movefasta/nixpkgs
1
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-06-11 20:25:32 +03:00
Code Issues Projects Releases Packages Wiki Activity

Revert "tests/openssh: write a test for CVE-2025-32728"

Browse source
This commit is contained in:
K900 2025-05-05 07:49:25 +03:00 committed by GitHub
parent f94860f4f8
commit 353a572642
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 0 additions and 44 deletions
Download patch file Download diff file Expand all files Collapse all files

44
nixos/tests/openssh.nix
View file

@ -35,38 +35,6 @@ import ./make-test-python.nix (
]; ];
}; };
server-x11 =
{ ... }:
{
environment.systemPackages = [ pkgs.xorg.xauth ];
services.openssh = {
enable = true;
settings.X11Forwarding = true;
};
users.users.root.openssh.authorizedKeys.keys = [
snakeOilPublicKey
];
};
server-x11-disable =
{ ... }:
{
environment.systemPackages = [ pkgs.xorg.xauth ];
services.openssh = {
enable = true;
settings = {
X11Forwarding = true;
# CVE-2025-32728: the following line is ineffectual
DisableForwarding = true;
};
};
users.users.root.openssh.authorizedKeys.keys = [
snakeOilPublicKey
];
};
server-allowed-users = server-allowed-users =
{ ... }: { ... }:
@ -272,8 +240,6 @@ import ./make-test-python.nix (
start_all() start_all()
server.wait_for_unit("sshd", timeout=30) server.wait_for_unit("sshd", timeout=30)
server_x11.wait_for_unit("sshd", timeout=30)
server_x11_disable.wait_for_unit("sshd", timeout=30)
server_allowed_users.wait_for_unit("sshd", timeout=30) server_allowed_users.wait_for_unit("sshd", timeout=30)
server_localhost_only.wait_for_unit("sshd", timeout=30) server_localhost_only.wait_for_unit("sshd", timeout=30)
server_match_rule.wait_for_unit("sshd", timeout=30) server_match_rule.wait_for_unit("sshd", timeout=30)
@ -341,16 +307,6 @@ import ./make-test-python.nix (
timeout=30 timeout=30
) )
with subtest("x11-forwarding"):
client.succeed(
"[ \"$(ssh -Y -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server-x11 'xauth list' | tee /dev/stderr | wc -l)\" -eq 1 ]",
timeout=30
)
client.succeed(
"[ \"$(ssh -Y -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server-x11-disable 'xauth list' | tee /dev/stderr | wc -l)\" -eq 0 ]",
timeout=30
)
with subtest("localhost-only"): with subtest("localhost-only"):
server_localhost_only.succeed("ss -nlt | grep '127.0.0.1:22'") server_localhost_only.succeed("ss -nlt | grep '127.0.0.1:22'")
server_localhost_only_lazy.succeed("ss -nlt | grep '127.0.0.1:22'") server_localhost_only_lazy.succeed("ss -nlt | grep '127.0.0.1:22'")