nixos/modules/services/networking/ssh/sshd.nix +1 −1
@@ -793,7 +793,7 @@ in networking.firewall.allowedTCPPorts = lib.optionals cfg.openFirewall cfg.ports; security.pam.services.sshd = lib.mkIf cfg.settings.UsePAM { security.pam.services.sshd = lib.mkIf (cfg.settings.UsePAM == true) { startSession = true; showMotd = true; unixAuth = if cfg.settings.PasswordAuthentication == true then true else false;
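Review bot: The `== true` in `lib.mkIf (cfg.settings.UsePAM == true)` looks redundant and is likely to be simplified away again, so it needs a comment saying why it is there. Judging by the test added in this commit, `UsePAM` may now be `null`, which is not a boolean condition `mkIf` can evaluate; a line such as `# UsePAM is nullable (null = leave it out of sshd_config), so compare explicitly` above it would do. The option's description should also say that with `null` no PAM service is generated for sshd, so an administrator who relies on PAM account or session modules knows to set `UsePAM = true` explicitly. Other places in the module that treat `cfg.settings.UsePAM` as a plain boolean are not visible here and should be checked; the attribute set continues past the end of the hunk.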
nixos/tests/openssh.nix +29 −0
@@ -224,6 +224,23 @@ in ]; }; server-null-pam = { pkgs, ... }: { services.openssh = { enable = true; package = pkgs.opensshPackages.openssh.override { withPAM = false; }; settings = { UsePAM = null; }; }; users.users.root.openssh.authorizedKeys.keys = [ snakeOilPublicKey ]; }; server-sftp = { pkgs, ... }: {
@@ -279,6 +296,8 @@ in server_match_rule.wait_for_unit("sshd", timeout=30) server_no_openssl.wait_for_unit("sshd", timeout=30) server_no_pam.wait_for_unit("sshd", timeout=30) server_null_pam.wait_for_unit("sshd", timeout=30) server_null_pam.fail("journalctl -u sshd.service | grep 'Unsupported option UsePAM'") server_sftp.wait_for_unit("sshd", timeout=30) server_lazy.wait_for_unit("sshd.socket", timeout=30)
@@ -391,6 +410,16 @@ in timeout=30 ) with subtest("null-pam"): client.succeed( "cat ${snakeOilPrivateKey} > privkey.snakeoil" ) client.succeed("chmod 600 privkey.snakeoil") client.succeed( "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server-null-pam true", timeout=30 ) with subtest("sftp"): server_sftp.succeed( "mkdir -p /srv/sftp/uploads"
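Review bot: The negative check `server_null_pam.fail("journalctl -u sshd.service | grep 'Unsupported option UsePAM'")` is satisfied by any non-zero exit, so it passes just as well when the journal holds no sshd output yet or when `journalctl` itself fails. Precede it with a positive assertion that sshd has logged something, for example `server_null_pam.succeed("journalctl -u sshd.service | grep sshd")`, or move the `fail` line to the end of the `null-pam` subtest once the login has succeeded. The new node also covers `UsePAM = null` only together with `withPAM = false`; a second node with the default package and `UsePAM = null` would show that key login still works on a PAM-capable build when no PAM service is generated. The test script continues outside these hunks.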