From 41911ed9d2ce9bc43fa32d796a62697bc62641b9 Mon Sep 17 00:00:00 2001 From: Tom Fitzhenry Date: Tue, 23 Apr 2024 22:31:51 +1000 Subject: [PATCH 1/3] tests/openssh: tidy up tests This test renames server_allowedusers to server-allowed-users. As a side-effect, since IPs are allocated to machines in alphabetical order, the IP assigned to server-lazy-socket changed, so the corresponding test had its IP updated. --- nixos/tests/openssh.nix | 36 +++++++++++++++++++----------------- 1 file changed, 19 insertions(+), 17 deletions(-) diff --git a/nixos/tests/openssh.nix b/nixos/tests/openssh.nix index 8074fd2ed483..f71b0a22fe63 100644 --- a/nixos/tests/openssh.nix +++ b/nixos/tests/openssh.nix @@ -22,6 +22,19 @@ in { ]; }; + server-allowed-users = + { ... }: + + { + services.openssh = { enable = true; settings.AllowUsers = [ "alice" "bob" ]; }; + users.groups = { alice = { }; bob = { }; carol = { }; }; + users.users = { + alice = { isNormalUser = true; group = "alice"; openssh.authorizedKeys.keys = [ snakeOilPublicKey ]; }; + bob = { isNormalUser = true; group = "bob"; openssh.authorizedKeys.keys = [ snakeOilPublicKey ]; }; + carol = { isNormalUser = true; group = "carol"; openssh.authorizedKeys.keys = [ snakeOilPublicKey ]; }; + }; + }; + server-lazy = { ... }: @@ -95,19 +108,6 @@ in { }; }; - server_allowedusers = - { ... }: - - { - services.openssh = { enable = true; settings.AllowUsers = [ "alice" "bob" ]; }; - users.groups = { alice = { }; bob = { }; carol = { }; }; - users.users = { - alice = { isNormalUser = true; group = "alice"; openssh.authorizedKeys.keys = [ snakeOilPublicKey ]; }; - bob = { isNormalUser = true; group = "bob"; openssh.authorizedKeys.keys = [ snakeOilPublicKey ]; }; - carol = { isNormalUser = true; group = "carol"; openssh.authorizedKeys.keys = [ snakeOilPublicKey ]; }; - }; - }; - client = { ... }: { virtualisation.vlans = [ 1 2 ]; @@ -119,6 +119,7 @@ in { start_all() server.wait_for_unit("sshd", timeout=30) + server_allowed_users.wait_for_unit("sshd", timeout=30) server_localhost_only.wait_for_unit("sshd", timeout=30) server_match_rule.wait_for_unit("sshd", timeout=30) @@ -166,8 +167,9 @@ in { "cat ${snakeOilPrivateKey} > privkey.snakeoil" ) client.succeed("chmod 600 privkey.snakeoil") + # The final segment in this IP is allocated according to the alphabetical order of machines in this test. client.succeed( - "ssh -p 2222 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil root@192.168.2.4 true", + "ssh -p 2222 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil root@192.168.2.5 true", timeout=30 ) @@ -198,15 +200,15 @@ in { ) client.succeed("chmod 600 privkey.snakeoil") client.succeed( - "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil alice@server_allowedusers true", + "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil alice@server-allowed-users true", timeout=30 ) client.succeed( - "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil bob@server_allowedusers true", + "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil bob@server-allowed-users true", timeout=30 ) client.fail( - "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil carol@server_allowedusers true", + "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil carol@server-allowed-users true", timeout=30 ) ''; From 2e51a2fd03972819ef4e3fb8001a7e286a2469bb Mon Sep 17 00:00:00 2001 From: Tom Fitzhenry Date: Sun, 21 Apr 2024 22:51:02 +1000 Subject: [PATCH 2/3] nixos/ssh: allow UsePAM to be disabled --- .../modules/services/networking/ssh/sshd.nix | 5 ++-- nixos/tests/openssh.nix | 28 +++++++++++++++++++ 2 files changed, 30 insertions(+), 3 deletions(-) diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix index 5f2f6cb07af7..90cdadf66a6d 100644 --- a/nixos/modules/services/networking/ssh/sshd.nix +++ b/nixos/modules/services/networking/ssh/sshd.nix @@ -346,6 +346,7 @@ in violates the privacy of users and is not recommended. ''; }; + UsePAM = mkEnableOption "PAM authentication" // { default = true; }; UseDns = mkOption { type = types.bool; # apply if cfg.useDns then "yes" else "no" @@ -622,7 +623,7 @@ in networking.firewall.allowedTCPPorts = optionals cfg.openFirewall cfg.ports; - security.pam.services.sshd = + security.pam.services.sshd = lib.mkIf cfg.settings.UsePAM { startSession = true; showMotd = true; unixAuth = cfg.settings.PasswordAuthentication; @@ -638,8 +639,6 @@ in services.openssh.extraConfig = mkOrder 0 '' - UsePAM yes - Banner ${if cfg.banner == null then "none" else pkgs.writeText "ssh_banner" cfg.banner} AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"} diff --git a/nixos/tests/openssh.nix b/nixos/tests/openssh.nix index f71b0a22fe63..a039986621ca 100644 --- a/nixos/tests/openssh.nix +++ b/nixos/tests/openssh.nix @@ -108,6 +108,23 @@ in { }; }; + server-no-pam = + { pkgs, ... }: + { + programs.ssh.package = pkgs.opensshPackages.openssh.override { + withPAM = false; + }; + services.openssh = { + enable = true; + settings = { + UsePAM = false; + }; + }; + users.users.root.openssh.authorizedKeys.keys = [ + snakeOilPublicKey + ]; + }; + client = { ... }: { virtualisation.vlans = [ 1 2 ]; @@ -122,6 +139,7 @@ in { server_allowed_users.wait_for_unit("sshd", timeout=30) server_localhost_only.wait_for_unit("sshd", timeout=30) server_match_rule.wait_for_unit("sshd", timeout=30) + server_no_pam.wait_for_unit("sshd", timeout=30) server_lazy.wait_for_unit("sshd.socket", timeout=30) server_localhost_only_lazy.wait_for_unit("sshd.socket", timeout=30) @@ -211,5 +229,15 @@ in { "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil carol@server-allowed-users true", timeout=30 ) + + with subtest("no-pam"): + client.succeed( + "cat ${snakeOilPrivateKey} > privkey.snakeoil" + ) + client.succeed("chmod 600 privkey.snakeoil") + client.succeed( + "ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil server-no-pam true", + timeout=30 + ) ''; }) From 3fd9ef4b4094b2b8be327d3f64deb30849e61c84 Mon Sep 17 00:00:00 2001 From: Tom Fitzhenry Date: Tue, 23 Apr 2024 22:53:09 +1000 Subject: [PATCH 3/3] nixos/ssh: allow PrintMotd to be enabled --- nixos/modules/services/networking/ssh/sshd.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix index 90cdadf66a6d..c62bccd462d3 100644 --- a/nixos/modules/services/networking/ssh/sshd.nix +++ b/nixos/modules/services/networking/ssh/sshd.nix @@ -490,6 +490,8 @@ in {manpage}`sshd_config(5)` for details. ''; }; + # Disabled by default, since pam_motd handles this. + PrintMotd = mkEnableOption "printing /etc/motd when a user logs in interactively"; }; }); }; @@ -656,7 +658,6 @@ in ${optionalString cfg.allowSFTP '' Subsystem sftp ${cfg.sftpServerExecutable} ${concatStringsSep " " cfg.sftpFlags} ''} - PrintMotd no # handled by pam_motd AuthorizedKeysFile ${toString cfg.authorizedKeysFiles} ${optionalString (cfg.authorizedKeysCommand != "none") '' AuthorizedKeysCommand ${cfg.authorizedKeysCommand}