author | Alexander Kahl <ak@sodosopa.io> | 2016-04-14 11:18:09 -0700 |
---|---|---|
committer | Nikolay Amiantov <ab@fmap.me> | 2017-01-04 03:07:20 +0300 |
commit | 61d125b8425da501f07765197186ed7351a55f48 (patch) | |
tree | b60774795ef94d8602539a089d9296e7e7183449 /nixos/modules/security | |
parent | 40a9c37ff3ad179b18aae2d0309523312525de5b (diff) | |
sssd: init at 1.14.2
perlPackages.TextWrapI18N: init at 0.06 perlPackages.Po4a: init at 0.47 jade: init at 1.2.1 ding-libs: init at 0.6.0 Switch nscd to no-caching mode if SSSD is enabled. abbradar: disable jade parallel building. Closes #21150
Diffstat (limited to 'nixos/modules/security')
-rw-r--r-- | nixos/modules/security/pam.nix | 21 |
1 files changed, 20 insertions, 1 deletions
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index f9aa4136c8d..96e7c45d496 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -233,6 +233,8 @@ let
 account sufficient pam_unix.so
 ${optionalString use_ldap
 "account sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
+ ${optionalString config.services.sssd.enable
+ "account sufficient ${pkgs.sssd}/lib/security/pam_sss.so"}
 ${optionalString config.krb5.enable
 "account sufficient ${pam_krb5}/lib/security/pam_krb5.so"}
@@ -273,6 +275,8 @@ let
 "auth sufficient ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}"}
 ${optionalString use_ldap
 "auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass"}
+ ${optionalString config.services.sssd.enable
+ "auth sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_first_pass"}
 ${optionalString config.krb5.enable ''
 auth [default=ignore success=1 service_err=reset] ${pam_krb5}/lib/security/pam_krb5.so use_first_pass
 auth [default=die success=done] ${pam_ccreds}/lib/security/pam_ccreds.so action=validate use_first_pass
@@ -288,6 +292,8 @@ let
 "password optional ${pkgs.pam_mount}/lib/security/pam_mount.so"}
 ${optionalString use_ldap
 "password sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
+ ${optionalString config.services.sssd.enable
+ "password sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_authtok"}
 ${optionalString config.krb5.enable
 "password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass"}
 ${optionalString config.services.samba.syncPasswordsByPam
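Review bot: The new `account sufficient ${pkgs.sssd}/lib/security/pam_sss.so` line in the `@@ -233` hunk makes a negative account result from SSSD non-fatal, because `sufficient` ignores a module failure and falls through to the next module, so a directory account that SSSD reports as expired or disabled is not rejected by this entry itself. The pam_sss manual's example uses `account [default=bad success=ok user_unknown=ignore] pam_sss.so`, which skips users SSSD does not know but enforces a definite failure; the suggested line is `"account [default=bad success=ok user_unknown=ignore] ${pkgs.sssd}/lib/security/pam_sss.so"}`. The entry does mirror the existing pam_ldap and pam_krb5 lines, so this may be a deliberate consistency choice, and whether a later `required` module in the account stack catches the fall-through cannot be told from here since the rest of the stack is outside the hunk. The `auth` and `password` hunks below use the same `sufficient` control and would carry the same consideration.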
@@ -303,13 +309,15 @@ let
 if config.boot.isContainer then "optional" else "required"
 } pam_loginuid.so"}
 ${optionalString cfg.makeHomeDir
- "session required ${pkgs.pam}/lib/security/pam_mkhomedir.so silent skel=/etc/skel umask=0022"}
+ "session required ${pkgs.pam}/lib/security/pam_mkhomedir.so silent skel=${config.security.pam.makeHomeDir.skelDirectory} umask=0022"}
 ${optionalString cfg.updateWtmp
 "session required ${pkgs.pam}/lib/security/pam_lastlog.so silent"}
 ${optionalString config.security.pam.enableEcryptfs
 "session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}
 ${optionalString use_ldap
 "session optional ${pam_ldap}/lib/security/pam_ldap.so"}
+ ${optionalString config.services.sssd.enable
+ "session optional ${pkgs.sssd}/lib/security/pam_sss.so"}
 ${optionalString config.krb5.enable
 "session optional ${pam_krb5}/lib/security/pam_krb5.so"}
 ${optionalString cfg.otpwAuth
@@ -397,6 +405,16 @@ in
 '';
 };
+ security.pam.makeHomeDir.skelDirectory = mkOption {
+ type = types.str;
+ default = "/var/empty";
+ example = "/etc/skel";
+ description = ''
+ Path to skeleton directory whose contents are copied to home
+ directories newly created by <literal>pam_mkhomedir</literal>.
+ '';
+ };
+
 security.pam.enableSSHAgentAuth = mkOption {
 default = false;
 description =
@@ -447,6 +465,7 @@ in
 # Include the PAM modules in the system path mostly for the manpages.
 [ pkgs.pam ]
 ++ optional config.users.ldap.enable pam_ldap
+ ++ optional config.services.sssd.enable pkgs.sssd
 ++ optionals config.krb5.enable [pam_krb5 pam_ccreds]
 ++ optionals config.security.pam.enableOTPW [ pkgs.otpw ]
 ++ optionals config.security.pam.oath.enable [ pkgs.oathToolkit ]
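Review bot: The new `security.pam.makeHomeDir.skelDirectory` option in the `@@ -397` hunk defaults to `/var/empty`, while the `pam_mkhomedir` line it replaces in the `@@ -303` hunk had `skel=/etc/skel` hard-coded, so every existing `makeHomeDir` deployment silently stops seeding new home directories from `/etc/skel`; neither the option description nor the commit message says so. The description should state the change, for example appending `Note that the default of /var/empty means new home directories are created empty; set this to /etc/skel to restore the previous behaviour.` The value is typed `types.str` and is interpolated unquoted into the `skel=` argument, where PAM splits arguments on whitespace; `type = types.path;` would at least require an absolute path and better matches the description.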