d930466b77
Dropbear lags significantly behind OpenSSH both in support for modern key formats like `ssh-ed25519` — let alone the recently introduced U2F/FIDO2-based `sk-ssh-ed25519@openssh.com` (as I found when I switched my `authorizedKeys` over to it and promptly locked myself out of my server's initrd SSH, breaking reboots) — and in security features like multiprocess isolation. Using the same SSH daemon for stage-1 and the main system ensures key formats will always remain compatible, as well as more conveniently allowing the sharing of configuration and host keys. The main reason to use Dropbear over OpenSSH would be initrd space concerns, but NixOS initrds are already large (17 MiB currently on my server), and the size difference between the two isn't huge (the test's initrd goes from 9.7 MiB to 12 MiB with this change). If the size is still a problem, then it would be easy to shrink sshd down to a few hundred kilobytes by using an initrd-specific build that uses musl and disables things like Kerberos support. This passes the test and works on my server, but more rigorous testing and review from people who use initrd SSH would be appreciated!
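import ../make-test-python.nix ({ lib, ... }:

# Integration test: the server brings up networking and an SSH daemon inside
# the initrd (stage 1); the client logs in with a pinned host key and a
# checked-in test key, and the server powers off once that login happened.
{
  name = "initrd-network-ssh";
  meta = with lib.maintainers; {
    maintainers = [ willibutz emily ];
  };

  nodes = with lib; {
    server =
      { config, ... }:
      {
        # Static stage-1 IP configuration on eth1, using the address the test
        # framework assigned to this node (no DHCP in the initrd).
        boot.kernelParams = [
          "ip=${config.networking.primaryIPAddress}:::255.255.255.0::eth1:none"
        ];
        boot.initrd.network = {
          enable = true;
          ssh = {
            enable = true;
            # The key pair and host key in this directory are test fixtures
            # committed to the repository; they must never be reused outside
            # the test.  The client pins ssh_host_ed25519_key.pub below, so a
            # host-key mismatch fails the test instead of passing silently.
            authorizedKeys = [ (readFile ./id_ed25519.pub) ];
            port = 22;
            hostKeys = [ ./ssh_host_ed25519_key ];
          };
        };
        # Park stage 1 in a loop until the client's SSH session has created
        # /fnord, then power off.  The VM never reaches stage 2, so the test
        # only exercises the initrd SSH daemon.
        boot.initrd.preLVMCommands = ''
          while true; do
            if [ -f fnord ]; then
              poweroff
            fi
            sleep 1
          done
        '';
      };

    client =
      { config, nodes, ... }:
      {
        environment.etc = {
          # known_hosts entry pinning the initrd host key for both the name
          # "server" and its IP address.  The address is taken directly from
          # the server node's configuration rather than parsed out of a fixed
          # line of networking.extraHosts, whose ordering the framework owns.
          knownHosts = {
            text = concatStrings [
              "server,"
              "${nodes.server.config.networking.primaryIPAddress} "
              "${readFile ./ssh_host_ed25519_key.pub}"
            ];
          };
          # Private test key for the client; ssh refuses keys readable by
          # other users, hence the mode.
          sshKey = {
            source = ./id_ed25519;
            mode = "0600";
          };
        };
      };
  };

  testScript = ''
    start_all()
    client.wait_for_unit("network.target")


    def ssh_is_up(_) -> bool:
        # retry() calls this with a single flag argument that is not needed.
        status, _ = client.execute("nc -z server 22")
        return status == 0


    with client.nested("waiting for SSH server to come up"):
        retry(ssh_is_up)

    # UserKnownHostsFile points at the pinned host key, so this login also
    # checks that stage 1 serves the configured host key.  Creating /fnord
    # tells the server's stage-1 loop to power off.
    client.succeed(
        "ssh -i /etc/sshKey -o UserKnownHostsFile=/etc/knownHosts server 'touch /fnord'"
    )
    client.shutdown()
  '';
})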