Revert "tests/openssh: write a test for CVE-2025-32728"

2025-06-10 11:45:45 +03:00 · 2025-05-05 07:49:25 +03:00 · 2025-05-05 07:49:25 +03:00 · 353a572642
commit 353a572642
parent f94860f4f8
1 changed files with 0 additions and 44 deletions
--- a/nixos/tests/openssh.nix
+++ b/nixos/tests/openssh.nix
@ -35,38 +35,6 @@ import ./make-test-python.nix (
          ];
        };

-      server-x11 =
-        { ... }:
-
-        {
-          environment.systemPackages = [ pkgs.xorg.xauth ];
-          services.openssh = {
-            enable = true;
-            settings.X11Forwarding = true;
-          };
-          users.users.root.openssh.authorizedKeys.keys = [
-            snakeOilPublicKey
-          ];
-        };
-
-      server-x11-disable =
-        { ... }:
-
-        {
-          environment.systemPackages = [ pkgs.xorg.xauth ];
-          services.openssh = {
-            enable = true;
-            settings = {
-              X11Forwarding = true;
-              # CVE-2025-32728: the following line is ineffectual
-              DisableForwarding = true;
-            };
-          };
-          users.users.root.openssh.authorizedKeys.keys = [
-            snakeOilPublicKey
-          ];
-        };
-
      server-allowed-users =
        { ... }:

@ -272,8 +240,6 @@ import ./make-test-python.nix (
      start_all()

      server.wait_for_unit("sshd", timeout=30)
-      server_x11.wait_for_unit("sshd", timeout=30)
-      server_x11_disable.wait_for_unit("sshd", timeout=30)
      server_allowed_users.wait_for_unit("sshd", timeout=30)
      server_localhost_only.wait_for_unit("sshd", timeout=30)
      server_match_rule.wait_for_unit("sshd", timeout=30)
@ -341,16 +307,6 @@ import ./make-test-python.nix (
              timeout=30
          )

-      with subtest("x11-forwarding"):
-          client.succeed(
-              "[ \"$(ssh -Y -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server-x11 'xauth list' | tee /dev/stderr | wc -l)\" -eq 1 ]",
-              timeout=30
-          )
-          client.succeed(
-              "[ \"$(ssh -Y -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server-x11-disable 'xauth list' | tee /dev/stderr | wc -l)\" -eq 0 ]",
-              timeout=30
-          )
-
      with subtest("localhost-only"):
          server_localhost_only.succeed("ss -nlt | grep '127.0.0.1:22'")
          server_localhost_only_lazy.succeed("ss -nlt | grep '127.0.0.1:22'")