3p/nixpkgs: remove old PR patches

This commit is contained in:
Luke Granger-Brown 2022-04-04 19:05:49 +00:00
parent 11f8adeb43
commit 6f81c9d464
4 changed files with 0 additions and 711 deletions

View file

@ -1,251 +0,0 @@
From 860cc90fec86ea49d1f73ac5f5920f11afaba28d Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown <git@lukegb.com>
Date: Fri, 11 Mar 2022 13:54:14 +0000
Subject: [PATCH 1/4] pomerium: 0.15.7 -> 0.17.0
---
pkgs/servers/http/pomerium/default.nix | 8 +++-----
1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/pkgs/servers/http/pomerium/default.nix b/pkgs/servers/http/pomerium/default.nix
index cbf2fe1943542..4a8381bccc996 100644
--- a/pkgs/servers/http/pomerium/default.nix
+++ b/pkgs/servers/http/pomerium/default.nix
@@ -11,18 +11,17 @@ let
in
buildGoModule rec {
pname = "pomerium";
- version = "0.15.7";
+ version = "0.17.0";
src = fetchFromGitHub {
owner = "pomerium";
repo = "pomerium";
rev = "v${version}";
- hash = "sha256:0adlk4ylny1z43x1dw3ny0s1932vhb61hpf5wdz4r65y8k9qyfgr";
+ hash = "sha256:1hv76i6k9f0kp527nxlxqhklsvkh2cmfnqlszmlk2hxij31qnf8q";
};
- vendorSha256 = "sha256:1fszfbra84pcs8v1h2kf7iy603vf9v2ysg6il76aqmqrxmb1p7nv";
+ vendorSha256 = "sha256:1cq4m5a7z64yg3v1c68d15ilw78il6p53vaqzxgn338zjggr3kig";
subPackages = [
"cmd/pomerium"
- "cmd/pomerium-cli"
];
ldflags = let
@@ -74,7 +73,6 @@ buildGoModule rec {
installPhase = ''
install -Dm0755 $GOPATH/bin/pomerium $out/bin/pomerium
- install -Dm0755 $GOPATH/bin/pomerium-cli $out/bin/pomerium-cli
'';
passthru.tests = {
From 6659ba52480b2881c89c104370c2e7528fb34a0e Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown <git@lukegb.com>
Date: Fri, 11 Mar 2022 14:01:27 +0000
Subject: [PATCH 2/4] pomerium-cli: init at 0.17.0
---
pkgs/servers/http/pomerium/default.nix | 2 +
pkgs/tools/security/pomerium-cli/default.nix | 58 ++++++++++++++++++++
pkgs/top-level/all-packages.nix | 1 +
3 files changed, 61 insertions(+)
create mode 100644 pkgs/tools/security/pomerium-cli/default.nix
diff --git a/pkgs/servers/http/pomerium/default.nix b/pkgs/servers/http/pomerium/default.nix
index 4a8381bccc996..8a5580d5d0dba 100644
--- a/pkgs/servers/http/pomerium/default.nix
+++ b/pkgs/servers/http/pomerium/default.nix
@@ -4,6 +4,7 @@
, envoy
, zip
, nixosTests
+, pomerium-cli
}:
let
@@ -77,6 +78,7 @@ buildGoModule rec {
passthru.tests = {
inherit (nixosTests) pomerium;
+ inherit pomerium-cli;
};
meta = with lib; {
diff --git a/pkgs/tools/security/pomerium-cli/default.nix b/pkgs/tools/security/pomerium-cli/default.nix
new file mode 100644
index 0000000000000..7dc7e3a7a903c
--- /dev/null
+++ b/pkgs/tools/security/pomerium-cli/default.nix
@@ -0,0 +1,58 @@
+{ buildGoModule
+, fetchFromGitHub
+, lib
+, pomerium
+}:
+
+let
+ inherit (lib) concatStringsSep concatMap id mapAttrsToList;
+in
+buildGoModule rec {
+ pname = "pomerium-cli";
+ version = pomerium.version;
+ src = fetchFromGitHub {
+ owner = "pomerium";
+ repo = "cli";
+ rev = "v${version}";
+ hash = "sha256:0230b22xjnpykj8bcdahzzlsvlrd63z2cmg6yb246c5ngjs835q1";
+ };
+
+ vendorSha256 = "sha256:0xx22lmh6wip1d1bjrp4lgab3q9yilw54v4lg24lf3xhbsr5si9b";
+ subPackages = [
+ "cmd/pomerium-cli"
+ ];
+
+ ldflags = let
+ # Set a variety of useful meta variables for stamping the build with.
+ setVars = {
+ "github.com/pomerium/cli/version" = {
+ Version = "v${version}";
+ BuildMeta = "nixpkgs";
+ ProjectName = "pomerium-cli";
+ ProjectURL = "github.com/pomerium/cli";
+ };
+ };
+ concatStringsSpace = list: concatStringsSep " " list;
+ mapAttrsToFlatList = fn: list: concatMap id (mapAttrsToList fn list);
+ varFlags = concatStringsSpace (
+ mapAttrsToFlatList (package: packageVars:
+ mapAttrsToList (variable: value:
+ "-X ${package}.${variable}=${value}"
+ ) packageVars
+ ) setVars);
+ in [
+ "${varFlags}"
+ ];
+
+ installPhase = ''
+ install -Dm0755 $GOPATH/bin/pomerium-cli $out/bin/pomerium-cli
+ '';
+
+ meta = with lib; {
+ homepage = "https://pomerium.io";
+ description = "Client-side helper for Pomerium authenticating reverse proxy";
+ license = licenses.asl20;
+ maintainers = with maintainers; [ lukegb ];
+ platforms = platforms.unix;
+ };
+}
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index a2880d70e6457..7b01dfe3fe72d 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -21613,6 +21613,7 @@ with pkgs;
pflogsumm = callPackage ../servers/mail/postfix/pflogsumm.nix { };
pomerium = callPackage ../servers/http/pomerium { };
+ pomerium-cli = callPackage ../tools/security/pomerium-cli { };
postgrey = callPackage ../servers/mail/postgrey { };
From 3004e58f6a0817080f40db34dc96fdf4d5da6c18 Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown <git@lukegb.com>
Date: Fri, 11 Mar 2022 14:03:22 +0000
Subject: [PATCH 3/4] nixos/pomerium: avoid blocking when renewing ACME
certificates
---
nixos/modules/services/web-servers/pomerium.nix | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/nixos/modules/services/web-servers/pomerium.nix b/nixos/modules/services/web-servers/pomerium.nix
index 2bc7d01c7c287..0b460755f50ef 100644
--- a/nixos/modules/services/web-servers/pomerium.nix
+++ b/nixos/modules/services/web-servers/pomerium.nix
@@ -69,11 +69,16 @@ in
CERTIFICATE_KEY_FILE = "key.pem";
};
startLimitIntervalSec = 60;
+ script = ''
+ if [[ -v CREDENTIALS_DIRECTORY ]]; then
+ cd "$CREDENTIALS_DIRECTORY"
+ fi
+ exec "${pkgs.pomerium}/bin/pomerium" -config "${cfgFile}"
+ '';
serviceConfig = {
DynamicUser = true;
StateDirectory = [ "pomerium" ];
- ExecStart = "${pkgs.pomerium}/bin/pomerium -config ${cfgFile}";
PrivateUsers = false; # breaks CAP_NET_BIND_SERVICE
MemoryDenyWriteExecute = false; # breaks LuaJIT
@@ -99,7 +104,6 @@ in
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
- WorkingDirectory = mkIf (cfg.useACMEHost != null) "$CREDENTIALS_DIRECTORY";
LoadCredential = optionals (cfg.useACMEHost != null) [
"fullchain.pem:/var/lib/acme/${cfg.useACMEHost}/fullchain.pem"
"key.pem:/var/lib/acme/${cfg.useACMEHost}/key.pem"
@@ -124,7 +128,7 @@ in
Type = "oneshot";
TimeoutSec = 60;
ExecCondition = "/run/current-system/systemd/bin/systemctl -q is-active pomerium.service";
- ExecStart = "/run/current-system/systemd/bin/systemctl restart pomerium.service";
+ ExecStart = "/run/current-system/systemd/bin/systemctl --no-block restart pomerium.service";
};
};
});
From c19e76b29f7bd0d225ab89feb0a3726676f915c8 Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown <git@lukegb.com>
Date: Fri, 11 Mar 2022 14:07:12 +0000
Subject: [PATCH 4/4] pomerium: note changes in packaging in 22.05 release
notes
---
.../manual/from_md/release-notes/rl-2205.section.xml | 10 ++++++++++
nixos/doc/manual/release-notes/rl-2205.section.md | 5 +++++
2 files changed, 15 insertions(+)
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
index 9cf27e56827a1..333994c0957d6 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
@@ -1322,6 +1322,16 @@
warning.
</para>
</listitem>
+ <listitem>
+ <para>
+ The <literal>pomerium-cli</literal> command has been moved out
+ of the <literal>pomerium</literal> package into the
+ <literal>pomerium-cli</literal> package, following upstreams
+ repository split. If you are using the
+ <literal>pomerium-cli</literal> command, you should now
+ install the <literal>pomerium-cli</literal> package.
+ </para>
+ </listitem>
<listitem>
<para>
The option
diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md
index 58a1b23d17bf6..222c101a2842d 100644
--- a/nixos/doc/manual/release-notes/rl-2205.section.md
+++ b/nixos/doc/manual/release-notes/rl-2205.section.md
@@ -479,6 +479,11 @@ In addition to numerous new and upgraded packages, this release has the followin
Reason is that the old name has been deprecated upstream.
Using the old option name will still work, but produce a warning.
+- The `pomerium-cli` command has been moved out of the `pomerium` package into
+ the `pomerium-cli` package, following upstream's repository split. If you are
+ using the `pomerium-cli` command, you should now install the `pomerium-cli`
+ package.
+
- The option
[services.networking.networkmanager.enableFccUnlock](#opt-networking.networkmanager.enableFccUnlock)
was added to support FCC unlock procedures. Since release 1.18.4, the ModemManager

View file

@ -1,24 +0,0 @@
From f491e8c3326f102c0ef45f6b0abe0868d6df5bbd Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown <git@lukegb.com>
Date: Fri, 11 Mar 2022 15:42:05 +0000
Subject: [PATCH] mercurial: disable all non-essential phases in withExtensions
---
pkgs/applications/version-management/mercurial/default.nix | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/pkgs/applications/version-management/mercurial/default.nix b/pkgs/applications/version-management/mercurial/default.nix
index 17d21f30e3b24..0124cf0646e5e 100644
--- a/pkgs/applications/version-management/mercurial/default.nix
+++ b/pkgs/applications/version-management/mercurial/default.nix
@@ -181,6 +181,10 @@ in
nativeBuildInputs = self.nativeBuildInputs;
dontUnpack = true;
+ dontPatch = true;
+ dontConfigure = true;
+ dontBuild = true;
+ doCheck = false;
installPhase = ''
runHook preInstall

View file

@ -1,433 +0,0 @@
From f63d93bc3d0ad73b24b2cf9c0ee0381161071395 Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown <git@lukegb.com>
Date: Sun, 13 Mar 2022 17:20:16 +0000
Subject: [PATCH 1/2] pam_ussh: init at unstable-20210615
---
pkgs/os-specific/linux/pam_ussh/default.nix | 64 +++++++++++++++++++++
pkgs/os-specific/linux/pam_ussh/go.mod | 15 +++++
pkgs/top-level/all-packages.nix | 2 +
3 files changed, 81 insertions(+)
create mode 100644 pkgs/os-specific/linux/pam_ussh/default.nix
create mode 100644 pkgs/os-specific/linux/pam_ussh/go.mod
diff --git a/pkgs/os-specific/linux/pam_ussh/default.nix b/pkgs/os-specific/linux/pam_ussh/default.nix
new file mode 100644
index 0000000000000..499239500acce
--- /dev/null
+++ b/pkgs/os-specific/linux/pam_ussh/default.nix
@@ -0,0 +1,64 @@
+{ buildGoModule
+, fetchFromGitHub
+, pam
+, lib
+}:
+
+buildGoModule rec {
+ pname = "pam_ussh";
+ version = "unstable-20210615";
+
+ src = fetchFromGitHub {
+ owner = "uber";
+ repo = "pam-ussh";
+ rev = "e9524bda90ba19d3b9eb24f49cb63a6a56a19193"; # HEAD as of 2022-03-13
+ sha256 = "0nb9hpqbghgi3zvq41kabydzyc6ffaaw9b4jkc5jrwn1klpw1xk8";
+ };
+
+ prePatch = ''
+ cp ${./go.mod} go.mod
+ '';
+ overrideModAttrs = (_: {
+ inherit prePatch;
+ });
+
+ vendorSha256 = "0hjifc3kbwmx7kjn858vi05cwwra6q19cqjfd94k726pwhk37qkw";
+
+ buildInputs = [
+ pam
+ ];
+
+ buildPhase = ''
+ runHook preBuild
+
+ if [ -z "$enableParallelBuilding" ]; then
+ export NIX_BUILD_CORES=1
+ fi
+ go build -buildmode=c-shared -o pam_ussh.so -v -p $NIX_BUILD_CORES .
+
+ runHook postBuild
+ '';
+ checkPhase = ''
+ runHook preCheck
+
+ go test -v -p $NIX_BUILD_CORES .
+
+ runHook postCheck
+ '';
+ installPhase = ''
+ runHook preInstall
+
+ mkdir -p $out/lib/security
+ cp pam_ussh.so $out/lib/security
+
+ runHook postInstall
+ '';
+
+ meta = with lib; {
+ homepage = "https://github.com/uber/pam-ussh";
+ description = "PAM module to authenticate using SSH certificates";
+ license = licenses.mit;
+ platforms = platforms.linux;
+ maintainers = with maintainers; [ lukegb ];
+ };
+}
diff --git a/pkgs/os-specific/linux/pam_ussh/go.mod b/pkgs/os-specific/linux/pam_ussh/go.mod
new file mode 100644
index 0000000000000..9adc453560a43
--- /dev/null
+++ b/pkgs/os-specific/linux/pam_ussh/go.mod
@@ -0,0 +1,15 @@
+module github.com/uber/pam-ussh
+
+go 1.17
+
+require (
+ github.com/stretchr/testify v1.7.0
+ golang.org/x/crypto v0.0.0-20220313003712-b769efc7c000
+)
+
+require (
+ github.com/davecgh/go-spew v1.1.0 // indirect
+ github.com/pmezard/go-difflib v1.0.0 // indirect
+ golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 // indirect
+ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c // indirect
+)
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 6c6832ae05475..539ecd4ec481b 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -23052,6 +23052,8 @@ with pkgs;
pam_usb = callPackage ../os-specific/linux/pam_usb { };
+ pam_ussh = callPackage ../os-specific/linux/pam_ussh { };
+
paxctl = callPackage ../os-specific/linux/paxctl { };
paxtest = callPackage ../os-specific/linux/paxtest { };
From 1853015550a78acbc3e9d090d174120796c4b784 Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown <git@lukegb.com>
Date: Sun, 13 Mar 2022 17:20:23 +0000
Subject: [PATCH 2/2] nixos/pam: add support for pam-ussh
pam-ussh allows authorizing using an SSH certificate stored in your
SSH agent, in a similar manner to pam-ssh-agent-auth, but for
certificates rather than raw public keys.
---
.../from_md/release-notes/rl-2205.section.xml | 9 ++
.../manual/release-notes/rl-2205.section.md | 2 +
nixos/modules/security/pam.nix | 109 ++++++++++++++++++
nixos/modules/security/sudo.nix | 2 +-
nixos/tests/all-tests.nix | 1 +
nixos/tests/pam/pam-ussh.nix | 70 +++++++++++
pkgs/os-specific/linux/pam_ussh/default.nix | 3 +
7 files changed, 195 insertions(+), 1 deletion(-)
create mode 100644 nixos/tests/pam/pam-ussh.nix
diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
index 9cf27e56827a1..ede0e10e03466 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
@@ -1286,6 +1286,15 @@
been added by default.
</para>
</listitem>
+ <listitem>
+ <para>
+ <literal>security.pam.ussh</literal> has been added, which
+ allows authorizing PAM sessions based on SSH
+ <emphasis>certificates</emphasis> held within an SSH agent,
+ using
+ <link xlink:href="https://github.com/uber/pam-ussh">pam-ussh</link>.
+ </para>
+ </listitem>
<listitem>
<para>
The <literal>zrepl</literal> package has been updated from
diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md
index 58a1b23d17bf6..90ac7e90e7295 100644
--- a/nixos/doc/manual/release-notes/rl-2205.section.md
+++ b/nixos/doc/manual/release-notes/rl-2205.section.md
@@ -470,6 +470,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- `services.logrotate.enable` now defaults to true if any rotate path has
been defined, and some paths have been added by default.
+- `security.pam.ussh` has been added, which allows authorizing PAM sessions based on SSH _certificates_ held within an SSH agent, using [pam-ussh](https://github.com/uber/pam-ussh).
+
- The `zrepl` package has been updated from 0.4.0 to 0.5:
- The RPC protocol version was bumped; all zrepl daemons in a setup must be updated and restarted before replication can resume.
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index c0ef8b5f30bd4..f9697d61f1b27 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -61,6 +61,19 @@ let
'';
};
+ usshAuth = mkOption {
+ default = false;
+ type = types.bool;
+ description = ''
+ If set, users with an SSH certificate containing an authorized principal
+ in their SSH agent are able to log in. Specific options are controlled
+ using the <option>security.pam.ussh</option> options.
+
+ Note that the <option>security.pam.ussh.enable</option> must also be
+ set for this option to take effect.
+ '';
+ };
+
yubicoAuth = mkOption {
default = config.security.pam.yubico.enable;
defaultText = literalExpression "config.security.pam.yubico.enable";
@@ -475,6 +488,9 @@ let
optionalString cfg.usbAuth ''
auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so
'' +
+ (let ussh = config.security.pam.ussh; in optionalString (config.security.pam.ussh.enable && cfg.usshAuth) ''
+ auth ${ussh.control} ${pkgs.pam_ussh}/lib/security/pam_ussh.so ${optionalString (ussh.caFile != null) "ca_file=${ussh.caFile}"} ${optionalString (ussh.authorizedPrincipals != null) "authorized_principals=${ussh.authorizedPrincipals}"} ${optionalString (ussh.authorizedPrincipalsFile != null) "authorized_principals_file=${ussh.authorizedPrincipalsFile}"} ${optionalString (ussh.group != null) "group=${ussh.group}"}
+ '') +
(let oath = config.security.pam.oath; in optionalString cfg.oathAuth ''
auth requisite ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}
'') +
@@ -926,6 +942,96 @@ in
};
};
+ security.pam.ussh = {
+ enable = mkOption {
+ default = false;
+ type = types.bool;
+ description = ''
+ Enables Uber's USSH PAM (<literal>pam-ussh</literal>) module.
+
+ This is similar to <literal>pam-ssh-agent</literal>, except that
+ the presence of a CA-signed SSH key with a valid principal is checked
+ instead.
+
+ Note that this module must both be enabled using this option and on a
+ per-PAM-service level as well (using <literal>usshAuth</literal>).
+
+ More information can be found <link
+ xlink:href="https://github.com/uber/pam-ussh">here</link>.
+ '';
+ };
+
+ caFile = mkOption {
+ default = null;
+ type = with types; nullOr path;
+ description = ''
+ By default <literal>pam-ussh</literal> reads the trusted user CA keys
+ from <filename>/etc/ssh/trusted_user_ca</filename>.
+
+ This should be set the same as your <literal>TrustedUserCAKeys</literal>
+ option for sshd.
+ '';
+ };
+
+ authorizedPrincipals = mkOption {
+ default = null;
+ type = with types; nullOr commas;
+ description = ''
+ Comma-separated list of authorized principals to permit; if the user
+ presents a certificate with one of these principals, then they will be
+ authorized.
+
+ Note that <literal>pam-ussh</literal> also requires that the certificate
+ contain a principal matching the user's username. The principals from
+ this list are in addition to those principals.
+
+ Mutually exclusive with <literal>authorizedPrincipalsFile</literal>.
+ '';
+ };
+
+ authorizedPrincipalsFile = mkOption {
+ default = null;
+ type = with types; nullOr path;
+ description = ''
+ Path to a list of principals; if the user presents a certificate with
+ one of these principals, then they will be authorized.
+
+ Note that <literal>pam-ussh</literal> also requires that the certificate
+ contain a principal matching the user's username. The principals from
+ this file are in addition to those principals.
+
+ Mutually exclusive with <literal>authorizedPrincipals</literal>.
+ '';
+ };
+
+ group = mkOption {
+ default = null;
+ type = with types; nullOr str;
+ description = ''
+ If set, then the authenticating user must be a member of this group
+ to use this module.
+ '';
+ };
+
+ control = mkOption {
+ default = "sufficient";
+ type = types.enum [ "required" "requisite" "sufficient" "optional" ];
+ description = ''
+ This option sets pam "control".
+ If you want to have multi factor authentication, use "required".
+ If you want to use the SSH certificate instead of the regular password,
+ use "sufficient".
+
+ Read
+ <citerefentry>
+ <refentrytitle>pam.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ </citerefentry>
+ for better understanding of this option.
+ '';
+ };
+ };
+
security.pam.yubico = {
enable = mkOption {
default = false;
@@ -1110,6 +1216,9 @@ in
optionalString (isEnabled (cfg: cfg.usbAuth)) ''
mr ${pkgs.pam_usb}/lib/security/pam_usb.so,
'' +
+ optionalString (isEnabled (cfg: cfg.usshAuth)) ''
+ mr ${pkgs.pam_ussh}/lib/security/pam_ussh.so,
+ '' +
optionalString (isEnabled (cfg: cfg.oathAuth)) ''
"mr ${pkgs.oathToolkit}/lib/security/pam_oath.so,
'' +
diff --git a/nixos/modules/security/sudo.nix b/nixos/modules/security/sudo.nix
index 99e578f8adae6..4bf239fca8f90 100644
--- a/nixos/modules/security/sudo.nix
+++ b/nixos/modules/security/sudo.nix
@@ -245,7 +245,7 @@ in
environment.systemPackages = [ sudo ];
- security.pam.services.sudo = { sshAgentAuth = true; };
+ security.pam.services.sudo = { sshAgentAuth = true; usshAuth = true; };
environment.etc.sudoers =
{ source =
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 043d8a56d0c63..1ed12c54c5752 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -388,6 +388,7 @@ in
pam-file-contents = handleTest ./pam/pam-file-contents.nix {};
pam-oath-login = handleTest ./pam/pam-oath-login.nix {};
pam-u2f = handleTest ./pam/pam-u2f.nix {};
+ pam-ussh = handleTest ./pam/pam-ussh.nix {};
pantalaimon = handleTest ./matrix/pantalaimon.nix {};
pantheon = handleTest ./pantheon.nix {};
paperless-ng = handleTest ./paperless-ng.nix {};
diff --git a/nixos/tests/pam/pam-ussh.nix b/nixos/tests/pam/pam-ussh.nix
new file mode 100644
index 0000000000000..ba0570dbf97d2
--- /dev/null
+++ b/nixos/tests/pam/pam-ussh.nix
@@ -0,0 +1,70 @@
+import ../make-test-python.nix ({ pkgs, lib, ... }:
+
+let
+ testOnlySSHCredentials = pkgs.runCommand "pam-ussh-test-ca" {
+ nativeBuildInputs = [ pkgs.openssh ];
+ } ''
+ mkdir $out
+ ssh-keygen -t ed25519 -N "" -f $out/ca
+
+ ssh-keygen -t ed25519 -N "" -f $out/alice
+ ssh-keygen -s $out/ca -I "alice user key" -n "alice,root" -V 19700101:forever $out/alice.pub
+
+ ssh-keygen -t ed25519 -N "" -f $out/bob
+ ssh-keygen -s $out/ca -I "bob user key" -n "bob" -V 19700101:forever $out/bob.pub
+ '';
+ makeTestScript = user: pkgs.writeShellScript "pam-ussh-${user}-test-script" ''
+ set -euo pipefail
+
+ eval $(${pkgs.openssh}/bin/ssh-agent)
+
+ mkdir -p $HOME/.ssh
+ chmod 700 $HOME/.ssh
+ cp ${testOnlySSHCredentials}/${user}{,.pub,-cert.pub} $HOME/.ssh
+ chmod 600 $HOME/.ssh/${user}
+ chmod 644 $HOME/.ssh/${user}{,-cert}.pub
+
+ set -x
+
+ ${pkgs.openssh}/bin/ssh-add $HOME/.ssh/${user}
+ ${pkgs.openssh}/bin/ssh-add -l &>2
+
+ exec sudo id -u -n
+ '';
+in {
+ name = "pam-ussh";
+ meta.maintainers = with lib.maintainers; [ lukegb ];
+
+ machine =
+ { ... }:
+ {
+ users.users.alice = { isNormalUser = true; extraGroups = [ "wheel" ]; };
+ users.users.bob = { isNormalUser = true; extraGroups = [ "wheel" ]; };
+
+ security.pam.ussh = {
+ enable = true;
+ authorizedPrincipals = "root";
+ caFile = "${testOnlySSHCredentials}/ca.pub";
+ };
+
+ security.sudo = {
+ enable = true;
+ extraConfig = ''
+ Defaults lecture="never"
+ '';
+ };
+ };
+
+ testScript =
+ ''
+ with subtest("alice should be allowed to escalate to root"):
+ machine.succeed(
+ 'su -c "${makeTestScript "alice"}" -l alice | grep root'
+ )
+
+ with subtest("bob should not be allowed to escalate to root"):
+ machine.fail(
+ 'su -c "${makeTestScript "bob"}" -l bob | grep root'
+ )
+ '';
+})
diff --git a/pkgs/os-specific/linux/pam_ussh/default.nix b/pkgs/os-specific/linux/pam_ussh/default.nix
index 499239500acce..889c8bc6f57cf 100644
--- a/pkgs/os-specific/linux/pam_ussh/default.nix
+++ b/pkgs/os-specific/linux/pam_ussh/default.nix
@@ -2,6 +2,7 @@
, fetchFromGitHub
, pam
, lib
+, nixosTests
}:
buildGoModule rec {
@@ -54,6 +55,8 @@ buildGoModule rec {
runHook postInstall
'';
+ passthru.tests = { inherit (nixosTests) pam-ussh; };
+
meta = with lib; {
homepage = "https://github.com/uber/pam-ussh";
description = "PAM module to authenticate using SSH certificates";

View file

@ -1,7 +1,4 @@
nvidia-sideband-socket.patch
pr163673.patch
pr163678.patch
pr164025.patch
pr167221.patch
networkd-support-more-wg-options.patch
networkd-global-options.patch