
nixos/pam: avoid extra lines in pam files

authored by Victor Engmark and committed by Victor Engmark ef58bbf9 e2c7d2b8

+191 -137
nixos/modules/security/pam.nix
··· 410 410 # Samba stuff to the Samba module. This requires that the PAM 411 411 # module provides the right hooks. 412 412 text = mkDefault 413 - ('' 414 - # Account management. 415 - account required pam_unix.so 416 - ${optionalString use_ldap 417 - "account sufficient ${pam_ldap}/lib/security/pam_ldap.so"} 418 - ${optionalString (config.services.sssd.enable && cfg.sssdStrictAccess==false) 419 - "account sufficient ${pkgs.sssd}/lib/security/pam_sss.so"} 420 - ${optionalString (config.services.sssd.enable && cfg.sssdStrictAccess) 421 - "account [default=bad success=ok user_unknown=ignore] ${pkgs.sssd}/lib/security/pam_sss.so"} 422 - ${optionalString config.krb5.enable 423 - "account sufficient ${pam_krb5}/lib/security/pam_krb5.so"} 424 - ${optionalString cfg.googleOsLoginAccountVerification '' 413 + ( 414 + '' 415 + # Account management. 416 + account required pam_unix.so 417 + '' + 418 + optionalString use_ldap '' 419 + account sufficient ${pam_ldap}/lib/security/pam_ldap.so 420 + '' + 421 + optionalString (config.services.sssd.enable && cfg.sssdStrictAccess==false) '' 422 + account sufficient ${pkgs.sssd}/lib/security/pam_sss.so 423 + '' + 424 + optionalString (config.services.sssd.enable && cfg.sssdStrictAccess) '' 425 + account [default=bad success=ok user_unknown=ignore] ${pkgs.sssd}/lib/security/pam_sss.so 426 + '' + 427 + optionalString config.krb5.enable '' 428 + account sufficient ${pam_krb5}/lib/security/pam_krb5.so 429 + '' + 430 + optionalString cfg.googleOsLoginAccountVerification '' 425 431 account [success=ok ignore=ignore default=die] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so 426 432 account [success=ok default=ignore] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_admin.so 427 - ''} 433 + '' + 434 + '' 428 435 429 - # Authentication management. 
430 - ${optionalString cfg.googleOsLoginAuthentication 431 - "auth [success=done perm_denied=bad default=ignore] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so"} 432 - ${optionalString cfg.rootOK 433 - "auth sufficient pam_rootok.so"} 434 - ${optionalString cfg.requireWheel 435 - "auth required pam_wheel.so use_uid"} 436 - ${optionalString cfg.logFailures 437 - "auth required pam_faillock.so"} 438 - ${optionalString (config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth) 439 - "auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=${lib.concatStringsSep ":" config.services.openssh.authorizedKeysFiles}"} 440 - ${let p11 = config.security.pam.p11; in optionalString cfg.p11Auth 441 - "auth ${p11.control} ${pkgs.pam_p11}/lib/security/pam_p11.so ${pkgs.opensc}/lib/opensc-pkcs11.so"} 442 - ${let u2f = config.security.pam.u2f; in optionalString cfg.u2fAuth 443 - "auth ${u2f.control} ${pkgs.pam_u2f}/lib/security/pam_u2f.so ${optionalString u2f.debug "debug"} ${optionalString (u2f.authFile != null) "authfile=${u2f.authFile}"} ${optionalString u2f.interactive "interactive"} ${optionalString u2f.cue "cue"} ${optionalString (u2f.appId != null) "appid=${u2f.appId}"}"} 444 - ${optionalString cfg.usbAuth 445 - "auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so"} 446 - ${let oath = config.security.pam.oath; in optionalString cfg.oathAuth 447 - "auth requisite ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}"} 448 - ${let yubi = config.security.pam.yubico; in optionalString cfg.yubicoAuth 449 - "auth ${yubi.control} ${pkgs.yubico-pam}/lib/security/pam_yubico.so mode=${toString yubi.mode} ${optionalString (yubi.challengeResponsePath != null) "chalresp_path=${yubi.challengeResponsePath}"} ${optionalString (yubi.mode == "client") "id=${toString yubi.id}"} ${optionalString yubi.debug "debug"}"} 450 - ${optionalString cfg.fprintAuth 451 - 
"auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so"} 452 - '' + 436 + # Authentication management. 437 + '' + 438 + optionalString cfg.googleOsLoginAuthentication '' 439 + auth [success=done perm_denied=bad default=ignore] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so 440 + '' + 441 + optionalString cfg.rootOK '' 442 + auth sufficient pam_rootok.so 443 + '' + 444 + optionalString cfg.requireWheel '' 445 + auth required pam_wheel.so use_uid 446 + '' + 447 + optionalString cfg.logFailures '' 448 + auth required pam_faillock.so 449 + '' + 450 + optionalString (config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth) '' 451 + auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=${lib.concatStringsSep ":" config.services.openssh.authorizedKeysFiles} 452 + '' + 453 + (let p11 = config.security.pam.p11; in optionalString cfg.p11Auth '' 454 + auth ${p11.control} ${pkgs.pam_p11}/lib/security/pam_p11.so ${pkgs.opensc}/lib/opensc-pkcs11.so 455 + '') + 456 + (let u2f = config.security.pam.u2f; in optionalString cfg.u2fAuth '' 457 + auth ${u2f.control} ${pkgs.pam_u2f}/lib/security/pam_u2f.so ${optionalString u2f.debug "debug"} ${optionalString (u2f.authFile != null) "authfile=${u2f.authFile}"} ${optionalString u2f.interactive "interactive"} ${optionalString u2f.cue "cue"} ${optionalString (u2f.appId != null) "appid=${u2f.appId}"} 458 + '') + 459 + optionalString cfg.usbAuth '' 460 + auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so 461 + '' + 462 + (let oath = config.security.pam.oath; in optionalString cfg.oathAuth '' 463 + auth requisite ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits} 464 + '') + 465 + (let yubi = config.security.pam.yubico; in optionalString cfg.yubicoAuth '' 466 + auth ${yubi.control} ${pkgs.yubico-pam}/lib/security/pam_yubico.so mode=${toString yubi.mode} ${optionalString (yubi.challengeResponsePath != 
null) "chalresp_path=${yubi.challengeResponsePath}"} ${optionalString (yubi.mode == "client") "id=${toString yubi.id}"} ${optionalString yubi.debug "debug"} 467 + '') + 468 + optionalString cfg.fprintAuth '' 469 + auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so 470 + '' + 453 471 # Modules in this block require having the password set in PAM_AUTHTOK. 454 472 # pam_unix is marked as 'sufficient' on NixOS which means nothing will run 455 473 # after it succeeds. Certain modules need to run after pam_unix ··· 457 475 # earlier point and it will run again with 'sufficient' further down. 458 476 # We use try_first_pass the second time to avoid prompting password twice 459 477 (optionalString (cfg.unixAuth && 460 - (config.security.pam.enableEcryptfs 461 - || cfg.pamMount 462 - || cfg.enableKwallet 463 - || cfg.enableGnomeKeyring 464 - || cfg.googleAuthenticator.enable 465 - || cfg.gnupg.enable 466 - || cfg.duoSecurity.enable)) '' 467 - auth required pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth 468 - ${optionalString config.security.pam.enableEcryptfs 469 - "auth optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"} 470 - ${optionalString cfg.pamMount 471 - "auth optional ${pkgs.pam_mount}/lib/security/pam_mount.so disable_interactive"} 472 - ${optionalString cfg.enableKwallet 473 - ("auth optional ${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so" + 474 - " kwalletd=${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5")} 475 - ${optionalString cfg.enableGnomeKeyring 476 - "auth optional ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so"} 477 - ${optionalString cfg.gnupg.enable 478 - "auth optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so" 479 - + optionalString cfg.gnupg.storeOnly " store-only" 480 - } 481 - ${optionalString cfg.googleAuthenticator.enable 482 - "auth required ${pkgs.googleAuthenticator}/lib/security/pam_google_authenticator.so 
no_increment_hotp"} 483 - ${optionalString cfg.duoSecurity.enable 484 - "auth required ${pkgs.duo-unix}/lib/security/pam_duo.so"} 485 - '') + '' 486 - ${optionalString cfg.unixAuth 487 - "auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth try_first_pass"} 488 - ${optionalString cfg.otpwAuth 489 - "auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"} 490 - ${optionalString use_ldap 491 - "auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass"} 492 - ${optionalString config.services.sssd.enable 493 - "auth sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_first_pass"} 494 - ${optionalString config.krb5.enable '' 478 + (config.security.pam.enableEcryptfs 479 + || cfg.pamMount 480 + || cfg.enableKwallet 481 + || cfg.enableGnomeKeyring 482 + || cfg.googleAuthenticator.enable 483 + || cfg.gnupg.enable 484 + || cfg.duoSecurity.enable)) 485 + ( 486 + '' 487 + auth required pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth 488 + '' + 489 + optionalString config.security.pam.enableEcryptfs '' 490 + auth optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap 491 + '' + 492 + optionalString cfg.pamMount '' 493 + auth optional ${pkgs.pam_mount}/lib/security/pam_mount.so disable_interactive 494 + '' + 495 + optionalString cfg.enableKwallet '' 496 + auth optional ${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so kwalletd=${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5 497 + '' + 498 + optionalString cfg.enableGnomeKeyring '' 499 + auth optional ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so 500 + '' + 501 + optionalString cfg.gnupg.enable '' 502 + auth optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so ${optionalString cfg.gnupg.storeOnly " store-only"} 503 + '' + 504 + optionalString cfg.googleAuthenticator.enable '' 505 + auth required 
${pkgs.googleAuthenticator}/lib/security/pam_google_authenticator.so no_increment_hotp 506 + '' + 507 + optionalString cfg.duoSecurity.enable '' 508 + auth required ${pkgs.duo-unix}/lib/security/pam_duo.so 509 + '' 510 + )) + 511 + optionalString cfg.unixAuth '' 512 + auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth try_first_pass 513 + '' + 514 + optionalString cfg.otpwAuth '' 515 + auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so 516 + '' + 517 + optionalString use_ldap '' 518 + auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass 519 + '' + 520 + optionalString config.services.sssd.enable '' 521 + auth sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_first_pass 522 + '' + 523 + optionalString config.krb5.enable '' 495 524 auth [default=ignore success=1 service_err=reset] ${pam_krb5}/lib/security/pam_krb5.so use_first_pass 496 525 auth [default=die success=done] ${pam_ccreds}/lib/security/pam_ccreds.so action=validate use_first_pass 497 526 auth sufficient ${pam_ccreds}/lib/security/pam_ccreds.so action=store use_first_pass 498 - ''} 499 - auth required pam_deny.so 527 + '' + 528 + '' 529 + auth required pam_deny.so 500 530 501 - # Password management. 
502 - password sufficient pam_unix.so nullok sha512 503 - ${optionalString config.security.pam.enableEcryptfs 504 - "password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"} 505 - ${optionalString cfg.pamMount 506 - "password optional ${pkgs.pam_mount}/lib/security/pam_mount.so"} 507 - ${optionalString use_ldap 508 - "password sufficient ${pam_ldap}/lib/security/pam_ldap.so"} 509 - ${optionalString config.services.sssd.enable 510 - "password sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_authtok"} 511 - ${optionalString config.krb5.enable 512 - "password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass"} 513 - ${optionalString cfg.enableGnomeKeyring 514 - "password optional ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so use_authtok"} 531 + # Password management. 532 + password sufficient pam_unix.so nullok sha512 533 + '' + 534 + optionalString config.security.pam.enableEcryptfs '' 535 + password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so 536 + '' + 537 + optionalString cfg.pamMount '' 538 + password optional ${pkgs.pam_mount}/lib/security/pam_mount.so 539 + '' + 540 + optionalString use_ldap '' 541 + password sufficient ${pam_ldap}/lib/security/pam_ldap.so 542 + '' + 543 + optionalString config.services.sssd.enable '' 544 + password sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_authtok 545 + '' + 546 + optionalString config.krb5.enable '' 547 + password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass 548 + '' + 549 + optionalString cfg.enableGnomeKeyring '' 550 + password optional ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so use_authtok 551 + '' + 552 + '' 515 553 516 - # Session management. 517 - ${optionalString cfg.setEnvironment '' 554 + # Session management. 
555 + '' + 556 + optionalString cfg.setEnvironment '' 518 557 session required pam_env.so conffile=/etc/pam/environment readenv=0 519 - ''} 520 - session required pam_unix.so 521 - ${optionalString cfg.setLoginUid 522 - "session ${ 523 - if config.boot.isContainer then "optional" else "required" 524 - } pam_loginuid.so"} 525 - ${optionalString cfg.ttyAudit.enable 526 - "session required ${pkgs.pam}/lib/security/pam_tty_audit.so 558 + '' + 559 + '' 560 + session required pam_unix.so 561 + '' + 562 + optionalString cfg.setLoginUid '' 563 + session ${if config.boot.isContainer then "optional" else "required"} pam_loginuid.so 564 + '' + 565 + optionalString cfg.ttyAudit.enable '' 566 + session required ${pkgs.pam}/lib/security/pam_tty_audit.so 527 567 open_only=${toString cfg.ttyAudit.openOnly} 528 568 ${optionalString (cfg.ttyAudit.enablePattern != null) "enable=${cfg.ttyAudit.enablePattern}"} 529 569 ${optionalString (cfg.ttyAudit.disablePattern != null) "disable=${cfg.ttyAudit.disablePattern}"} 530 - "} 531 - ${optionalString cfg.makeHomeDir 532 - "session required ${pkgs.pam}/lib/security/pam_mkhomedir.so silent skel=${config.security.pam.makeHomeDir.skelDirectory} umask=0077"} 533 - ${optionalString cfg.updateWtmp 534 - "session required ${pkgs.pam}/lib/security/pam_lastlog.so silent"} 535 - ${optionalString config.security.pam.enableEcryptfs 536 - "session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"} 537 - ${optionalString cfg.pamMount 538 - "session optional ${pkgs.pam_mount}/lib/security/pam_mount.so disable_interactive"} 539 - ${optionalString use_ldap 540 - "session optional ${pam_ldap}/lib/security/pam_ldap.so"} 541 - ${optionalString config.services.sssd.enable 542 - "session optional ${pkgs.sssd}/lib/security/pam_sss.so"} 543 - ${optionalString config.krb5.enable 544 - "session optional ${pam_krb5}/lib/security/pam_krb5.so"} 545 - ${optionalString cfg.otpwAuth 546 - "session optional ${pkgs.otpw}/lib/security/pam_otpw.so"} 547 - 
${optionalString cfg.startSession 548 - "session optional ${pkgs.systemd}/lib/security/pam_systemd.so"} 549 - ${optionalString cfg.forwardXAuth 550 - "session optional pam_xauth.so xauthpath=${pkgs.xorg.xauth}/bin/xauth systemuser=99"} 551 - ${optionalString (cfg.limits != []) 552 - "session required ${pkgs.pam}/lib/security/pam_limits.so conf=${makeLimitsConf cfg.limits}"} 553 - ${optionalString (cfg.showMotd && config.users.motd != null) 554 - "session optional ${pkgs.pam}/lib/security/pam_motd.so motd=${motd}"} 555 - ${optionalString (cfg.enableAppArmor && config.security.apparmor.enable) 556 - "session optional ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so order=user,group,default debug"} 557 - ${optionalString (cfg.enableKwallet) 558 - ("session optional ${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so" + 559 - " kwalletd=${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5")} 560 - ${optionalString (cfg.enableGnomeKeyring) 561 - "session optional ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start"} 562 - ${optionalString cfg.gnupg.enable 563 - "session optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so" 564 - + optionalString cfg.gnupg.noAutostart " no-autostart" 565 - } 566 - ${optionalString (config.virtualisation.lxc.lxcfs.enable) 567 - "session optional ${pkgs.lxc}/lib/security/pam_cgfs.so -c all"} 568 - ''); 570 + '' + 571 + optionalString cfg.makeHomeDir '' 572 + session required ${pkgs.pam}/lib/security/pam_mkhomedir.so silent skel=${config.security.pam.makeHomeDir.skelDirectory} umask=0077 573 + '' + 574 + optionalString cfg.updateWtmp '' 575 + session required ${pkgs.pam}/lib/security/pam_lastlog.so silent 576 + '' + 577 + optionalString config.security.pam.enableEcryptfs '' 578 + session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so 579 + '' + 580 + optionalString cfg.pamMount '' 581 + session optional ${pkgs.pam_mount}/lib/security/pam_mount.so disable_interactive 582 + '' + 583 + optionalString 
use_ldap '' 584 + session optional ${pam_ldap}/lib/security/pam_ldap.so 585 + '' + 586 + optionalString config.services.sssd.enable '' 587 + session optional ${pkgs.sssd}/lib/security/pam_sss.so 588 + '' + 589 + optionalString config.krb5.enable '' 590 + session optional ${pam_krb5}/lib/security/pam_krb5.so 591 + '' + 592 + optionalString cfg.otpwAuth '' 593 + session optional ${pkgs.otpw}/lib/security/pam_otpw.so 594 + '' + 595 + optionalString cfg.startSession '' 596 + session optional ${pkgs.systemd}/lib/security/pam_systemd.so 597 + '' + 598 + optionalString cfg.forwardXAuth '' 599 + session optional pam_xauth.so xauthpath=${pkgs.xorg.xauth}/bin/xauth systemuser=99 600 + '' + 601 + optionalString (cfg.limits != []) '' 602 + session required ${pkgs.pam}/lib/security/pam_limits.so conf=${makeLimitsConf cfg.limits} 603 + '' + 604 + optionalString (cfg.showMotd && config.users.motd != null) '' 605 + session optional ${pkgs.pam}/lib/security/pam_motd.so motd=${motd} 606 + '' + 607 + optionalString (cfg.enableAppArmor && config.security.apparmor.enable) '' 608 + session optional ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so order=user,group,default debug 609 + '' + 610 + optionalString (cfg.enableKwallet) '' 611 + session optional ${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so kwalletd=${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5 612 + '' + 613 + optionalString (cfg.enableGnomeKeyring) '' 614 + session optional ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start 615 + '' + 616 + optionalString cfg.gnupg.enable '' 617 + session optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so ${optionalString cfg.gnupg.noAutostart " no-autostart"} 618 + '' + 619 + optionalString (config.virtualisation.lxc.lxcfs.enable) '' 620 + session optional ${pkgs.lxc}/lib/security/pam_cgfs.so -c all 621 + '' 622 + ); 569 623 }; 570 624 571 625 };
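Review bot: The pam_tty_audit entry (new lines 566-569) still emits its options on separate indented lines, which is the "extra lines" problem this commit sets out to remove: Nix indented strings strip only the common leading whitespace, so `open_only=…`, `enable=…` and `disable=…` come out as their own lines, and as far as I can tell Linux-PAM joins continuation lines only when they end in a backslash, so each of them is read as a separate, malformed rule rather than as arguments to pam_tty_audit.so. Collapsing the rule to one line keeps the intended behaviour: `session required ${pkgs.pam}/lib/security/pam_tty_audit.so open_only=${toString cfg.ttyAudit.openOnly} ${optionalString (cfg.ttyAudit.enablePattern != null) "enable=${cfg.ttyAudit.enablePattern}"} ${optionalString (cfg.ttyAudit.disablePattern != null) "disable=${cfg.ttyAudit.disablePattern}"}`. A smaller point of style: new lines 502 and 617 place a space before `${…}` but keep the leading space inside `" store-only"` and `" no-autostart"`, so the rendered line carries a double space; PAM tolerates it, but dropping the leading space inside the literals would keep the output tidy. The `text = mkDefault (…)` expression is shown in full, but the attribute set that contains it begins before the hunk.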