
Merge pull request #256090 from CRTified/sshd-validation-fix

nixos/sshd: Specify connection parameters for configuration validation

authored by

Maximilian Bosch and committed by
GitHub
9bd9e20e 73b3498c

+50 -4
+17 -4
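--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -27,13 +27,11 @@
 mkValueString = mkValueStringSshd;
 } " ";});
 
-configFile = settingsFormat.generate "config" cfg.settings;
-sshconf = pkgs.runCommand "sshd.conf-validated" { nativeBuildInputs = [ validationPackage ]; } ''
+configFile = settingsFormat.generate "sshd.conf-settings" cfg.settings;
+sshconf = pkgs.runCommand "sshd.conf-final" { } ''
 cat ${configFile} - >$out <<EOL
 ${cfg.extraConfig}
 EOL
-
-sshd -G -f $out
 '';
 
 cfg = config.services.openssh;
@@ -575,6 +573,21 @@
 HostKey ${k.path}
 '')}
 '';
+
+system.checks = [
+(pkgs.runCommand "check-sshd-config"
+{
+nativeBuildInputs = [ validationPackage ];
+} ''
+${concatMapStringsSep "\n"
+(lport: "sshd -G -T -C lport=${toString lport} -f ${sshconf} > /dev/null")
+cfg.ports}
+${concatMapStringsSep "\n"
+(la: "sshd -G -T -C laddr=${la.addr},lport=${toString la.port} -f ${sshconf} > /dev/null")
+cfg.listenAddresses}
+touch $out
+'')
+];
 
 assertions = [{ assertion = if cfg.settings.X11Forwarding then cfgc.setXAuthLocation else true;
 message = "cannot enable X11 forwarding without setting xauth location";}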
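Review bot: The new `check-sshd-config` derivation in the second hunk parses the final config only once per entry of `cfg.ports` and `cfg.listenAddresses`, so if both lists are empty the script reduces to `touch $out` and a malformed `sshd.conf-final` is never validated, whereas the removed `sshd -G -f $out` step ran unconditionally. A fallback such as `${optionalString (cfg.ports == [] && cfg.listenAddresses == []) "sshd -G -T -f ${sshconf} > /dev/null"}` keeps the check from passing vacuously; the option defaults may make this case unreachable, but they are not visible here. `la.addr` and the port values are spliced into the shell command unquoted, and wrapping them with `escapeShellArg` would keep the command well-formed for any value the options accept. The enclosing `config` attribute set starts and ends outside this hunk.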
+33
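--- a/nixos/tests/openssh.nix
+++ b/nixos/tests/openssh.nix
@@ -52,6 +52,36 @@
 };
 };
 
+server_match_rule =
+{ ... }:
+
+{
+services.openssh = {
+enable = true; listenAddresses = [ { addr = "127.0.0.1"; port = 22; } ];
+extraConfig = ''
+# Combined test for two (predictable) Match criterias
+Match LocalAddress 127.0.0.1 LocalPort 22
+PermitRootLogin yes
+
+# Separate tests for Match criterias
+Match User root
+PermitRootLogin yes
+Match Group root
+PermitRootLogin yes
+Match Host nohost.example
+PermitRootLogin yes
+Match LocalAddress 127.0.0.1
+PermitRootLogin yes
+Match LocalPort 22
+PermitRootLogin yes
+Match RDomain nohost.example
+PermitRootLogin yes
+Match Address 127.0.0.1
+PermitRootLogin yes
+'';
+};
+};
+
 client =
 { ... }: { };
 
@@ -114,5 +144,8 @@
 with subtest("localhost-only"):
 server_localhost_only.succeed("ss -nlt | grep '127.0.0.1:22'")
 server_localhost_only_lazy.succeed("ss -nlt | grep '127.0.0.1:22'")
+
+with subtest("match-rules"):
+server_match_rule.succeed("ss -nlt | grep '127.0.0.1:22'")
 '';
 })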
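Review bot: The new `match-rules` subtest in the second hunk only checks that sshd is listening on `127.0.0.1:22`, which shows the configuration survived the build-time check but not that the `Match` blocks are applied by the running daemon; a line such as `server_match_rule.succeed("sshd -T -C laddr=127.0.0.1,lport=22 | grep -i 'permitrootlogin yes'")` would pin the effective value, assuming the generated file is what sshd reads from its default config path on the VM. In the first hunk, `enable = true; listenAddresses = ...` places two attributes on one line unlike the neighbouring node definitions, and both comments say "criterias" where "criteria" is meant. The enclosing test attribute set continues outside both hunks.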