commit 7e70c084709574ad423159dcb461f8aede020d58 · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs

lol

fork atom

nixosTests.ssh-agent-auth: init

nicoo 2 years ago 7e70c084 6df37dc6

+52 -1

3 changed files

expand all

unified split

nixos

tests

all-tests.nix

ssh-agent-auth.nix

pkgs

os-specific

linux

pam_ssh_agent_auth

default.nix

nixos/tests/all-tests.nix

··· 782 782 spark = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./spark {}; 783 783 sqlite3-to-mysql = handleTest ./sqlite3-to-mysql.nix {}; 784 784 sslh = handleTest ./sslh.nix {}; 785 + ssh-agent-auth = handleTest ./ssh-agent-auth.nix {}; 785 786 ssh-audit = handleTest ./ssh-audit.nix {}; 786 787 sssd = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./sssd.nix {}; 787 788 sssd-ldap = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./sssd-ldap.nix {};

+48

nixos/tests/ssh-agent-auth.nix

··· 1 + import ./make-test-python.nix ({ lib, pkgs, ... }: 2 + let 3 + inherit (import ./ssh-keys.nix pkgs) snakeOilPrivateKey snakeOilPublicKey; 4 + in { 5 + name = "ssh-agent-auth"; 6 + meta.maintainers = with lib.maintainers; [ nicoo ]; 7 + 8 + nodes.sudoVM = { lib, ... }: { 9 + users.users = { 10 + admin = { 11 + isNormalUser = true; 12 + extraGroups = [ "wheel" ]; 13 + openssh.authorizedKeys.keys = [ snakeOilPublicKey ]; 14 + }; 15 + foo.isNormalUser = true; 16 + }; 17 + 18 + security.pam.enableSSHAgentAuth = true; 19 + security.sudo = { 20 + enable = true; 21 + wheelNeedsPassword = true; # We are checking `pam_ssh_agent_auth(8)` works for a sudoer 22 + }; 23 + 24 + # Necessary for pam_ssh_agent_auth >_>' 25 + services.openssh.enable = true; 26 + }; 27 + 28 + testScript = let 29 + privateKeyPath = "/home/admin/.ssh/id_ecdsa"; 30 + userScript = pkgs.writeShellScript "test-script" '' 31 + set -e 32 + ssh-add -q ${privateKeyPath} 33 + 34 + # faketty needed to ensure `sudo` doesn't write to the controlling PTY, 35 + # which would break the test-driver's line-oriented protocol. 36 + ${lib.getExe pkgs.faketty} sudo -u foo -- id -un 37 + ''; 38 + in '' 39 + sudoVM.copy_from_host("${snakeOilPrivateKey}", "${privateKeyPath}") 40 + sudoVM.succeed("chmod -R 0700 /home/admin") 41 + sudoVM.succeed("chown -R admin:users /home/admin") 42 + 43 + with subtest("sudoer can auth through pam_ssh_agent_auth(8)"): 44 + # Run `userScript` in an environment with an SSH-agent available 45 + assert sudoVM.succeed("sudo -u admin -- ssh-agent ${userScript} 2>&1").strip() == "foo" 46 + ''; 47 + } 48 + )

+3 -1

pkgs/os-specific/linux/pam_ssh_agent_auth/default.nix

··· 1 - { lib, stdenv, fetchpatch, fetchFromGitHub, pam, openssl, perl }: 1 + { lib, stdenv, nixosTests, fetchpatch, fetchFromGitHub, pam, openssl, perl }: 2 2 3 3 stdenv.mkDerivation rec { 4 4 pname = "pam_ssh_agent_auth"; ··· 45 45 prePatch = "cp -r ${ed25519-donna}/. ed25519-donna/."; 46 46 47 47 enableParallelBuilding = true; 48 + 49 + passthru.tests.sudo = nixosTests.ssh-agent-auth; 48 50 49 51 meta = { 50 52 homepage = "https://github.com/jbeverly/pam_ssh_agent_auth";