nixos/initrd-ssh: set more defensive permissions on sshd test key #99173

Merged
merged 1 commit into from Nov 29, 2020

johanot
Contributor

@johanot johanot commented Sep 30, 2020

Motivation for this change

Make nixos-install not fail on extraUtilsCommandsTest for initrd-ssh.

It looks like the test sshd key can never be used, because of too open permissions in the store. But since sshd tries all available keys one by one, my guess is that the test script starts working fine once the user defined ssh-hostkey has been copied into initrd.

At "nixos-install" however, the user specified host key is not present in initrd fs yet and validation fails.

fixes #91486

cc @sorpaas @reyman @emilazy

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

It looks like the test sshd key can never be used, because of too open
permissions. My guess is that the current test script works fine once
the user defined ssh-key has been copied into initrd.

At "nixos-install" however, the user specified host key is not present
in initrd yet and validation fails.

fixes NixOS#91486
@rissson
Member

rissson commented Nov 3, 2020

Running into the same problem here. This fixes it. Thanks!

Member

@emilazy emilazy left a comment

Seems reasonable to me. Passing the test key is just a workaround for sshd being unhappy with finding no host keys at all. The mktemp dance is unfortunate but it's probably still better than generating a new throwaway key on each generation switch.
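
The permission problem and the mktemp workaround discussed in this thread, as an added example that is not the PR's code: it approximates sshd's rule that a private host key must carry no group or other permission bits, then stages a too-open key into a private temp file. The function names, the placeholder key content and the 0444 mode on the demo file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the PR. Function names are hypothetical.

# Succeeds only if no group/other permission bits are set on the file,
# i.e. the equivalent of (mode & 077) == 0. This approximates the check
# sshd applies before it will load a private key.
key_perm_ok() {
    case "$(ls -ld -- "$1")" in
        ????------*) return 0 ;;   # type + 3 owner bits, then 6 empty bits
        *)           return 1 ;;
    esac
}

# Copies a key into a fresh private temp file and prints the new path.
# mktemp creates the file with mode 0600 and cat writes into it, so the
# open mode bits of the source file are never carried over.
stage_key() {
    staged=$(mktemp) || return 1
    cat -- "$1" > "$staged" || { rm -f -- "$staged"; return 1; }
    chmod 600 -- "$staged"
    printf '%s\n' "$staged"
}

# Constructed demo: a placeholder file with a world-readable mode (0444),
# checked before and after staging. Prints "<before> <after>".
demo() {
    dir=$(mktemp -d) || return 1
    printf 'constructed placeholder, not a real key\n' > "$dir/test_key"
    chmod 444 "$dir/test_key"
    key_perm_ok "$dir/test_key" && before=ok || before=too-open
    staged=$(stage_key "$dir/test_key") || return 1
    key_perm_ok "$staged" && after=ok || after=too-open
    rm -rf -- "$dir" "$staged"
    printf '%s %s\n' "$before" "$after"
}

demo
```
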

@srhb
Contributor

srhb commented Nov 29, 2020

Seems fine to me too!

@srhb srhb merged commit a7a5f79 into NixOS:master Nov 29, 2020
@johanot johanot deleted the fix-initrd-ssh-commands-test branch November 29, 2020 10:29
Successfully merging this pull request may close these issues.

initrd-ssh: permissions for key are too open