commit
1be4ba01ac
@ -0,0 +1,70 @@ |
||||
import ../make-test-python.nix ({ pkgs, lib, ... }: |
||||
|
||||
let |
||||
testOnlySSHCredentials = pkgs.runCommand "pam-ussh-test-ca" { |
||||
nativeBuildInputs = [ pkgs.openssh ]; |
||||
} '' |
||||
mkdir $out |
||||
ssh-keygen -t ed25519 -N "" -f $out/ca |
||||
|
||||
ssh-keygen -t ed25519 -N "" -f $out/alice |
||||
ssh-keygen -s $out/ca -I "alice user key" -n "alice,root" -V 19700101:forever $out/alice.pub |
||||
|
||||
ssh-keygen -t ed25519 -N "" -f $out/bob |
||||
ssh-keygen -s $out/ca -I "bob user key" -n "bob" -V 19700101:forever $out/bob.pub |
||||
''; |
||||
makeTestScript = user: pkgs.writeShellScript "pam-ussh-${user}-test-script" '' |
||||
set -euo pipefail |
||||
|
||||
eval $(${pkgs.openssh}/bin/ssh-agent) |
||||
|
||||
mkdir -p $HOME/.ssh |
||||
chmod 700 $HOME/.ssh |
||||
cp ${testOnlySSHCredentials}/${user}{,.pub,-cert.pub} $HOME/.ssh |
||||
chmod 600 $HOME/.ssh/${user} |
||||
chmod 644 $HOME/.ssh/${user}{,-cert}.pub |
||||
|
||||
set -x |
||||
|
||||
${pkgs.openssh}/bin/ssh-add $HOME/.ssh/${user} |
||||
${pkgs.openssh}/bin/ssh-add -l &>2 |
||||
|
||||
exec sudo id -u -n |
||||
''; |
||||
in { |
||||
name = "pam-ussh"; |
||||
meta.maintainers = with lib.maintainers; [ lukegb ]; |
||||
|
||||
machine = |
||||
{ ... }: |
||||
{ |
||||
users.users.alice = { isNormalUser = true; extraGroups = [ "wheel" ]; }; |
||||
users.users.bob = { isNormalUser = true; extraGroups = [ "wheel" ]; }; |
||||
|
||||
security.pam.ussh = { |
||||
enable = true; |
||||
authorizedPrincipals = "root"; |
||||
caFile = "${testOnlySSHCredentials}/ca.pub"; |
||||
}; |
||||
|
||||
security.sudo = { |
||||
enable = true; |
||||
extraConfig = '' |
||||
Defaults lecture="never" |
||||
''; |
||||
}; |
||||
}; |
||||
|
||||
testScript = |
||||
'' |
||||
with subtest("alice should be allowed to escalate to root"): |
||||
machine.succeed( |
||||
'su -c "${makeTestScript "alice"}" -l alice | grep root' |
||||
) |
||||
|
||||
with subtest("bob should not be allowed to escalate to root"): |
||||
machine.fail( |
||||
'su -c "${makeTestScript "bob"}" -l bob | grep root' |
||||
) |
||||
''; |
||||
}) |
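Review bot: `${pkgs.openssh}/bin/ssh-add -l &>2` in makeTestScript redirects both streams to a file literally named `2` in the user's home directory rather than to stderr; the intended form is `${pkgs.openssh}/bin/ssh-add -l >&2`. The bob case uses `machine.fail` on a `su … | grep root` pipeline, so it also passes when anything before `sudo` fails (agent startup, the `cp`, a chmod), which makes the denial assertion vacuous; assert on the denial itself instead, e.g. run the script with `2>&1` captured and check that the output lacks `root` while the pre-sudo steps are shown succeeding in the `set -x` trace, or grep for sudo's denial message. Using `exec sudo -n id -u -n` would make the negative case fail fast rather than depending on sudo having no tty to prompt on. The CA and user private keys are generated into a store path and are therefore world-readable on the test machine, which is fine for a throwaway test CA but worth stating in a comment above `testOnlySSHCredentials`, e.g. `# test-only keys: these live world-readable in the store; never reuse them`.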
@ -0,0 +1,67 @@ |
||||
{ buildGoModule |
||||
, fetchFromGitHub |
||||
, pam |
||||
, lib |
||||
, nixosTests |
||||
}: |
||||
|
||||
buildGoModule rec { |
||||
pname = "pam_ussh"; |
||||
version = "unstable-20210615"; |
||||
|
||||
src = fetchFromGitHub { |
||||
owner = "uber"; |
||||
repo = "pam-ussh"; |
||||
rev = "e9524bda90ba19d3b9eb24f49cb63a6a56a19193"; # HEAD as of 2022-03-13 |
||||
sha256 = "0nb9hpqbghgi3zvq41kabydzyc6ffaaw9b4jkc5jrwn1klpw1xk8"; |
||||
}; |
||||
|
||||
prePatch = '' |
||||
cp ${./go.mod} go.mod |
||||
''; |
||||
overrideModAttrs = (_: { |
||||
inherit prePatch; |
||||
}); |
||||
|
||||
vendorSha256 = "0hjifc3kbwmx7kjn858vi05cwwra6q19cqjfd94k726pwhk37qkw"; |
||||
|
||||
buildInputs = [ |
||||
pam |
||||
]; |
||||
|
||||
buildPhase = '' |
||||
runHook preBuild |
||||
|
||||
if [ -z "$enableParallelBuilding" ]; then |
||||
export NIX_BUILD_CORES=1 |
||||
fi |
||||
go build -buildmode=c-shared -o pam_ussh.so -v -p $NIX_BUILD_CORES . |
||||
|
||||
runHook postBuild |
||||
''; |
||||
checkPhase = '' |
||||
runHook preCheck |
||||
|
||||
go test -v -p $NIX_BUILD_CORES . |
||||
|
||||
runHook postCheck |
||||
''; |
||||
installPhase = '' |
||||
runHook preInstall |
||||
|
||||
mkdir -p $out/lib/security |
||||
cp pam_ussh.so $out/lib/security |
||||
|
||||
runHook postInstall |
||||
''; |
||||
|
||||
passthru.tests = { inherit (nixosTests) pam-ussh; }; |
||||
|
||||
meta = with lib; { |
||||
homepage = "https://github.com/uber/pam-ussh"; |
||||
description = "PAM module to authenticate using SSH certificates"; |
||||
license = licenses.mit; |
||||
platforms = platforms.linux; |
||||
maintainers = with maintainers; [ lukegb ]; |
||||
}; |
||||
} |
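Review bot: `version = "unstable-20210615"` disagrees with the rev comment `# HEAD as of 2022-03-13`, and the nixpkgs convention for unstable versions is `unstable-YYYY-MM-DD` using the pinned commit's date; if e9524bd is the commit from 2022-03-13, `version = "unstable-2022-03-13";` keeps the two in step, otherwise the comment should say which date the version reflects. The `prePatch` that overwrites the checkout's `go.mod` with `./go.mod` (and is replayed for the vendor derivation via `overrideModAttrs`) deserves a one-line why-comment, since it decides which `golang.org/x/crypto` the module is built against and is what `vendorSha256` pins; I cannot tell from here whether upstream lacks a go.mod or this merely bumps versions, so word it accordingly, e.g. `# replace upstream go.mod with a pinned one so buildGoModule can vendor reproducibly`. The custom `buildPhase` presumably drops buildGoModule's default flags such as `-trimpath`, which is harmless for a c-shared PAM module but worth a short comment on the `go build -buildmode=c-shared` line if intentional.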
@ -0,0 +1,15 @@ |
||||
module github.com/uber/pam-ussh |
||||
|
||||
go 1.17 |
||||
|
||||
require ( |
||||
github.com/stretchr/testify v1.7.0 |
||||
golang.org/x/crypto v0.0.0-20220313003712-b769efc7c000 |
||||
) |
||||
|
||||
require ( |
||||
github.com/davecgh/go-spew v1.1.0 // indirect |
||||
github.com/pmezard/go-difflib v1.0.0 // indirect |
||||
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 // indirect |
||||
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c // indirect |
||||
) |