PR #401506 fixed CVE-2025-32728. We can write a test for it, because
NixOS is awesome that way. So, check X11Forwarding and DisableForwarding
in the test suite.
Format all Nix files using the officially approved formatter,
making the CI check introduced in the previous commit succeed:
nix-build ci -A fmt.check
This is the next step of the of the [implementation](https://github.com/NixOS/nixfmt/issues/153)
of the accepted [RFC 166](https://github.com/NixOS/rfcs/pull/166).
This commit will lead to merge conflicts for a number of PRs,
up to an estimated ~1100 (~33%) among the PRs with activity in the past 2
months, but that should be lower than what it would be without the previous
[partial treewide format](https://github.com/NixOS/nixpkgs/pull/322537).
Merge conflicts caused by this commit can now automatically be resolved while rebasing using the
[auto-rebase script](8616af08d9/maintainers/scripts/auto-rebase).
If you run into any problems regarding any of this, please reach out to the
[formatting team](https://nixos.org/community/teams/formatting/) by
pinging @NixOS/nix-formatting.
In afeb76d628, sshd.service and
sshd@.service were switched to Type=notify. This apparently works for
sshd.service, but not for sshd@.service. Given that the reason for
this working with sshd.service isn't exactly clear, let's revert it
for both of them for now, and revisit Type=notify later.
When I initially wrote this test, I wasn't aware that services.openssh
could opt into using OpenSSH's default algorithms by just setting the
relevant settings to null.
That's a better approach since:
* it's a simpler setting for this test to have to worry about
* it introduces test coverage for the null case
* the null case should be demonstrated as an example for those that
want to compile without OpenSSL
Eelco has made several early contributions to NixOS including writing
the samba module among other things, but is more or less inactive these
days.
By my brief inspection, he has not committed to the nixos/ tree since
releasing Nix 2.13 in early 2023 and merging a PR to networking tests
slightly before that. A lot of these tests/modules are actually
unmaintained in practice, so we should update the code to reflect the
practical reality so someone can consider picking them up.
Motivation: Allow the sshd package to be built differently to the ssh
package (programs.ssh.package). For example, build sshd(1) without
openssl, but built ssh(1) with OpenSSL support.
Set the default to be programs.ssh.package, to preserve compatibility.
This test renames server_allowedusers to server-allowed-users.
As a side-effect, since IPs are allocated to machines in alphabetical order,
the IP assigned to server-lazy-socket changed, so the corresponding test had
its IP updated.
Noticed that issue while reviewing #275633: when declaring
`ListenAddress host` without a port, all ports declared by
`Port`/`cfg.ports` will be used with `host` according to
`sshd_config(5)`.
However, if this is done and socket activation is used, only a socket
for port 22 is created instead of a sockets for each port from
`Port`/`cfg.ports`. This patch corrects that behavior.
Also added a regression test for this case.
Otherwise the tests will fail with `networking.useNetworkd = true;`
because `systemd-resolved` ignores invalid hostnames in `/etc/hosts`
(which is where all hosts from the `nodes`-attribute set end up) and
subsequently e.g. `ssh server_lazy` will fail because the name cannot be
resolved.
In d6e84a4574 the test-framework was
changed to replace all dashes with underscores of hostnames in the
python code to have readable hostnames that are valid. I.e.
nodes.foo-bar = {}
represents a host with a valid hostname and it can be referenced in the
`testScript` with `foo_bar`.
Applying this here fixes the test for both scripted networking and
networkd.
When using e.g. `{ addr = "[::]"; port = 22; }` at `listenAddresses`,
the check fails because of an escaping issue[1] with
last 1 log lines:
> Invalid test mode specification -f
For full logs, run 'nix log /nix/store/c6pbpw5hjkjgipmarwyic9zyqr1xaix5-check-sshd-config.drv'
Using `lib.escapeShellArg` appears to solve the problem.
[1] https://github.com/NixOS/nixpkgs/pull/256090#issuecomment-1738063528
So far the test only uses an authorized key that is copied over to the
target machine instead of being set by the target's configuration.
Now, we cover both cases.
Signed-off-by: aszlig <aszlig@redmoonstudios.org>
You can now run a test in the nixos/tests directory directly using
nix-build, e.g.
$ nix-build '<nixos/tests/login.nix>' -A test
This gets rid of having to add the test to nixos/tests/default.nix.
(Of course, you still need to add it to nixos/release.nix if you want
Hydra to run the test.)
