Merge pull request NixOS#261356 from l0b0/test/ssh-audit
Artturin authored Nov 3, 2023
2 parents 4f3186b + c15e1f6 commit 891e7b4
Showing 3 changed files with 109 additions and 0 deletions.
1 change: 1 addition & 0 deletions nixos/tests/all-tests.nix
Expand Up @@ -762,6 +762,7 @@ in {
spark = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./spark {};
sqlite3-to-mysql = handleTest ./sqlite3-to-mysql.nix {};
sslh = handleTest ./sslh.nix {};
ssh-audit = handleTest ./ssh-audit.nix {};
sssd = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./sssd.nix {};
sssd-ldap = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./sssd-ldap.nix {};
stalwart-mail = handleTest ./stalwart-mail.nix {};
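--- /dev/null
+++ b/nixos/tests/ssh-audit.nix
@@ -0,0 +1,103 @@
+import ./make-test-python.nix (
+{pkgs, ...}: let
+sshKeys = import (pkgs.path + "/nixos/tests/ssh-keys.nix") pkgs;
+sshUsername = "any-user";
+serverName = "server";
+clientName = "client";
+sshAuditPort = 2222;
+in {
+name = "ssh";
+
+nodes = {
+"${serverName}" = {
+networking.firewall.allowedTCPPorts = [
+sshAuditPort
+];
+services.openssh.enable = true;
+users.users."${sshUsername}" = {
+isNormalUser = true;
+openssh.authorizedKeys.keys = [
+sshKeys.snakeOilPublicKey
+];
+};
+};
+"${clientName}" = {
+programs.ssh = {
+ciphers = [
+"aes128-ctr"
+"[email protected]"
+"aes192-ctr"
+"aes256-ctr"
+"[email protected]"
+"[email protected]"
+];
+extraConfig = ''
+IdentitiesOnly yes
+'';
+hostKeyAlgorithms = [
+"rsa-sha2-256"
+"[email protected]"
+"rsa-sha2-512"
+"[email protected]"
+"[email protected]"
+"[email protected]"
+"ssh-ed25519"
+"[email protected]"
+];
+kexAlgorithms = [
+"curve25519-sha256"
+"[email protected]"
+"diffie-hellman-group-exchange-sha256"
+"diffie-hellman-group16-sha512"
+"diffie-hellman-group18-sha512"
+"[email protected]"
+];
+macs = [
+"[email protected]"
+"[email protected]"
+"[email protected]"
+];
+};
+};
+};
+
+testScript = ''
+start_all()
+${serverName}.wait_for_open_port(22)
+# Should pass SSH server audit
+${serverName}.succeed("${pkgs.ssh-audit}/bin/ssh-audit 127.0.0.1")
+# Wait for client to be able to connect to the server
+${clientName}.wait_for_unit("network-online.target")
+# Set up trusted private key
+${clientName}.succeed("cat ${sshKeys.snakeOilPrivateKey} > privkey.snakeoil")
+${clientName}.succeed("chmod 600 privkey.snakeoil")
+# Fail fast and disable interactivity
+ssh_options = "-o BatchMode=yes -o ConnectTimeout=1 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null"
+# Should deny root user
+${clientName}.fail(f"ssh {ssh_options} root@${serverName} true")
+# Should deny non-root user password login
+${clientName}.fail(f"ssh {ssh_options} -o PasswordAuthentication=yes ${sshUsername}@${serverName} true")
+# Should allow non-root user certificate login
+${clientName}.succeed(f"ssh {ssh_options} -i privkey.snakeoil ${sshUsername}@${serverName} true")
+# Should pass SSH client audit
+service_name = "ssh-audit.service"
+${serverName}.succeed(f"systemd-run --unit={service_name} ${pkgs.ssh-audit}/bin/ssh-audit --client-audit --port=${toString sshAuditPort}")
+${clientName}.sleep(5) # We can't use wait_for_open_port because ssh-audit exits as soon as anything talks to it
+${clientName}.execute(
+f"ssh {ssh_options} -i privkey.snakeoil -p ${toString sshAuditPort} ${sshUsername}@${serverName} true",
+check_return=False,
+timeout=10
+)
+${serverName}.succeed(f"exit $(systemctl show --property=ExecMainStatus --value {service_name})")
+'';
+}
+)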
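Review bot: The "Should deny non-root user password login" assertion cannot fail for the reason its comment claims, because `ssh_options` already carries `-o BatchMode=yes`, which makes the client skip password and keyboard-interactive authentication altogether, so that `ssh` invocation fails on the client side regardless of the server's policy. In the visible server node `services.openssh` is enabled without setting `PasswordAuthentication`, so this test would still pass if sshd accepted passwords; the "Should deny root user" check has the same weakness, since it offers no identity at all and therefore fails whatever `PermitRootLogin` is. To actually pin the server-side policy, add `services.openssh.settings.PasswordAuthentication = false;` to the server node and assert it from the daemon's effective configuration with `${serverName}.succeed("sshd -T | grep -i '^passwordauthentication no'")`, and likewise `grep -i '^permitrootlogin no'` for the root case. The final `systemctl show --property=ExecMainStatus` check also appears to rely on ssh-audit having already exited by the time the client's `ssh` returns; a still-running unit reports status 0, so if that ordering is not guaranteed it is worth waiting for the unit to leave the active state before reading its exit status.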
5 changes: 5 additions & 0 deletions pkgs/tools/security/ssh-audit/default.nix
@@ -1,5 +1,6 @@
{ lib
, fetchFromGitHub
, nixosTests
, python3Packages
}:

Expand All @@ -19,6 +20,10 @@ python3Packages.buildPythonApplication rec {
pytestCheckHook
];

passthru.tests = {
inherit (nixosTests) ssh-audit;
};

meta = with lib; {
description = "Tool for ssh server auditing";
homepage = "https://github.com/jtesta/ssh-audit";