Merge pull request #184553 from danc86/krb-no-pam

authored by Franz Pletz and committed by GitHub 999d90d2 175ac7cf

+26 -6
+26 -6
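--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -453,7 +453,7 @@
 optionalString (config.services.sssd.enable && cfg.sssdStrictAccess) ''
 account [default=bad success=ok user_unknown=ignore] ${pkgs.sssd}/lib/security/pam_sss.so
 '' +
-optionalString config.krb5.enable ''
+optionalString config.security.pam.krb5.enable ''
 account sufficient ${pam_krb5}/lib/security/pam_krb5.so
 '' +
 optionalString cfg.googleOsLoginAccountVerification ''
@@ -553,7 +553,7 @@
 optionalString config.services.sssd.enable ''
 auth sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_first_pass
 '' +
-optionalString config.krb5.enable ''
+optionalString config.security.pam.krb5.enable ''
 auth [default=ignore success=1 service_err=reset] ${pam_krb5}/lib/security/pam_krb5.so use_first_pass
 auth [default=die success=done] ${pam_ccreds}/lib/security/pam_ccreds.so action=validate use_first_pass
 auth sufficient ${pam_ccreds}/lib/security/pam_ccreds.so action=store use_first_pass
@@ -576,7 +576,7 @@
 optionalString config.services.sssd.enable ''
 password sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_authtok
 '' +
-optionalString config.krb5.enable ''
+optionalString config.security.pam.krb5.enable ''
 password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass
 '' +
 optionalString cfg.enableGnomeKeyring ''
@@ -619,7 +619,7 @@
 optionalString config.services.sssd.enable ''
 session optional ${pkgs.sssd}/lib/security/pam_sss.so
 '' +
-optionalString config.krb5.enable ''
+optionalString config.security.pam.krb5.enable ''
 session optional ${pam_krb5}/lib/security/pam_krb5.so
 '' +
 optionalString cfg.otpwAuth ''
@@ -802,6 +802,26 @@
 
 security.pam.enableOTPW = mkEnableOption "the OTPW (one-time password) PAM module";
 
+security.pam.krb5 = {
+enable = mkOption {
+default = config.krb5.enable;
+defaultText = literalExpression "config.krb5.enable";
+
+type = types.bool;
+description = ''
+Enables Kerberos PAM modules (<literal>pam-krb5</literal>,
+<literal>pam-ccreds</literal>).
+
+If set, users can authenticate with their Kerberos password.
+This requires a valid Kerberos configuration
+(<literal>config.krb5.enable</literal> should be set to
+<literal>true</literal>).
+
+Note that the Kerberos PAM modules are not necessary when using SSS
+to handle Kerberos authentication.
+'';
+};
+};
+
 security.pam.p11 = {
 enable = mkOption {
 default = false;
@@ -1147,7 +1167,7 @@
 [ pkgs.pam ]
 ++ optional config.users.ldap.enable pam_ldap
 ++ optional config.services.sssd.enable pkgs.sssd
-++ optionals config.krb5.enable [pam_krb5 pam_ccreds]
+++ optionals config.security.pam.krb5.enable [pam_krb5 pam_ccreds]
 ++ optionals config.security.pam.enableOTPW [ pkgs.otpw ]
 ++ optionals config.security.pam.oath.enable [ pkgs.oath-toolkit ]
 ++ optionals config.security.pam.p11.enable [ pkgs.pam_p11 ]
@@ -1211,7 +1231,7 @@
 optionalString config.services.sssd.enable ''
 mr ${pkgs.sssd}/lib/security/pam_sss.so,
 '' +
-optionalString config.krb5.enable ''
+optionalString config.security.pam.krb5.enable ''
 mr ${pam_krb5}/lib/security/pam_krb5.so,
 mr ${pam_ccreds}/lib/security/pam_ccreds.so,
 '' +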
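Review bot: The new `security.pam.krb5.enable` option can be set to true while `config.krb5.enable` stays false, and the description only says the latter "should be" true; nothing in this file section enforces it, so `pam_krb5.so` would be wired into every auth/account/password/session stack without the Kerberos configuration the krb5 module provides. An assertion in the module's `config` block (outside these hunks), e.g. `{ assertion = config.security.pam.krb5.enable -> config.krb5.enable; message = "security.pam.krb5.enable requires krb5.enable to provide a Kerberos configuration"; }`, would turn that misconfiguration into an evaluation error instead of a runtime authentication failure. The option description should also state what enabling it implies for credential caching: the auth stack it now guards runs `pam_ccreds.so action=store` after a successful Kerberos login and, when `pam_krb5` returns `service_err`, resets and falls through to `pam_ccreds.so action=validate`, so a previously used password appears to keep working locally while the KDC is unreachable; a sentence such as `Successful logins are cached by pam-ccreds and validated against that cache when the KDC cannot be reached.` would make that visible to administrators before they enable it.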