From 765ae4d58184fe52f391aae46a705ae8c16ece52 Mon Sep 17 00:00:00 2001 From: s1341 Date: Sun, 30 Apr 2023 08:17:29 +0300 Subject: [PATCH 1/6] nixos/pam: allow changing password using sssd --- nixos/modules/security/pam.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index 6e8be412de83..c06faa8bce60 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -638,7 +638,7 @@ let password sufficient ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf '' + optionalString config.services.sssd.enable '' - password sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_authtok + password sufficient ${pkgs.sssd}/lib/security/pam_sss.so try_first_pass '' + optionalString config.security.pam.krb5.enable '' password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass From e2d538fead9227f1acf81cf9453fc18c2f437663 Mon Sep 17 00:00:00 2001 From: s1341 Date: Tue, 9 May 2023 13:45:15 +0300 Subject: [PATCH 2/6] pam: remove unused try_first_pass --- nixos/modules/security/pam.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index c06faa8bce60..d379265960bb 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -638,7 +638,7 @@ let password sufficient ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf '' + optionalString config.services.sssd.enable '' - password sufficient ${pkgs.sssd}/lib/security/pam_sss.so try_first_pass + password sufficient ${pkgs.sssd}/lib/security/pam_sss.so '' + optionalString config.security.pam.krb5.enable '' password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass From 20d707c8c4fc2e6c2d59ebd95fbaf9b1e164656d Mon Sep 17 00:00:00 2001 
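Review bot: After the second patch the `password sufficient ${pkgs.sssd}/lib/security/pam_sss.so` line carries no `use_authtok`, so pam_sss now prompts for the new password itself instead of reusing one collected and checked by a module earlier in the `password` stack; whatever policy a preceding module applies to the new password therefore does not govern the SSSD-backed change, and because the entry is `sufficient` the modules after it (the visible `pam_krb5.so use_first_pass` line) are skipped once it succeeds. If that is intended it deserves a comment on the line, e.g. `# no use_authtok: pam_sss collects the new password itself, so earlier password modules do not constrain it`. The first patch's `try_first_pass` variant is superseded by the second, so only the final form needs review. The enclosing `let` string and the earlier modules of the stack lie outside both hunks.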
From: s1341 Date: Tue, 9 May 2023 13:46:17 +0300 Subject: [PATCH 3/6] nixos/test/sssd-ldap: make tests actually check login, password change --- nixos/tests/sssd-ldap.nix | 227 +++++++++++++++++++++++++------------- 1 file changed, 148 insertions(+), 79 deletions(-) diff --git a/nixos/tests/sssd-ldap.nix b/nixos/tests/sssd-ldap.nix index ff83e96068a9..0762545f5b7f 100644 --- a/nixos/tests/sssd-ldap.nix +++ b/nixos/tests/sssd-ldap.nix 
@@ -6,96 +6,165 @@ let ldapRootPassword = "foobar"; testUser = "alice"; -in import ./make-test-python.nix ({pkgs, ...}: { - name = "sssd-ldap"; + testPassword = "foobar"; + testNewPassword = "barfoo"; +in + import ./make-test-python.nix ({pkgs, ...}: { + name = "sssd-ldap"; - meta = with pkgs.lib.maintainers; { - maintainers = [ bbigras ]; - }; + meta = with pkgs.lib.maintainers; { + maintainers = [bbigras]; + }; - nodes.machine = { pkgs, ... }: { - services.openldap = { - enable = true; - settings = { - children = { - "cn=schema".includes = [ - "${pkgs.openldap}/etc/schema/core.ldif" - "${pkgs.openldap}/etc/schema/cosine.ldif" - "${pkgs.openldap}/etc/schema/inetorgperson.ldif" - "${pkgs.openldap}/etc/schema/nis.ldif" - ]; - "olcDatabase={1}mdb" = { - attrs = { - objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ]; - olcDatabase = "{1}mdb"; - olcDbDirectory = "/var/lib/openldap/db"; - olcSuffix = dbSuffix; - olcRootDN = "cn=${ldapRootUser},${dbSuffix}"; - olcRootPW = ldapRootPassword; + nodes.machine = {pkgs, ...}: { + security.pam.services.systemd-user.makeHomeDir = true; + environment.etc."cert.pem".text = builtins.readFile ./common/acme/server/acme.test.cert.pem; + environment.etc."key.pem".text = builtins.readFile ./common/acme/server/acme.test.key.pem; + services.openldap = { + enable = true; + urlList = [ "ldap:///" "ldaps:///" ]; + settings = { + attrs = { + olcLogLevel = "conns config"; + olcTLSCACertificateFile = "/etc/cert.pem"; + olcTLSCertificateFile = "/etc/cert.pem"; + olcTLSCertificateKeyFile = "/etc/key.pem"; + olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL"; + olcTLSCRLCheck = "none"; + olcTLSVerifyClient = "never"; + olcTLSProtocolMin = "3.1"; + }; + children = { + "cn=schema".includes = [ + "${pkgs.openldap}/etc/schema/core.ldif" + "${pkgs.openldap}/etc/schema/cosine.ldif" + "${pkgs.openldap}/etc/schema/inetorgperson.ldif" + "${pkgs.openldap}/etc/schema/nis.ldif" + ]; + "olcDatabase={1}mdb" = { + attrs = { + objectClass = 
["olcDatabaseConfig" "olcMdbConfig"]; + olcDatabase = "{1}mdb"; + olcDbDirectory = "/var/lib/openldap/db"; + olcSuffix = dbSuffix; + olcRootDN = "cn=${ldapRootUser},${dbSuffix}"; + olcRootPW = ldapRootPassword; + olcAccess = [ + /* + custom access rules for userPassword attributes + */ + '' + {0}to attrs=userPassword + by self write + by anonymous auth + by * none'' + + /* + allow read on anything else + */ + '' + {1}to * + by * read'' + ]; + }; }; }; }; + declarativeContents = { + ${dbSuffix} = '' + dn: ${dbSuffix} + objectClass: top + objectClass: dcObject + objectClass: organization + o: ${dbDomain} + + dn: ou=posix,${dbSuffix} + objectClass: top + objectClass: organizationalUnit + + dn: ou=accounts,ou=posix,${dbSuffix} + objectClass: top + objectClass: organizationalUnit + + dn: uid=${testUser},ou=accounts,ou=posix,${dbSuffix} + objectClass: person + objectClass: posixAccount + userPassword: ${testPassword} + homeDirectory: /home/${testUser} + uidNumber: 1234 + gidNumber: 1234 + cn: "" + sn: "" + ''; + }; }; - declarativeContents = { - ${dbSuffix} = '' - dn: ${dbSuffix} - objectClass: top - objectClass: dcObject - objectClass: organization - o: ${dbDomain} - dn: ou=posix,${dbSuffix} - objectClass: top - objectClass: organizationalUnit + services.sssd = { + enable = true; + # just for testing purposes, don't put this into the Nix store in production! 
+ environmentFile = "${pkgs.writeText "ldap-root" "LDAP_BIND_PW=${ldapRootPassword}"}"; + config = '' + [sssd] + config_file_version = 2 + services = nss, pam, sudo + domains = ${dbDomain} - dn: ou=accounts,ou=posix,${dbSuffix} - objectClass: top - objectClass: organizationalUnit - - dn: uid=${testUser},ou=accounts,ou=posix,${dbSuffix} - objectClass: person - objectClass: posixAccount - # userPassword: somePasswordHash - homeDirectory: /home/${testUser} - uidNumber: 1234 - gidNumber: 1234 - cn: "" - sn: "" + [domain/${dbDomain}] + auth_provider = ldap + id_provider = ldap + ldap_uri = ldaps://127.0.0.1:636 + ldap_tls_reqcert = allow + ldap_tls_cacert = /etc/cert.pem + ldap_search_base = ${dbSuffix} + ldap_default_bind_dn = cn=${ldapRootUser},${dbSuffix} + ldap_default_authtok_type = password + ldap_default_authtok = $LDAP_BIND_PW ''; }; }; - services.sssd = { - enable = true; - # just for testing purposes, don't put this into the Nix store in production! - environmentFile = "${pkgs.writeText "ldap-root" "LDAP_BIND_PW=${ldapRootPassword}"}"; - config = '' - [sssd] - config_file_version = 2 - services = nss, pam, sudo - domains = ${dbDomain} + testScript = '' + machine.start() + machine.wait_for_unit("openldap.service") + machine.wait_for_unit("sssd.service") + result = machine.execute("getent passwd ${testUser}") + if result[0] == 0: + assert "${testUser}" in result[1] + else: + machine.wait_for_console_text("Backend is online") + machine.succeed("getent passwd ${testUser}") - [domain/${dbDomain}] - auth_provider = ldap - id_provider = ldap - ldap_uri = ldap://127.0.0.1:389 - ldap_search_base = ${dbSuffix} - ldap_default_bind_dn = cn=${ldapRootUser},${dbSuffix} - ldap_default_authtok_type = password - ldap_default_authtok = $LDAP_BIND_PW - ''; - }; - }; + with subtest("Log in as ${testUser}"): + machine.wait_until_tty_matches("1", "login: ") + machine.send_chars("${testUser}\n") + machine.wait_until_tty_matches("1", "login: ${testUser}") + 
machine.wait_until_succeeds("pgrep login") + machine.wait_until_tty_matches("1", "Password: ") + machine.send_chars("${testPassword}\n") + machine.wait_until_succeeds("pgrep -u ${testUser} bash") + machine.send_chars("touch done\n") + machine.wait_for_file("/home/${testUser}/done") - testScript = '' - machine.start() - machine.wait_for_unit("openldap.service") - machine.wait_for_unit("sssd.service") - result = machine.execute("getent passwd ${testUser}") - if result[0] == 0: - assert "${testUser}" in result[1] - else: - machine.wait_for_console_text("Backend is online") - machine.succeed("getent passwd ${testUser}") - ''; -}) + with subtest("Change ${testUser}'s password"): + machine.send_chars("passwd\n") + machine.wait_until_tty_matches("1", "Current Password: ") + machine.send_chars("${testPassword}\n") + machine.wait_until_tty_matches("1", "New Password: ") + machine.send_chars("${testNewPassword}\n") + machine.wait_until_tty_matches("1", "Reenter new Password: ") + machine.send_chars("${testNewPassword}\n") + machine.wait_until_tty_matches("1", "passwd: password updated successfully") + machine.send_chars("exit\n") + + with subtest("Log in as ${testUser} with new password"): + machine.wait_until_tty_matches("1", "login: ") + machine.send_chars("${testUser}\n") + machine.wait_until_tty_matches("1", "login: ${testUser}") + machine.wait_until_succeeds("pgrep login") + machine.wait_until_tty_matches("1", "Password: ") + machine.send_chars("${testNewPassword}\n") + machine.wait_until_succeeds("pgrep -u ${testUser} bash") + machine.send_chars("touch done2\n") + machine.wait_for_file("/home/${testUser}/done2") + ''; + }) From 73811d22bb5c3a992813b66aa4bbbedf8f629ce6 Mon Sep 17 00:00:00 2001 From: s1341 Date: Tue, 9 May 2023 18:13:09 +0300 Subject: [PATCH 4/6] nixos/test/sssd-ldap: nixpkgs-fmt --- nixos/tests/sssd-ldap.nix | 278 +++++++++++++++++++------------------- 1 file changed, 139 insertions(+), 139 deletions(-) 
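Review bot: The new TLS settings relax verification on both ends — `olcTLSVerifyClient = "never"` and `olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL"` on the server, `ldap_tls_reqcert = allow` on the SSSD client — which turns `ldap_tls_cacert = /etc/cert.pem` into an advisory setting, yet unlike `environmentFile` none of them is marked as test-only. Presumably `allow` is needed because the shared ./common/acme/server certificate is not issued for 127.0.0.1; that reason is worth stating, e.g. `# test-only: the shared acme.test cert does not match 127.0.0.1, so certificate checking is relaxed` above `ldap_tls_reqcert`, and `# test-only cipher list; do not copy into a real deployment` on the cipher line, since `+aNULL` admits unauthenticated key exchange. The `olcAccess` rules are a good addition, but note that SSSD binds as `olcRootDN`, which is not subject to them; only the user's own password change exercises `by self write`.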
diff --git a/nixos/tests/sssd-ldap.nix b/nixos/tests/sssd-ldap.nix index 0762545f5b7f..e1e6b5140915 100644 --- a/nixos/tests/sssd-ldap.nix +++ b/nixos/tests/sssd-ldap.nix 
@@ -9,162 +9,162 @@ let testPassword = "foobar"; testNewPassword = "barfoo"; in - import ./make-test-python.nix ({pkgs, ...}: { - name = "sssd-ldap"; +import ./make-test-python.nix ({ pkgs, ... }: { + name = "sssd-ldap"; - meta = with pkgs.lib.maintainers; { - maintainers = [bbigras]; - }; + meta = with pkgs.lib.maintainers; { + maintainers = [ bbigras ]; + }; - nodes.machine = {pkgs, ...}: { - security.pam.services.systemd-user.makeHomeDir = true; - environment.etc."cert.pem".text = builtins.readFile ./common/acme/server/acme.test.cert.pem; - environment.etc."key.pem".text = builtins.readFile ./common/acme/server/acme.test.key.pem; - services.openldap = { - enable = true; - urlList = [ "ldap:///" "ldaps:///" ]; - settings = { - attrs = { - olcLogLevel = "conns config"; - olcTLSCACertificateFile = "/etc/cert.pem"; - olcTLSCertificateFile = "/etc/cert.pem"; - olcTLSCertificateKeyFile = "/etc/key.pem"; - olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL"; - olcTLSCRLCheck = "none"; - olcTLSVerifyClient = "never"; - olcTLSProtocolMin = "3.1"; - }; - children = { - "cn=schema".includes = [ - "${pkgs.openldap}/etc/schema/core.ldif" - "${pkgs.openldap}/etc/schema/cosine.ldif" - "${pkgs.openldap}/etc/schema/inetorgperson.ldif" - "${pkgs.openldap}/etc/schema/nis.ldif" - ]; - "olcDatabase={1}mdb" = { - attrs = { - objectClass = ["olcDatabaseConfig" "olcMdbConfig"]; - olcDatabase = "{1}mdb"; - olcDbDirectory = "/var/lib/openldap/db"; - olcSuffix = dbSuffix; - olcRootDN = "cn=${ldapRootUser},${dbSuffix}"; - olcRootPW = ldapRootPassword; - olcAccess = [ - /* + nodes.machine = { pkgs, ... 
}: { + security.pam.services.systemd-user.makeHomeDir = true; + environment.etc."cert.pem".text = builtins.readFile ./common/acme/server/acme.test.cert.pem; + environment.etc."key.pem".text = builtins.readFile ./common/acme/server/acme.test.key.pem; + services.openldap = { + enable = true; + urlList = [ "ldap:///" "ldaps:///" ]; + settings = { + attrs = { + olcLogLevel = "conns config"; + olcTLSCACertificateFile = "/etc/cert.pem"; + olcTLSCertificateFile = "/etc/cert.pem"; + olcTLSCertificateKeyFile = "/etc/key.pem"; + olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL"; + olcTLSCRLCheck = "none"; + olcTLSVerifyClient = "never"; + olcTLSProtocolMin = "3.1"; + }; + children = { + "cn=schema".includes = [ + "${pkgs.openldap}/etc/schema/core.ldif" + "${pkgs.openldap}/etc/schema/cosine.ldif" + "${pkgs.openldap}/etc/schema/inetorgperson.ldif" + "${pkgs.openldap}/etc/schema/nis.ldif" + ]; + "olcDatabase={1}mdb" = { + attrs = { + objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ]; + olcDatabase = "{1}mdb"; + olcDbDirectory = "/var/lib/openldap/db"; + olcSuffix = dbSuffix; + olcRootDN = "cn=${ldapRootUser},${dbSuffix}"; + olcRootPW = ldapRootPassword; + olcAccess = [ + /* custom access rules for userPassword attributes */ - '' - {0}to attrs=userPassword - by self write - by anonymous auth - by * none'' + '' + {0}to attrs=userPassword + by self write + by anonymous auth + by * none'' - /* + /* allow read on anything else */ - '' - {1}to * - by * read'' - ]; - }; + '' + {1}to * + by * read'' + ]; }; }; }; - declarativeContents = { - ${dbSuffix} = '' - dn: ${dbSuffix} - objectClass: top - objectClass: dcObject - objectClass: organization - o: ${dbDomain} - - dn: ou=posix,${dbSuffix} - objectClass: top - objectClass: organizationalUnit - - dn: ou=accounts,ou=posix,${dbSuffix} - objectClass: top - objectClass: organizationalUnit - - dn: uid=${testUser},ou=accounts,ou=posix,${dbSuffix} - objectClass: person - objectClass: posixAccount - userPassword: ${testPassword} - 
homeDirectory: /home/${testUser} - uidNumber: 1234 - gidNumber: 1234 - cn: "" - sn: "" - ''; - }; }; + declarativeContents = { + ${dbSuffix} = '' + dn: ${dbSuffix} + objectClass: top + objectClass: dcObject + objectClass: organization + o: ${dbDomain} - services.sssd = { - enable = true; - # just for testing purposes, don't put this into the Nix store in production! - environmentFile = "${pkgs.writeText "ldap-root" "LDAP_BIND_PW=${ldapRootPassword}"}"; - config = '' - [sssd] - config_file_version = 2 - services = nss, pam, sudo - domains = ${dbDomain} + dn: ou=posix,${dbSuffix} + objectClass: top + objectClass: organizationalUnit - [domain/${dbDomain}] - auth_provider = ldap - id_provider = ldap - ldap_uri = ldaps://127.0.0.1:636 - ldap_tls_reqcert = allow - ldap_tls_cacert = /etc/cert.pem - ldap_search_base = ${dbSuffix} - ldap_default_bind_dn = cn=${ldapRootUser},${dbSuffix} - ldap_default_authtok_type = password - ldap_default_authtok = $LDAP_BIND_PW + dn: ou=accounts,ou=posix,${dbSuffix} + objectClass: top + objectClass: organizationalUnit + + dn: uid=${testUser},ou=accounts,ou=posix,${dbSuffix} + objectClass: person + objectClass: posixAccount + userPassword: ${testPassword} + homeDirectory: /home/${testUser} + uidNumber: 1234 + gidNumber: 1234 + cn: "" + sn: "" ''; }; }; - testScript = '' - machine.start() - machine.wait_for_unit("openldap.service") - machine.wait_for_unit("sssd.service") - result = machine.execute("getent passwd ${testUser}") - if result[0] == 0: - assert "${testUser}" in result[1] - else: - machine.wait_for_console_text("Backend is online") - machine.succeed("getent passwd ${testUser}") + services.sssd = { + enable = true; + # just for testing purposes, don't put this into the Nix store in production! 
+ environmentFile = "${pkgs.writeText "ldap-root" "LDAP_BIND_PW=${ldapRootPassword}"}"; + config = '' + [sssd] + config_file_version = 2 + services = nss, pam, sudo + domains = ${dbDomain} - with subtest("Log in as ${testUser}"): - machine.wait_until_tty_matches("1", "login: ") - machine.send_chars("${testUser}\n") - machine.wait_until_tty_matches("1", "login: ${testUser}") - machine.wait_until_succeeds("pgrep login") - machine.wait_until_tty_matches("1", "Password: ") - machine.send_chars("${testPassword}\n") - machine.wait_until_succeeds("pgrep -u ${testUser} bash") - machine.send_chars("touch done\n") - machine.wait_for_file("/home/${testUser}/done") + [domain/${dbDomain}] + auth_provider = ldap + id_provider = ldap + ldap_uri = ldaps://127.0.0.1:636 + ldap_tls_reqcert = allow + ldap_tls_cacert = /etc/cert.pem + ldap_search_base = ${dbSuffix} + ldap_default_bind_dn = cn=${ldapRootUser},${dbSuffix} + ldap_default_authtok_type = password + ldap_default_authtok = $LDAP_BIND_PW + ''; + }; + }; - with subtest("Change ${testUser}'s password"): - machine.send_chars("passwd\n") - machine.wait_until_tty_matches("1", "Current Password: ") - machine.send_chars("${testPassword}\n") - machine.wait_until_tty_matches("1", "New Password: ") - machine.send_chars("${testNewPassword}\n") - machine.wait_until_tty_matches("1", "Reenter new Password: ") - machine.send_chars("${testNewPassword}\n") - machine.wait_until_tty_matches("1", "passwd: password updated successfully") - machine.send_chars("exit\n") + testScript = '' + machine.start() + machine.wait_for_unit("openldap.service") + machine.wait_for_unit("sssd.service") + result = machine.execute("getent passwd ${testUser}") + if result[0] == 0: + assert "${testUser}" in result[1] + else: + machine.wait_for_console_text("Backend is online") + machine.succeed("getent passwd ${testUser}") - with subtest("Log in as ${testUser} with new password"): - machine.wait_until_tty_matches("1", "login: ") - machine.send_chars("${testUser}\n") 
- machine.wait_until_tty_matches("1", "login: ${testUser}") - machine.wait_until_succeeds("pgrep login") - machine.wait_until_tty_matches("1", "Password: ") - machine.send_chars("${testNewPassword}\n") - machine.wait_until_succeeds("pgrep -u ${testUser} bash") - machine.send_chars("touch done2\n") - machine.wait_for_file("/home/${testUser}/done2") - ''; - }) + with subtest("Log in as ${testUser}"): + machine.wait_until_tty_matches("1", "login: ") + machine.send_chars("${testUser}\n") + machine.wait_until_tty_matches("1", "login: ${testUser}") + machine.wait_until_succeeds("pgrep login") + machine.wait_until_tty_matches("1", "Password: ") + machine.send_chars("${testPassword}\n") + machine.wait_until_succeeds("pgrep -u ${testUser} bash") + machine.send_chars("touch done\n") + machine.wait_for_file("/home/${testUser}/done") + + with subtest("Change ${testUser}'s password"): + machine.send_chars("passwd\n") + machine.wait_until_tty_matches("1", "Current Password: ") + machine.send_chars("${testPassword}\n") + machine.wait_until_tty_matches("1", "New Password: ") + machine.send_chars("${testNewPassword}\n") + machine.wait_until_tty_matches("1", "Reenter new Password: ") + machine.send_chars("${testNewPassword}\n") + machine.wait_until_tty_matches("1", "passwd: password updated successfully") + machine.send_chars("exit\n") + + with subtest("Log in as ${testUser} with new password"): + machine.wait_until_tty_matches("1", "login: ") + machine.send_chars("${testUser}\n") + machine.wait_until_tty_matches("1", "login: ${testUser}") + machine.wait_until_succeeds("pgrep login") + machine.wait_until_tty_matches("1", "Password: ") + machine.send_chars("${testNewPassword}\n") + machine.wait_until_succeeds("pgrep -u ${testUser} bash") + machine.send_chars("touch done2\n") + machine.wait_for_file("/home/${testUser}/done2") + ''; +}) From f15f947cf5b9c16a3f89f77fa021013c5192d43c Mon Sep 17 00:00:00 2001 
From: s1341 Date: Tue, 9 May 2023 18:13:45 +0300 Subject: [PATCH 5/6] pam: add sssd-ldap as a pam test --- pkgs/os-specific/linux/pam/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkgs/os-specific/linux/pam/default.nix b/pkgs/os-specific/linux/pam/default.nix index 8b068100f32a..b16bebbe3d60 100644 --- a/pkgs/os-specific/linux/pam/default.nix +++ b/pkgs/os-specific/linux/pam/default.nix @@ -44,7 +44,7 @@ stdenv.mkDerivation rec { doCheck = false; # fails passthru.tests = { - inherit (nixosTests) pam-oath-login pam-u2f shadow; + inherit (nixosTests) pam-oath-login pam-u2f shadow sssd-ldap; }; meta = with lib; { From d5fd4332082b8ebb0ca786bfbf9a391d9fda14e9 Mon Sep 17 00:00:00 2001 From: s1341 Date: Tue, 9 May 2023 18:51:47 +0300 Subject: [PATCH 6/6] nixos/test/sssd-ldap: do new login on a different VT --- nixos/tests/sssd-ldap.nix | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/nixos/tests/sssd-ldap.nix b/nixos/tests/sssd-ldap.nix index e1e6b5140915..60f3b1a415da 100644 --- a/nixos/tests/sssd-ldap.nix +++ b/nixos/tests/sssd-ldap.nix @@ -13,7 +13,7 @@ import ./make-test-python.nix ({ pkgs, ... }: { name = "sssd-ldap"; meta = with pkgs.lib.maintainers; { - maintainers = [ bbigras ]; + maintainers = [ bbigras s1341 ]; }; nodes.machine = { pkgs, ... }: { @@ -25,7 +25,6 @@ import ./make-test-python.nix ({ pkgs, ... }: { urlList = [ "ldap:///" "ldaps:///" ]; settings = { attrs = { - olcLogLevel = "conns config"; olcTLSCACertificateFile = "/etc/cert.pem"; olcTLSCertificateFile = "/etc/cert.pem"; olcTLSCertificateKeyFile = "/etc/key.pem"; 
@@ -154,14 +153,18 @@ import ./make-test-python.nix ({ pkgs, ... }: { machine.wait_until_tty_matches("1", "Reenter new Password: ") machine.send_chars("${testNewPassword}\n") machine.wait_until_tty_matches("1", "passwd: password updated successfully") - machine.send_chars("exit\n") - with subtest("Log in as ${testUser} with new password"): - machine.wait_until_tty_matches("1", "login: ") + with subtest("Log in as ${testUser} with new password in virtual console 2"): + machine.send_key("alt-f2") + machine.wait_until_succeeds("[ $(fgconsole) = 2 ]") + machine.wait_for_unit("getty@tty2.service") + machine.wait_until_succeeds("pgrep -f 'agetty.*tty2'") + + machine.wait_until_tty_matches("2", "login: ") machine.send_chars("${testUser}\n") - machine.wait_until_tty_matches("1", "login: ${testUser}") + machine.wait_until_tty_matches("2", "login: ${testUser}") machine.wait_until_succeeds("pgrep login") - machine.wait_until_tty_matches("1", "Password: ") + machine.wait_until_tty_matches("2", "Password: ") machine.send_chars("${testNewPassword}\n") machine.wait_until_succeeds("pgrep -u ${testUser} bash") machine.send_chars("touch done2\n")
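Review bot: With `machine.send_chars("exit\n")` removed, the tty1 shell from the first login is still running when the VT2 login starts, so `machine.wait_until_succeeds("pgrep -u ${testUser} bash")` (and `pgrep login`) now match the old session and no longer show that the second login succeeded; only the later `touch done2` file check does. Scoping the check to the new console restores the signal, e.g. `machine.wait_until_succeeds("pgrep -t tty2 -u ${testUser} bash")`. The `testScript` string continues past the end of the hunk.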