Merge master into staging-next

2025-07-13 13:40:28 +03:00 · 2025-05-05 00:17:30 +00:00 · 2025-05-05 00:17:30 +00:00 · 94a9466a41
commit 94a9466a41
parent bad8eb7a8b 61f968627e
80 changed files with 2170 additions and 12503 deletions
--- a/nixos/tests/openssh.nix
+++ b/nixos/tests/openssh.nix
@ -35,6 +35,38 @@ import ./make-test-python.nix (
          ];
        };

+      server-x11 =
+        { ... }:
+
+        {
+          environment.systemPackages = [ pkgs.xorg.xauth ];
+          services.openssh = {
+            enable = true;
+            settings.X11Forwarding = true;
+          };
+          users.users.root.openssh.authorizedKeys.keys = [
+            snakeOilPublicKey
+          ];
+        };
+
+      server-x11-disable =
+        { ... }:
+
+        {
+          environment.systemPackages = [ pkgs.xorg.xauth ];
+          services.openssh = {
+            enable = true;
+            settings = {
+              X11Forwarding = true;
+              # CVE-2025-32728: the following line is ineffectual
+              DisableForwarding = true;
+            };
+          };
+          users.users.root.openssh.authorizedKeys.keys = [
+            snakeOilPublicKey
+          ];
+        };
+
      server-allowed-users =
        { ... }:

@ -240,6 +272,8 @@ import ./make-test-python.nix (
      start_all()

      server.wait_for_unit("sshd", timeout=30)
+      server_x11.wait_for_unit("sshd", timeout=30)
+      server_x11_disable.wait_for_unit("sshd", timeout=30)
      server_allowed_users.wait_for_unit("sshd", timeout=30)
      server_localhost_only.wait_for_unit("sshd", timeout=30)
      server_match_rule.wait_for_unit("sshd", timeout=30)
@ -307,6 +341,16 @@ import ./make-test-python.nix (
              timeout=30
          )

+      with subtest("x11-forwarding"):
+          client.succeed(
+              "[ \"$(ssh -Y -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server-x11 'xauth list' | tee /dev/stderr | wc -l)\" -eq 1 ]",
+              timeout=30
+          )
+          client.succeed(
+              "[ \"$(ssh -Y -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server-x11-disable 'xauth list' | tee /dev/stderr | wc -l)\" -eq 0 ]",
+              timeout=30
+          )
+
      with subtest("localhost-only"):
          server_localhost_only.succeed("ss -nlt | grep '127.0.0.1:22'")
          server_localhost_only_lazy.succeed("ss -nlt | grep '127.0.0.1:22'")