2020-03-04 12:35:06 +03:00
#!/usr/bin/env bash
2021-10-17 19:13:06 +03:00
# SPDX-License-Identifier: LGPL-2.1-or-later
2021-04-09 20:39:41 +03:00
set -eux
2019-07-07 18:30:15 +03:00
set -o pipefail
# Check if homectl is installed, and if it isn't bail out early instead of failing
if ! test -x /usr/bin/homectl ; then
2021-12-16 21:32:01 +03:00
echo "no homed" >/skipped
2024-04-02 21:37:30 +03:00
exit 77
2019-07-07 18:30:15 +03:00
fi
inspect( ) {
2021-04-08 11:34:53 +03:00
# As updating disk-size-related attributes can take some time on some
# filesystems, let's drop these fields before comparing the outputs to
# avoid unexpected fails. To see the full outputs of both homectl &
# userdbctl (for debugging purposes) drop the fields just before the
# comparison.
2022-05-04 09:24:06 +03:00
local USERNAME = " ${ 1 : ? } "
2021-04-09 20:49:32 +03:00
homectl inspect " $USERNAME " | tee /tmp/a
userdbctl user " $USERNAME " | tee /tmp/b
2021-04-08 11:34:53 +03:00
2021-11-18 19:19:03 +03:00
# diff uses the grep BREs for pattern matching
2024-05-09 10:40:16 +03:00
diff -I '^\s*Disk \(Size\|Free\|Floor\|Ceiling\|Usage\):' /tmp/{ a,b}
2021-04-08 11:34:53 +03:00
rm /tmp/{ a,b}
2021-11-25 12:48:52 +03:00
homectl inspect --json= pretty " $USERNAME "
2019-07-07 18:30:15 +03:00
}
2021-12-22 09:43:05 +03:00
wait_for_state( ) {
2023-04-07 11:17:15 +03:00
for i in { 1..10} ; do
( ( i > 1 ) ) && sleep 0.5
2021-12-22 09:43:05 +03:00
homectl inspect " $1 " | grep -qF " State: $2 " && break
done
}
2024-05-06 12:46:52 +03:00
FSTYPE = " $( stat --file-system --format "%T" /) "
2024-05-14 10:20:21 +03:00
systemctl start systemd-homed.service systemd-userdbd.socket
2019-07-07 18:30:15 +03:00
systemd-analyze log-level debug
2021-11-25 16:32:19 +03:00
systemctl service-log-level systemd-homed debug
2019-07-07 18:30:15 +03:00
2021-11-17 12:22:20 +03:00
# Create a tmpfs to use as backing store for the home dir. That way we can enforce a size limit nicely.
2021-11-25 12:48:52 +03:00
mkdir -p /home
mount -t tmpfs tmpfs /home -o size = 290M
2021-11-17 12:22:20 +03:00
2021-11-15 18:21:37 +03:00
# we enable --luks-discard= since we run our tests in a tight VM, hence don't
2021-11-17 12:22:20 +03:00
# needlessly pressure for storage. We also set the cheapest KDF, since we don't
2024-03-05 20:25:42 +03:00
# want to waste CI CPU cycles on it. We also effectively disable rate-limiting on
# the user by allowing 1000 logins per second
2021-11-17 12:22:20 +03:00
NEWPASSWORD = xEhErW0ndafV4s homectl create test-user \
2021-11-19 11:58:50 +03:00
--disk-size= min \
2021-11-17 12:22:20 +03:00
--luks-discard= yes \
2021-11-25 12:48:52 +03:00
--image-path= /home/test-user.home \
2021-11-17 12:22:20 +03:00
--luks-pbkdf-type= pbkdf2 \
2024-03-05 20:25:42 +03:00
--luks-pbkdf-time-cost= 1ms \
--rate-limit-interval= 1s \
--rate-limit-burst= 1000
2019-07-07 18:30:15 +03:00
inspect test-user
PASSWORD = xEhErW0ndafV4s homectl authenticate test-user
PASSWORD = xEhErW0ndafV4s homectl activate test-user
inspect test-user
PASSWORD = xEhErW0ndafV4s homectl update test-user --real-name= "Inline test"
inspect test-user
homectl deactivate test-user
inspect test-user
PASSWORD = xEhErW0ndafV4s NEWPASSWORD = yPN4N0fYNKUkOq homectl passwd test-user
inspect test-user
PASSWORD = yPN4N0fYNKUkOq homectl activate test-user
inspect test-user
SYSTEMD_LOG_LEVEL = debug PASSWORD = yPN4N0fYNKUkOq NEWPASSWORD = xEhErW0ndafV4s homectl passwd test-user
inspect test-user
homectl deactivate test-user
inspect test-user
2024-02-01 21:35:03 +03:00
homectl update test-user --real-name "Offline test" --offline
inspect test-user
2019-07-07 18:30:15 +03:00
PASSWORD = xEhErW0ndafV4s homectl activate test-user
inspect test-user
2024-02-01 21:35:03 +03:00
# Ensure that the offline changes were propagated in
grep "Offline test" /home/test-user/.identity
2021-11-25 12:58:50 +03:00
homectl deactivate test-user
2019-07-07 18:30:15 +03:00
inspect test-user
2024-02-01 21:35:03 +03:00
PASSWORD = xEhErW0ndafV4s homectl update test-user --real-name= "Inactive test"
2019-07-07 18:30:15 +03:00
inspect test-user
PASSWORD = xEhErW0ndafV4s homectl activate test-user
inspect test-user
2021-11-25 12:58:50 +03:00
homectl deactivate test-user
2019-07-07 18:30:15 +03:00
inspect test-user
2024-02-01 19:43:48 +03:00
# Do some keyring tests, but only on real kernels, since keyring access inside of containers will fail
# (See: https://github.com/systemd/systemd/issues/17606)
if ! systemd-detect-virt -cq ; then
PASSWORD = xEhErW0ndafV4s homectl activate test-user
inspect test-user
# Key should now be in the keyring
homectl update test-user --real-name "Keyring Test"
inspect test-user
# These commands shouldn't use the keyring
( ! timeout 5s homectl authenticate test-user )
( ! NEWPASSWORD = "foobar" timeout 5s homectl passwd test-user )
homectl lock test-user
inspect test-user
# Key should be gone from keyring
( ! timeout 5s homectl update test-user --real-name "Keyring Test 2" )
PASSWORD = xEhErW0ndafV4s homectl unlock test-user
inspect test-user
# Key should have been re-instantiated into the keyring
homectl update test-user --real-name "Keyring Test 3"
inspect test-user
homectl deactivate test-user
inspect test-user
fi
2024-05-06 12:46:52 +03:00
# Do some resize tests, but only if we run on real kernels and are on btrfs, as quota inside of containers
# will fail and minimizing while active only works on btrfs.
if ! systemd-detect-virt -cq && [ [ " $FSTYPE " = = "btrfs" ] ] ; then
2021-11-16 12:51:35 +03:00
# grow while inactive
PASSWORD = xEhErW0ndafV4s homectl resize test-user 300M
inspect test-user
# minimize while inactive
2021-10-29 15:34:24 +03:00
PASSWORD = xEhErW0ndafV4s homectl resize test-user min
2021-11-16 12:51:35 +03:00
inspect test-user
PASSWORD = xEhErW0ndafV4s homectl activate test-user
inspect test-user
# grow while active
2021-10-29 15:34:24 +03:00
PASSWORD = xEhErW0ndafV4s homectl resize test-user max
2021-11-16 12:51:35 +03:00
inspect test-user
# minimize while active
PASSWORD = xEhErW0ndafV4s homectl resize test-user 0
inspect test-user
# grow while active
PASSWORD = xEhErW0ndafV4s homectl resize test-user 300M
inspect test-user
# shrink to original size while active
PASSWORD = xEhErW0ndafV4s homectl resize test-user 256M
inspect test-user
2021-11-25 12:48:52 +03:00
# minimize again
PASSWORD = xEhErW0ndafV4s homectl resize test-user min
inspect test-user
# Increase space, so that we can reasonably rebalance free space between to home dirs
mount /home -o remount,size= 800M
# create second user
NEWPASSWORD = uuXoo8ei homectl create test-user2 \
--disk-size= min \
--luks-discard= yes \
--image-path= /home/test-user2.home \
--luks-pbkdf-type= pbkdf2 \
2024-03-05 20:25:42 +03:00
--luks-pbkdf-time-cost= 1ms \
--rate-limit-interval= 1s \
--rate-limit-burst= 1000
2021-11-25 12:48:52 +03:00
inspect test-user2
# activate second user
PASSWORD = uuXoo8ei homectl activate test-user2
inspect test-user2
# set second user's rebalance weight to 100
PASSWORD = uuXoo8ei homectl update test-user2 --rebalance-weight= 100
inspect test-user2
# set first user's rebalance weight to quarter of that of the second
PASSWORD = xEhErW0ndafV4s homectl update test-user --rebalance-weight= 25
inspect test-user
# synchronously rebalance
homectl rebalance
2021-11-16 12:51:35 +03:00
inspect test-user
2021-11-25 12:48:52 +03:00
inspect test-user2
2024-02-01 19:43:48 +03:00
wait_for_state test-user2 active
homectl deactivate test-user2
wait_for_state test-user2 inactive
homectl remove test-user2
2021-11-16 12:51:35 +03:00
fi
2021-04-08 11:34:28 +03:00
PASSWORD = xEhErW0ndafV4s homectl with test-user -- test ! -f /home/test-user/xyz
2023-04-05 16:50:42 +03:00
( ! PASSWORD = xEhErW0ndafV4s homectl with test-user -- test -f /home/test-user/xyz)
2019-07-07 18:30:15 +03:00
PASSWORD = xEhErW0ndafV4s homectl with test-user -- touch /home/test-user/xyz
PASSWORD = xEhErW0ndafV4s homectl with test-user -- test -f /home/test-user/xyz
2024-03-05 20:25:42 +03:00
PASSWORD = xEhErW0ndafV4s homectl with test-user -- rm /home/test-user/xyz
PASSWORD = xEhErW0ndafV4s homectl with test-user -- test ! -f /home/test-user/xyz
( ! PASSWORD = xEhErW0ndafV4s homectl with test-user -- test -f /home/test-user/xyz)
2019-07-07 18:30:15 +03:00
2024-03-22 02:28:38 +03:00
# Regression tests
wait_for_state test-user inactive
/usr/lib/systemd/tests/unit-tests/manual/test-homed-regression-31896 test-user
2021-12-22 09:43:05 +03:00
wait_for_state test-user inactive
2019-07-07 18:30:15 +03:00
homectl remove test-user
2024-01-12 02:23:47 +03:00
# blob directory tests
# See docs/USER_RECORD_BLOB_DIRS.md
checkblob( ) {
test -f " /var/cache/systemd/home/blob-user/ $1 "
stat -c "%u %#a" " /var/cache/systemd/home/blob-user/ $1 " | grep "^0 0644"
test -f " /home/blob-user/.identity-blob/ $1 "
stat -c "%u %#a" " /home/blob-user/.identity-blob/ $1 " | grep "^12345 0644"
diff " /var/cache/systemd/home/blob-user/ $1 " " $2 "
diff " /var/cache/systemd/home/blob-user/ $1 " " /home/blob-user/.identity-blob/ $1 "
}
mkdir /tmp/blob1 /tmp/blob2
2024-03-15 12:54:56 +03:00
echo data1 blob1 >/tmp/blob1/test1
echo data1 blob2 >/tmp/blob2/test1
echo data2 blob1 >/tmp/blob1/test2
echo data2 blob2 >/tmp/blob2/test2
echo invalid filename >/tmp/blob1/файл
echo data3 >/tmp/external-test3
echo avatardata >/tmp/external-avatar
2024-01-12 02:23:47 +03:00
ln -s /tmp/external-avatar /tmp/external-avatar-lnk
dd if = /dev/urandom of = /tmp/external-barely-fits bs = 1M count = 64
dd if = /dev/urandom of = /tmp/external-toobig bs = 1M count = 65
# create w/ prepopulated blob dir
NEWPASSWORD = EMJuc3zQaMibJo homectl create blob-user \
--disk-size= min --luks-discard= yes \
--luks-pbkdf-type= pbkdf2 --luks-pbkdf-time-cost= 1ms \
2024-03-05 20:25:42 +03:00
--rate-limit-interval= 1s --rate-limit-burst= 1000 \
2024-01-12 02:23:47 +03:00
--uid= 12345 \
--blob= /tmp/blob1
inspect blob-user
PASSWORD = EMJuc3zQaMibJo homectl activate blob-user
inspect blob-user
test -d /var/cache/systemd/home/blob-user
stat -c "%u %#a" /var/cache/systemd/home/blob-user | grep "^0 0755"
test -d /home/blob-user/.identity-blob
stat -c "%u %#a" /home/blob-user/.identity-blob | grep "^12345 0700"
checkblob test1 /tmp/blob1/test1
( ! checkblob test1 /tmp/blob2/test1 )
checkblob test2 /tmp/blob1/test2
( ! checkblob test2 /tmp/blob2/test2 )
( ! checkblob фаил /tmp/blob1/фаил )
( ! checkblob test3 /tmp/external-test3 )
( ! checkblob avatar /tmp/external-avatar )
# append files to existing blob, both well-known and other
PASSWORD = EMJuc3zQaMibJo homectl update blob-user \
-b test3 = /tmp/external-test3 --avatar= /tmp/external-avatar
inspect blob-user
checkblob test1 /tmp/blob1/test1
( ! checkblob test1 /tmp/blob2/test1 )
checkblob test2 /tmp/blob1/test2
( ! checkblob test2 /tmp/blob2/test2 )
( ! checkblob фаил /tmp/blob1/фаил )
checkblob test3 /tmp/external-test3
checkblob avatar /tmp/external-avatar
# delete files from existing blob, both well-known and other
PASSWORD = EMJuc3zQaMibJo homectl update blob-user \
-b test3 = --avatar=
inspect blob-user
checkblob test1 /tmp/blob1/test1
( ! checkblob test1 /tmp/blob2/test1 )
checkblob test2 /tmp/blob1/test2
( ! checkblob test2 /tmp/blob2/test2 )
( ! checkblob фаил /tmp/blob1/фаил )
( ! checkblob test3 /tmp/external-test3 )
( ! checkblob avatar /tmp/external-avatar )
# swap entire blob directory
PASSWORD = EMJuc3zQaMibJo homectl update blob-user \
-b /tmp/blob2
inspect blob-user
( ! checkblob test1 /tmp/blob1/test1 )
checkblob test1 /tmp/blob2/test1
( ! checkblob test2 /tmp/blob1/test2 )
checkblob test2 /tmp/blob2/test2
( ! checkblob фаил /tmp/blob1/фаил )
( ! checkblob test3 /tmp/external-test3 )
( ! checkblob avatar /tmp/external-avatar )
# create and delete files while swapping blob directory. Also symlinks.
PASSWORD = EMJuc3zQaMibJo homectl update blob-user \
-b /tmp/blob1 -b test2 = -b test3 = /tmp/external-test3 --avatar= /tmp/external-avatar-lnk
inspect blob-user
checkblob test1 /tmp/blob1/test1
( ! checkblob test1 /tmp/blob2/test1 )
( ! checkblob test2 /tmp/blob1/test2 )
( ! checkblob test2 /tmp/blob2/test2 )
( ! checkblob фаил /tmp/blob1/фаил )
checkblob test3 /tmp/external-test3
checkblob avatar /tmp/external-avatar # target of the link
# clear the blob directory
PASSWORD = EMJuc3zQaMibJo homectl update blob-user \
-b /tmp/blob2 -b test3 = /tmp/external-test3 --blob=
inspect blob-user
( ! checkblob test1 /tmp/blob1/test1 )
( ! checkblob test1 /tmp/blob2/test1 )
( ! checkblob test2 /tmp/blob1/test2 )
( ! checkblob test2 /tmp/blob2/test2 )
( ! checkblob фаил /tmp/blob1/фаил )
( ! checkblob test3 /tmp/external-test3 )
( ! checkblob avatar /tmp/external-avatar )
# file that's exactly 64M still fits
2024-05-06 12:47:34 +03:00
# FIXME: Figure out why this fails on ext4.
if [ [ " $FSTYPE " != "ext2/ext3" ] ] ; then
PASSWORD = EMJuc3zQaMibJo homectl update blob-user \
-b barely-fits= /tmp/external-barely-fits
( ! checkblob test1 /tmp/blob1/test1 )
( ! checkblob test1 /tmp/blob2/test1 )
( ! checkblob test2 /tmp/blob1/test2 )
( ! checkblob test2 /tmp/blob2/test2 )
( ! checkblob фаил /tmp/blob1/фаил )
( ! checkblob test3 /tmp/external-test3 )
( ! checkblob avatar /tmp/external-avatar )
checkblob barely-fits /tmp/external-barely-fits
fi
2024-01-12 02:23:47 +03:00
# error out if the file is too big
( ! PASSWORD = EMJuc3zQaMibJo homectl update blob-user -b huge = /tmp/external-toobig )
# error out if filenames are invalid
( ! PASSWORD = EMJuc3zQaMibJo homectl update blob-user -b .hidden= /tmp/external-test3 )
( ! PASSWORD = EMJuc3zQaMibJo homectl update blob-user -b "with spaces=/tmp/external-test3" )
( ! PASSWORD = EMJuc3zQaMibJo homectl update blob-user -b with = equals = /tmp/external-test3 )
( ! PASSWORD = EMJuc3zQaMibJo homectl update blob-user -b файл = /tmp/external-test3 )
( ! PASSWORD = EMJuc3zQaMibJo homectl update blob-user -b special@chars= /tmp/external-test3 )
2024-02-01 21:35:03 +03:00
# Make sure offline updates to blobs get propagated in
homectl deactivate blob-user
inspect blob-user
homectl update blob-user --offline -b barely-fits= -b propagated = /tmp/external-test3
inspect blob-user
PASSWORD = EMJuc3zQaMibJo homectl activate blob-user
inspect blob-user
( ! checkblob barely-fits /tmp/external-barely-fits )
checkblob propagated /tmp/external-test3
2024-01-12 02:23:47 +03:00
homectl deactivate blob-user
wait_for_state blob-user inactive
homectl remove blob-user
2023-03-24 19:26:48 +03:00
# userdbctl tests
export PAGER =
# Create a couple of user/group records to test io.systemd.DropIn
2024-02-23 11:48:47 +03:00
# See docs/USER_RECORD.md and docs/GROUP_RECORD.md
2023-03-24 19:26:48 +03:00
mkdir -p /run/userdb/
cat >"/run/userdb/dropingroup.group" <<\E OF
{
"groupName" : "dropingroup" ,
"gid" : 1000000
}
EOF
cat >"/run/userdb/dropinuser.user" <<\E OF
{
"userName" : "dropinuser" ,
"uid" : 2000000,
"realName" : "🐱" ,
"memberOf" : [
"dropingroup"
]
}
EOF
cat >"/run/userdb/dropinuser.user-privileged" <<\E OF
{
"privileged" : {
"hashedPassword" : [
" $6 $WHBKvAFFT9jKPA4k $OPY4D4TczKN /jOnJzy54DDuOOagCcvxxybrwMbe1SVdm.Bbr.zOmBdATp.QrwZmvqyr8/SafbbQu.QZ2rRvDs/ "
] ,
"sshAuthorizedKeys" : [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA//dxI2xLg4MgxIKKZv1nqwTEIlE/fdakii2Fb75pG+ foo@bar.tld" ,
"ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMlaqG2rTMje5CQnfjXJKmoSpEVJ2gWtx4jBvsQbmee2XbU/Qdq5+SRisssR9zVuxgg5NA5fv08MgjwJQMm+csc= hello@world.tld"
]
}
}
EOF
# Set permissions and create necessary symlinks as described in nss-systemd(8)
chmod 0600 "/run/userdb/dropinuser.user-privileged"
ln -svrf "/run/userdb/dropingroup.group" "/run/userdb/1000000.group"
ln -svrf "/run/userdb/dropinuser.user" "/run/userdb/2000000.user"
ln -svrf "/run/userdb/dropinuser.user-privileged" "/run/userdb/2000000.user-privileged"
userdbctl
userdbctl --version
userdbctl --help --no-pager
userdbctl --no-legend
userdbctl --output= classic
userdbctl --output= friendly
userdbctl --output= table
userdbctl --output= json | jq
userdbctl -j --json= pretty | jq
userdbctl -j --json= short | jq
userdbctl --with-varlink= no
userdbctl user
userdbctl user testuser
userdbctl user root
userdbctl user testuser root
userdbctl user -j testuser root | jq
# Check only UID for the nobody user, since the name is build-configurable
userdbctl user --with-nss= no --synthesize= yes
userdbctl user --with-nss= no --synthesize= yes 0 root 65534
userdbctl user dropinuser
userdbctl user 2000000
userdbctl user --with-nss= no --with-varlink= no --synthesize= no --multiplexer= no dropinuser
userdbctl user --with-nss= no 2000000
( ! userdbctl user '' )
( ! userdbctl user 🐱)
( ! userdbctl user 🐱 '' bar)
( ! userdbctl user i-do-not-exist)
( ! userdbctl user root i-do-not-exist testuser)
( ! userdbctl user --with-nss= no --synthesize= no 0 root 65534)
( ! userdbctl user -N root nobody)
( ! userdbctl user --with-dropin= no dropinuser)
( ! userdbctl user --with-dropin= no 2000000)
userdbctl group
userdbctl group testuser
userdbctl group root
userdbctl group testuser root
userdbctl group -j testuser root | jq
# Check only GID for the nobody group, since the name is build-configurable
userdbctl group --with-nss= no --synthesize= yes
userdbctl group --with-nss= no --synthesize= yes 0 root 65534
userdbctl group dropingroup
userdbctl group 1000000
userdbctl group --with-nss= no --with-varlink= no --synthesize= no --multiplexer= no dropingroup
userdbctl group --with-nss= no 1000000
( ! userdbctl group '' )
( ! userdbctl group 🐱)
( ! userdbctl group 🐱 '' bar)
( ! userdbctl group i-do-not-exist)
( ! userdbctl group root i-do-not-exist testuser)
( ! userdbctl group --with-nss= no --synthesize= no 0 root 65534)
( ! userdbctl group --with-dropin= no dropingroup)
( ! userdbctl group --with-dropin= no 1000000)
userdbctl users-in-group
userdbctl users-in-group testuser
userdbctl users-in-group testuser root
userdbctl users-in-group -j testuser root | jq
userdbctl users-in-group 🐱
( ! userdbctl users-in-group '' )
( ! userdbctl users-in-group foo '' bar)
userdbctl groups-of-user
userdbctl groups-of-user testuser
userdbctl groups-of-user testuser root
userdbctl groups-of-user -j testuser root | jq
userdbctl groups-of-user 🐱
( ! userdbctl groups-of-user '' )
( ! userdbctl groups-of-user foo '' bar)
userdbctl services
userdbctl services -j | jq
2023-09-26 12:44:28 +03:00
varlinkctl call /run/systemd/userdb/io.systemd.Multiplexer io.systemd.UserDatabase.GetUserRecord '{"userName":"testuser","service":"io.systemd.Multiplexer"}'
varlinkctl call /run/systemd/userdb/io.systemd.Multiplexer io.systemd.UserDatabase.GetUserRecord '{"userName":"root","service":"io.systemd.Multiplexer"}'
varlinkctl call /run/systemd/userdb/io.systemd.Multiplexer io.systemd.UserDatabase.GetUserRecord '{"userName":"dropinuser","service":"io.systemd.Multiplexer"}'
varlinkctl call /run/systemd/userdb/io.systemd.Multiplexer io.systemd.UserDatabase.GetUserRecord '{"uid":2000000,"service":"io.systemd.Multiplexer"}'
( ! varlinkctl call /run/systemd/userdb/io.systemd.Multiplexer io.systemd.UserDatabase.GetUserRecord '{"userName":"","service":"io.systemd.Multiplexer"}' )
( ! varlinkctl call /run/systemd/userdb/io.systemd.Multiplexer io.systemd.UserDatabase.GetUserRecord '{"userName":"🐱","service":"io.systemd.Multiplexer"}' )
( ! varlinkctl call /run/systemd/userdb/io.systemd.Multiplexer io.systemd.UserDatabase.GetUserRecord '{"userName":"i-do-not-exist","service":"io.systemd.Multiplexer"}' )
2023-03-24 19:26:48 +03:00
userdbctl ssh-authorized-keys dropinuser | tee /tmp/authorized-keys
grep "ssh-ed25519" /tmp/authorized-keys
grep "ecdsa-sha2-nistp256" /tmp/authorized-keys
echo "my-top-secret-key 🐱" >/tmp/my-top-secret-key
userdbctl ssh-authorized-keys dropinuser --chain /bin/cat /tmp/my-top-secret-key | tee /tmp/authorized-keys
grep "ssh-ed25519" /tmp/authorized-keys
grep "ecdsa-sha2-nistp256" /tmp/authorized-keys
grep "my-top-secret-key 🐱" /tmp/authorized-keys
( ! userdbctl ssh-authorized-keys 🐱)
( ! userdbctl ssh-authorized-keys dropin-user --chain)
( ! userdbctl ssh-authorized-keys dropin-user --chain '' )
( ! SYSTEMD_LOG_LEVEL = debug userdbctl ssh-authorized-keys dropin-user --chain /bin/false)
( ! userdbctl '' )
for opt in json multiplexer output synthesize with-dropin with-nss with-varlink; do
( ! userdbctl " -- $opt ='' " )
( ! userdbctl " -- $opt ='🐱' " )
( ! userdbctl " -- $opt =foo " )
( ! userdbctl " -- $opt =foo " " -- $opt ='' " " -- $opt =🐱 " )
done
2023-11-28 17:44:41 +03:00
# FIXME: sshd seems to crash inside asan currently, skip the actual ssh test hence
2024-02-29 13:37:29 +03:00
if command -v ssh & >/dev/null && command -v sshd & >/dev/null && ! [ [ -v ASAN_OPTIONS ] ] ; then
2023-11-28 17:44:41 +03:00
at_exit( ) {
2024-02-29 13:37:29 +03:00
set +e
systemctl is-active -q mysshserver.socket && systemctl stop mysshserver.socket
2024-02-29 13:43:57 +03:00
rm -f /tmp/homed.id_ecdsa /run/systemd/system/mysshserver{ @.service,.socket}
2023-11-28 17:44:41 +03:00
systemctl daemon-reload
2024-02-29 13:37:29 +03:00
homectl remove homedsshtest
2024-04-30 15:01:53 +03:00
for dir in /etc /usr/lib; do
if [ [ -f " $dir /pam.d/sshd.bak " ] ] ; then
mv " $dir /pam.d/sshd.bak " " $dir /pam.d/sshd "
fi
done
2023-11-28 17:44:41 +03:00
}
trap at_exit EXIT
# Test that SSH logins work with delayed unlocking
2024-02-29 13:43:57 +03:00
ssh-keygen -N '' -C '' -t ecdsa -f /tmp/homed.id_ecdsa
2023-11-28 17:44:41 +03:00
NEWPASSWORD = hunter4711 homectl create \
--disk-size= min \
--luks-discard= yes \
--luks-pbkdf-type= pbkdf2 \
--luks-pbkdf-time-cost= 1ms \
2024-03-05 20:25:42 +03:00
--rate-limit-interval= 1s \
--rate-limit-burst= 1000 \
2023-11-28 17:44:41 +03:00
--enforce-password-policy= no \
2024-02-29 13:43:57 +03:00
--ssh-authorized-keys= @/tmp/homed.id_ecdsa.pub \
2023-11-28 17:44:41 +03:00
--stop-delay= 0 \
homedsshtest
2024-02-29 13:37:29 +03:00
homectl inspect homedsshtest
2023-11-28 17:44:41 +03:00
mkdir -p /etc/ssh
2024-02-29 13:43:57 +03:00
test -f /etc/ssh/ssh_host_ecdsa_key || ssh-keygen -t ecdsa -C '' -N '' -f /etc/ssh/ssh_host_ecdsa_key
2023-11-28 17:44:41 +03:00
2024-02-29 15:06:28 +03:00
# ssh wants this dir around, but distros cannot agree on a common name for it, let's just create all that
# are aware of distros use
mkdir -p /usr/share/empty.sshd /var/empty /var/empty/sshd /run/sshd
2023-11-28 17:44:41 +03:00
2024-04-30 15:01:53 +03:00
for dir in /etc /usr/lib; do
if [ [ -f " $dir /pam.d/sshd " ] ] ; then
mv " $dir /pam.d/sshd " " $dir /pam.d/sshd.bak "
cat >" $dir /pam.d/sshd " <<EOF
2023-11-28 17:44:41 +03:00
auth sufficient pam_unix.so nullok
2024-02-29 23:47:46 +03:00
auth sufficient pam_systemd_home.so debug
2023-11-28 17:44:41 +03:00
auth required pam_deny.so
2024-02-29 23:47:46 +03:00
account sufficient pam_systemd_home.so debug
2023-11-28 17:44:41 +03:00
account sufficient pam_unix.so
account required pam_permit.so
2024-02-29 23:47:46 +03:00
session optional pam_systemd_home.so debug
2023-11-28 17:44:41 +03:00
session optional pam_systemd.so
session required pam_unix.so
EOF
2024-04-30 15:01:53 +03:00
break
fi
done
2023-11-28 17:44:41 +03:00
2024-02-29 13:37:29 +03:00
mkdir -p /etc/sshd/
cat >/etc/ssh/sshd_config <<EOF
2023-11-28 17:44:41 +03:00
AuthorizedKeysCommand /usr/bin/userdbctl ssh-authorized-keys %u
AuthorizedKeysCommandUser root
UsePAM yes
AcceptEnv PASSWORD
LogLevel DEBUG3
EOF
2024-02-29 13:37:29 +03:00
cat >/run/systemd/system/mysshserver.socket <<EOF
2023-11-28 17:44:41 +03:00
[ Socket]
ListenStream = 4711
Accept = yes
EOF
2024-02-29 13:37:29 +03:00
cat >/run/systemd/system/mysshserver@.service <<EOF
2023-11-28 17:44:41 +03:00
[ Service]
ExecStart = -/usr/sbin/sshd -i -d -e
StandardInput = socket
StandardOutput = socket
StandardError = journal
EOF
systemctl daemon-reload
systemctl start mysshserver.socket
userdbctl user -j homedsshtest
2024-02-29 13:43:57 +03:00
ssh -t -t -4 -p 4711 -i /tmp/homed.id_ecdsa \
2024-02-29 13:37:29 +03:00
-o "SetEnv PASSWORD=hunter4711" -o "StrictHostKeyChecking no" \
2024-02-29 13:57:04 +03:00
homedsshtest@localhost echo zzz | tr -d '\r' | tee /tmp/homedsshtest.out
grep -E " ^zzz $" /tmp/homedsshtest.out
2023-11-28 17:44:41 +03:00
rm /tmp/homedsshtest.out
2024-02-29 13:43:57 +03:00
ssh -t -t -4 -p 4711 -i /tmp/homed.id_ecdsa \
2024-02-29 13:37:29 +03:00
-o "SetEnv PASSWORD=hunter4711" -o "StrictHostKeyChecking no" \
homedsshtest@localhost env
2023-11-28 17:44:41 +03:00
wait_for_state homedsshtest inactive
fi
2019-07-07 18:30:15 +03:00
systemd-analyze log-level info
2023-07-12 16:49:55 +03:00
touch /testok