lol

nixos/sudo: Move support for `pam_ssh_agent_auth(8)` to PAM's NixOS module

nicoo 19e1420e ad929515

+9 -5
+5 -1
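--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -1531,6 +1531,10 @@
 (map (module: "mr ${module},"))
 concatLines
 ]);
-};
 
+security.sudo.extraConfig = optionalString config.security.pam.enableSSHAgentAuth ''
+# Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
+Defaults env_keep+=SSH_AUTH_SOCK
+'';
+};
 }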
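Review bot: The `Defaults env_keep+=SSH_AUTH_SOCK` line added here is gated by `optionalString config.security.pam.enableSSHAgentAuth`, whereas the copy this commit removes from sudo.nix was written into sudoers unconditionally, so this is a behaviour change rather than the plain move the title describes. Narrowing it is the safer default, because sudo then stops passing the caller's agent socket into privileged commands unless the PAM module needs it, but hosts that relied on the variable surviving `sudo` will lose it without warning. I would state this in the commit message or release notes and extend the comment to `# Only kept when enableSSHAgentAuth is set; sudo drops SSH_AUTH_SOCK otherwise.` The enclosing attribute set starts above the visible lines.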
+4 -4
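--- a/nixos/modules/security/sudo.nix
+++ b/nixos/modules/security/sudo.nix
@@ -6,6 +6,8 @@
 
 cfg = config.security.sudo;
 
+inherit (config.security.pam) enableSSHAgentAuth;
+
 toUserString = user: if (isInt user) then "#${toString user}" else "${user}";
 toGroupString = group: if (isInt group) then "%#${toString group}" else "%${group}";
 
@@ -207,10 +209,8 @@
 ''
 # Don't edit this file. Set the NixOS options ‘security.sudo.configFile’
 # or ‘security.sudo.extraRules’ instead.
-
-# Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
-Defaults env_keep+=SSH_AUTH_SOCK
-
+''
+''
 # "root" is allowed to do anything.
 root ALL=(ALL:ALL) SETENV: ALL
 ''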
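Review bot: The new `inherit (config.security.pam) enableSSHAgentAuth;` binding in the first hunk is not referenced by any changed line in this file, and the second hunk only removes the `env_keep` lines that pam.nix now emits. The lines collapsed between the two hunks are unchanged by this commit, so they presumably do not read the name either, which makes this look like a dead binding. Either drop it or add a comment such as `# read by <consumer> below` naming what uses it. The surrounding `let` block and the expression holding the `''` strings both extend outside the view.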