import ./make-test-python.nix ( { pkgs, ... }: let sshKeys = import (pkgs.path + "/nixos/tests/ssh-keys.nix") pkgs; sshUsername = "any-user"; serverName = "server"; clientName = "client"; sshAuditPort = 2222; in { name = "ssh"; nodes = { "${serverName}" = { networking.firewall.allowedTCPPorts = [ sshAuditPort ]; services.openssh.enable = true; users.users."${sshUsername}" = { isNormalUser = true; openssh.authorizedKeys.keys = [ sshKeys.snakeOilPublicKey ]; }; }; "${clientName}" = { programs.ssh = { ciphers = [ "aes128-ctr" "aes128-gcm@openssh.com" "aes192-ctr" "aes256-ctr" "aes256-gcm@openssh.com" "chacha20-poly1305@openssh.com" ]; extraConfig = '' IdentitiesOnly yes ''; hostKeyAlgorithms = [ "rsa-sha2-256" "rsa-sha2-256-cert-v01@openssh.com" "rsa-sha2-512" "rsa-sha2-512-cert-v01@openssh.com" "sk-ssh-ed25519-cert-v01@openssh.com" "sk-ssh-ed25519@openssh.com" "ssh-ed25519" "ssh-ed25519-cert-v01@openssh.com" ]; kexAlgorithms = [ "curve25519-sha256" "curve25519-sha256@libssh.org" "diffie-hellman-group-exchange-sha256" "diffie-hellman-group16-sha512" "diffie-hellman-group18-sha512" "sntrup761x25519-sha512@openssh.com" ]; macs = [ "hmac-sha2-256-etm@openssh.com" "hmac-sha2-512-etm@openssh.com" "umac-128-etm@openssh.com" ]; }; }; }; testScript = '' start_all() ${serverName}.wait_for_open_port(22) # Should pass SSH server audit ${serverName}.succeed("${pkgs.ssh-audit}/bin/ssh-audit 127.0.0.1") # Wait for client to be able to connect to the server ${clientName}.systemctl("start network-online.target") ${clientName}.wait_for_unit("network-online.target") # Set up trusted private key ${clientName}.succeed("cat ${sshKeys.snakeOilPrivateKey} > privkey.snakeoil") ${clientName}.succeed("chmod 600 privkey.snakeoil") # Fail fast and disable interactivity ssh_options = "-o BatchMode=yes -o ConnectTimeout=1 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null" # Should deny root user ${clientName}.fail(f"ssh {ssh_options} root@${serverName} true") # Should deny non-root user password login ${clientName}.fail(f"ssh {ssh_options} -o PasswordAuthentication=yes ${sshUsername}@${serverName} true") # Should allow non-root user certificate login ${clientName}.succeed(f"ssh {ssh_options} -i privkey.snakeoil ${sshUsername}@${serverName} true") # Should pass SSH client audit service_name = "ssh-audit.service" ${serverName}.succeed(f"systemd-run --unit={service_name} ${pkgs.ssh-audit}/bin/ssh-audit --client-audit --port=${toString sshAuditPort}") ${clientName}.sleep(5) # We can't use wait_for_open_port because ssh-audit exits as soon as anything talks to it ${clientName}.execute( f"ssh {ssh_options} -i privkey.snakeoil -p ${toString sshAuditPort} ${sshUsername}@${serverName} true", check_return=False, timeout=10 ) ${serverName}.succeed(f"exit $(systemctl show --property=ExecMainStatus --value {service_name})") ''; } )