Merge pull request #184553 from danc86/krb-no-pam

authored by Franz Pletz and committed by GitHub 999d90d2 175ac7cf

+26 -6
+26 -6
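--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -453,7 +453,7 @@
 optionalString (config.services.sssd.enable && cfg.sssdStrictAccess) ''
 account [default=bad success=ok user_unknown=ignore] ${pkgs.sssd}/lib/security/pam_sss.so
 '' +
-optionalString config.krb5.enable ''
+optionalString config.security.pam.krb5.enable ''
 account sufficient ${pam_krb5}/lib/security/pam_krb5.so
 '' +
 optionalString cfg.googleOsLoginAccountVerification ''
@@ -553,7 +553,7 @@
 optionalString config.services.sssd.enable ''
 auth sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_first_pass
 '' +
-optionalString config.krb5.enable ''
+optionalString config.security.pam.krb5.enable ''
 auth [default=ignore success=1 service_err=reset] ${pam_krb5}/lib/security/pam_krb5.so use_first_pass
 auth [default=die success=done] ${pam_ccreds}/lib/security/pam_ccreds.so action=validate use_first_pass
 auth sufficient ${pam_ccreds}/lib/security/pam_ccreds.so action=store use_first_pass
@@ -576,7 +576,7 @@
 optionalString config.services.sssd.enable ''
 password sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_authtok
 '' +
-optionalString config.krb5.enable ''
+optionalString config.security.pam.krb5.enable ''
 password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass
 '' +
 optionalString cfg.enableGnomeKeyring ''
@@ -619,7 +619,7 @@
 optionalString config.services.sssd.enable ''
 session optional ${pkgs.sssd}/lib/security/pam_sss.so
 '' +
-optionalString config.krb5.enable ''
+optionalString config.security.pam.krb5.enable ''
 session optional ${pam_krb5}/lib/security/pam_krb5.so
 '' +
 optionalString cfg.otpwAuth ''
@@ -802,6 +802,26 @@
 
 security.pam.enableOTPW = mkEnableOption "the OTPW (one-time password) PAM module";
 
+security.pam.krb5 = {
+enable = mkOption {
+default = config.krb5.enable;
+defaultText = literalExpression "config.krb5.enable";
+type = types.bool;
+description = ''
+Enables Kerberos PAM modules (<literal>pam-krb5</literal>,
+<literal>pam-ccreds</literal>).
+
+If set, users can authenticate with their Kerberos password.
+This requires a valid Kerberos configuration
+(<literal>config.krb5.enable</literal> should be set to
+<literal>true</literal>).
+
+Note that the Kerberos PAM modules are not necessary when using SSS
+to handle Kerberos authentication.
+'';
+};
+};
+
 security.pam.p11 = {
 enable = mkOption {
 default = false;
@@ -1147,7 +1167,7 @@
 [ pkgs.pam ]
 ++ optional config.users.ldap.enable pam_ldap
 ++ optional config.services.sssd.enable pkgs.sssd
-++ optionals config.krb5.enable [pam_krb5 pam_ccreds]
+++ optionals config.security.pam.krb5.enable [pam_krb5 pam_ccreds]
 ++ optionals config.security.pam.enableOTPW [ pkgs.otpw ]
 ++ optionals config.security.pam.oath.enable [ pkgs.oath-toolkit ]
 ++ optionals config.security.pam.p11.enable [ pkgs.pam_p11 ]
@@ -1211,7 +1231,7 @@
 optionalString config.services.sssd.enable ''
 mr ${pkgs.sssd}/lib/security/pam_sss.so,
 '' +
-optionalString config.krb5.enable ''
+optionalString config.security.pam.krb5.enable ''
 mr ${pam_krb5}/lib/security/pam_krb5.so,
 mr ${pam_ccreds}/lib/security/pam_ccreds.so,
 '' +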
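Review bot: The new `security.pam.krb5.enable` option's description (new lines 815-817) says a valid Kerberos configuration is required and that `config.krb5.enable` should be true, but nothing in the change enforces that; an explicit `security.pam.krb5.enable = true` with `krb5.enable = false` is silently accepted and loads pam_krb5 and pam_ccreds into the account, auth, password and session stacks without the krb5 configuration the modules expect. The documented precondition should be checked at evaluation time, presumably in this module's `assertions` list (its location is outside the hunk), e.g. `{ assertion = config.security.pam.krb5.enable -> config.krb5.enable; message = "security.pam.krb5.enable requires config.krb5.enable = true"; }`. The default of `config.krb5.enable` keeps existing configurations behaving as before, which is worth stating in the option description so readers understand why the option exists at all (to allow Kerberos without PAM, per the PR title).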