Commit 494a5d58 authored by Thomas Gerbet's avatar Thomas Gerbet
Browse files

nixos/ssh: use known test keys 

The SSH keys have been updated to use either the official test vectors
or keys from upstream OpenSSH repository.

The goal is to, hopefully, eliminate the false positive reports the
security team receive about these keys.
parent 1d9f1af3

nixos/tests/ssh-keys.nix

+18 −10
Original line number Diff line number Diff line 
pkgs: {

  # This key is used in integration tests

  # This is NOT a security issue

  # It uses the test key defined in RFC 9500

  # https://datatracker.ietf.org/doc/rfc9500/

  snakeOilPrivateKey = pkgs.writeText "privkey.snakeoil" ''

    -----BEGIN EC PRIVATE KEY-----

    MHcCAQEEIHQf/khLvYrQ8IOika5yqtWvI0oquHlpRLTZiJy5dRJmoAoGCCqGSM49

    AwEHoUQDQgAEKF0DYGbBwbj06tA3fd/+yP44cvmwmHBWXZCKbS+RQlAKvLXMWkpN

    r1lwMyJZoSGgBHoUahoYjTh9/sJL7XLJtA==

    MHcCAQEEIObLW92AqkWunJXowVR2Z5/+yVPBaFHnEedDk5WJxk/BoAoGCCqGSM49

    AwEHoUQDQgAEQiVI+I+3gv+17KN0RFLHKh5Vj71vc75eSOkyMsxFxbFsTNEMTLjV

    uKFxOelIgsiZJXKZNCX0FBmrfpCkKklCcg==

    -----END EC PRIVATE KEY-----

  '';



  snakeOilPublicKey = pkgs.lib.concatStrings [

    "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHA"

    "yNTYAAABBBChdA2BmwcG49OrQN33f/sj+OHL5sJhwVl2Qim0vkUJQCry1zFpKTa"

    "9ZcDMiWaEhoAR6FGoaGI04ff7CS+1yybQ= snakeoil"

    "yNTYAAABBBEIlSPiPt4L/teyjdERSxyoeVY+9b3O+XkjpMjLMRcWxbEzRDEy41b"

    "ihcTnpSILImSVymTQl9BQZq36QpCpJQnI= snakeoil"

  ];



  # This key is used in integration tests

  # This is NOT a security issue

  # It uses the same key than the one used in OpenSSH fuzz tests

  # https://github.com/openssh/openssh-portable/blob/V_9_9_P2/regress/misc/fuzz-harness/fixed-keys.h#L76-L85

  snakeOilEd25519PrivateKey = pkgs.writeText "privkey.snakeoil" ''

    -----BEGIN OPENSSH PRIVATE KEY-----

    b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW

    QyNTUxOQAAACAYBTIWo1J4PkY4/7AhVyPT8xvAUI67tp+yYFFRdSm7+QAAAJC89yCivPcg

    ogAAAAtzc2gtZWQyNTUxOQAAACAYBTIWo1J4PkY4/7AhVyPT8xvAUI67tp+yYFFRdSm7+Q

    AAAEDJmKp3lX6Pz0unTc0QZwrHb8Eyr9fJUopE9d2/+q+eCxgFMhajUng+Rjj/sCFXI9Pz

    G8BQjru2n7JgUVF1Kbv5AAAACnRvbUBvemRlc2sBAgM=

    QyNTUxOQAAACAz0F5hFTFS5nhUcmnyjFVoDw5L/P7kQU8JnBA2rWczAwAAAIhWlP99VpT/

    fQAAAAtzc2gtZWQyNTUxOQAAACAz0F5hFTFS5nhUcmnyjFVoDw5L/P7kQU8JnBA2rWczAw

    AAAEDE1rlcMC0s0X3TKVZAOVavZOywwkXw8tO5dLObxaCMEDPQXmEVMVLmeFRyafKMVWgP

    Dkv8/uRBTwmcEDatZzMDAAAAAAECAwQF

    -----END OPENSSH PRIVATE KEY-----

  '';



  snakeOilEd25519PublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBgFMhajUng+Rjj/sCFXI9PzG8BQjru2n7JgUVF1Kbv5 snakeoil";

  snakeOilEd25519PublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDPQXmEVMVLmeFRyafKMVWgPDkv8/uRBTwmcEDatZzMD snakeoil";

}