diff --git a/third_party/nixpkgs/patches/pr163673.patch b/third_party/nixpkgs/patches/pr163673.patch
deleted file mode 100644
index 1c26e465bf..0000000000
--- a/third_party/nixpkgs/patches/pr163673.patch
+++ /dev/null
@@ -1,251 +0,0 @@
-From 860cc90fec86ea49d1f73ac5f5920f11afaba28d Mon Sep 17 00:00:00 2001
-From: Luke Granger-Brown
-Date: Fri, 11 Mar 2022 13:54:14 +0000
-Subject: [PATCH 1/4] pomerium: 0.15.7 -> 0.17.0
----
- pkgs/servers/http/pomerium/default.nix | 8 +++-----
- 1 file changed, 3 insertions(+), 5 deletions(-)
-
-diff --git a/pkgs/servers/http/pomerium/default.nix b/pkgs/servers/http/pomerium/default.nix
-index cbf2fe1943542..4a8381bccc996 100644
---- a/pkgs/servers/http/pomerium/default.nix
-+++ b/pkgs/servers/http/pomerium/default.nix
-@@ -11,18 +11,17 @@ let
- in
- buildGoModule rec {
- pname = "pomerium";
-- version = "0.15.7";
-+ version = "0.17.0";
- src = fetchFromGitHub {
- owner = "pomerium";
- repo = "pomerium";
- rev = "v${version}";
-- hash = "sha256:0adlk4ylny1z43x1dw3ny0s1932vhb61hpf5wdz4r65y8k9qyfgr";
-+ hash = "sha256:1hv76i6k9f0kp527nxlxqhklsvkh2cmfnqlszmlk2hxij31qnf8q";
- };
-
-- vendorSha256 = "sha256:1fszfbra84pcs8v1h2kf7iy603vf9v2ysg6il76aqmqrxmb1p7nv";
-+ vendorSha256 = "sha256:1cq4m5a7z64yg3v1c68d15ilw78il6p53vaqzxgn338zjggr3kig";
- subPackages = [
- "cmd/pomerium"
-- "cmd/pomerium-cli"
- ];
-
- ldflags = let
-@@ -74,7 +73,6 @@ buildGoModule rec {
-
- installPhase = ''
- install -Dm0755 $GOPATH/bin/pomerium $out/bin/pomerium
-- install -Dm0755 $GOPATH/bin/pomerium-cli $out/bin/pomerium-cli
- '';
-
- passthru.tests = {
-
-From 6659ba52480b2881c89c104370c2e7528fb34a0e Mon Sep 17 00:00:00 2001
-From: Luke Granger-Brown
-Date: Fri, 11 Mar 2022 14:01:27 +0000
-Subject: [PATCH 2/4] pomerium-cli: init at 0.17.0
----
- pkgs/servers/http/pomerium/default.nix | 2 +
- pkgs/tools/security/pomerium-cli/default.nix | 58 ++++++++++++++++++++
- pkgs/top-level/all-packages.nix | 1 +
- 3 files changed, 61 insertions(+)
- create mode 100644 pkgs/tools/security/pomerium-cli/default.nix
-
-diff --git a/pkgs/servers/http/pomerium/default.nix b/pkgs/servers/http/pomerium/default.nix
-index 4a8381bccc996..8a5580d5d0dba 100644
---- a/pkgs/servers/http/pomerium/default.nix
-+++ b/pkgs/servers/http/pomerium/default.nix
-@@ -4,6 +4,7 @@
- , envoy
- , zip
- , nixosTests
-+, pomerium-cli
- }:
-
- let
-@@ -77,6 +78,7 @@ buildGoModule rec {
-
- passthru.tests = {
- inherit (nixosTests) pomerium;
-+ inherit pomerium-cli;
- };
-
- meta = with lib; {
-diff --git a/pkgs/tools/security/pomerium-cli/default.nix b/pkgs/tools/security/pomerium-cli/default.nix
-new file mode 100644
-index 0000000000000..7dc7e3a7a903c
---- /dev/null
-+++ b/pkgs/tools/security/pomerium-cli/default.nix
-@@ -0,0 +1,58 @@
-+{ buildGoModule
-+, fetchFromGitHub
-+, lib
-+, pomerium
-+}:
-+
-+let
-+ inherit (lib) concatStringsSep concatMap id mapAttrsToList;
-+in
-+buildGoModule rec {
-+ pname = "pomerium-cli";
-+ version = pomerium.version;
-+ src = fetchFromGitHub {
-+ owner = "pomerium";
-+ repo = "cli";
-+ rev = "v${version}";
-+ hash = "sha256:0230b22xjnpykj8bcdahzzlsvlrd63z2cmg6yb246c5ngjs835q1";
-+ };
-+
-+ vendorSha256 = "sha256:0xx22lmh6wip1d1bjrp4lgab3q9yilw54v4lg24lf3xhbsr5si9b";
-+ subPackages = [
-+ "cmd/pomerium-cli"
-+ ];
-+
-+ ldflags = let
-+ # Set a variety of useful meta variables for stamping the build with.
-+ setVars = {
-+ "github.com/pomerium/cli/version" = {
-+ Version = "v${version}";
-+ BuildMeta = "nixpkgs";
-+ ProjectName = "pomerium-cli";
-+ ProjectURL = "github.com/pomerium/cli";
-+ };
-+ };
-+ concatStringsSpace = list: concatStringsSep " " list;
-+ mapAttrsToFlatList = fn: list: concatMap id (mapAttrsToList fn list);
-+ varFlags = concatStringsSpace (
-+ mapAttrsToFlatList (package: packageVars:
-+ mapAttrsToList (variable: value:
-+ "-X ${package}.${variable}=${value}"
-+ ) packageVars
-+ ) setVars);
-+ in [
-+ "${varFlags}"
-+ ];
-+
-+ installPhase = ''
-+ install -Dm0755 $GOPATH/bin/pomerium-cli $out/bin/pomerium-cli
-+ '';
-+
-+ meta = with lib; {
-+ homepage = "https://pomerium.io";
-+ description = "Client-side helper for Pomerium authenticating reverse proxy";
-+ license = licenses.asl20;
-+ maintainers = with maintainers; [ lukegb ];
-+ platforms = platforms.unix;
-+ };
-+}
-diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
-index a2880d70e6457..7b01dfe3fe72d 100644
---- a/pkgs/top-level/all-packages.nix
-+++ b/pkgs/top-level/all-packages.nix
-@@ -21613,6 +21613,7 @@ with pkgs;
- pflogsumm = callPackage ../servers/mail/postfix/pflogsumm.nix { };
-
- pomerium = callPackage ../servers/http/pomerium { };
-+ pomerium-cli = callPackage ../tools/security/pomerium-cli { };
-
- postgrey = callPackage ../servers/mail/postgrey { };
-
-
-From 3004e58f6a0817080f40db34dc96fdf4d5da6c18 Mon Sep 17 00:00:00 2001
-From: Luke Granger-Brown
-Date: Fri, 11 Mar 2022 14:03:22 +0000
-Subject: [PATCH 3/4] nixos/pomerium: avoid blocking when renewing ACME certificates
-
----
- nixos/modules/services/web-servers/pomerium.nix | 10 +++++++---
- 1 file changed, 7 insertions(+), 3 deletions(-)
-
-diff --git a/nixos/modules/services/web-servers/pomerium.nix b/nixos/modules/services/web-servers/pomerium.nix
-index 2bc7d01c7c287..0b460755f50ef 100644
---- a/nixos/modules/services/web-servers/pomerium.nix
-+++ b/nixos/modules/services/web-servers/pomerium.nix
-@@ -69,11 +69,16 @@ in
- CERTIFICATE_KEY_FILE = "key.pem";
- };
- startLimitIntervalSec = 60;
-+ script = ''
-+ if [[ -v CREDENTIALS_DIRECTORY ]]; then
-+ cd "$CREDENTIALS_DIRECTORY"
-+ fi
-+ exec "${pkgs.pomerium}/bin/pomerium" -config "${cfgFile}"
-+ '';
-
- serviceConfig = {
- DynamicUser = true;
- StateDirectory = [ "pomerium" ];
-- ExecStart = "${pkgs.pomerium}/bin/pomerium -config ${cfgFile}";
-
- PrivateUsers = false; # breaks CAP_NET_BIND_SERVICE
- MemoryDenyWriteExecute = false; # breaks LuaJIT
-@@ -99,7 +104,6 @@ in
- AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
- CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
-
-- WorkingDirectory = mkIf (cfg.useACMEHost != null) "$CREDENTIALS_DIRECTORY";
- LoadCredential = optionals (cfg.useACMEHost != null) [
- "fullchain.pem:/var/lib/acme/${cfg.useACMEHost}/fullchain.pem"
- "key.pem:/var/lib/acme/${cfg.useACMEHost}/key.pem"
-@@ -124,7 +128,7 @@ in
- Type = "oneshot";
- TimeoutSec = 60;
- ExecCondition = "/run/current-system/systemd/bin/systemctl -q is-active pomerium.service";
-- ExecStart = "/run/current-system/systemd/bin/systemctl restart pomerium.service";
-+ ExecStart = "/run/current-system/systemd/bin/systemctl --no-block restart pomerium.service";
- };
- };
- });
-
-From c19e76b29f7bd0d225ab89feb0a3726676f915c8 Mon Sep 17 00:00:00 2001
-From: Luke Granger-Brown
-Date: Fri, 11 Mar 2022 14:07:12 +0000
-Subject: [PATCH 4/4] pomerium: note changes in packaging in 22.05 release notes
----
- .../manual/from_md/release-notes/rl-2205.section.xml | 10 ++++++++++
- nixos/doc/manual/release-notes/rl-2205.section.md | 5 +++++
- 2 files changed, 15 insertions(+)
-
-diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
-index 9cf27e56827a1..333994c0957d6 100644
---- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
-+++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
-@@ -1322,6 +1322,16 @@
- warning.
-
-
-+
-+
-+ The pomerium-cli command has been moved out
-+ of the pomerium package into the
-+ pomerium-cli package, following upstream’s
-+ repository split. If you are using the
-+ pomerium-cli command, you should now
-+ install the pomerium-cli package.
-+
-+
-
-
- The option
-diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md
-index 58a1b23d17bf6..222c101a2842d 100644
---- a/nixos/doc/manual/release-notes/rl-2205.section.md
-+++ b/nixos/doc/manual/release-notes/rl-2205.section.md
-@@ -479,6 +479,11 @@ In addition to numerous new and upgraded packages, this release has the followin
- Reason is that the old name has been deprecated upstream.
- Using the old option name will still work, but produce a warning.
-
-+- The `pomerium-cli` command has been moved out of the `pomerium` package into
-+ the `pomerium-cli` package, following upstream's repository split. If you are
-+ using the `pomerium-cli` command, you should now install the `pomerium-cli`
-+ package.
-+
- - The option
- [services.networking.networkmanager.enableFccUnlock](#opt-networking.networkmanager.enableFccUnlock)
- was added to support FCC unlock procedures. Since release 1.18.4, the ModemManager
diff --git a/third_party/nixpkgs/patches/pr163678.patch b/third_party/nixpkgs/patches/pr163678.patch
deleted file mode 100644
index 662097c942..0000000000
--- a/third_party/nixpkgs/patches/pr163678.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From f491e8c3326f102c0ef45f6b0abe0868d6df5bbd Mon Sep 17 00:00:00 2001
-From: Luke Granger-Brown
-Date: Fri, 11 Mar 2022 15:42:05 +0000
-Subject: [PATCH] mercurial: disable all non-essential phases in withExtensions
----
- pkgs/applications/version-management/mercurial/default.nix | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/pkgs/applications/version-management/mercurial/default.nix b/pkgs/applications/version-management/mercurial/default.nix
-index 17d21f30e3b24..0124cf0646e5e 100644
---- a/pkgs/applications/version-management/mercurial/default.nix
-+++ b/pkgs/applications/version-management/mercurial/default.nix
-@@ -181,6 +181,10 @@ in
- nativeBuildInputs = self.nativeBuildInputs;
-
- dontUnpack = true;
-+ dontPatch = true;
-+ dontConfigure = true;
-+ dontBuild = true;
-+ doCheck = false;
-
- installPhase = ''
- runHook preInstall
diff --git a/third_party/nixpkgs/patches/pr164025.patch b/third_party/nixpkgs/patches/pr164025.patch
deleted file mode 100644
index 237cdd315e..0000000000
--- a/third_party/nixpkgs/patches/pr164025.patch
+++ /dev/null
@@ -1,433 +0,0 @@
-From f63d93bc3d0ad73b24b2cf9c0ee0381161071395 Mon Sep 17 00:00:00 2001
-From: Luke Granger-Brown
-Date: Sun, 13 Mar 2022 17:20:16 +0000
-Subject: [PATCH 1/2] pam_ussh: init at unstable-20210615
----
- pkgs/os-specific/linux/pam_ussh/default.nix | 64 +++++++++++++++++++++
- pkgs/os-specific/linux/pam_ussh/go.mod | 15 +++++
- pkgs/top-level/all-packages.nix | 2 +
- 3 files changed, 81 insertions(+)
- create mode 100644 pkgs/os-specific/linux/pam_ussh/default.nix
- create mode 100644 pkgs/os-specific/linux/pam_ussh/go.mod
-
-diff --git a/pkgs/os-specific/linux/pam_ussh/default.nix b/pkgs/os-specific/linux/pam_ussh/default.nix
-new file mode 100644
-index 0000000000000..499239500acce
---- /dev/null
-+++ b/pkgs/os-specific/linux/pam_ussh/default.nix
-@@ -0,0 +1,64 @@
-+{ buildGoModule
-+, fetchFromGitHub
-+, pam
-+, lib
-+}:
-+
-+buildGoModule rec {
-+ pname = "pam_ussh";
-+ version = "unstable-20210615";
-+
-+ src = fetchFromGitHub {
-+ owner = "uber";
-+ repo = "pam-ussh";
-+ rev = "e9524bda90ba19d3b9eb24f49cb63a6a56a19193"; # HEAD as of 2022-03-13
-+ sha256 = "0nb9hpqbghgi3zvq41kabydzyc6ffaaw9b4jkc5jrwn1klpw1xk8";
-+ };
-+
-+ prePatch = ''
-+ cp ${./go.mod} go.mod
-+ '';
-+ overrideModAttrs = (_: {
-+ inherit prePatch;
-+ });
-+
-+ vendorSha256 = "0hjifc3kbwmx7kjn858vi05cwwra6q19cqjfd94k726pwhk37qkw";
-+
-+ buildInputs = [
-+ pam
-+ ];
-+
-+ buildPhase = ''
-+ runHook preBuild
-+
-+ if [ -z "$enableParallelBuilding" ]; then
-+ export NIX_BUILD_CORES=1
-+ fi
-+ go build -buildmode=c-shared -o pam_ussh.so -v -p $NIX_BUILD_CORES .
-+
-+ runHook postBuild
-+ '';
-+ checkPhase = ''
-+ runHook preCheck
-+
-+ go test -v -p $NIX_BUILD_CORES .
-+
-+ runHook postCheck
-+ '';
-+ installPhase = ''
-+ runHook preInstall
-+
-+ mkdir -p $out/lib/security
-+ cp pam_ussh.so $out/lib/security
-+
-+ runHook postInstall
-+ '';
-+
-+ meta = with lib; {
-+ homepage = "https://github.com/uber/pam-ussh";
-+ description = "PAM module to authenticate using SSH certificates";
-+ license = licenses.mit;
-+ platforms = platforms.linux;
-+ maintainers = with maintainers; [ lukegb ];
-+ };
-+}
-diff --git a/pkgs/os-specific/linux/pam_ussh/go.mod b/pkgs/os-specific/linux/pam_ussh/go.mod
-new file mode 100644
-index 0000000000000..9adc453560a43
---- /dev/null
-+++ b/pkgs/os-specific/linux/pam_ussh/go.mod
-@@ -0,0 +1,15 @@
-+module github.com/uber/pam-ussh
-+
-+go 1.17
-+
-+require (
-+ github.com/stretchr/testify v1.7.0
-+ golang.org/x/crypto v0.0.0-20220313003712-b769efc7c000
-+)
-+
-+require (
-+ github.com/davecgh/go-spew v1.1.0 // indirect
-+ github.com/pmezard/go-difflib v1.0.0 // indirect
-+ golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 // indirect
-+ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c // indirect
-+)
-diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
-index 6c6832ae05475..539ecd4ec481b 100644
---- a/pkgs/top-level/all-packages.nix
-+++ b/pkgs/top-level/all-packages.nix
-@@ -23052,6 +23052,8 @@ with pkgs;
-
- pam_usb = callPackage ../os-specific/linux/pam_usb { };
-
-+ pam_ussh = callPackage ../os-specific/linux/pam_ussh { };
-+
- paxctl = callPackage ../os-specific/linux/paxctl { };
-
- paxtest = callPackage ../os-specific/linux/paxtest { };
-
-From 1853015550a78acbc3e9d090d174120796c4b784 Mon Sep 17 00:00:00 2001
-From: Luke Granger-Brown
-Date: Sun, 13 Mar 2022 17:20:23 +0000
-Subject: [PATCH 2/2] nixos/pam: add support for pam-ussh
-pam-ussh allows authorizing using an SSH certificate stored in your
-SSH agent, in a similar manner to pam-ssh-agent-auth, but for
-certificates rather than raw public keys.
----
- .../from_md/release-notes/rl-2205.section.xml | 9 ++
- .../manual/release-notes/rl-2205.section.md | 2 +
- nixos/modules/security/pam.nix | 109 ++++++++++++++++++
- nixos/modules/security/sudo.nix | 2 +-
- nixos/tests/all-tests.nix | 1 +
- nixos/tests/pam/pam-ussh.nix | 70 +++++++++++
- pkgs/os-specific/linux/pam_ussh/default.nix | 3 +
- 7 files changed, 195 insertions(+), 1 deletion(-)
- create mode 100644 nixos/tests/pam/pam-ussh.nix
-
-diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
-index 9cf27e56827a1..ede0e10e03466 100644
---- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
-+++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
-@@ -1286,6 +1286,15 @@
- been added by default.
-
-
-+
-+
-+ security.pam.ussh has been added, which
-+ allows authorizing PAM sessions based on SSH
-+ certificates held within an SSH agent,
-+ using
-+ pam-ussh.
-+
-+
-
-
- The zrepl package has been updated from
-diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md
-index 58a1b23d17bf6..90ac7e90e7295 100644
---- a/nixos/doc/manual/release-notes/rl-2205.section.md
-+++ b/nixos/doc/manual/release-notes/rl-2205.section.md
-@@ -470,6 +470,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- - `services.logrotate.enable` now defaults to true if any rotate path has
- been defined, and some paths have been added by default.
-
-+- `security.pam.ussh` has been added, which allows authorizing PAM sessions based on SSH _certificates_ held within an SSH agent, using [pam-ussh](https://github.com/uber/pam-ussh).
-+
- - The `zrepl` package has been updated from 0.4.0 to 0.5:
-
- - The RPC protocol version was bumped; all zrepl daemons in a setup must be updated and restarted before replication can resume.
-diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
-index c0ef8b5f30bd4..f9697d61f1b27 100644
---- a/nixos/modules/security/pam.nix
-+++ b/nixos/modules/security/pam.nix
-@@ -61,6 +61,19 @@ let
- '';
- };
-
-+ usshAuth = mkOption {
-+ default = false;
-+ type = types.bool;
-+ description = ''
-+ If set, users with an SSH certificate containing an authorized principal
-+ in their SSH agent are able to log in. Specific options are controlled
-+ using the options.
-+
-+ Note that the must also be
-+ set for this option to take effect.
-+ '';
-+ };
-+
- yubicoAuth = mkOption {
- default = config.security.pam.yubico.enable;
- defaultText = literalExpression "config.security.pam.yubico.enable";
-@@ -475,6 +488,9 @@ let
- optionalString cfg.usbAuth ''
- auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so
- '' +
-+ (let ussh = config.security.pam.ussh; in optionalString (config.security.pam.ussh.enable && cfg.usshAuth) ''
-+ auth ${ussh.control} ${pkgs.pam_ussh}/lib/security/pam_ussh.so ${optionalString (ussh.caFile != null) "ca_file=${ussh.caFile}"} ${optionalString (ussh.authorizedPrincipals != null) "authorized_principals=${ussh.authorizedPrincipals}"} ${optionalString (ussh.authorizedPrincipalsFile != null) "authorized_principals_file=${ussh.authorizedPrincipalsFile}"} ${optionalString (ussh.group != null) "group=${ussh.group}"}
-+ '') +
- (let oath = config.security.pam.oath; in optionalString cfg.oathAuth ''
- auth requisite ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}
- '') +
-@@ -926,6 +942,96 @@ in
- };
- };
-
-+ security.pam.ussh = {
-+ enable = mkOption {
-+ default = false;
-+ type = types.bool;
-+ description = ''
-+ Enables Uber's USSH PAM (pam-ussh) module.
-+
-+ This is similar to pam-ssh-agent, except that
-+ the presence of a CA-signed SSH key with a valid principal is checked
-+ instead.
-+
-+ Note that this module must both be enabled using this option and on a
-+ per-PAM-service level as well (using usshAuth).
-+
-+ More information can be found here.
-+ '';
-+ };
-+
-+ caFile = mkOption {
-+ default = null;
-+ type = with types; nullOr path;
-+ description = ''
-+ By default pam-ussh reads the trusted user CA keys
-+ from /etc/ssh/trusted_user_ca.
-+
-+ This should be set the same as your TrustedUserCAKeys
-+ option for sshd.
-+ '';
-+ };
-+
-+ authorizedPrincipals = mkOption {
-+ default = null;
-+ type = with types; nullOr commas;
-+ description = ''
-+ Comma-separated list of authorized principals to permit; if the user
-+ presents a certificate with one of these principals, then they will be
-+ authorized.
-+
-+ Note that pam-ussh also requires that the certificate
-+ contain a principal matching the user's username. The principals from
-+ this list are in addition to those principals.
-+
-+ Mutually exclusive with authorizedPrincipalsFile.
-+ '';
-+ };
-+
-+ authorizedPrincipalsFile = mkOption {
-+ default = null;
-+ type = with types; nullOr path;
-+ description = ''
-+ Path to a list of principals; if the user presents a certificate with
-+ one of these principals, then they will be authorized.
-+
-+ Note that pam-ussh also requires that the certificate
-+ contain a principal matching the user's username. The principals from
-+ this file are in addition to those principals.
-+
-+ Mutually exclusive with authorizedPrincipals.
-+ '';
-+ };
-+
-+ group = mkOption {
-+ default = null;
-+ type = with types; nullOr str;
-+ description = ''
-+ If set, then the authenticating user must be a member of this group
-+ to use this module.
-+ '';
-+ };
-+
-+ control = mkOption {
-+ default = "sufficient";
-+ type = types.enum [ "required" "requisite" "sufficient" "optional" ];
-+ description = ''
-+ This option sets pam "control".
-+ If you want to have multi factor authentication, use "required".
-+ If you want to use the SSH certificate instead of the regular password,
-+ use "sufficient".
-+
-+ Read
-+
-+ pam.conf
-+ 5
-+
-+ for better understanding of this option.
-+ '';
-+ };
-+ };
-+
- security.pam.yubico = {
- enable = mkOption {
- default = false;
-@@ -1110,6 +1216,9 @@ in
- optionalString (isEnabled (cfg: cfg.usbAuth)) ''
- mr ${pkgs.pam_usb}/lib/security/pam_usb.so,
- '' +
-+ optionalString (isEnabled (cfg: cfg.usshAuth)) ''
-+ mr ${pkgs.pam_ussh}/lib/security/pam_ussh.so,
-+ '' +
- optionalString (isEnabled (cfg: cfg.oathAuth)) ''
- "mr ${pkgs.oathToolkit}/lib/security/pam_oath.so,
- '' +
-diff --git a/nixos/modules/security/sudo.nix b/nixos/modules/security/sudo.nix
-index 99e578f8adae6..4bf239fca8f90 100644
---- a/nixos/modules/security/sudo.nix
-+++ b/nixos/modules/security/sudo.nix
-@@ -245,7 +245,7 @@ in
-
- environment.systemPackages = [ sudo ];
-
-- security.pam.services.sudo = { sshAgentAuth = true; };
-+ security.pam.services.sudo = { sshAgentAuth = true; usshAuth = true; };
-
- environment.etc.sudoers =
- { source =
-diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
-index 043d8a56d0c63..1ed12c54c5752 100644
---- a/nixos/tests/all-tests.nix
-+++ b/nixos/tests/all-tests.nix
-@@ -388,6 +388,7 @@ in
- pam-file-contents = handleTest ./pam/pam-file-contents.nix {};
- pam-oath-login = handleTest ./pam/pam-oath-login.nix {};
- pam-u2f = handleTest ./pam/pam-u2f.nix {};
-+ pam-ussh = handleTest ./pam/pam-ussh.nix {};
- pantalaimon = handleTest ./matrix/pantalaimon.nix {};
- pantheon = handleTest ./pantheon.nix {};
- paperless-ng = handleTest ./paperless-ng.nix {};
-diff --git a/nixos/tests/pam/pam-ussh.nix b/nixos/tests/pam/pam-ussh.nix
-new file mode 100644
-index 0000000000000..ba0570dbf97d2
---- /dev/null
-+++ b/nixos/tests/pam/pam-ussh.nix
-@@ -0,0 +1,70 @@
-+import ../make-test-python.nix ({ pkgs, lib, ... }:
-+
-+let
-+ testOnlySSHCredentials = pkgs.runCommand "pam-ussh-test-ca" {
-+ nativeBuildInputs = [ pkgs.openssh ];
-+ } ''
-+ mkdir $out
-+ ssh-keygen -t ed25519 -N "" -f $out/ca
-+
-+ ssh-keygen -t ed25519 -N "" -f $out/alice
-+ ssh-keygen -s $out/ca -I "alice user key" -n "alice,root" -V 19700101:forever $out/alice.pub
-+
-+ ssh-keygen -t ed25519 -N "" -f $out/bob
-+ ssh-keygen -s $out/ca -I "bob user key" -n "bob" -V 19700101:forever $out/bob.pub
-+ '';
-+ makeTestScript = user: pkgs.writeShellScript "pam-ussh-${user}-test-script" ''
-+ set -euo pipefail
-+
-+ eval $(${pkgs.openssh}/bin/ssh-agent)
-+
-+ mkdir -p $HOME/.ssh
-+ chmod 700 $HOME/.ssh
-+ cp ${testOnlySSHCredentials}/${user}{,.pub,-cert.pub} $HOME/.ssh
-+ chmod 600 $HOME/.ssh/${user}
-+ chmod 644 $HOME/.ssh/${user}{,-cert}.pub
-+
-+ set -x
-+
-+ ${pkgs.openssh}/bin/ssh-add $HOME/.ssh/${user}
-+ ${pkgs.openssh}/bin/ssh-add -l &>2
-+
-+ exec sudo id -u -n
-+ '';
-+in {
-+ name = "pam-ussh";
-+ meta.maintainers = with lib.maintainers; [ lukegb ];
-+
-+ machine =
-+ { ... }:
-+ {
-+ users.users.alice = { isNormalUser = true; extraGroups = [ "wheel" ]; };
-+ users.users.bob = { isNormalUser = true; extraGroups = [ "wheel" ]; };
-+
-+ security.pam.ussh = {
-+ enable = true;
-+ authorizedPrincipals = "root";
-+ caFile = "${testOnlySSHCredentials}/ca.pub";
-+ };
-+
-+ security.sudo = {
-+ enable = true;
-+ extraConfig = ''
-+ Defaults lecture="never"
-+ '';
-+ };
-+ };
-+
-+ testScript =
-+ ''
-+ with subtest("alice should be allowed to escalate to root"):
-+ machine.succeed(
-+ 'su -c "${makeTestScript "alice"}" -l alice | grep root'
-+ )
-+
-+ with subtest("bob should not be allowed to escalate to root"):
-+ machine.fail(
-+ 'su -c "${makeTestScript "bob"}" -l bob | grep root'
-+ )
-+ '';
-+})
-diff --git a/pkgs/os-specific/linux/pam_ussh/default.nix b/pkgs/os-specific/linux/pam_ussh/default.nix
-index 499239500acce..889c8bc6f57cf 100644
---- a/pkgs/os-specific/linux/pam_ussh/default.nix
-+++ b/pkgs/os-specific/linux/pam_ussh/default.nix
-@@ -2,6 +2,7 @@
- , fetchFromGitHub
- , pam
- , lib
-+, nixosTests
- }:
-
- buildGoModule rec {
-@@ -54,6 +55,8 @@ buildGoModule rec {
- runHook postInstall
- '';
-
-+ passthru.tests = { inherit (nixosTests) pam-ussh; };
-+
- meta = with lib; {
- homepage = "https://github.com/uber/pam-ussh";
- description = "PAM module to authenticate using SSH certificates";
diff --git a/third_party/nixpkgs/patches/series b/third_party/nixpkgs/patches/series
index 4c07b08012..b81ed8d9b7 100644
--- a/third_party/nixpkgs/patches/series
+++ b/third_party/nixpkgs/patches/series
@@ -1,7 +1,4 @@
 nvidia-sideband-socket.patch
-pr163673.patch
-pr163678.patch
-pr164025.patch
 pr167221.patch
 networkd-support-more-wg-options.patch
 networkd-global-options.patch