!jtzdZrQSXtEpeGtzAn:nixos.org

Testing with Nix

89 Members
23 Servers


16 Oct 2023
@artturin:matrix.orgArtturin
info = self.get_unit_info(unit, user)
if info["ExecMainStatus"] == "123":
05:53:14
@artturin:matrix.orgArtturin *

check the check_active in wait_for_unit

info = self.get_unit_info(unit, user)
if info["ExecMainStatus"] == "123":
05:53:43
@vengmark2:matrix.orgl0b0

I'm running into something odd while trying this:

server: must succeed: systemd-run --unit=ssh-audit.service --user /nix/store/cqsj9477bs0r92cnvdbnhxhgp3csmzkl-ssh-audit-2.9.0/bin/ssh-audit --client-audit --port=2222
server # Failed to connect to bus: No medium found

06:01:38
@artturin:matrix.orgArtturin The environment is almost completely cleared 06:04:27
@artturin:matrix.orgArtturin
In reply to @vengmark2:matrix.org

I'm running into something odd while trying this:

server: must succeed: systemd-run --unit=ssh-audit.service --user /nix/store/cqsj9477bs0r92cnvdbnhxhgp3csmzkl-ssh-audit-2.9.0/bin/ssh-audit --client-audit --port=2222
server # Failed to connect to bus: No medium found

Oh that's coming from systemd https://github.com/search?q=%2FFailed+to+connect+to+bus%3A+No+medium%2F&type=code
06:06:52
@artturin:matrix.orgArtturin Try no --user 06:07:22
@artturin:matrix.orgArtturin Not a good error :/ 06:08:18
@vengmark2:matrix.orgl0b0 I really wish there was a wait_for_unit_state 06:10:03
@artturin:matrix.orgArtturin Maybe a new arg to wait_for_unit 06:11:39
@artturin:matrix.orgArtturin failState successState 06:12:13
@vengmark2:matrix.orgl0b0

Weird. I just tried this:

    service_name = "ssh-audit.service"
    ${serverName}.succeed(f"systemd-run --unit={service_name} ${pkgs.ssh-audit}/bin/ssh-audit --client-audit --port=${toString sshAuditPort}")
    ${serverName}.wait_for_unit(service_name)
    ${clientName}.execute(
        f"ssh {ssh_options} -i privkey.snakeoil -p ${toString sshAuditPort} ${sshUsername}@server true",
        check_return=False,
        timeout=10
    )
    ${serverName}.succeed(f"exit $(systemctl show --property=ExecMainStatus --value {service_name})")

Couldn't get it to fail when the configuration was bad.

06:15:40
@artturin:matrix.orgArtturin

Btw it's possible to add env vars to the systemd-run env

dbus-update-activation-environment --systemd PATH this would add the PATH

06:17:55
@artturin:matrix.orgArtturin *

Btw it's possible to add env vars to the systemd-run env

dbus-update-activation-environment --systemd PATH this would add the PATH, the sway module has dbus-update-activation-environment --systemd DISPLAY WAYLAND_DISPLAY SWAYSOCK XDG_CURRENT_DESKTOP

06:18:27
@artturin:matrix.orgArtturin
In reply to @vengmark2:matrix.org

Weird. I just tried this:

    service_name = "ssh-audit.service"
    ${serverName}.succeed(f"systemd-run --unit={service_name} ${pkgs.ssh-audit}/bin/ssh-audit --client-audit --port=${toString sshAuditPort}")
    ${serverName}.wait_for_unit(service_name)
    ${clientName}.execute(
        f"ssh {ssh_options} -i privkey.snakeoil -p ${toString sshAuditPort} ${sshUsername}@server true",
        check_return=False,
        timeout=10
    )
    ${serverName}.succeed(f"exit $(systemctl show --property=ExecMainStatus --value {service_name})")

Couldn't get it to fail when the configuration was bad.

All the outputted things should be in the output
06:20:24
@artturin:matrix.orgArtturin did it print the expected output but just didn't fail 06:20:34
@vengmark2:matrix.orgl0b0 OIC, ${serverName}.wait_for_unit(service_name) doesn't wait long enough, so the next line just never talks to ssh-audit. 06:22:36
@vengmark2:matrix.orgl0b0 I think I might still need the sleep(5) then. 06:23:00
@artturin:matrix.orgArtturin hm yeah it just waits for active 06:23:19
@vengmark2:matrix.orgl0b0 Because there's just no way to check that the port is open without shutting down ssh-audit. 06:23:28
@vengmark2:matrix.orgl0b0 Yay, it worked! This is something I've been hoping to be able to do for years. Thank you, Artturin ! 07:05:48
@artturin:matrix.orgArtturin l0b0: That test looks like it could be added to nixpkgs 07:45:32
@artturin:matrix.orgArtturin and added to the package 07:46:15
@artturin:matrix.orgArtturin * and added to the package's passthru.tests 07:46:22
@artturin:matrix.orgArtturin hmm well there's your ssh-server.nix and ssh-client.nix 07:47:28
@artturin:matrix.orgArtturin well if you can think of a way I'm sure it would be useful 07:47:48
@artturin:matrix.orgArtturin Not exactly sure what it's testing 07:48:10
@vengmark2:matrix.orgl0b0 It's checking that my configuration conforms to best practices as recommended by ssh-audit. I'm no SSH/security expert, but at least some of the recommendations make sense. 07:49:19
@vengmark2:matrix.orgl0b0 It might be useful as a demo for what could be considered a secure configuration (at least by some segment of users) "right now", rather than just using the OpenSSH defaults like NixOS does. 07:50:41
@vengmark2:matrix.orgl0b0 Just waiting for a giant 23.05 upgrade (for some reason), will have a look afterwards. 07:51:16
@vengmark2:matrix.orgl0b0 * It's checking that my configuration conforms to best practices as recommended by ssh-audit. I'm no SSH/security expert, but at least some of the recommendations (like not allowing SHA-1 algos) make sense. 07:51:46

