authornicoo <nicoo@mur.at>2023-09-04 21:06:12 +0000
committernicoo <nicoo@mur.at>2023-11-08 19:41:37 +0000
commit19e1420e138b5a89f00eb3d7adbdf99f97ad4d57 (patch)
treef432940a09ac632a58828792a3c9e58078ab913d
parentad9295157901e218f9e27b0cb14a9cb791d139d4 (diff)
nixos/sudo: Move support for `pam_ssh_agent_auth(8)` to PAM's NixOS module
-rw-r--r--nixos/modules/security/pam.nix6
-rw-r--r--nixos/modules/security/sudo.nix8
2 files changed, 9 insertions, 5 deletions
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index 709bb8b94a6..b7e1ea52653 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -1531,6 +1531,10 @@ in
         (map (module: "mr ${module},"))
         concatLines
       ]);
-  };
 
+    security.sudo.extraConfig = optionalString config.security.pam.enableSSHAgentAuth ''
+      # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
+      Defaults env_keep+=SSH_AUTH_SOCK
+    '';
+    };
 }
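Review bot: The comment above `Defaults env_keep+=SSH_AUTH_SOCK` does not say that this is an unqualified `Defaults` entry, so once `security.pam.enableSSHAgentAuth` is set the agent socket path is kept for every command run through sudo, not only while PAM authenticates. I would state that in the comment, e.g. `# Global default: SSH_AUTH_SOCK stays in the environment of every sudo-run command, so commands run as root can reach the invoking user's agent.` The condition checks only the global flag. Whether the sudo PAM service actually enables the agent module is not visible in this hunk, so it may be worth gating on that as well. As a style point, the closing `};` is re-added at four spaces where the removed one sat at two.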
diff --git a/nixos/modules/security/sudo.nix b/nixos/modules/security/sudo.nix
index 4728a697de8..75dc2b52a52 100644
--- a/nixos/modules/security/sudo.nix
+++ b/nixos/modules/security/sudo.nix
@@ -6,6 +6,8 @@ let
 
   cfg = config.security.sudo;
 
+  inherit (config.security.pam) enableSSHAgentAuth;
+
   toUserString = user: if (isInt user) then "#${toString user}" else "${user}";
   toGroupString = group: if (isInt group) then "%#${toString group}" else "%${group}";
 
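Review bot: The new `inherit (config.security.pam) enableSSHAgentAuth;` binding has no visible use in this commit's sudo.nix hunks, and the only code here that referred to the agent is removed in the next hunk. If nothing else in the `let` body or the module references it, drop the line so the module does not appear to depend on the PAM option. If it is used outside the hunk, or is there for a follow-up commit, a short comment such as `# used below to ...` would make that clear. The `let` block starts and ends outside this hunk, so this is inferred from the visible lines only.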
@@ -207,10 +209,8 @@ in
       ''
         # Don't edit this file. Set the NixOS options ‘security.sudo.configFile’
         # or ‘security.sudo.extraRules’ instead.
-
-        # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
-        Defaults env_keep+=SSH_AUTH_SOCK
-
+      ''
+      ''
         # "root" is allowed to do anything.
         root        ALL=(ALL:ALL) SETENV: ALL
       ''
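Review bot: Removing the unconditional `Defaults env_keep+=SSH_AUTH_SOCK` changes behaviour for systems that leave `security.pam.enableSSHAgentAuth` off, because sudo will no longer pass the agent socket through to commands there. That is a reasonable tightening, but it deserves a release-note entry telling users who relied on it to add the line via `security.sudo.extraConfig`. The line also moves from the top of the generated file into `extraConfig`, and where that text lands relative to the rules is not visible here, so please confirm it is still emitted. The split into two adjacent `''` strings has no visible purpose in this hunk, so a one-line comment on what is meant to go between them would help. The enclosing expression begins and ends outside the hunk.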