600 privkey.snakeoil")
# The final segment in this IP is allocated according to the alphabetical order of machines in this test.
client.succeed(
"ssh -p 2222 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil root@192.168.2.1 true",
timeout=30
)
with subtest("configured-authkey"):
client.succeed(
"cat ${snakeOilPrivateKey} > privkey.snakeoil"
)
client.succeed("chmod 600 privkey.snakeoil")
client.succeed(
"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server true",
timeout=30
)
client.succeed(
"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server-lazy true",
timeout=30
)
with subtest("localhost-only"):
server_localhost_only.succeed("ss -nlt | grep '127.0.0.1:22'")
server_localhost_only_lazy.succeed("ss -nlt | grep '127.0.0.1:22'")
with subtest("match-rules"):
server_match_rule.succeed("ss -nlt | grep '127.0.0.1:22'")
with subtest("allowed-users"):
client.succeed(
"cat ${snakeOilPrivateKey} > privkey.snakeoil"
)
client.succeed("chmod 600 privkey.snakeoil")
client.succeed(
"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil alice@server-allowed-users true",
timeout=30
)
client.succeed(
"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil bob@server-allowed-users true",
timeout=30
)
client.fail(
"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil carol@server-allowed-users true",
timeout=30
)
with subtest("no-openssl"):
client.succeed(
"cat ${snakeOilEd25519PrivateKey} > privkey.snakeoil"
)
client.succeed("chmod 600 privkey.snakeoil")
client.succeed(
"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server-no-openssl true",
timeout=30
)
with subtest("null-algorithms"):
client.succeed(
"cat ${snakeOilEd25519PrivateKey} > privkey.snakeoil"
)
client.succeed("chmod 600 privkey.snakeoil")
client.succeed(
"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server-null-algorithms true",
timeout=30
)
with subtest("no-openssl"):
client.succeed(
"cat ${snakeOilEd25519PrivateKey} > privkey.snakeoil"
)
client.succeed("chmod 600 privkey.snakeoil")
client.succeed(
"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server-default-algorithms true",
timeout=30
)
with subtest("no-pam"):
client.succeed(
"cat ${snakeOilPrivateKey} > privkey.snakeoil"
)
client.succeed("chmod 600 privkey.snakeoil")
client.succeed(
"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server-no-pam true",
timeout=30
)
with subtest("null-pam"):
client.succeed(
"cat ${snakeOilPrivateKey} > privkey.snakeoil"
)
client.succeed("chmod 600 privkey.snakeoil")
client.succeed(
"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server-null-pam true",
timeout=30
)
with subtest("sftp"):
server_sftp.succeed(
"mkdir -p /srv/sftp/uploads"
)
server_sftp.succeed(
"chown alice:sftponly /srv/sftp/uploads"
)
server_sftp.succeed(
"chmod 0755 /srv/sftp/uploads"
)
client.succeed(
"cat ${snakeOilPrivateKey} > privkey.snakeoil"
)
client.succeed("chmod 600 privkey.snakeoil")
client.succeed(
"echo 'hello-sftp-world' > test-file"
)
client.succeed(
"echo 'put test-file uploads/' > put-batch-file"
)
client.succeed(
"sftp -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil -b put-batch-file alice@server-sftp",
timeout=30
)
server_sftp.wait_for_file("/srv/sftp/uploads/test-file")
with subtest("keygen without sshd"):
client.fail(
"ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil root@server-no-sshd-with-key true",
timeout=30
)
server_no_sshd_with_key.succeed("test -e /etc/ssh/ssh_host_ed25519_key")
server_no_sshd_with_key.succeed("test -e /etc/ssh/ssh_host_ed25519_key.pub")
server_no_sshd_with_key.fail("pgrep sshd")
# Validate the above check for sshd using pgrep does pass on a server
# that should have sshd running, just to prove it's a useful test.
server.succeed("pgrep sshd")
# None of the per-connection units should have failed.
server_lazy.fail("systemctl is-failed 'sshd@*.service'")
'';
}
Reference in New Issue View Git Blame Copy Permalink