| field | value | date |
|---|---|---|
| author | Johan Thomsen <jth@dbc.dk> | 2020-09-30 15:47:49 +0200 |
| committer | Johan Thomsen <jth@dbc.dk> | 2020-09-30 15:47:49 +0200 |
| commit | 8f5949fd46c9ae3085e55cf3439cda2ee75b35d8 (patch) | |
| tree | 7cc19a8776f1bbd0e17a9dbc573e5f1c55b50ec5 /nixos/modules/system/boot/initrd-ssh.nix | |
| parent | a7474a225f13446b19557e1f8388a64fc2f92fe3 (diff) | |
nixos/initrd-ssh: set more defensive permissions on sshd test key

It looks like the test sshd key can never be used because of too-open permissions. My guess is that the current test script works fine once the user-defined ssh key has been copied into initrd. At "nixos-install", however, the user-specified host key is not present in initrd yet and validation fails. fixes #91486
Diffstat (limited to 'nixos/modules/system/boot/initrd-ssh.nix')

| mode | file | lines |
|---|---|---|
| -rw-r--r-- | nixos/modules/system/boot/initrd-ssh.nix | 7 |

1 files changed, 6 insertions, 1 deletions
diff --git a/nixos/modules/system/boot/initrd-ssh.nix b/nixos/modules/system/boot/initrd-ssh.nix index f7ef2610370..00ac83a1897 100644 --- a/nixos/modules/system/boot/initrd-ssh.nix +++ b/nixos/modules/system/boot/initrd-ssh.nix @@ -159,9 +159,14 @@ in boot.initrd.extraUtilsCommandsTest = '' # sshd requires a host key to check config, so we pass in the test's + tmpkey="$(mktemp initrd-ssh-testkey.XXXXXXXXXX)" + cp "${../../../tests/initrd-network-ssh/ssh_host_ed25519_key}" "$tmpkey" + # keys from Nix store are world-readable, which sshd doesn't like + chmod 600 "$tmpkey" echo -n ${escapeShellArg sshdConfig} | $out/bin/sshd -t -f /dev/stdin \ - -h ${../../../tests/initrd-network-ssh/ssh_host_ed25519_key} + -h "$tmpkey" + rm "$tmpkey" ''; boot.initrd.network.postCommands = '' |
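Review bot: the template in `tmpkey="$(mktemp initrd-ssh-testkey.XXXXXXXXXX)"` has no directory component, so the temporary key is created in the builder's current working directory rather than in the scratch directory the sandbox provides; `mktemp -t initrd-ssh-testkey.XXXXXXXXXX` (or `mktemp -p "$TMPDIR" ...`) would place it under $TMPDIR. Two smaller points on the same hunk: mktemp already creates the file with mode 0600 and a plain `cp` onto an existing file does not change its mode, so `chmod 600 "$tmpkey"` is a harmless belt-and-braces step rather than the thing that fixes the permissions; and because a failing `sshd -t` aborts the test script before `rm "$tmpkey"` is reached, a `trap 'rm -f "$tmpkey"' EXIT` right after the mktemp would guarantee cleanup in both outcomes. The inline comment is accurate as far as it goes: files in the Nix store are world-readable and sshd rejects a private host key whose mode grants group or other access, which is why copying out of the store is needed at all.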