diff options
author | Jörg Thalheim <Mic92@users.noreply.github.com> | 2021-06-26 16:52:25 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-06-26 16:52:25 +0200 |
commit | 1e125a80022f2d90adc6a6e37c3c358c9976a77e (patch) | |
tree | d2bd0d220d96cc38c9046352b71e048d9d2f0a96 /nixos/modules/security/pam.nix | |
parent | a93194815b33380d7bcb9d7bed18b45c144a645f (diff) | |
parent | e0adda4113a1172f1ae575d1e97e66df3277b0bd (diff) | |
download | nixpkgs-1e125a80022f2d90adc6a6e37c3c358c9976a77e.tar nixpkgs-1e125a80022f2d90adc6a6e37c3c358c9976a77e.tar.gz nixpkgs-1e125a80022f2d90adc6a6e37c3c358c9976a77e.tar.bz2 nixpkgs-1e125a80022f2d90adc6a6e37c3c358c9976a77e.tar.lz nixpkgs-1e125a80022f2d90adc6a6e37c3c358c9976a77e.tar.xz nixpkgs-1e125a80022f2d90adc6a6e37c3c358c9976a77e.tar.zst nixpkgs-1e125a80022f2d90adc6a6e37c3c358c9976a77e.zip |
Merge pull request #122674 from wakira/pam-order
nixos/pam: prioritize safer auth methods over fingerprints
Diffstat (limited to 'nixos/modules/security/pam.nix')
-rw-r--r-- | nixos/modules/security/pam.nix | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index 3cde7e95155..5699025601f 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -397,8 +397,6 @@ let "auth required pam_faillock.so"} ${optionalString (config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth) "auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=${lib.concatStringsSep ":" config.services.openssh.authorizedKeysFiles}"} - ${optionalString cfg.fprintAuth - "auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so"} ${let p11 = config.security.pam.p11; in optionalString cfg.p11Auth "auth ${p11.control} ${pkgs.pam_p11}/lib/security/pam_p11.so ${pkgs.opensc}/lib/opensc-pkcs11.so"} ${let u2f = config.security.pam.u2f; in optionalString cfg.u2fAuth @@ -409,6 +407,8 @@ let "auth requisite ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}"} ${let yubi = config.security.pam.yubico; in optionalString cfg.yubicoAuth "auth ${yubi.control} ${pkgs.yubico-pam}/lib/security/pam_yubico.so mode=${toString yubi.mode} ${optionalString (yubi.mode == "client") "id=${toString yubi.id}"} ${optionalString yubi.debug "debug"}"} + ${optionalString cfg.fprintAuth + "auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so"} '' + # Modules in this block require having the password set in PAM_AUTHTOK. # pam_unix is marked as 'sufficient' on NixOS which means nothing will run |