nixos/tests/openssh: Test configured auth keys.

So far the test only uses an authorized key that is copied over to the
target machine instead of being set by the target's configuration.

Now, we cover both cases.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>

nixos/tests/openssh.nix

@@ -1,4 +1,21 @@
-import ./make-test.nix ({ pkgs, ... }: {
+import ./make-test.nix ({ pkgs, ... }:
+
+let
+  snakeOilPrivateKey = pkgs.writeText "privkey.snakeoil" ''
+    -----BEGIN EC PRIVATE KEY-----
+    MHcCAQEEIHQf/khLvYrQ8IOika5yqtWvI0oquHlpRLTZiJy5dRJmoAoGCCqGSM49
+    AwEHoUQDQgAEKF0DYGbBwbj06tA3fd/+yP44cvmwmHBWXZCKbS+RQlAKvLXMWkpN
+    r1lwMyJZoSGgBHoUahoYjTh9/sJL7XLJtA==
+    -----END EC PRIVATE KEY-----
+  '';
+
+  snakeOilPublicKey = pkgs.lib.concatStrings [
+    "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHA"
+    "yNTYAAABBBChdA2BmwcG49OrQN33f/sj+OHL5sJhwVl2Qim0vkUJQCry1zFpKTa"
+    "9ZcDMiWaEhoAR6FGoaGI04ff7CS+1yybQ= sakeoil"
+  ];
+
+in {
 
   nodes = {
 
@@ -9,6 +26,9 @@ import ./make-test.nix ({ pkgs, ... }: {
         services.openssh.enable = true;
         security.pam.services.sshd.limits =
           [ { domain = "*"; item = "memlock"; type = "-"; value = 1024; } ];
+        users.extraUsers.root.openssh.authorizedKeys.keys = [
+          snakeOilPublicKey
+        ];
       };
 
     client =
@@ -23,15 +43,25 @@ import ./make-test.nix ({ pkgs, ... }: {
 
     $server->waitForUnit("sshd");
 
-    $server->succeed("mkdir -m 700 /root/.ssh");
-    $server->copyFileFromHost("key.pub", "/root/.ssh/authorized_keys");
+    subtest "manual-authkey", sub {
+      $server->succeed("mkdir -m 700 /root/.ssh");
+      $server->copyFileFromHost("key.pub", "/root/.ssh/authorized_keys");
 
-    $client->succeed("mkdir -m 700 /root/.ssh");
-    $client->copyFileFromHost("key", "/root/.ssh/id_dsa");
-    $client->succeed("chmod 600 /root/.ssh/id_dsa");
+      $client->succeed("mkdir -m 700 /root/.ssh");
+      $client->copyFileFromHost("key", "/root/.ssh/id_dsa");
+      $client->succeed("chmod 600 /root/.ssh/id_dsa");
 
-    $client->waitForUnit("network.target");
-    $client->succeed("ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'echo hello world' >&2");
-    $client->succeed("ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'ulimit -l' | grep 1024");
+      $client->waitForUnit("network.target");
+      $client->succeed("ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'echo hello world' >&2");
+      $client->succeed("ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'ulimit -l' | grep 1024");
+    };
+
+    subtest "configured-authkey", sub {
+      $client->succeed("cat ${snakeOilPrivateKey} > privkey.snakeoil");
+      $client->succeed("chmod 600 privkey.snakeoil");
+      $client->succeed("ssh -o UserKnownHostsFile=/dev/null" .
+                       " -o StrictHostKeyChecking=no -i privkey.snakeoil" .
+                       " server true");
+    };
   '';
 })