nixos/tests/openssh: Test configured auth keys.

So far the test only uses an authorized key that is copied over to the
target machine instead of being set by the target's configuration.

Now, we cover both cases.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
This commit is contained in:
aszlig 2014-06-27 08:34:59 +02:00
parent 48f2ca07f4
commit 865787ef32
No known key found for this signature in database
GPG Key ID: D0EBD0EC8C2DC961

View File

@ -1,4 +1,21 @@
import ./make-test.nix ({ pkgs, ... }: {
import ./make-test.nix ({ pkgs, ... }:
let
snakeOilPrivateKey = pkgs.writeText "privkey.snakeoil" ''
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIHQf/khLvYrQ8IOika5yqtWvI0oquHlpRLTZiJy5dRJmoAoGCCqGSM49
AwEHoUQDQgAEKF0DYGbBwbj06tA3fd/+yP44cvmwmHBWXZCKbS+RQlAKvLXMWkpN
r1lwMyJZoSGgBHoUahoYjTh9/sJL7XLJtA==
-----END EC PRIVATE KEY-----
'';
snakeOilPublicKey = pkgs.lib.concatStrings [
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHA"
"yNTYAAABBBChdA2BmwcG49OrQN33f/sj+OHL5sJhwVl2Qim0vkUJQCry1zFpKTa"
"9ZcDMiWaEhoAR6FGoaGI04ff7CS+1yybQ= sakeoil"
];
in {
nodes = {
@ -9,6 +26,9 @@ import ./make-test.nix ({ pkgs, ... }: {
services.openssh.enable = true;
security.pam.services.sshd.limits =
[ { domain = "*"; item = "memlock"; type = "-"; value = 1024; } ];
users.extraUsers.root.openssh.authorizedKeys.keys = [
snakeOilPublicKey
];
};
client =
@ -23,15 +43,25 @@ import ./make-test.nix ({ pkgs, ... }: {
$server->waitForUnit("sshd");
$server->succeed("mkdir -m 700 /root/.ssh");
$server->copyFileFromHost("key.pub", "/root/.ssh/authorized_keys");
subtest "manual-authkey", sub {
$server->succeed("mkdir -m 700 /root/.ssh");
$server->copyFileFromHost("key.pub", "/root/.ssh/authorized_keys");
$client->succeed("mkdir -m 700 /root/.ssh");
$client->copyFileFromHost("key", "/root/.ssh/id_dsa");
$client->succeed("chmod 600 /root/.ssh/id_dsa");
$client->succeed("mkdir -m 700 /root/.ssh");
$client->copyFileFromHost("key", "/root/.ssh/id_dsa");
$client->succeed("chmod 600 /root/.ssh/id_dsa");
$client->waitForUnit("network.target");
$client->succeed("ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'echo hello world' >&2");
$client->succeed("ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'ulimit -l' | grep 1024");
$client->waitForUnit("network.target");
$client->succeed("ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'echo hello world' >&2");
$client->succeed("ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'ulimit -l' | grep 1024");
};
subtest "configured-authkey", sub {
$client->succeed("cat ${snakeOilPrivateKey} > privkey.snakeoil");
$client->succeed("chmod 600 privkey.snakeoil");
$client->succeed("ssh -o UserKnownHostsFile=/dev/null" .
" -o StrictHostKeyChecking=no -i privkey.snakeoil" .
" server true");
};
'';
})