forked from lix-project/lix
Merge pull request #8018 from tweag/ssh-password-prompt
SSH: don't erase password prompt if it is displayed
This commit is contained in:
commit
e32ca3cf16
5 changed files with 129 additions and 6 deletions
|
@ -583,6 +583,8 @@
|
||||||
|
|
||||||
tests.nix-copy-closure = runNixOSTestFor "x86_64-linux" ./tests/nixos/nix-copy-closure.nix;
|
tests.nix-copy-closure = runNixOSTestFor "x86_64-linux" ./tests/nixos/nix-copy-closure.nix;
|
||||||
|
|
||||||
|
tests.nix-copy = runNixOSTestFor "x86_64-linux" ./tests/nixos/nix-copy.nix;
|
||||||
|
|
||||||
tests.nssPreload = runNixOSTestFor "x86_64-linux" ./tests/nixos/nss-preload.nix;
|
tests.nssPreload = runNixOSTestFor "x86_64-linux" ./tests/nixos/nss-preload.nix;
|
||||||
|
|
||||||
tests.githubFlakes = runNixOSTestFor "x86_64-linux" ./tests/nixos/github-flakes.nix;
|
tests.githubFlakes = runNixOSTestFor "x86_64-linux" ./tests/nixos/github-flakes.nix;
|
||||||
|
|
|
@ -72,6 +72,7 @@ private:
|
||||||
uint64_t corruptedPaths = 0, untrustedPaths = 0;
|
uint64_t corruptedPaths = 0, untrustedPaths = 0;
|
||||||
|
|
||||||
bool active = true;
|
bool active = true;
|
||||||
|
bool paused = false;
|
||||||
bool haveUpdate = true;
|
bool haveUpdate = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -120,6 +121,18 @@ public:
|
||||||
updateThread.join();
|
updateThread.join();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
void pause() override {
|
||||||
|
state_.lock()->paused = true;
|
||||||
|
writeToStderr("\r\e[K");
|
||||||
|
}
|
||||||
|
|
||||||
|
void resume() override {
|
||||||
|
state_.lock()->paused = false;
|
||||||
|
writeToStderr("\r\e[K");
|
||||||
|
state_.lock()->haveUpdate = true;
|
||||||
|
updateCV.notify_one();
|
||||||
|
}
|
||||||
|
|
||||||
bool isVerbose() override
|
bool isVerbose() override
|
||||||
{
|
{
|
||||||
return printBuildLogs;
|
return printBuildLogs;
|
||||||
|
@ -339,7 +352,7 @@ public:
|
||||||
auto nextWakeup = std::chrono::milliseconds::max();
|
auto nextWakeup = std::chrono::milliseconds::max();
|
||||||
|
|
||||||
state.haveUpdate = false;
|
state.haveUpdate = false;
|
||||||
if (!state.active) return nextWakeup;
|
if (state.paused || !state.active) return nextWakeup;
|
||||||
|
|
||||||
std::string line;
|
std::string line;
|
||||||
|
|
||||||
|
|
|
@ -1,4 +1,5 @@
|
||||||
#include "ssh.hh"
|
#include "ssh.hh"
|
||||||
|
#include "finally.hh"
|
||||||
|
|
||||||
namespace nix {
|
namespace nix {
|
||||||
|
|
||||||
|
@ -35,6 +36,9 @@ void SSHMaster::addCommonSSHOpts(Strings & args)
|
||||||
}
|
}
|
||||||
if (compress)
|
if (compress)
|
||||||
args.push_back("-C");
|
args.push_back("-C");
|
||||||
|
|
||||||
|
args.push_back("-oPermitLocalCommand=yes");
|
||||||
|
args.push_back("-oLocalCommand=echo started");
|
||||||
}
|
}
|
||||||
|
|
||||||
std::unique_ptr<SSHMaster::Connection> SSHMaster::startCommand(const std::string & command)
|
std::unique_ptr<SSHMaster::Connection> SSHMaster::startCommand(const std::string & command)
|
||||||
|
@ -49,6 +53,11 @@ std::unique_ptr<SSHMaster::Connection> SSHMaster::startCommand(const std::string
|
||||||
ProcessOptions options;
|
ProcessOptions options;
|
||||||
options.dieWithParent = false;
|
options.dieWithParent = false;
|
||||||
|
|
||||||
|
if (!fakeSSH && !useMaster) {
|
||||||
|
logger->pause();
|
||||||
|
}
|
||||||
|
Finally cleanup = [&]() { logger->resume(); };
|
||||||
|
|
||||||
conn->sshPid = startProcess([&]() {
|
conn->sshPid = startProcess([&]() {
|
||||||
restoreProcessContext();
|
restoreProcessContext();
|
||||||
|
|
||||||
|
@ -86,6 +95,18 @@ std::unique_ptr<SSHMaster::Connection> SSHMaster::startCommand(const std::string
|
||||||
in.readSide = -1;
|
in.readSide = -1;
|
||||||
out.writeSide = -1;
|
out.writeSide = -1;
|
||||||
|
|
||||||
|
// Wait for the SSH connection to be established,
|
||||||
|
// So that we don't overwrite the password prompt with our progress bar.
|
||||||
|
if (!fakeSSH && !useMaster) {
|
||||||
|
std::string reply;
|
||||||
|
try {
|
||||||
|
reply = readLine(out.readSide.get());
|
||||||
|
} catch (EndOfFile & e) { }
|
||||||
|
|
||||||
|
if (reply != "started")
|
||||||
|
throw Error("failed to start SSH connection to '%s'", host);
|
||||||
|
}
|
||||||
|
|
||||||
conn->out = std::move(out.readSide);
|
conn->out = std::move(out.readSide);
|
||||||
conn->in = std::move(in.writeSide);
|
conn->in = std::move(in.writeSide);
|
||||||
|
|
||||||
|
@ -109,6 +130,9 @@ Path SSHMaster::startMaster()
|
||||||
ProcessOptions options;
|
ProcessOptions options;
|
||||||
options.dieWithParent = false;
|
options.dieWithParent = false;
|
||||||
|
|
||||||
|
logger->pause();
|
||||||
|
Finally cleanup = [&]() { logger->resume(); };
|
||||||
|
|
||||||
state->sshMaster = startProcess([&]() {
|
state->sshMaster = startProcess([&]() {
|
||||||
restoreProcessContext();
|
restoreProcessContext();
|
||||||
|
|
||||||
|
@ -117,11 +141,7 @@ Path SSHMaster::startMaster()
|
||||||
if (dup2(out.writeSide.get(), STDOUT_FILENO) == -1)
|
if (dup2(out.writeSide.get(), STDOUT_FILENO) == -1)
|
||||||
throw SysError("duping over stdout");
|
throw SysError("duping over stdout");
|
||||||
|
|
||||||
Strings args =
|
Strings args = { "ssh", host.c_str(), "-M", "-N", "-S", state->socketPath };
|
||||||
{ "ssh", host.c_str(), "-M", "-N", "-S", state->socketPath
|
|
||||||
, "-o", "LocalCommand=echo started"
|
|
||||||
, "-o", "PermitLocalCommand=yes"
|
|
||||||
};
|
|
||||||
if (verbosity >= lvlChatty)
|
if (verbosity >= lvlChatty)
|
||||||
args.push_back("-v");
|
args.push_back("-v");
|
||||||
addCommonSSHOpts(args);
|
addCommonSSHOpts(args);
|
||||||
|
|
|
@ -72,6 +72,9 @@ public:
|
||||||
|
|
||||||
virtual void stop() { };
|
virtual void stop() { };
|
||||||
|
|
||||||
|
virtual void pause() { };
|
||||||
|
virtual void resume() { };
|
||||||
|
|
||||||
// Whether the logger prints the whole build log
|
// Whether the logger prints the whole build log
|
||||||
virtual bool isVerbose() { return false; }
|
virtual bool isVerbose() { return false; }
|
||||||
|
|
||||||
|
|
85
tests/nixos/nix-copy.nix
Normal file
85
tests/nixos/nix-copy.nix
Normal file
|
@ -0,0 +1,85 @@
|
||||||
|
# Test that ‘nix copy’ works over ssh.
|
||||||
|
|
||||||
|
{ lib, config, nixpkgs, hostPkgs, ... }:
|
||||||
|
|
||||||
|
let
|
||||||
|
pkgs = config.nodes.client.nixpkgs.pkgs;
|
||||||
|
|
||||||
|
pkgA = pkgs.cowsay;
|
||||||
|
pkgB = pkgs.wget;
|
||||||
|
pkgC = pkgs.hello;
|
||||||
|
pkgD = pkgs.tmux;
|
||||||
|
|
||||||
|
in {
|
||||||
|
name = "nix-copy";
|
||||||
|
|
||||||
|
enableOCR = true;
|
||||||
|
|
||||||
|
nodes =
|
||||||
|
{ client =
|
||||||
|
{ config, lib, pkgs, ... }:
|
||||||
|
{ virtualisation.writableStore = true;
|
||||||
|
virtualisation.additionalPaths = [ pkgA pkgD.drvPath ];
|
||||||
|
nix.settings.substituters = lib.mkForce [ ];
|
||||||
|
nix.settings.experimental-features = [ "nix-command" ];
|
||||||
|
services.getty.autologinUser = "root";
|
||||||
|
};
|
||||||
|
|
||||||
|
server =
|
||||||
|
{ config, pkgs, ... }:
|
||||||
|
{ services.openssh.enable = true;
|
||||||
|
services.openssh.permitRootLogin = "yes";
|
||||||
|
users.users.root.password = "foobar";
|
||||||
|
virtualisation.writableStore = true;
|
||||||
|
virtualisation.additionalPaths = [ pkgB pkgC ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
testScript = { nodes }: ''
|
||||||
|
# fmt: off
|
||||||
|
import subprocess
|
||||||
|
|
||||||
|
# Create an SSH key on the client.
|
||||||
|
subprocess.run([
|
||||||
|
"${pkgs.openssh}/bin/ssh-keygen", "-t", "ed25519", "-f", "key", "-N", ""
|
||||||
|
], capture_output=True, check=True)
|
||||||
|
|
||||||
|
start_all()
|
||||||
|
|
||||||
|
server.wait_for_unit("sshd")
|
||||||
|
client.wait_for_unit("network.target")
|
||||||
|
client.wait_for_unit("getty@tty1.service")
|
||||||
|
client.wait_for_text("]#")
|
||||||
|
|
||||||
|
# Copy the closure of package A from the client to the server using password authentication,
|
||||||
|
# and check that all prompts are visible
|
||||||
|
server.fail("nix-store --check-validity ${pkgA}")
|
||||||
|
client.send_chars("nix copy --to ssh://server ${pkgA} >&2; echo done\n")
|
||||||
|
client.wait_for_text("continue connecting")
|
||||||
|
client.send_chars("yes\n")
|
||||||
|
client.wait_for_text("Password:")
|
||||||
|
client.send_chars("foobar\n")
|
||||||
|
client.wait_for_text("done")
|
||||||
|
server.succeed("nix-store --check-validity ${pkgA}")
|
||||||
|
|
||||||
|
client.copy_from_host("key", "/root/.ssh/id_ed25519")
|
||||||
|
client.succeed("chmod 600 /root/.ssh/id_ed25519")
|
||||||
|
|
||||||
|
# Install the SSH key on the server.
|
||||||
|
server.copy_from_host("key.pub", "/root/.ssh/authorized_keys")
|
||||||
|
server.succeed("systemctl restart sshd")
|
||||||
|
client.succeed(f"ssh -o StrictHostKeyChecking=no {server.name} 'echo hello world'")
|
||||||
|
|
||||||
|
# Copy the closure of package B from the server to the client, using ssh-ng.
|
||||||
|
client.fail("nix-store --check-validity ${pkgB}")
|
||||||
|
# Shouldn't download untrusted paths by default
|
||||||
|
client.fail("nix copy --from ssh-ng://server ${pkgB} >&2")
|
||||||
|
client.succeed("nix copy --no-check-sigs --from ssh-ng://server ${pkgB} >&2")
|
||||||
|
client.succeed("nix-store --check-validity ${pkgB}")
|
||||||
|
|
||||||
|
# Copy the derivation of package D's derivation from the client to the server.
|
||||||
|
server.fail("nix-store --check-validity ${pkgD.drvPath}")
|
||||||
|
client.succeed("nix copy --derivation --to ssh://server ${pkgD.drvPath} >&2")
|
||||||
|
server.succeed("nix-store --check-validity ${pkgD.drvPath}")
|
||||||
|
'';
|
||||||
|
}
|
Loading…
Reference in a new issue