From 8349bbdfd829c80fc5eabaca6c9d0afed28d1b3f Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Tue, 28 Nov 2023 15:44:41 +0100
Subject: [PATCH] test: add test that ensures homed logins via SSH work
---
 test/TEST-46-HOMED/test.sh | 3 ++
 test/units/testsuite-46.sh | 83 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 86 insertions(+)
diff --git a/test/TEST-46-HOMED/test.sh b/test/TEST-46-HOMED/test.sh
index 3bf3891380..923e00229e 100755
--- a/test/TEST-46-HOMED/test.sh
+++ b/test/TEST-46-HOMED/test.sh
@@ -21,6 +21,9 @@ test_append_files() {
 install_btrfs
 generate_module_dependencies
 fi
+ inst_binary ssh
+ inst_binary sshd
+ inst_binary ssh-keygen
 }

 do_test "$@"
diff --git a/test/units/testsuite-46.sh b/test/units/testsuite-46.sh
index a77683b479..26e71afecd 100755
--- a/test/units/testsuite-46.sh
+++ b/test/units/testsuite-46.sh
@@ -314,6 +314,89 @@ for opt in json multiplexer output synthesize with-dropin with-nss with-varlink; (! userdbctl "--$opt=foo" "--$opt=''" "--$opt=🐱") done +# FIXME: sshd seems to crash inside asan currently, skip the actual ssh test hence +if command -v ssh &> /dev/null && command -v sshd &> /dev/null && ! [[ -v ASAN_OPTIONS ]]; then + + at_exit() { + systemctl stop mysshserver.socket + rm -f /tmp/homed.id_rsa /run/systemd/system/mysshserver.socket /run/systemd/system/mysshserver@.service + systemctl daemon-reload + homectl remove homedsshtest ||: + mv /etc/pam.d/sshd.save46 mv /etc/pam.d/sshd + } + + trap at_exit EXIT + + # Test that SSH logins work with delayed unlocking + ssh-keygen -N '' -C '' -t rsa -f /tmp/homed.id_rsa + NEWPASSWORD=hunter4711 homectl create \ + --disk-size=min \ + --luks-discard=yes \ + --luks-pbkdf-type=pbkdf2 \ + --luks-pbkdf-time-cost=1ms \ + --enforce-password-policy=no \ + --ssh-authorized-keys=@/tmp/homed.id_rsa.pub \ + --stop-delay=0 \ + homedsshtest + + mkdir -p /etc/ssh + test -f /etc/ssh/ssh_host_rsa_key || ssh-keygen -t rsa -C '' -N '' -f /etc/ssh/ssh_host_rsa_key + + # ssh wants this dir around, but distros cannot agree on a common name for it, let's just create all that are aware of distros use + mkdir -p /usr/share/empty.sshd /var/empty /var/empty/sshd + + mv /etc/pam.d/sshd /etc/pam.d/sshd.save46 + + cat > /etc/pam.d/sshd <> /etc/ssh/sshd_config < /run/systemd/system/mysshserver.socket < /run/systemd/system/mysshserver@.service < /tmp/homedsshtest.out + cat /tmp/homedsshtest.out + test "$(cat /tmp/homedsshtest.out)" = "zzz" + rm /tmp/homedsshtest.out + + ssh -t -t -4 -p 4711 -i /tmp/homed.id_rsa -o "SetEnv PASSWORD=hunter4711" -o "StrictHostKeyChecking no" homedsshtest@localhost env + + wait_for_state homedsshtest inactive + homectl remove homedsshtest +fi + systemd-analyze log-level info touch /testok -- 2.25.1
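Review bot: In `at_exit`, the restore step `mv /etc/pam.d/sshd.save46 mv /etc/pam.d/sshd` carries a stray second `mv`, so mv receives three operands, treats `/etc/pam.d/sshd` as a target directory and fails; the saved sshd PAM stack is never put back and the test's replacement stays in place. It should read `mv /etc/pam.d/sshd.save46 /etc/pam.d/sshd`, ideally behind `[[ -e /etc/pam.d/sshd.save46 ]] &&` because the trap is installed before the file is moved aside. The same handler removes `/tmp/homed.id_rsa` but leaves `/tmp/homed.id_rsa.pub` behind. Nothing visible in the hunk reverts what is appended to `/etc/ssh/sshd_config` via `>>`, although the here-document bodies are not visible in this rendering, so that part is inferred from the redirect alone. A short comment above `at_exit` listing every file the test modifies would make it easier to check that cleanup is complete.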