authorMaximilian Bosch <maximilian@mbosch.me>2023-09-27 22:59:13 +0200
committerYt <happysalada@tuta.io>2023-09-28 00:11:31 +0000
commite515dce8924197fceb090d9ba46cbb926a5784eb (patch)
treec113993801ffb87cf7c73cb34df69aa2c184e728
parent248a83fffc10b627da67fa6b25d2c13fc7542628 (diff)
nixos/sshd: fix sshd.conf validity check
When using e.g. `{ addr = "[::]"; port = 22; }` at `listenAddresses`,
the check fails because of an escaping issue[1] with

    last 1 log lines:
    > Invalid test mode specification -f
    For full logs, run 'nix log /nix/store/c6pbpw5hjkjgipmarwyic9zyqr1xaix5-check-sshd-config.drv'

Using `lib.escapeShellArg` appears to solve the problem.

[1] https://github.com/NixOS/nixpkgs/pull/256090#issuecomment-1738063528
-rw-r--r--nixos/modules/services/networking/ssh/sshd.nix2
-rw-r--r--nixos/tests/openssh.nix2
2 files changed, 2 insertions, 2 deletions
diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix
index bf2f5230c73..327d19daca3 100644
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -583,7 +583,7 @@ in
           (lport: "sshd -G -T -C lport=${toString lport} -f ${sshconf} > /dev/null")
           cfg.ports}
         ${concatMapStringsSep "\n"
-          (la: "sshd -G -T -C laddr=${la.addr},lport=${toString la.port} -f ${sshconf} > /dev/null")
+          (la: "sshd -G -T -C ${escapeShellArg "laddr=${la.addr},lport=${toString la.port}"} -f ${sshconf} > /dev/null")
           cfg.listenAddresses}
         touch $out
       '')
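Review bot: The quoting on the added line is correct, but the reason for it is not recorded next to the code: `la.addr` is user configuration interpolated into a shell word, and values such as `[::]` contain glob metacharacters, so without quoting the shell may rewrite or split the word before sshd parses it. A one-line comment above the `concatMapStringsSep` call would spare the next reader a trip to the history, e.g. `# escapeShellArg: addr values like "[::]" contain shell metacharacters`. The `lport=${toString lport}` check on the first context line is left unquoted; ports are integers so that is harmless, but wrapping it the same way would keep the two checks consistent and make it clear that only sshd, never the shell, interprets these arguments. The enclosing derivation (named `check-sshd-config` in the commit message) starts before the hunk.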
diff --git a/nixos/tests/openssh.nix b/nixos/tests/openssh.nix
index d771ffd3e0f..e88625678fe 100644
--- a/nixos/tests/openssh.nix
+++ b/nixos/tests/openssh.nix
@@ -57,7 +57,7 @@ in {
 
       {
         services.openssh = {
-          enable = true; listenAddresses = [ { addr = "127.0.0.1"; port = 22; } ];
+          enable = true; listenAddresses = [ { addr = "127.0.0.1"; port = 22; } { addr = "[::]"; port = 22; } ];
           extraConfig = ''
             # Combined test for two (predictable) Match criterias
             Match LocalAddress 127.0.0.1 LocalPort 22
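Review bot: The added `{ addr = "[::]"; port = 22; }` entry is exercised only through the build-time `check-sshd-config` derivation, so the test proves that the validity check no longer fails, not that sshd actually binds the IPv6 wildcard at runtime. If the rest of the test (which continues past this hunk) does not already do so, a client connection to `[::1]` would confirm that the escaped argument reaches sshd as the intended `ListenAddress`. The existing `Match LocalAddress 127.0.0.1 LocalPort 22` block below still only covers the IPv4 entry.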