From 131e31cd1b7bbef6214a0e711136bf4093fde7b5 Mon Sep 17 00:00:00 2001
From: Nikita Uvarov
Date: Mon, 25 Feb 2019 00:48:01 +0100
Subject: [PATCH] sshd: fix startWhenNeeded and listenAddresses combination

Previously, if startWhenNeeded was set, listenAddresses option was ignored and daemon was listening on all interfaces. Fixes #56325.
---
 .../modules/services/networking/ssh/sshd.nix |  5 +++-
 nixos/tests/openssh.nix                      | 23 +++++++++++++++++++
 2 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix
index 95dc8a62a454..b9b5d40c4574 100644
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -400,7 +400,10 @@ in
     sockets.sshd = {
       description = "SSH Socket";
       wantedBy = [ "sockets.target" ];
-      socketConfig.ListenStream = cfg.ports;
+      socketConfig.ListenStream = if cfg.listenAddresses != [] then
+        map (l: "${l.addr}:${toString (if l.port != null then l.port else 22)}") cfg.listenAddresses
+      else
+        cfg.ports;
       socketConfig.Accept = true;
     };
 
diff --git a/nixos/tests/openssh.nix b/nixos/tests/openssh.nix
index 219a20c5c7e1..8b9e2170f150 100644
--- a/nixos/tests/openssh.nix
+++ b/nixos/tests/openssh.nix
@@ -34,6 +34,24 @@ in {
         ];
       };
 
+    server_localhost_only =
+      { ... }:
+
+      {
+        services.openssh = {
+          enable = true; listenAddresses = [ { addr = "127.0.0.1"; port = 22; } ];
+        };
+      };
+
+    server_localhost_only_lazy =
+      { ... }:
+
+      {
+        services.openssh = {
+          enable = true; startWhenNeeded = true; listenAddresses = [ { addr = "127.0.0.1"; port = 22; } ];
+        };
+      };
+
     client =
       { ... }: { };
 
@@ -77,5 +95,10 @@ in {
                     " server_lazy true");
       };
 
+
+    subtest "localhost-only", sub {
+      $server_localhost_only->succeed("ss -nlt | grep '127.0.0.1:22'");
+      $server_localhost_only_lazy->succeed("ss -nlt | grep '127.0.0.1:22'");
+    }
     '';
 })
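Review bot: The new ListenStream expression hard-codes port 22 when an entry's `port` is null, so a socket-activated host with `listenAddresses = [ { addr = ...; } ]` and a non-default `ports` list would have the systemd socket listen on 22 while (presumably, the sshd_config side is outside this hunk) the daemon's own Port directives come from `cfg.ports`; the null case should expand to one `addr:port` string per entry of `cfg.ports` instead of a constant. Separately, `"${l.addr}:${toString ...}"` produces `::1:22` for an IPv6 address, whereas systemd's ListenStream expects bracketed IPv6 hosts (`[::1]:22`) — worth either bracketing addresses that contain a colon or documenting that only IPv4/hostnames are supported here. Whether `l.addr` may itself be null is not visible from the hunk; if the option allows it, the interpolation will fail at evaluation. The enclosing `systemd` attribute set begins before the hunk.
```nix
      socketConfig.ListenStream = if cfg.listenAddresses != [] then
        builtins.concatMap
          (l:
            let
              # An entry without an explicit port follows the daemon's configured ports.
              ports = if l.port != null then [ l.port ] else cfg.ports;
              # systemd requires IPv6 hosts in brackets (e.g. [::1]:22).
              host = if builtins.match ".*:.*" l.addr != null then "[${l.addr}]" else l.addr;
            in map (p: "${host}:${toString p}") ports)
          cfg.listenAddresses
      else
        cfg.ports;
# … unchanged: socketConfig.Accept, rest of sockets.sshd …
```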
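Review bot: In the two new machine definitions of nixos/tests/openssh.nix, `enable = true; listenAddresses = ...` and `enable = true; startWhenNeeded = true; listenAddresses = ...` are packed onto one line, unlike the surrounding `server`/`server_lazy` definitions which put one attribute per line; splitting them keeps the test file's style uniform and makes the one-attribute difference between the two machines (`startWhenNeeded = true;`) visible at a glance.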
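Review bot: The new "localhost-only" subtest only proves that a 127.0.0.1:22 listener exists; it does not prove the regression described in the commit message (socket listening on all interfaces) is gone, since a wildcard listener on 0.0.0.0:22 or [::]:22 could coexist with the loopback one and the test would still pass. A negative assertion for each server would pin the fix, e.g. `$server_localhost_only_lazy->fail("ss -nlt | grep -v '127.0.0.1:22' | grep ':22 '");` and the same line for `$server_localhost_only`. Note that for the lazy server the listener observed by `ss` is the systemd socket rather than sshd itself, which is exactly the path the sshd.nix change affects, so the negative check on that machine is the one that matters most.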