Loading nixos/modules/services/networking/ssh/sshd.nix +2 −3 Original line number Diff line number Diff line Loading @@ -346,6 +346,7 @@ in violates the privacy of users and is not recommended. ''; }; UsePAM = mkEnableOption "PAM authentication" // { default = true; }; UseDns = mkOption { type = types.bool; # apply if cfg.useDns then "yes" else "no" Loading Loading @@ -622,7 +623,7 @@ in networking.firewall.allowedTCPPorts = optionals cfg.openFirewall cfg.ports; security.pam.services.sshd = security.pam.services.sshd = lib.mkIf cfg.settings.UsePAM { startSession = true; showMotd = true; unixAuth = cfg.settings.PasswordAuthentication; Loading @@ -638,8 +639,6 @@ in services.openssh.extraConfig = mkOrder 0 '' UsePAM yes Banner ${if cfg.banner == null then "none" else pkgs.writeText "ssh_banner" cfg.banner} AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"} Loading nixos/tests/openssh.nix +28 −0 Original line number Diff line number Diff line Loading @@ -108,6 +108,23 @@ in { }; }; server-no-pam = { pkgs, ... }: { programs.ssh.package = pkgs.opensshPackages.openssh.override { withPAM = false; }; services.openssh = { enable = true; settings = { UsePAM = false; }; }; users.users.root.openssh.authorizedKeys.keys = [ snakeOilPublicKey ]; }; client = { ... }: { virtualisation.vlans = [ 1 2 ]; Loading @@ -122,6 +139,7 @@ in { server_allowed_users.wait_for_unit("sshd", timeout=30) server_localhost_only.wait_for_unit("sshd", timeout=30) server_match_rule.wait_for_unit("sshd", timeout=30) server_no_pam.wait_for_unit("sshd", timeout=30) server_lazy.wait_for_unit("sshd.socket", timeout=30) server_localhost_only_lazy.wait_for_unit("sshd.socket", timeout=30) Loading Loading @@ -211,5 +229,15 @@ in { "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil carol@server-allowed-users true", timeout=30 ) with subtest("no-pam"): client.succeed( "cat ${snakeOilPrivateKey} > privkey.snakeoil" ) client.succeed("chmod 600 privkey.snakeoil") client.succeed( "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server-no-pam true", timeout=30 ) ''; }) Loading
nixos/modules/services/networking/ssh/sshd.nix +2 −3 Original line number Diff line number Diff line Loading @@ -346,6 +346,7 @@ in violates the privacy of users and is not recommended. ''; }; UsePAM = mkEnableOption "PAM authentication" // { default = true; }; UseDns = mkOption { type = types.bool; # apply if cfg.useDns then "yes" else "no" Loading Loading @@ -622,7 +623,7 @@ in networking.firewall.allowedTCPPorts = optionals cfg.openFirewall cfg.ports; security.pam.services.sshd = security.pam.services.sshd = lib.mkIf cfg.settings.UsePAM { startSession = true; showMotd = true; unixAuth = cfg.settings.PasswordAuthentication; Loading @@ -638,8 +639,6 @@ in services.openssh.extraConfig = mkOrder 0 '' UsePAM yes Banner ${if cfg.banner == null then "none" else pkgs.writeText "ssh_banner" cfg.banner} AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"} Loading
nixos/tests/openssh.nix +28 −0 Original line number Diff line number Diff line Loading @@ -108,6 +108,23 @@ in { }; }; server-no-pam = { pkgs, ... }: { programs.ssh.package = pkgs.opensshPackages.openssh.override { withPAM = false; }; services.openssh = { enable = true; settings = { UsePAM = false; }; }; users.users.root.openssh.authorizedKeys.keys = [ snakeOilPublicKey ]; }; client = { ... }: { virtualisation.vlans = [ 1 2 ]; Loading @@ -122,6 +139,7 @@ in { server_allowed_users.wait_for_unit("sshd", timeout=30) server_localhost_only.wait_for_unit("sshd", timeout=30) server_match_rule.wait_for_unit("sshd", timeout=30) server_no_pam.wait_for_unit("sshd", timeout=30) server_lazy.wait_for_unit("sshd.socket", timeout=30) server_localhost_only_lazy.wait_for_unit("sshd.socket", timeout=30) Loading Loading @@ -211,5 +229,15 @@ in { "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil carol@server-allowed-users true", timeout=30 ) with subtest("no-pam"): client.succeed( "cat ${snakeOilPrivateKey} > privkey.snakeoil" ) client.succeed("chmod 600 privkey.snakeoil") client.succeed( "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server-no-pam true", timeout=30 ) ''; })
