nixpkgs/nixos/tests/openssh.nix

import ./make-test.nix ({ pkgs, ... }:

let
  snakeOilPrivateKey = pkgs.writeText "privkey.snakeoil" ''
    -----BEGIN EC PRIVATE KEY-----
    MHcCAQEEIHQf/khLvYrQ8IOika5yqtWvI0oquHlpRLTZiJy5dRJmoAoGCCqGSM49
    AwEHoUQDQgAEKF0DYGbBwbj06tA3fd/+yP44cvmwmHBWXZCKbS+RQlAKvLXMWkpN
    r1lwMyJZoSGgBHoUahoYjTh9/sJL7XLJtA==
    -----END EC PRIVATE KEY-----
  '';

  snakeOilPublicKey = pkgs.lib.concatStrings [
    "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHA"
    "yNTYAAABBBChdA2BmwcG49OrQN33f/sj+OHL5sJhwVl2Qim0vkUJQCry1zFpKTa"
    "9ZcDMiWaEhoAR6FGoaGI04ff7CS+1yybQ= sakeoil"
  ];

in {
  name = "openssh";
  meta = with pkgs.stdenv.lib.maintainers; {
    maintainers = [ aszlig eelco chaoflow ];
  };

  nodes = {

    server =
      { config, pkgs, ... }:

      {
        services.openssh.enable = true;
        security.pam.services.sshd.limits =
          [ { domain = "*"; item = "memlock"; type = "-"; value = 1024; } ];
        users.extraUsers.root.openssh.authorizedKeys.keys = [
          snakeOilPublicKey
        ];
      };

    server_lazy =
      { config, pkgs, ... }:

      {
        services.openssh = { enable = true; startWhenNeeded = true; };
        security.pam.services.sshd.limits =
          [ { domain = "*"; item = "memlock"; type = "-"; value = 1024; } ];
        users.extraUsers.root.openssh.authorizedKeys.keys = [
          snakeOilPublicKey
        ];
      };

    client =
      { config, pkgs, ... }: { };

  };

  testScript = ''
    startAll;

    my $key=`${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f key -N ""`;

    $server->waitForUnit("sshd");

    subtest "manual-authkey", sub {
      $server->succeed("mkdir -m 700 /root/.ssh");
      $server->copyFileFromHost("key.pub", "/root/.ssh/authorized_keys");
      $server_lazy->succeed("mkdir -m 700 /root/.ssh");
      $server_lazy->copyFileFromHost("key.pub", "/root/.ssh/authorized_keys");

      $client->succeed("mkdir -m 700 /root/.ssh");
      $client->copyFileFromHost("key", "/root/.ssh/id_ed25519");
      $client->succeed("chmod 600 /root/.ssh/id_ed25519");

      $client->waitForUnit("network.target");
      $client->succeed("ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'echo hello world' >&2");
      $client->succeed("ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'ulimit -l' | grep 1024");

      $client->succeed("ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server_lazy 'echo hello world' >&2");
      $client->succeed("ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server_lazy 'ulimit -l' | grep 1024");

    };

    subtest "configured-authkey", sub {
      $client->succeed("cat ${snakeOilPrivateKey} > privkey.snakeoil");
      $client->succeed("chmod 600 privkey.snakeoil");
      $client->succeed("ssh -o UserKnownHostsFile=/dev/null" .
                       " -o StrictHostKeyChecking=no -i privkey.snakeoil" .
                       " server true");

      $client->succeed("ssh -o UserKnownHostsFile=/dev/null" .
                       " -o StrictHostKeyChecking=no -i privkey.snakeoil" .
                       " server_lazy true");

    };
  '';
})
nixos/tests/openssh: Test configured auth keys. So far the test only uses an authorized key that is copied over to the target machine instead of being set by the target's configuration. Now, we cover both cases. Signed-off-by: aszlig <aszlig@redmoonstudios.org> 2014-06-27 08:34:59 +02:00			`import ./make-test.nix ({ pkgs, ... }:`

			`let`
			`snakeOilPrivateKey = pkgs.writeText "privkey.snakeoil" ''`
			`-----BEGIN EC PRIVATE KEY-----`
			`MHcCAQEEIHQf/khLvYrQ8IOika5yqtWvI0oquHlpRLTZiJy5dRJmoAoGCCqGSM49`
			`AwEHoUQDQgAEKF0DYGbBwbj06tA3fd/+yP44cvmwmHBWXZCKbS+RQlAKvLXMWkpN`
			`r1lwMyJZoSGgBHoUahoYjTh9/sJL7XLJtA==`
			`-----END EC PRIVATE KEY-----`
			`'';`

			`snakeOilPublicKey = pkgs.lib.concatStrings [`
			`"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHA"`
			`"yNTYAAABBBChdA2BmwcG49OrQN33f/sj+OHL5sJhwVl2Qim0vkUJQCry1zFpKTa"`
			`"9ZcDMiWaEhoAR6FGoaGI04ff7CS+1yybQ= sakeoil"`
			`];`

			`in {`
name nixos tests, close #3078 2014-06-28 16:04:49 +02:00			`name = "openssh";`
all tests: added meta.maintainers section 2015-07-12 12:09:40 +02:00			`meta = with pkgs.stdenv.lib.maintainers; {`
			`maintainers = [ aszlig eelco chaoflow ];`
			`};`
Added openssh testcase svn path=/nixos/trunk/; revision=20732 2010-03-18 13:07:56 +00:00
			`nodes = {`
strip trailing whitespace; no functional change svn path=/nixos/trunk/; revision=29285 2011-09-14 18:20:50 +00:00
			`server =`
* No wonder the OpenSSH test was so unreliable: it didn't wait for the sshd Upstart job to finish. svn path=/nixos/trunk/; revision=25524 2011-01-12 17:36:15 +00:00			`{ config, pkgs, ... }:`
strip trailing whitespace; no functional change svn path=/nixos/trunk/; revision=29285 2011-09-14 18:20:50 +00:00
Added openssh testcase svn path=/nixos/trunk/; revision=20732 2010-03-18 13:07:56 +00:00			`{`
			`services.openssh.enable = true;`
Test whether PAM resource limits work 2013-10-17 15:37:08 +02:00			`security.pam.services.sshd.limits =`
			`[ { domain = "*"; item = "memlock"; type = "-"; value = 1024; } ];`
nixos/tests/openssh: Test configured auth keys. So far the test only uses an authorized key that is copied over to the target machine instead of being set by the target's configuration. Now, we cover both cases. Signed-off-by: aszlig <aszlig@redmoonstudios.org> 2014-06-27 08:34:59 +02:00			`users.extraUsers.root.openssh.authorizedKeys.keys = [`
			`snakeOilPublicKey`
			`];`
* Slight cleanup. svn path=/nixos/trunk/; revision=21998 2010-05-27 10:05:17 +00:00			`};`
strip trailing whitespace; no functional change svn path=/nixos/trunk/; revision=29285 2011-09-14 18:20:50 +00:00
openssh: test that startWhenNeeded works 2016-12-29 09:49:43 -05:00			`server_lazy =`
			`{ config, pkgs, ... }:`

			`{`
			`services.openssh = { enable = true; startWhenNeeded = true; };`
			`security.pam.services.sshd.limits =`
			`[ { domain = "*"; item = "memlock"; type = "-"; value = 1024; } ];`
			`users.extraUsers.root.openssh.authorizedKeys.keys = [`
			`snakeOilPublicKey`
			`];`
			`};`

strip trailing whitespace; no functional change svn path=/nixos/trunk/; revision=29285 2011-09-14 18:20:50 +00:00			`client =`
* No wonder the OpenSSH test was so unreliable: it didn't wait for the sshd Upstart job to finish. svn path=/nixos/trunk/; revision=25524 2011-01-12 17:36:15 +00:00			`{ config, pkgs, ... }: { };`
strip trailing whitespace; no functional change svn path=/nixos/trunk/; revision=29285 2011-09-14 18:20:50 +00:00
Added openssh testcase svn path=/nixos/trunk/; revision=20732 2010-03-18 13:07:56 +00:00			`};`
strip trailing whitespace; no functional change svn path=/nixos/trunk/; revision=29285 2011-09-14 18:20:50 +00:00
* No wonder the OpenSSH test was so unreliable: it didn't wait for the sshd Upstart job to finish. svn path=/nixos/trunk/; revision=25524 2011-01-12 17:36:15 +00:00			`testScript = ''`
			`startAll;`
strip trailing whitespace; no functional change svn path=/nixos/trunk/; revision=29285 2011-09-14 18:20:50 +00:00
nixos/tests/openssh: Fix test by using safe public keys 2015-08-12 11:16:26 -07:00			my $key=`${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f key -N ""`;
* No wonder the OpenSSH test was so unreliable: it didn't wait for the sshd Upstart job to finish. svn path=/nixos/trunk/; revision=25524 2011-01-12 17:36:15 +00:00
Tests: global search/replace of obsolete functions 2012-10-24 18:22:53 +02:00			`$server->waitForUnit("sshd");`
strip trailing whitespace; no functional change svn path=/nixos/trunk/; revision=29285 2011-09-14 18:20:50 +00:00
nixos/tests/openssh: Test configured auth keys. So far the test only uses an authorized key that is copied over to the target machine instead of being set by the target's configuration. Now, we cover both cases. Signed-off-by: aszlig <aszlig@redmoonstudios.org> 2014-06-27 08:34:59 +02:00			`subtest "manual-authkey", sub {`
			`$server->succeed("mkdir -m 700 /root/.ssh");`
			`$server->copyFileFromHost("key.pub", "/root/.ssh/authorized_keys");`
openssh: test that startWhenNeeded works 2016-12-29 09:49:43 -05:00			`$server_lazy->succeed("mkdir -m 700 /root/.ssh");`
			`$server_lazy->copyFileFromHost("key.pub", "/root/.ssh/authorized_keys");`
nixos/tests/openssh: Test configured auth keys. So far the test only uses an authorized key that is copied over to the target machine instead of being set by the target's configuration. Now, we cover both cases. Signed-off-by: aszlig <aszlig@redmoonstudios.org> 2014-06-27 08:34:59 +02:00
			`$client->succeed("mkdir -m 700 /root/.ssh");`
nixos/tests/openssh: Fix test by using safe public keys 2015-08-12 11:16:26 -07:00			`$client->copyFileFromHost("key", "/root/.ssh/id_ed25519");`
			`$client->succeed("chmod 600 /root/.ssh/id_ed25519");`
strip trailing whitespace; no functional change svn path=/nixos/trunk/; revision=29285 2011-09-14 18:20:50 +00:00
nixos/tests/openssh: Test configured auth keys. So far the test only uses an authorized key that is copied over to the target machine instead of being set by the target's configuration. Now, we cover both cases. Signed-off-by: aszlig <aszlig@redmoonstudios.org> 2014-06-27 08:34:59 +02:00			`$client->waitForUnit("network.target");`
			`$client->succeed("ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'echo hello world' >&2");`
			`$client->succeed("ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'ulimit -l' \| grep 1024");`
openssh: test that startWhenNeeded works 2016-12-29 09:49:43 -05:00
			`$client->succeed("ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server_lazy 'echo hello world' >&2");`
			`$client->succeed("ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server_lazy 'ulimit -l' \| grep 1024");`

nixos/tests/openssh: Test configured auth keys. So far the test only uses an authorized key that is copied over to the target machine instead of being set by the target's configuration. Now, we cover both cases. Signed-off-by: aszlig <aszlig@redmoonstudios.org> 2014-06-27 08:34:59 +02:00			`};`
strip trailing whitespace; no functional change svn path=/nixos/trunk/; revision=29285 2011-09-14 18:20:50 +00:00
nixos/tests/openssh: Test configured auth keys. So far the test only uses an authorized key that is copied over to the target machine instead of being set by the target's configuration. Now, we cover both cases. Signed-off-by: aszlig <aszlig@redmoonstudios.org> 2014-06-27 08:34:59 +02:00			`subtest "configured-authkey", sub {`
			`$client->succeed("cat ${snakeOilPrivateKey} > privkey.snakeoil");`
			`$client->succeed("chmod 600 privkey.snakeoil");`
			`$client->succeed("ssh -o UserKnownHostsFile=/dev/null" .`
			`" -o StrictHostKeyChecking=no -i privkey.snakeoil" .`
			`" server true");`
openssh: test that startWhenNeeded works 2016-12-29 09:49:43 -05:00
			`$client->succeed("ssh -o UserKnownHostsFile=/dev/null" .`
			`" -o StrictHostKeyChecking=no -i privkey.snakeoil" .`
			`" server_lazy true");`

nixos/tests/openssh: Test configured auth keys. So far the test only uses an authorized key that is copied over to the target machine instead of being set by the target's configuration. Now, we cover both cases. Signed-off-by: aszlig <aszlig@redmoonstudios.org> 2014-06-27 08:34:59 +02:00			`};`
Added openssh testcase svn path=/nixos/trunk/; revision=20732 2010-03-18 13:07:56 +00:00			`'';`
Make it easier to run the tests You can now run a test in the nixos/tests directory directly using nix-build, e.g. $ nix-build '<nixos/tests/login.nix>' -A test This gets rid of having to add the test to nixos/tests/default.nix. (Of course, you still need to add it to nixos/release.nix if you want Hydra to run the test.) 2014-04-14 14:02:44 +02:00			`})`