| 16 Oct 2023 |
 Artturin | failState successState | 06:12:13 |
 l0b0 | Weird. I just tried this:
service_name = "ssh-audit.service"
${serverName}.succeed(f"systemd-run --unit={service_name} ${pkgs.ssh-audit}/bin/ssh-audit --client-audit --port=${toString sshAuditPort}")
${serverName}.wait_for_unit(service_name)
${clientName}.execute(
f"ssh {ssh_options} -i privkey.snakeoil -p ${toString sshAuditPort} ${sshUsername}@server true",
check_return=False,
timeout=10
)
${serverName}.succeed(f"exit $(systemctl show --property=ExecMainStatus --value {service_name})")
Couldn't get it to fail when the configuration was bad.
| 06:15:40 |
| Artturin | Btw it's possible to add env vars to the systemd-run env
dbus-update-activation-environment --systemd PATH this would add the PATH
| 06:17:55 |
| Artturin | * Btw it's possible to add env vars to the systemd-run env
dbus-update-activation-environment --systemd PATH this would add the PATH, the sway module has dbus-update-activation-environment --systemd DISPLAY WAYLAND_DISPLAY SWAYSOCK XDG_CURRENT_DESKTOP
| 06:18:27 |
| Artturin | In reply to @vengmark2:matrix.org
Weird. I just tried this:
service_name = "ssh-audit.service"
${serverName}.succeed(f"systemd-run --unit={service_name} ${pkgs.ssh-audit}/bin/ssh-audit --client-audit --port=${toString sshAuditPort}")
${serverName}.wait_for_unit(service_name)
${clientName}.execute(
f"ssh {ssh_options} -i privkey.snakeoil -p ${toString sshAuditPort} ${sshUsername}@server true",
check_return=False,
timeout=10
)
${serverName}.succeed(f"exit $(systemctl show --property=ExecMainStatus --value {service_name})")
Couldn't get it to fail when the configuration was bad.
All the outputted thing should be in the output | 06:20:24 |
| Artturin | did it print the expected output but just didn't fail | 06:20:34 |
| l0b0 | OIC, ${serverName}.wait_for_unit(service_name) doesn't wait long enough, so the next line just never talks to ssh-audit. | 06:22:36 |
| l0b0 | I think I might still need the sleep(5) then. | 06:23:00 |
| Artturin | hm yeah it just waits for active | 06:23:19 |
| l0b0 | Because there's just no way to check that the port is open without shutting down ssh-audit. | 06:23:28 |
| l0b0 | Yay, it worked! This is something I've been hoping to be able to do for years. Thank you, Artturin ! | 07:05:48 |
| Artturin | l0b0: That tests looks like it could be added to nixpkgs | 07:45:32 |
| Artturin | and added to the package | 07:46:15 |
| Artturin | * and added to the package's passthru.tests | 07:46:22 |
| Artturin | hmm well there's your ssh-server.nix and ssh-client.nix | 07:47:28 |
| Artturin | well if you can think of a way im sure it would be useful | 07:47:48 |
| Artturin | Not exactly sure what it's testing | 07:48:10 |
| l0b0 | It's checking that my configuration conforms to best practices as recommended by ssh-audit. I'm no SSH/security expert, but at least some of the recommendations make sense. | 07:49:19 |
| l0b0 | It might be useful as a demo for what could be considered a secure configuration (at least by some segment of users) "right now", rather than just using the OpenSSH defaults like NixOS does. | 07:50:41 |
| l0b0 | Just waiting for a giant 23.05 upgrade (for some reason), will have a look afterwards. | 07:51:16 |
| l0b0 | * It's checking that my configuration conforms to best practices as recommended by ssh-audit. I'm no SSH/security expert, but at least some of the recommendations (like not allowing SHA-1 algos) make sense. | 07:51:46 |
| Artturin | In reply to @vengmark2:matrix.org
Just waiting for a giant 23.05 upgrade (for some reason), will have a look afterwards. staging-next-23.05 was merged a few days ago with security fixes (curl etc) | 07:53:54 |
| l0b0 | https://github.com/NixOS/nixpkgs/pull/261356 - a bit quick, but I gotta sleep. | 08:57:20 |
| 18 Oct 2023 |
|  Alex S changed their display name from ultra (NixOS integrated with PackageKit wen) to Alex S. | 10:00:58 |
| 23 Oct 2023 |
 raitobezarius | I'm adopting https://github.com/NixOS/nixpkgs/pull/157161/files | 12:48:35 |
| raitobezarius | to try to get it sync with the timeout PR | 12:48:43 |
| raitobezarius | so we can have super nice tests | 12:48:46 |
| raitobezarius | nikstur: help me | 12:51:07 |
| raitobezarius | and get blitz to help me too | 12:51:16 |
| 24 Oct 2023 |
| raitobezarius | Robert Hensing (roberth): I see that you recommended testBuildFailure but it relies on drv.overrideAttrs to perform the inversion of success internally | 01:00:50 |
