From 44910d6b3552d751c8ab3c32ab183be9ab9ed97d Mon Sep 17 00:00:00 2001
From: Jean-Paul Calderone <exarkun@twistedmatrix.com>
Date: Wed, 10 Jun 2020 15:36:03 -0400
Subject: [PATCH] Fix handling of root user ssh configuration

---
 nixos/modules/ssh.nix                   |  2 +-
 nixos/modules/tests/private-storage.nix | 11 +++++++----
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/nixos/modules/ssh.nix b/nixos/modules/ssh.nix
index ca9b3154..93c1be87 100644
--- a/nixos/modules/ssh.nix
+++ b/nixos/modules/ssh.nix
@@ -45,7 +45,7 @@
 
     users.users =
       let makeUserConfig = username: sshPublicKey: {
-        isNormalUser = true;
+        isNormalUser = username != "root";
         openssh.authorizedKeys.keys = [ sshPublicKey ];
       };
       in builtins.mapAttrs makeUserConfig cfg.sshUsers;
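Review bot: The new `isNormalUser = username != "root";` makes any key listed under `sshUsers.root` an SSH login for uid 0 with nothing else gating it; whether that login is actually accepted also depends on `services.openssh.permitRootLogin` (NixOS's default appears to permit key-only root login, but that is not visible here and should be confirmed). Since this is the security-relevant decision of the module, it deserves a comment at the special case, e.g. `# root already exists as a system account, so it must not be declared a normal user; its key is still installed, which grants uid-0 SSH access — keep this deliberate and in step with services.openssh.permitRootLogin.` The option description of `sshUsers` (outside this hunk) should say the same so callers know that a `root` entry is an opt-in to root login rather than a silent no-op. Note the special case only covers root; any other pre-existing system account listed in `sshUsers` would still be redeclared as a normal user.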
diff --git a/nixos/modules/tests/private-storage.nix b/nixos/modules/tests/private-storage.nix
index 2bdd25a8..47acfbf4 100644
--- a/nixos/modules/tests/private-storage.nix
+++ b/nixos/modules/tests/private-storage.nix
@@ -5,14 +5,15 @@ let
   sshPrivateKey = ./probeuser_ed25519;
   sshPublicKey = ./probeuser_ed25519.pub;
   sshUsers = {
+    root = (builtins.readFile sshPublicKey);
     probeuser = (builtins.readFile sshPublicKey);
   };
   # Generate a command which can be used with runOnNode to ssh to the given
   # host.
-  ssh = hostname: [
+  ssh = username: hostname: [
     "cp" sshPrivateKey "/tmp/ssh_key" ";"
     "chmod" "0400" "/tmp/ssh_key" ";"
-    "ssh" "-oStrictHostKeyChecking=no" "-i" "/tmp/ssh_key" "probeuser@${hostname}" ":"
+    "ssh" "-oStrictHostKeyChecking=no" "-i" "/tmp/ssh_key" "${username}@${hostname}" ":"
   ];
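Review bot: The helper still creates `/tmp/ssh_key` with `cp` and only then tightens it with `chmod`, so the private key briefly exists with the caller's default umask at a predictable path; `install -m 0400 ${sshPrivateKey} /tmp/ssh_key` sets the mode atomically at creation and drops a line: `"install" "-m" "0400" sshPrivateKey "/tmp/ssh_key" ";"`. In a throwaway test VM this is harmless, but test helpers get copied into real tooling. The new `${username}@${hostname}` form also means a failed key auth for root can now fall through to a password prompt and hang the test instead of failing; adding `"-oBatchMode=yes"` next to `-oStrictHostKeyChecking=no` makes ssh fail fast when the key is not accepted, which is the property this probe is meant to check.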
 
   # Separate helper programs so we can write as little perl inside a string
@@ -186,9 +187,11 @@ import <nixpkgs/nixos/tests/make-test.nix> {
       # doesn't prove it is so but if it fails it's a pretty good indication
       # it isn't so.
       $storage->waitForOpenPort(22);
-      ${runOnNode "issuer" (ssh "storage")}
+      ${runOnNode "issuer" (ssh "probeuser" "storage")}
+      ${runOnNode "issuer" (ssh "root" "storage")}
       $issuer->waitForOpenPort(22);
-      ${runOnNode "storage" (ssh "issuer")}
+      ${runOnNode "storage" (ssh "probeuser" "issuer")}
+      ${runOnNode "storage" (ssh "root" "issuer")}
 
       # Set up a Tahoe-LAFS introducer.
       $introducer->copyFileFromHost(
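Review bot: The two added `ssh "root" ...` probes exercise the special case introduced in ssh.nix but nothing in the hunk says so, and a later reader may think the root login is incidental; a comment above L52 such as `# root is listed in sshUsers too: check the isNormalUser special case in ssh.nix still installs its key.` would tie the test to the behaviour it guards. If `runOnNode` only checks the exit status (its definition is outside this hunk), the probe passes as long as some login as that user succeeds, and the surrounding comment at L47-48 already concedes it is only a weak positive; there is no negative check that a key absent from `sshUsers` is rejected. The enclosing test script starts before and continues after this hunk.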
-- 
GitLab