nixos/pam: avoid extra lines in pam files

authored by

Victor Engmark and committed by
Victor Engmark
ef58bbf9 e2c7d2b8

+191 -137
nixos/modules/security/pam.nix
··· 410 410 # Samba stuff to the Samba module. This requires that the PAM 411 411 # module provides the right hooks. 412 412 text = mkDefault 413 - ('' 414 - # Account management. 415 - account required pam_unix.so 416 - ${optionalString use_ldap 417 - "account sufficient ${pam_ldap}/lib/security/pam_ldap.so"} 418 - ${optionalString (config.services.sssd.enable && cfg.sssdStrictAccess==false) 419 - "account sufficient ${pkgs.sssd}/lib/security/pam_sss.so"} 420 - ${optionalString (config.services.sssd.enable && cfg.sssdStrictAccess) 421 - "account [default=bad success=ok user_unknown=ignore] ${pkgs.sssd}/lib/security/pam_sss.so"} 422 - ${optionalString config.krb5.enable 423 - "account sufficient ${pam_krb5}/lib/security/pam_krb5.so"} 424 - ${optionalString cfg.googleOsLoginAccountVerification '' 413 + ( 414 + '' 415 + # Account management. 416 + account required pam_unix.so 417 + '' + 418 + optionalString use_ldap '' 419 + account sufficient ${pam_ldap}/lib/security/pam_ldap.so 420 + '' + 421 + optionalString (config.services.sssd.enable && cfg.sssdStrictAccess==false) '' 422 + account sufficient ${pkgs.sssd}/lib/security/pam_sss.so 423 + '' + 424 + optionalString (config.services.sssd.enable && cfg.sssdStrictAccess) '' 425 + account [default=bad success=ok user_unknown=ignore] ${pkgs.sssd}/lib/security/pam_sss.so 426 + '' + 427 + optionalString config.krb5.enable '' 428 + account sufficient ${pam_krb5}/lib/security/pam_krb5.so 429 + '' + 430 + optionalString cfg.googleOsLoginAccountVerification '' 425 431 account [success=ok ignore=ignore default=die] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so 426 432 account [success=ok default=ignore] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_admin.so 427 - ''} 433 + '' + 434 + '' 428 435 429 - # Authentication management. 
430 - ${optionalString cfg.googleOsLoginAuthentication 431 - "auth [success=done perm_denied=bad default=ignore] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so"} 432 - ${optionalString cfg.rootOK 433 - "auth sufficient pam_rootok.so"} 434 - ${optionalString cfg.requireWheel 435 - "auth required pam_wheel.so use_uid"} 436 - ${optionalString cfg.logFailures 437 - "auth required pam_faillock.so"} 438 - ${optionalString (config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth) 439 - "auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=${lib.concatStringsSep ":" config.services.openssh.authorizedKeysFiles}"} 440 - ${let p11 = config.security.pam.p11; in optionalString cfg.p11Auth 441 - "auth ${p11.control} ${pkgs.pam_p11}/lib/security/pam_p11.so ${pkgs.opensc}/lib/opensc-pkcs11.so"} 442 - ${let u2f = config.security.pam.u2f; in optionalString cfg.u2fAuth 443 - "auth ${u2f.control} ${pkgs.pam_u2f}/lib/security/pam_u2f.so ${optionalString u2f.debug "debug"} ${optionalString (u2f.authFile != null) "authfile=${u2f.authFile}"} ${optionalString u2f.interactive "interactive"} ${optionalString u2f.cue "cue"} ${optionalString (u2f.appId != null) "appid=${u2f.appId}"}"} 444 - ${optionalString cfg.usbAuth 445 - "auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so"} 446 - ${let oath = config.security.pam.oath; in optionalString cfg.oathAuth 447 - "auth requisite ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}"} 448 - ${let yubi = config.security.pam.yubico; in optionalString cfg.yubicoAuth 449 - "auth ${yubi.control} ${pkgs.yubico-pam}/lib/security/pam_yubico.so mode=${toString yubi.mode} ${optionalString (yubi.challengeResponsePath != null) "chalresp_path=${yubi.challengeResponsePath}"} ${optionalString (yubi.mode == "client") "id=${toString yubi.id}"} ${optionalString yubi.debug "debug"}"} 450 - ${optionalString cfg.fprintAuth 451 - 
"auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so"} 452 - '' + 436 + # Authentication management. 437 + '' + 438 + optionalString cfg.googleOsLoginAuthentication '' 439 + auth [success=done perm_denied=bad default=ignore] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so 440 + '' + 441 + optionalString cfg.rootOK '' 442 + auth sufficient pam_rootok.so 443 + '' + 444 + optionalString cfg.requireWheel '' 445 + auth required pam_wheel.so use_uid 446 + '' + 447 + optionalString cfg.logFailures '' 448 + auth required pam_faillock.so 449 + '' + 450 + optionalString (config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth) '' 451 + auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=${lib.concatStringsSep ":" config.services.openssh.authorizedKeysFiles} 452 + '' + 453 + (let p11 = config.security.pam.p11; in optionalString cfg.p11Auth '' 454 + auth ${p11.control} ${pkgs.pam_p11}/lib/security/pam_p11.so ${pkgs.opensc}/lib/opensc-pkcs11.so 455 + '') + 456 + (let u2f = config.security.pam.u2f; in optionalString cfg.u2fAuth '' 457 + auth ${u2f.control} ${pkgs.pam_u2f}/lib/security/pam_u2f.so ${optionalString u2f.debug "debug"} ${optionalString (u2f.authFile != null) "authfile=${u2f.authFile}"} ${optionalString u2f.interactive "interactive"} ${optionalString u2f.cue "cue"} ${optionalString (u2f.appId != null) "appid=${u2f.appId}"} 458 + '') + 459 + optionalString cfg.usbAuth '' 460 + auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so 461 + '' + 462 + (let oath = config.security.pam.oath; in optionalString cfg.oathAuth '' 463 + auth requisite ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits} 464 + '') + 465 + (let yubi = config.security.pam.yubico; in optionalString cfg.yubicoAuth '' 466 + auth ${yubi.control} ${pkgs.yubico-pam}/lib/security/pam_yubico.so mode=${toString yubi.mode} ${optionalString (yubi.challengeResponsePath != 
null) "chalresp_path=${yubi.challengeResponsePath}"} ${optionalString (yubi.mode == "client") "id=${toString yubi.id}"} ${optionalString yubi.debug "debug"} 467 + '') + 468 + optionalString cfg.fprintAuth '' 469 + auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so 470 + '' + 453 471 # Modules in this block require having the password set in PAM_AUTHTOK. 454 472 # pam_unix is marked as 'sufficient' on NixOS which means nothing will run 455 473 # after it succeeds. Certain modules need to run after pam_unix ··· 475 457 # earlier point and it will run again with 'sufficient' further down. 476 458 # We use try_first_pass the second time to avoid prompting password twice 477 459 (optionalString (cfg.unixAuth && 478 - (config.security.pam.enableEcryptfs 479 - || cfg.pamMount 480 - || cfg.enableKwallet 481 - || cfg.enableGnomeKeyring 482 - || cfg.googleAuthenticator.enable 483 - || cfg.gnupg.enable 484 - || cfg.duoSecurity.enable)) '' 485 - auth required pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth 486 - ${optionalString config.security.pam.enableEcryptfs 487 - "auth optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"} 488 - ${optionalString cfg.pamMount 489 - "auth optional ${pkgs.pam_mount}/lib/security/pam_mount.so disable_interactive"} 490 - ${optionalString cfg.enableKwallet 491 - ("auth optional ${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so" + 492 - " kwalletd=${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5")} 493 - ${optionalString cfg.enableGnomeKeyring 494 - "auth optional ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so"} 495 - ${optionalString cfg.gnupg.enable 496 - "auth optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so" 497 - + optionalString cfg.gnupg.storeOnly " store-only" 498 - } 499 - ${optionalString cfg.googleAuthenticator.enable 500 - "auth required ${pkgs.googleAuthenticator}/lib/security/pam_google_authenticator.so 
no_increment_hotp"} 501 - ${optionalString cfg.duoSecurity.enable 502 - "auth required ${pkgs.duo-unix}/lib/security/pam_duo.so"} 503 - '') + '' 504 - ${optionalString cfg.unixAuth 505 - "auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth try_first_pass"} 506 - ${optionalString cfg.otpwAuth 507 - "auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"} 508 - ${optionalString use_ldap 509 - "auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass"} 510 - ${optionalString config.services.sssd.enable 511 - "auth sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_first_pass"} 512 - ${optionalString config.krb5.enable '' 460 + (config.security.pam.enableEcryptfs 461 + || cfg.pamMount 462 + || cfg.enableKwallet 463 + || cfg.enableGnomeKeyring 464 + || cfg.googleAuthenticator.enable 465 + || cfg.gnupg.enable 466 + || cfg.duoSecurity.enable)) 467 + ( 468 + '' 469 + auth required pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth 470 + '' + 471 + optionalString config.security.pam.enableEcryptfs '' 472 + auth optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap 473 + '' + 474 + optionalString cfg.pamMount '' 475 + auth optional ${pkgs.pam_mount}/lib/security/pam_mount.so disable_interactive 476 + '' + 477 + optionalString cfg.enableKwallet '' 478 + auth optional ${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so kwalletd=${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5 479 + '' + 480 + optionalString cfg.enableGnomeKeyring '' 481 + auth optional ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so 482 + '' + 483 + optionalString cfg.gnupg.enable '' 484 + auth optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so ${optionalString cfg.gnupg.storeOnly " store-only"} 485 + '' + 486 + optionalString cfg.googleAuthenticator.enable '' 487 + auth required 
${pkgs.googleAuthenticator}/lib/security/pam_google_authenticator.so no_increment_hotp 488 + '' + 489 + optionalString cfg.duoSecurity.enable '' 490 + auth required ${pkgs.duo-unix}/lib/security/pam_duo.so 491 + '' 492 + )) + 493 + optionalString cfg.unixAuth '' 494 + auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth try_first_pass 495 + '' + 496 + optionalString cfg.otpwAuth '' 497 + auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so 498 + '' + 499 + optionalString use_ldap '' 500 + auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass 501 + '' + 502 + optionalString config.services.sssd.enable '' 503 + auth sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_first_pass 504 + '' + 505 + optionalString config.krb5.enable '' 513 506 auth [default=ignore success=1 service_err=reset] ${pam_krb5}/lib/security/pam_krb5.so use_first_pass 514 507 auth [default=die success=done] ${pam_ccreds}/lib/security/pam_ccreds.so action=validate use_first_pass 515 508 auth sufficient ${pam_ccreds}/lib/security/pam_ccreds.so action=store use_first_pass 516 - ''} 517 - auth required pam_deny.so 509 + '' + 510 + '' 511 + auth required pam_deny.so 518 512 519 - # Password management. 
520 - password sufficient pam_unix.so nullok sha512 521 - ${optionalString config.security.pam.enableEcryptfs 522 - "password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"} 523 - ${optionalString cfg.pamMount 524 - "password optional ${pkgs.pam_mount}/lib/security/pam_mount.so"} 525 - ${optionalString use_ldap 526 - "password sufficient ${pam_ldap}/lib/security/pam_ldap.so"} 527 - ${optionalString config.services.sssd.enable 528 - "password sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_authtok"} 529 - ${optionalString config.krb5.enable 530 - "password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass"} 531 - ${optionalString cfg.enableGnomeKeyring 532 - "password optional ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so use_authtok"} 513 + # Password management. 514 + password sufficient pam_unix.so nullok sha512 515 + '' + 516 + optionalString config.security.pam.enableEcryptfs '' 517 + password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so 518 + '' + 519 + optionalString cfg.pamMount '' 520 + password optional ${pkgs.pam_mount}/lib/security/pam_mount.so 521 + '' + 522 + optionalString use_ldap '' 523 + password sufficient ${pam_ldap}/lib/security/pam_ldap.so 524 + '' + 525 + optionalString config.services.sssd.enable '' 526 + password sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_authtok 527 + '' + 528 + optionalString config.krb5.enable '' 529 + password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass 530 + '' + 531 + optionalString cfg.enableGnomeKeyring '' 532 + password optional ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so use_authtok 533 + '' + 534 + '' 533 535 534 - # Session management. 535 - ${optionalString cfg.setEnvironment '' 536 + # Session management. 
537 + '' + 538 + optionalString cfg.setEnvironment '' 536 539 session required pam_env.so conffile=/etc/pam/environment readenv=0 537 - ''} 538 - session required pam_unix.so 539 - ${optionalString cfg.setLoginUid 540 - "session ${ 541 - if config.boot.isContainer then "optional" else "required" 542 - } pam_loginuid.so"} 543 - ${optionalString cfg.ttyAudit.enable 544 - "session required ${pkgs.pam}/lib/security/pam_tty_audit.so 540 + '' + 541 + '' 542 + session required pam_unix.so 543 + '' + 544 + optionalString cfg.setLoginUid '' 545 + session ${if config.boot.isContainer then "optional" else "required"} pam_loginuid.so 546 + '' + 547 + optionalString cfg.ttyAudit.enable '' 548 + session required ${pkgs.pam}/lib/security/pam_tty_audit.so 545 549 open_only=${toString cfg.ttyAudit.openOnly} 546 550 ${optionalString (cfg.ttyAudit.enablePattern != null) "enable=${cfg.ttyAudit.enablePattern}"} 547 551 ${optionalString (cfg.ttyAudit.disablePattern != null) "disable=${cfg.ttyAudit.disablePattern}"} 548 - "} 549 - ${optionalString cfg.makeHomeDir 550 - "session required ${pkgs.pam}/lib/security/pam_mkhomedir.so silent skel=${config.security.pam.makeHomeDir.skelDirectory} umask=0077"} 551 - ${optionalString cfg.updateWtmp 552 - "session required ${pkgs.pam}/lib/security/pam_lastlog.so silent"} 553 - ${optionalString config.security.pam.enableEcryptfs 554 - "session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"} 555 - ${optionalString cfg.pamMount 556 - "session optional ${pkgs.pam_mount}/lib/security/pam_mount.so disable_interactive"} 557 - ${optionalString use_ldap 558 - "session optional ${pam_ldap}/lib/security/pam_ldap.so"} 559 - ${optionalString config.services.sssd.enable 560 - "session optional ${pkgs.sssd}/lib/security/pam_sss.so"} 561 - ${optionalString config.krb5.enable 562 - "session optional ${pam_krb5}/lib/security/pam_krb5.so"} 563 - ${optionalString cfg.otpwAuth 564 - "session optional ${pkgs.otpw}/lib/security/pam_otpw.so"} 565 - 
${optionalString cfg.startSession 566 - "session optional ${pkgs.systemd}/lib/security/pam_systemd.so"} 567 - ${optionalString cfg.forwardXAuth 568 - "session optional pam_xauth.so xauthpath=${pkgs.xorg.xauth}/bin/xauth systemuser=99"} 569 - ${optionalString (cfg.limits != []) 570 - "session required ${pkgs.pam}/lib/security/pam_limits.so conf=${makeLimitsConf cfg.limits}"} 571 - ${optionalString (cfg.showMotd && config.users.motd != null) 572 - "session optional ${pkgs.pam}/lib/security/pam_motd.so motd=${motd}"} 573 - ${optionalString (cfg.enableAppArmor && config.security.apparmor.enable) 574 - "session optional ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so order=user,group,default debug"} 575 - ${optionalString (cfg.enableKwallet) 576 - ("session optional ${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so" + 577 - " kwalletd=${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5")} 578 - ${optionalString (cfg.enableGnomeKeyring) 579 - "session optional ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start"} 580 - ${optionalString cfg.gnupg.enable 581 - "session optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so" 582 - + optionalString cfg.gnupg.noAutostart " no-autostart" 583 - } 584 - ${optionalString (config.virtualisation.lxc.lxcfs.enable) 585 - "session optional ${pkgs.lxc}/lib/security/pam_cgfs.so -c all"} 586 - ''); 552 + '' + 553 + optionalString cfg.makeHomeDir '' 554 + session required ${pkgs.pam}/lib/security/pam_mkhomedir.so silent skel=${config.security.pam.makeHomeDir.skelDirectory} umask=0077 555 + '' + 556 + optionalString cfg.updateWtmp '' 557 + session required ${pkgs.pam}/lib/security/pam_lastlog.so silent 558 + '' + 559 + optionalString config.security.pam.enableEcryptfs '' 560 + session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so 561 + '' + 562 + optionalString cfg.pamMount '' 563 + session optional ${pkgs.pam_mount}/lib/security/pam_mount.so disable_interactive 564 + '' + 565 + optionalString 
use_ldap '' 566 + session optional ${pam_ldap}/lib/security/pam_ldap.so 567 + '' + 568 + optionalString config.services.sssd.enable '' 569 + session optional ${pkgs.sssd}/lib/security/pam_sss.so 570 + '' + 571 + optionalString config.krb5.enable '' 572 + session optional ${pam_krb5}/lib/security/pam_krb5.so 573 + '' + 574 + optionalString cfg.otpwAuth '' 575 + session optional ${pkgs.otpw}/lib/security/pam_otpw.so 576 + '' + 577 + optionalString cfg.startSession '' 578 + session optional ${pkgs.systemd}/lib/security/pam_systemd.so 579 + '' + 580 + optionalString cfg.forwardXAuth '' 581 + session optional pam_xauth.so xauthpath=${pkgs.xorg.xauth}/bin/xauth systemuser=99 582 + '' + 583 + optionalString (cfg.limits != []) '' 584 + session required ${pkgs.pam}/lib/security/pam_limits.so conf=${makeLimitsConf cfg.limits} 585 + '' + 586 + optionalString (cfg.showMotd && config.users.motd != null) '' 587 + session optional ${pkgs.pam}/lib/security/pam_motd.so motd=${motd} 588 + '' + 589 + optionalString (cfg.enableAppArmor && config.security.apparmor.enable) '' 590 + session optional ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so order=user,group,default debug 591 + '' + 592 + optionalString (cfg.enableKwallet) '' 593 + session optional ${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so kwalletd=${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5 594 + '' + 595 + optionalString (cfg.enableGnomeKeyring) '' 596 + session optional ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start 597 + '' + 598 + optionalString cfg.gnupg.enable '' 599 + session optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so ${optionalString cfg.gnupg.noAutostart " no-autostart"} 600 + '' + 601 + optionalString (config.virtualisation.lxc.lxcfs.enable) '' 602 + session optional ${pkgs.lxc}/lib/security/pam_cgfs.so -c all 603 + '' 604 + ); 587 605 }; 588 606 589 607 };
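Review bot: The pam_tty_audit entry at new lines 548–551 still spans four physical lines inside the `''` string, so the generated PAM file contains `open_only=…`, `enable=…` and `disable=…` as standalone lines rather than as arguments of the `session required … pam_tty_audit.so` line; Linux-PAM reads its configuration line by line and, as far as I know, only joins lines that end in a backslash, so these would be treated as malformed entries instead of module options. The problem is pre-existing, but this commit rewrites exactly these strings, so it is the natural place to collapse them into a single line: `session required ${pkgs.pam}/lib/security/pam_tty_audit.so open_only=${toString cfg.ttyAudit.openOnly} ${optionalString (cfg.ttyAudit.enablePattern != null) "enable=${cfg.ttyAudit.enablePattern}"} ${optionalString (cfg.ttyAudit.disablePattern != null) "disable=${cfg.ttyAudit.disablePattern}"}`. A small style nit at new lines 484 and 599: now that the optional flags are interpolated after a literal space, the leading space inside `" store-only"` and `" no-autostart"` is redundant and produces a double space (and a trailing space when the option is off); `"store-only"` and `"no-autostart"` read cleaner. The `text = mkDefault (` expression under review begins at line 412 and closes at new line 604, both within this section.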