authorCraig Jennings <c@cjennings.net>2026-06-25 01:24:33 -0400
committerCraig Jennings <c@cjennings.net>2026-06-25 01:24:33 -0400
commitf50fc1def85c1dbbb0ec781be4071b7ec9285785 (patch)
tree256b852c91a0a9289d130fcd8e79f5146b73c6cf /scripts/testing/lib/testinfra.sh
parent3cac3b3dfcd432395201a309920c2491ee9caf01 (diff)
fix(testing): authorize a root key so make test survives sshd hardening
The VM test SSHes into the guest as root with a password for the whole run. archsetup hardens sshd to PermitRootLogin prohibit-password and reloads it partway through the install, so every SSH after that step failed with "Permission denied" and the run aborted before any validation — make test had been silently broken since the hardening landed. inject_root_key authorizes a throwaway root key right after the first SSH (before archsetup runs) and the ssh/scp helpers now add -i <key> via SSH_KEY_OPT. prohibit-password still allows root key auth, so the harness survives the very hardening it validates. Password stays as the fallback, so the change is additive.
Diffstat (limited to 'scripts/testing/lib/testinfra.sh')
-rw-r--r--scripts/testing/lib/testinfra.sh34
1 files changed, 20 insertions, 14 deletions
diff --git a/scripts/testing/lib/testinfra.sh b/scripts/testing/lib/testinfra.sh
index 0db0ec9..bfcd43a 100644
--- a/scripts/testing/lib/testinfra.sh
+++ b/scripts/testing/lib/testinfra.sh
@@ -32,20 +32,26 @@ run_testinfra_validation() {
step "Running Testinfra validation sweep (advisory)"
- # Ephemeral keypair; authorize the pubkey in the VM over the existing channel.
- rm -f "$key" "$key.pub"
- if ! ssh-keygen -t ed25519 -N "" -q -f "$key"; then
- warn "testinfra: ssh-keygen failed - skipping"
- return 0
- fi
- if ! copy_to_vm "$key.pub" "/tmp/testinfra_key.pub" "$ROOT_PASSWORD"; then
- warn "testinfra: pubkey copy failed - skipping"
- return 0
- fi
- if ! vm_exec "$ROOT_PASSWORD" \
- "mkdir -p /root/.ssh && chmod 700 /root/.ssh && cat /tmp/testinfra_key.pub >> /root/.ssh/authorized_keys && chmod 600 /root/.ssh/authorized_keys"; then
- warn "testinfra: authorizing key in VM failed - skipping"
- return 0
+ # Prefer the root key the harness already authorized (inject_root_key). It
+ # survives the sshd prohibit-password hardening, so reuse it rather than
+ # authorizing a second key. Fall back to minting our own for standalone use.
+ if [ -n "${ROOT_SSH_KEY:-}" ] && [ -f "${ROOT_SSH_KEY}" ]; then
+ key="$ROOT_SSH_KEY"
+ else
+ rm -f "$key" "$key.pub"
+ if ! ssh-keygen -t ed25519 -N "" -q -f "$key"; then
+ warn "testinfra: ssh-keygen failed - skipping"
+ return 0
+ fi
+ if ! copy_to_vm "$key.pub" "/tmp/testinfra_key.pub" "$ROOT_PASSWORD"; then
+ warn "testinfra: pubkey copy failed - skipping"
+ return 0
+ fi
+ if ! vm_exec "$ROOT_PASSWORD" \
+ "mkdir -p /root/.ssh && chmod 700 /root/.ssh && cat /tmp/testinfra_key.pub >> /root/.ssh/authorized_keys && chmod 600 /root/.ssh/authorized_keys"; then
+ warn "testinfra: authorizing key in VM failed - skipping"
+ return 0
+ fi
fi
# ssh-config so testinfra connects key-only, no host-key prompt.
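Review bot: The fallback branch still authenticates with `$ROOT_PASSWORD` in its `copy_to_vm` and `vm_exec` calls, so on a guest whose sshd already runs with `PermitRootLogin prohibit-password` it can presumably only fail, and it does so with a generic warning and `return 0`. The sweep is therefore skipped quietly whenever `ROOT_SSH_KEY` is unset or points at a missing file, which is the same kind of silent breakage this commit fixes for the main run. Name the likely cause in the message, e.g. `warn "testinfra: pubkey copy failed (root password login may be disabled; is ROOT_SSH_KEY set?) - skipping"`. The `[ -f "${ROOT_SSH_KEY}" ]` test also only shows that the key file exists locally, not that the guest has authorized it, so a stale path would surface later as a connection failure. run_testinfra_validation starts before and continues after this hunk, so how `$key` is used or cleaned up afterwards is not visible here.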