Unverified Commit e83dd85f authored by Thomas Gerbet, committed by GitHub

Merge pull request #307464 from tomfitzhenry/ssh-minimal

openssh: fix linkOpenSSL=false by linking libxcrypt
parents 9d7a1659 03e851ea
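--- a/PATH_NOT_SHOWN_ON_PAGE_1
+++ b/PATH_NOT_SHOWN_ON_PAGE_1
@@ -1,7 +1,7 @@
 import ./make-test-python.nix ({ pkgs, ... }:
 
 let inherit (import ./ssh-keys.nix pkgs)
-      snakeOilPrivateKey snakeOilPublicKey;
+      snakeOilPrivateKey snakeOilPublicKey snakeOilEd25519PrivateKey snakeOilEd25519PublicKey;
 in {
   name = "openssh";
   meta = with pkgs.lib.maintainers; {
@@ -108,6 +108,31 @@ in {
         };
       };
 
+    server-no-openssl =
+      { ... }:
+      {
+        programs.ssh.package = pkgs.opensshPackages.openssh.override {
+          linkOpenssl = false;
+        };
+        services.openssh = {
+          enable = true;
+          hostKeys = [
+            { type = "ed25519"; path = "/etc/ssh/ssh_host_ed25519_key"; }
+          ];
+          settings = {
+            # Must not specify the OpenSSL provided algorithms.
+            Ciphers = [ "chacha20-poly1305@openssh.com" ];
+            KexAlgorithms = [
+              "curve25519-sha256"
+              "curve25519-sha256@libssh.org"
+            ];
+          };
+        };
+        users.users.root.openssh.authorizedKeys.keys = [
+          snakeOilEd25519PublicKey
+        ];
+      };
+
     server-no-pam =
       { pkgs, ... }:
       {
@@ -139,6 +164,7 @@ in {
     server_allowed_users.wait_for_unit("sshd", timeout=30)
     server_localhost_only.wait_for_unit("sshd", timeout=30)
     server_match_rule.wait_for_unit("sshd", timeout=30)
+    server_no_openssl.wait_for_unit("sshd", timeout=30)
     server_no_pam.wait_for_unit("sshd", timeout=30)
 
     server_lazy.wait_for_unit("sshd.socket", timeout=30)
@@ -230,6 +256,16 @@ in {
             timeout=30
         )
 
+    with subtest("no-openssl"):
+        client.succeed(
+            "cat ${snakeOilEd25519PrivateKey} > privkey.snakeoil"
+        )
+        client.succeed("chmod 600 privkey.snakeoil")
+        client.succeed(
+            "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server-no-openssl true",
+            timeout=30
+        )
+
     with subtest("no-pam"):
         client.succeed(
             "cat ${snakeOilPrivateKey} > privkey.snakeoil"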
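Review bot: The `no-openssl` subtest only proves that a key-based login to `server-no-openssl` succeeds; nothing in the hunk checks that the server really runs a build without OpenSSL, so a regression that quietly re-enabled `linkOpenssl` would still pass. Because `programs.ssh.package` on that node is the same override, a one-line check on the server such as `server_no_openssl.fail("ssh -Q cipher | grep -q aes256-gcm@openssh.com")` (an OpenSSL-backed cipher; adjust to whatever the non-OpenSSL build actually advertises) would pin that down. The comment `# Must not specify the OpenSSL provided algorithms.` in the server-no-openssl node says what to avoid but not why; something like `# sshd built without OpenSSL presumably rejects the module's default Ciphers/KexAlgorithms lists, so restrict both to the built-in algorithms` would help the next reader, after confirming the exact default lists in the openssh module.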
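--- a/PATH_NOT_SHOWN_ON_PAGE_2
+++ b/PATH_NOT_SHOWN_ON_PAGE_2
@@ -12,4 +12,16 @@ pkgs:
     "yNTYAAABBBChdA2BmwcG49OrQN33f/sj+OHL5sJhwVl2Qim0vkUJQCry1zFpKTa"
     "9ZcDMiWaEhoAR6FGoaGI04ff7CS+1yybQ= snakeoil"
   ];
+
+  snakeOilEd25519PrivateKey = pkgs.writeText "privkey.snakeoil" ''
+    -----BEGIN OPENSSH PRIVATE KEY-----
+    b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+    QyNTUxOQAAACAYBTIWo1J4PkY4/7AhVyPT8xvAUI67tp+yYFFRdSm7+QAAAJC89yCivPcg
+    ogAAAAtzc2gtZWQyNTUxOQAAACAYBTIWo1J4PkY4/7AhVyPT8xvAUI67tp+yYFFRdSm7+Q
+    AAAEDJmKp3lX6Pz0unTc0QZwrHb8Eyr9fJUopE9d2/+q+eCxgFMhajUng+Rjj/sCFXI9Pz
+    G8BQjru2n7JgUVF1Kbv5AAAACnRvbUBvemRlc2sBAgM=
+    -----END OPENSSH PRIVATE KEY-----
+  '';
+
+  snakeOilEd25519PublicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBgFMhajUng+Rjj/sCFXI9PzG8BQjru2n7JgUVF1Kbv5 snakeoil";
 }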
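Review bot: `snakeOilEd25519PrivateKey` is materialised with `pkgs.writeText`, so the private key ends up in the world-readable Nix store of every machine that evaluates the test closure; that is fine for a throwaway test key, but nothing next to the new definition says so. A short comment above it, `# Deliberately public, test-only key (it lives in the world-readable Nix store); never reuse it outside the VM tests.`, would make the intent explicit and match how the existing snake-oil key is meant to be read. The private key's comment field (`tom@ozdesk`, visible in the decoded blob's trailer) also suggests it was generated on a personal machine rather than in a throwaway environment, which is worth a sentence in the PR description if that is the case.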
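--- a/PATH_NOT_SHOWN_ON_PAGE_3
+++ b/PATH_NOT_SHOWN_ON_PAGE_3
@@ -26,6 +26,7 @@
 , withLdns ? true
 , libkrb5
 , libfido2
+, libxcrypt
 , hostname
 , nixosTests
 , withFIDO ? stdenv.hostPlatform.isUnix && !stdenv.hostPlatform.isMusl
@@ -63,7 +64,8 @@ stdenv.mkDerivation {
     # https://github.com/NixOS/nixpkgs/pull/107606
     ++ lib.optional withKerberos pkgs.libkrb5
     ++ extraNativeBuildInputs;
-  buildInputs = [ zlib openssl libedit ]
+  buildInputs = [ zlib libedit ]
+    ++ [ (if linkOpenssl then openssl else libxcrypt) ]
     ++ lib.optional withFIDO libfido2
     ++ lib.optional withKerberos libkrb5
     ++ lib.optional withLdns ldns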
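Review bot: The new `++ [ (if linkOpenssl then openssl else libxcrypt) ]` line carries no explanation of why libxcrypt stands in for OpenSSL, and the rest of the list is written with the `lib.optional` idiom rather than a bracketed conditional. It would read more consistently as two lines in the existing style, `++ lib.optional linkOpenssl openssl` and `++ lib.optional (!linkOpenssl) libxcrypt`, preceded by a comment naming what libxcrypt supplies in the non-OpenSSL build (presumably `crypt()` for password authentication — worth confirming against the configure output before writing it down). The `buildInputs` expression continues past the end of the hunk.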