BoomMicrophone/nixpkgs-suyu
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

nixos/sshd: fix socket activated ports when using ListenAddress

Browse source 
Noticed that issue while reviewing #275633: when declaring
`ListenAddress host` without a port, all ports declared by
`Port`/`cfg.ports` will be used with `host` according to
`sshd_config(5)`.

However, if this is done and socket activation is used, only a socket
for port 22 is created instead of a sockets for each port from
`Port`/`cfg.ports`. This patch corrects that behavior.

Also added a regression test for this case.
This commit is contained in:
Maximilian Bosch 2024-01-03 19:36:51 +01:00
parent cb274aea01
commit 7e45990c06
No known key found for this signature in database
2 changed files with 32 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
nixos/modules/services/networking/ssh/sshd.nix
View file

@ -600,7 +600,11 @@ in
{ description = "SSH Socket"; { description = "SSH Socket";
wantedBy = [ "sockets.target" ]; wantedBy = [ "sockets.target" ];
socketConfig.ListenStream = if cfg.listenAddresses != [] then socketConfig.ListenStream = if cfg.listenAddresses != [] then
map (l: "${l.addr}:${toString (if l.port != null then l.port else 22)}") cfg.listenAddresses concatMap
({ addr, port }:
if port != null then [ "${addr}:${toString port}" ]
else map (p: "${addr}:${toString p}") cfg.ports)
cfg.listenAddresses
else else
cfg.ports; cfg.ports;
socketConfig.Accept = true; socketConfig.Accept = true;

28
nixos/tests/openssh.nix
View file

@ -34,6 +34,19 @@ in {
]; ];
}; };
server-lazy-socket = {
virtualisation.vlans = [ 1 2 ];
services.openssh = {
enable = true;
startWhenNeeded = true;
ports = [ 2222 ];
listenAddresses = [ { addr = "0.0.0.0"; } ];
};
users.users.root.openssh.authorizedKeys.keys = [
snakeOilPublicKey
];
};
server-localhost-only = server-localhost-only =
{ ... }: { ... }:
@ -96,7 +109,9 @@ in {
}; };
client = client =
{ ... }: { }; { ... }: {
virtualisation.vlans = [ 1 2 ];
};
}; };
@ -109,6 +124,7 @@ in {
server_lazy.wait_for_unit("sshd.socket", timeout=30) server_lazy.wait_for_unit("sshd.socket", timeout=30)
server_localhost_only_lazy.wait_for_unit("sshd.socket", timeout=30) server_localhost_only_lazy.wait_for_unit("sshd.socket", timeout=30)
server_lazy_socket.wait_for_unit("sshd.socket", timeout=30)
with subtest("manual-authkey"): with subtest("manual-authkey"):
client.succeed("mkdir -m 700 /root/.ssh") client.succeed("mkdir -m 700 /root/.ssh")
@ -145,6 +161,16 @@ in {
timeout=30 timeout=30
) )
with subtest("socket activation on a non-standard port"):
client.succeed(
"cat ${snakeOilPrivateKey} > privkey.snakeoil"
)
client.succeed("chmod 600 privkey.snakeoil")
client.succeed(
"ssh -p 2222 -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -i privkey.snakeoil root@192.168.2.4 true",
timeout=30
)
with subtest("configured-authkey"): with subtest("configured-authkey"):
client.succeed( client.succeed(
"cat ${snakeOilPrivateKey} > privkey.snakeoil" "cat ${snakeOilPrivateKey} > privkey.snakeoil"