diff --git a/nixos/modules/ssh.nix b/nixos/modules/ssh.nix
index ca9b31547c783a0ffae003c1b9e86f62046a4557..93c1be87def202869cb9cb2c6893232213ccbabe 100644
--- a/nixos/modules/ssh.nix
+++ b/nixos/modules/ssh.nix
@@ -45,7 +45,7 @@
users.users =
let makeUserConfig = username: sshPublicKey: {
- isNormalUser = true;
+ isNormalUser = username != "root";
openssh.authorizedKeys.keys = [ sshPublicKey ];
};
in builtins.mapAttrs makeUserConfig cfg.sshUsers;
diff --git a/nixos/modules/tests/private-storage.nix b/nixos/modules/tests/private-storage.nix
index 2bdd25a8b6e9eace82b2bbb980fe3ae1642a939e..47acfbf475a5d029b5f2800d4a11e2ff18eaa9d2 100644
--- a/nixos/modules/tests/private-storage.nix
+++ b/nixos/modules/tests/private-storage.nix
@@ -5,14 +5,15 @@ let
sshPrivateKey = ./probeuser_ed25519;
sshPublicKey = ./probeuser_ed25519.pub;
sshUsers = {
+ root = (builtins.readFile sshPublicKey);
probeuser = (builtins.readFile sshPublicKey);
};
# Generate a command which can be used with runOnNode to ssh to the given
# host.
- ssh = hostname: [
+ ssh = username: hostname: [
"cp" sshPrivateKey "/tmp/ssh_key" ";"
"chmod" "0400" "/tmp/ssh_key" ";"
- "ssh" "-oStrictHostKeyChecking=no" "-i" "/tmp/ssh_key" "probeuser@${hostname}" ":"
+ "ssh" "-oStrictHostKeyChecking=no" "-i" "/tmp/ssh_key" "${username}@${hostname}" ":"
];
# Separate helper programs so we can write as little perl inside a string
@@ -186,9 +187,11 @@ import <nixpkgs/nixos/tests/make-test.nix> {
# doesn't prove it is so but if it fails it's a pretty good indication
# it isn't so.
$storage->waitForOpenPort(22);
- ${runOnNode "issuer" (ssh "storage")}
+ ${runOnNode "issuer" (ssh "probeuser" "storage")}
+ ${runOnNode "issuer" (ssh "root" "storage")}
$issuer->waitForOpenPort(22);
- ${runOnNode "storage" (ssh "issuer")}
+ ${runOnNode "storage" (ssh "probeuser" "issuer")}
+ ${runOnNode "storage" (ssh "root" "issuer")}
# Set up a Tahoe-LAFS introducer.
$introducer->copyFileFromHost(