author | Nicolas Pierron <nicolas.b.pierron@gmail.com> | 2010-01-03 11:59:08 +0000 |
---|---|---|
committer | Nicolas Pierron <nicolas.b.pierron@gmail.com> | 2010-01-03 11:59:08 +0000 |
commit | d2901e979db48c6bba1b0847d319d0995af0692c (patch) | |
tree | fd5e8421038310e50ab16ea3891be3558a7ff6ba /modules/security | |
parent | 64c75274e13253c721d3b3e175f8ede6f804a305 (diff) | |
* Add support for pam_usb.
svn path=/nixos/trunk/; revision=19185
Diffstat (limited to 'modules/security')
-rw-r--r-- | modules/security/pam.nix | 7 | ||||
-rw-r--r-- | modules/security/pam_usb.nix | 41 |
2 files changed, 47 insertions, 1 deletions
diff --git a/modules/security/pam.nix b/modules/security/pam.nix
index 904cf438bff..d693255a55b 100644
--- a/modules/security/pam.nix
+++ b/modules/security/pam.nix
@@ -7,7 +7,7 @@ with pkgs.lib;
 let
- inherit (pkgs) pam_unix2 pam_ldap;
+ inherit (pkgs) pam_unix2 pam_usb pam_ldap;
 otherService = pkgs.writeText "other.pam" ''
@@ -26,6 +26,9 @@ let
 , # If set, root doesn't need to authenticate (e.g. for the "chsh"
 # service).
 rootOK ? false
+ , # If set, user listed in /etc/pamusb.conf are able to log in with
+ # the associated usb key.
+ usbAuth ? config.security.pam.usb.enable
 , # If set, use ConsoleKit's PAM connector module to claim
 # ownership of audio devices etc.
 ownDevices ? false
@@ -55,6 +58,8 @@ let
 # Authentication management.
 ${optionalString rootOK "auth sufficient pam_rootok.so"}
+ ${optionalString usbAuth
+ "auth sufficient ${pam_usb}/lib/security/pam_usb.so"}
 ${optionalString config.users.ldap.enable "auth sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
 auth sufficient ${pam_unix2}/lib/security/pam_unix2.so ${
diff --git a/modules/security/pam_usb.nix b/modules/security/pam_usb.nix
new file mode 100644
index 00000000000..1c2a6a05f26
--- /dev/null
+++ b/modules/security/pam_usb.nix
@@ -0,0 +1,41 @@
+{config, pkgs, ...}:
+
+with pkgs.lib;
+
+let
+
+ inherit (pkgs) pam_usb;
+
+ cfg = config.security.pam.usb;
+
+ anyUsbAuth = any (attrByPath ["usbAuth"] false) config.security.pam.services;
+
+in
+
+{
+ options = {
+
+ security.pam.usb = {
+ enable = mkOption {
+ default = false;
+ description = ''
+ Enable USB login for all login system unless the service disabled
+ it. For more information, visit <link
+ xlink:href="http://pamusb.org/doc/quickstart#setting_up" />.
+ '';
+ };
+
+ };
+
+ };
+
+ config = mkIf (cfg.enable || anyUsbAuth) {
+
+ # pmount need to have a set-uid bit to make pam_usb works in user
+ # environment. (like su, sudo)
+
+ security.setuidPrograms = [ "pmount" "pumount" ];
+ environment.systemPackages = [ pkgs.pmount ];
+
+ };
+} |
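Review bot: The added `auth sufficient ${pam_usb}/lib/security/pam_usb.so` rule in the `@@ -55,6 +58,8 @@` hunk sits ahead of the pam_ldap and pam_unix2 rules, so a successful key check ends the auth stack before any password is requested. Because the `@@ -26,6 +26,9 @@` hunk defaults `usbAuth` to `config.security.pam.usb.enable`, this applies to every service built by this function that does not set `usbAuth = false`. That makes the key a replacement for the password, not a second factor, which the parameter comment does not say. I would reword it to something like `# If set, a USB key listed in /etc/pamusb.conf is sufficient on its own to log in; no password is requested.` The enclosing function and the PAM text both start and end outside these hunks, so which services opt out cannot be checked from here.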
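Review bot: `security.setuidPrograms = [ "pmount" "pumount" ];` in the new pam_usb.nix applies as soon as `cfg.enable` is set or any single service has `usbAuth`, and the comment above it explains why the bit is needed but not what it exposes. I would extend the comment, e.g. `# NOTE: this makes pmount/pumount set-uid system-wide, presumably runnable by any local user, not only from the PAM stack.` Separately, `inherit (pkgs) pam_usb;` is bound in this file but never used, and only `pkgs.pmount` reaches `environment.systemPackages`. If the pam_usb tools are meant to be on the PATH for creating /etc/pamusb.conf, `environment.systemPackages = [ pkgs.pmount pam_usb ];` would use the binding; otherwise the `inherit` line can be dropped.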