sshd: fix startWhenNeeded and listenAddresses combination

Previously, if startWhenNeeded was set, listenAddresses option was ignored and daemon was listening on all interfaces. Fixes #56325.
2024-11-01 07:01:54 +00:00 · 2019-02-25 00:48:01 +01:00 · 2019-02-25 00:48:01 +01:00 · 131e31cd1b
commit 131e31cd1b
parent 8a791f0b83
2 changed files with 27 additions and 1 deletions
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@ -400,7 +400,10 @@ in
        sockets.sshd =
          { description = "SSH Socket";
            wantedBy = [ "sockets.target" ];
-            socketConfig.ListenStream = cfg.ports;
+            socketConfig.ListenStream = if cfg.listenAddresses != [] then
+              map (l: "${l.addr}:${toString (if l.port != null then l.port else 22)}") cfg.listenAddresses
+            else
+              cfg.ports;
            socketConfig.Accept = true;
          };

--- a/nixos/tests/openssh.nix
+++ b/nixos/tests/openssh.nix
@ -34,6 +34,24 @@ in {
        ];
      };

+    server_localhost_only =
+      { ... }:
+
+      {
+        services.openssh = {
+          enable = true; listenAddresses = [ { addr = "127.0.0.1"; port = 22; } ];
+        };
+      };
+
+    server_localhost_only_lazy =
+      { ... }:
+
+      {
+        services.openssh = {
+          enable = true; startWhenNeeded = true; listenAddresses = [ { addr = "127.0.0.1"; port = 22; } ];
+        };
+      };
+
    client =
      { ... }: { };

@ -77,5 +95,10 @@ in {
                       " server_lazy true");

    };
+
+    subtest "localhost-only", sub {
+      $server_localhost_only->succeed("ss -nlt | grep '127.0.0.1:22'");
+      $server_localhost_only_lazy->succeed("ss -nlt | grep '127.0.0.1:22'");
+    }
  '';
 })