diff options
| author | Majiir Paktu <majiir@nabaal.net> | 2023-09-16 13:32:55 -0400 |
|---|---|---|
| committer | Majiir Paktu <majiir@nabaal.net> | 2023-10-09 23:17:36 -0400 |
| commit | 25bc21f19a3f87d7512d7bd450ee7674370f14fb (patch) | |
| tree | 19c8539c41a665430ffd997641fa9d0dabf25082 /nixos/modules/security | |
| parent | 0563e0a379448e9195d5f9f470d3f693b3180ae6 (diff) | |
| download | nixpkgs-25bc21f19a3f87d7512d7bd450ee7674370f14fb.tar nixpkgs-25bc21f19a3f87d7512d7bd450ee7674370f14fb.tar.gz nixpkgs-25bc21f19a3f87d7512d7bd450ee7674370f14fb.tar.bz2 nixpkgs-25bc21f19a3f87d7512d7bd450ee7674370f14fb.tar.lz nixpkgs-25bc21f19a3f87d7512d7bd450ee7674370f14fb.tar.xz nixpkgs-25bc21f19a3f87d7512d7bd450ee7674370f14fb.tar.zst nixpkgs-25bc21f19a3f87d7512d7bd450ee7674370f14fb.zip | |
nixos/pam: extract control field
Diffstat (limited to 'nixos/modules/security')
| -rw-r--r-- | nixos/modules/security/pam.nix | 350 |
1 files changed, 178 insertions, 172 deletions
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index 569a1deb6b6..12a818a9680 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -27,10 +27,16 @@ let Whether this rule is added to the PAM service config file. ''; }; + control = mkOption { + type = types.str; + description = lib.mdDoc '' + Indicates the behavior of the PAM-API should the module fail to succeed in its authentication task. See `control` in {manpage}`pam.conf(5)` for details. + ''; + }; text = mkOption { type = types.str; description = lib.mdDoc '' - Text of the rule (without `service` or `type` fields). + Text of the rule (without `service`, `type` or `control` fields). ''; }; }; @@ -527,7 +533,7 @@ let formatRules = type: pipe cfg.rules.${type} [ (filter (rule: rule.enable)) (map (rule: concatStringsSep " " - [ type (removeSuffix "\n" rule.text) ] + [ type rule.control (removeSuffix "\n" rule.text) ] )) (concatStringsSep "\n") ]; @@ -550,80 +556,80 @@ let # module provides the right hooks. rules = { account = [ - { name = "ldap"; enable = use_ldap; text = '' - sufficient ${pam_ldap}/lib/security/pam_ldap.so + { name = "ldap"; enable = use_ldap; control = "sufficient"; text = '' + ${pam_ldap}/lib/security/pam_ldap.so ''; } - { name = "mysql"; enable = cfg.mysqlAuth; text = '' - sufficient ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf + { name = "mysql"; enable = cfg.mysqlAuth; control = "sufficient"; text = '' + ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf ''; } - { name = "kanidm"; enable = config.services.kanidm.enablePam; text = '' - sufficient ${pkgs.kanidm}/lib/pam_kanidm.so ignore_unknown_user + { name = "kanidm"; enable = config.services.kanidm.enablePam; control = "sufficient"; text = '' + ${pkgs.kanidm}/lib/pam_kanidm.so ignore_unknown_user ''; } - { name = "sss"; enable = config.services.sssd.enable; text = '' - ${if cfg.sssdStrictAccess then "[default=bad success=ok user_unknown=ignore]" else "sufficient"} ${pkgs.sssd}/lib/security/pam_sss.so + { name = "sss"; enable = config.services.sssd.enable; control = if cfg.sssdStrictAccess then "[default=bad success=ok user_unknown=ignore]" else "sufficient"; text = '' + ${pkgs.sssd}/lib/security/pam_sss.so ''; } - { name = "krb5"; enable = config.security.pam.krb5.enable; text = '' - sufficient ${pam_krb5}/lib/security/pam_krb5.so + { name = "krb5"; enable = config.security.pam.krb5.enable; control = "sufficient"; text = '' + ${pam_krb5}/lib/security/pam_krb5.so ''; } - { name = "oslogin_login"; enable = cfg.googleOsLoginAccountVerification; text = '' - [success=ok ignore=ignore default=die] ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so + { name = "oslogin_login"; enable = cfg.googleOsLoginAccountVerification; control = "[success=ok ignore=ignore default=die]"; text = '' + ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so ''; } - { name = "oslogin_admin"; enable = cfg.googleOsLoginAccountVerification; text = '' - [success=ok default=ignore] ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_admin.so + { name = "oslogin_admin"; enable = cfg.googleOsLoginAccountVerification; control = "[success=ok default=ignore]"; text = '' + ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_admin.so ''; } - { name = "systemd_home"; enable = config.services.homed.enable; text = '' - sufficient ${config.systemd.package}/lib/security/pam_systemd_home.so + { name = "systemd_home"; enable = config.services.homed.enable; control = "sufficient"; text = '' + ${config.systemd.package}/lib/security/pam_systemd_home.so ''; } # The required pam_unix.so module has to come after all the sufficient modules # because otherwise, the account lookup will fail if the user does not exist # locally, for example with MySQL- or LDAP-auth. - { name = "unix"; text = '' - required pam_unix.so + { name = "unix"; control = "required"; text = '' + pam_unix.so ''; } ]; auth = [ - { name = "oslogin_login"; enable = cfg.googleOsLoginAuthentication; text = '' - [success=done perm_denied=die default=ignore] ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so + { name = "oslogin_login"; enable = cfg.googleOsLoginAuthentication; control = "[success=done perm_denied=die default=ignore]"; text = '' + ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so ''; } - { name = "rootok"; enable = cfg.rootOK; text = '' - sufficient pam_rootok.so + { name = "rootok"; enable = cfg.rootOK; control = "sufficient"; text = '' + pam_rootok.so ''; } - { name = "wheel"; enable = cfg.requireWheel; text = '' - required pam_wheel.so use_uid + { name = "wheel"; enable = cfg.requireWheel; control = "required"; text = '' + pam_wheel.so use_uid ''; } - { name = "faillock"; enable = cfg.logFailures; text = '' - required pam_faillock.so + { name = "faillock"; enable = cfg.logFailures; control = "required"; text = '' + pam_faillock.so ''; } - { name = "mysql"; enable = cfg.mysqlAuth; text = '' - sufficient ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf + { name = "mysql"; enable = cfg.mysqlAuth; control = "sufficient"; text = '' + ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf ''; } - { name = "ssh_agent_auth"; enable = config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth; text = '' - sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=${lib.concatStringsSep ":" config.services.openssh.authorizedKeysFiles} + { name = "ssh_agent_auth"; enable = config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth; control = "sufficient"; text = '' + ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=${lib.concatStringsSep ":" config.services.openssh.authorizedKeysFiles} ''; } - (let p11 = config.security.pam.p11; in { name = "p11"; enable = cfg.p11Auth; text = '' - ${p11.control} ${pkgs.pam_p11}/lib/security/pam_p11.so ${pkgs.opensc}/lib/opensc-pkcs11.so + (let p11 = config.security.pam.p11; in { name = "p11"; enable = cfg.p11Auth; control = p11.control; text = '' + ${pkgs.pam_p11}/lib/security/pam_p11.so ${pkgs.opensc}/lib/opensc-pkcs11.so ''; }) - (let u2f = config.security.pam.u2f; in { name = "u2f"; enable = cfg.u2fAuth; text = '' - ${u2f.control} ${pkgs.pam_u2f}/lib/security/pam_u2f.so ${optionalString u2f.debug "debug"} ${optionalString (u2f.authFile != null) "authfile=${u2f.authFile}"} ${optionalString u2f.interactive "interactive"} ${optionalString u2f.cue "cue"} ${optionalString (u2f.appId != null) "appid=${u2f.appId}"} ${optionalString (u2f.origin != null) "origin=${u2f.origin}"} + (let u2f = config.security.pam.u2f; in { name = "u2f"; enable = cfg.u2fAuth; control = u2f.control; text = '' + ${pkgs.pam_u2f}/lib/security/pam_u2f.so ${optionalString u2f.debug "debug"} ${optionalString (u2f.authFile != null) "authfile=${u2f.authFile}"} ${optionalString u2f.interactive "interactive"} ${optionalString u2f.cue "cue"} ${optionalString (u2f.appId != null) "appid=${u2f.appId}"} ${optionalString (u2f.origin != null) "origin=${u2f.origin}"} ''; }) - { name = "usb"; enable = cfg.usbAuth; text = '' - sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so + { name = "usb"; enable = cfg.usbAuth; control = "sufficient"; text = '' + ${pkgs.pam_usb}/lib/security/pam_usb.so ''; } - (let ussh = config.security.pam.ussh; in { name = "ussh"; enable = config.security.pam.ussh.enable && cfg.usshAuth; text = '' - ${ussh.control} ${pkgs.pam_ussh}/lib/security/pam_ussh.so ${optionalString (ussh.caFile != null) "ca_file=${ussh.caFile}"} ${optionalString (ussh.authorizedPrincipals != null) "authorized_principals=${ussh.authorizedPrincipals}"} ${optionalString (ussh.authorizedPrincipalsFile != null) "authorized_principals_file=${ussh.authorizedPrincipalsFile}"} ${optionalString (ussh.group != null) "group=${ussh.group}"} + (let ussh = config.security.pam.ussh; in { name = "ussh"; enable = config.security.pam.ussh.enable && cfg.usshAuth; control = ussh.control; text = '' + ${pkgs.pam_ussh}/lib/security/pam_ussh.so ${optionalString (ussh.caFile != null) "ca_file=${ussh.caFile}"} ${optionalString (ussh.authorizedPrincipals != null) "authorized_principals=${ussh.authorizedPrincipals}"} ${optionalString (ussh.authorizedPrincipalsFile != null) "authorized_principals_file=${ussh.authorizedPrincipalsFile}"} ${optionalString (ussh.group != null) "group=${ussh.group}"} ''; }) - (let oath = config.security.pam.oath; in { name = "oath"; enable = cfg.oathAuth; text = '' - requisite ${pkgs.oath-toolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits} + (let oath = config.security.pam.oath; in { name = "oath"; enable = cfg.oathAuth; control = "requisite"; text = '' + ${pkgs.oath-toolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits} ''; }) - (let yubi = config.security.pam.yubico; in { name = "yubico"; enable = cfg.yubicoAuth; text = '' - ${yubi.control} ${pkgs.yubico-pam}/lib/security/pam_yubico.so mode=${toString yubi.mode} ${optionalString (yubi.challengeResponsePath != null) "chalresp_path=${yubi.challengeResponsePath}"} ${optionalString (yubi.mode == "client") "id=${toString yubi.id}"} ${optionalString yubi.debug "debug"} + (let yubi = config.security.pam.yubico; in { name = "yubico"; enable = cfg.yubicoAuth; control = yubi.control; text = '' + ${pkgs.yubico-pam}/lib/security/pam_yubico.so mode=${toString yubi.mode} ${optionalString (yubi.challengeResponsePath != null) "chalresp_path=${yubi.challengeResponsePath}"} ${optionalString (yubi.mode == "client") "id=${toString yubi.id}"} ${optionalString yubi.debug "debug"} ''; }) - (let dp9ik = config.security.pam.dp9ik; in { name = "p9"; enable = dp9ik.enable; text = '' - ${dp9ik.control} ${pkgs.pam_dp9ik}/lib/security/pam_p9.so ${dp9ik.authserver} + (let dp9ik = config.security.pam.dp9ik; in { name = "p9"; enable = dp9ik.enable; control = dp9ik.control; text = '' + ${pkgs.pam_dp9ik}/lib/security/pam_p9.so ${dp9ik.authserver} ''; }) - { name = "fprintd"; enable = cfg.fprintAuth; text = '' - sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so + { name = "fprintd"; enable = cfg.fprintAuth; control = "sufficient"; text = '' + ${pkgs.fprintd}/lib/security/pam_fprintd.so ''; } ] ++ # Modules in this block require having the password set in PAM_AUTHTOK. @@ -646,202 +652,202 @@ let || cfg.duoSecurity.enable || cfg.zfs)) [ - { name = "systemd_home-early"; enable = config.services.homed.enable; text = '' - optional ${config.systemd.package}/lib/security/pam_systemd_home.so + { name = "systemd_home-early"; enable = config.services.homed.enable; control = "optional"; text = '' + ${config.systemd.package}/lib/security/pam_systemd_home.so ''; } - { name = "unix-early"; enable = cfg.unixAuth; text = '' - optional pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth + { name = "unix-early"; enable = cfg.unixAuth; control = "optional"; text = '' + pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth ''; } - { name = "ecryptfs"; enable = config.security.pam.enableEcryptfs; text = '' - optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap + { name = "ecryptfs"; enable = config.security.pam.enableEcryptfs; control = "optional"; text = '' + ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap ''; } - { name = "fscrypt"; enable = config.security.pam.enableFscrypt; text = '' - optional ${pkgs.fscrypt-experimental}/lib/security/pam_fscrypt.so + { name = "fscrypt"; enable = config.security.pam.enableFscrypt; control = "optional"; text = '' + ${pkgs.fscrypt-experimental}/lib/security/pam_fscrypt.so ''; } - { name = "zfs_key"; enable = cfg.zfs; text = '' - optional ${config.boot.zfs.package}/lib/security/pam_zfs_key.so homes=${config.security.pam.zfs.homes} + { name = "zfs_key"; enable = cfg.zfs; control = "optional"; text = '' + ${config.boot.zfs.package}/lib/security/pam_zfs_key.so homes=${config.security.pam.zfs.homes} ''; } - { name = "mount"; enable = cfg.pamMount; text = '' - optional ${pkgs.pam_mount}/lib/security/pam_mount.so disable_interactive + { name = "mount"; enable = cfg.pamMount; control = "optional"; text = '' + ${pkgs.pam_mount}/lib/security/pam_mount.so disable_interactive ''; } - { name = "kwallet5"; enable = cfg.enableKwallet; text = '' - optional ${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so kwalletd=${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5 + { name = "kwallet5"; enable = cfg.enableKwallet; control = "optional"; text = '' + ${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so kwalletd=${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5 ''; } - { name = "gnome_keyring"; enable = cfg.enableGnomeKeyring; text = '' - optional ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so + { name = "gnome_keyring"; enable = cfg.enableGnomeKeyring; control = "optional"; text = '' + ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so ''; } - { name = "gnupg"; enable = cfg.gnupg.enable; text = '' - optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so ${optionalString cfg.gnupg.storeOnly "store-only"} + { name = "gnupg"; enable = cfg.gnupg.enable; control = "optional"; text = '' + ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so ${optionalString cfg.gnupg.storeOnly "store-only"} ''; } - { name = "faildelay"; enable = cfg.failDelay.enable; text = '' - optional ${pkgs.pam}/lib/security/pam_faildelay.so delay=${toString cfg.failDelay.delay} + { name = "faildelay"; enable = cfg.failDelay.enable; control = "optional"; text = '' + ${pkgs.pam}/lib/security/pam_faildelay.so delay=${toString cfg.failDelay.delay} ''; } - { name = "google_authenticator"; enable = cfg.googleAuthenticator.enable; text = '' - required ${pkgs.google-authenticator}/lib/security/pam_google_authenticator.so no_increment_hotp + { name = "google_authenticator"; enable = cfg.googleAuthenticator.enable; control = "required"; text = '' + ${pkgs.google-authenticator}/lib/security/pam_google_authenticator.so no_increment_hotp ''; } - { name = "duo"; enable = cfg.duoSecurity.enable; text = '' - required ${pkgs.duo-unix}/lib/security/pam_duo.so + { name = "duo"; enable = cfg.duoSecurity.enable; control = "required"; text = '' + ${pkgs.duo-unix}/lib/security/pam_duo.so ''; } ]) ++ [ - { name = "systemd_home"; enable = config.services.homed.enable; text = '' - sufficient ${config.systemd.package}/lib/security/pam_systemd_home.so + { name = "systemd_home"; enable = config.services.homed.enable; control = "sufficient"; text = '' + ${config.systemd.package}/lib/security/pam_systemd_home.so ''; } - { name = "unix"; enable = cfg.unixAuth; text = '' - sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth try_first_pass + { name = "unix"; enable = cfg.unixAuth; control = "sufficient"; text = '' + pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth try_first_pass ''; } - { name = "otpw"; enable = cfg.otpwAuth; text = '' - sufficient ${pkgs.otpw}/lib/security/pam_otpw.so + { name = "otpw"; enable = cfg.otpwAuth; control = "sufficient"; text = '' + ${pkgs.otpw}/lib/security/pam_otpw.so ''; } - { name = "ldap"; enable = use_ldap; text = '' - sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass + { name = "ldap"; enable = use_ldap; control = "sufficient"; text = '' + ${pam_ldap}/lib/security/pam_ldap.so use_first_pass ''; } - { name = "kanidm"; enable = config.services.kanidm.enablePam; text = '' - sufficient ${pkgs.kanidm}/lib/pam_kanidm.so ignore_unknown_user use_first_pass + { name = "kanidm"; enable = config.services.kanidm.enablePam; control = "sufficient"; text = '' + ${pkgs.kanidm}/lib/pam_kanidm.so ignore_unknown_user use_first_pass ''; } - { name = "sss"; enable = config.services.sssd.enable; text = '' - sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_first_pass + { name = "sss"; enable = config.services.sssd.enable; control = "sufficient"; text = '' + ${pkgs.sssd}/lib/security/pam_sss.so use_first_pass ''; } - { name = "krb5"; enable = config.security.pam.krb5.enable; text = '' - [default=ignore success=1 service_err=reset] ${pam_krb5}/lib/security/pam_krb5.so use_first_pass + { name = "krb5"; enable = config.security.pam.krb5.enable; control = "[default=ignore success=1 service_err=reset]"; text = '' + ${pam_krb5}/lib/security/pam_krb5.so use_first_pass ''; } - { name = "ccreds-validate"; enable = config.security.pam.krb5.enable; text = '' - [default=die success=done] ${pam_ccreds}/lib/security/pam_ccreds.so action=validate use_first_pass + { name = "ccreds-validate"; enable = config.security.pam.krb5.enable; control = "[default=die success=done]"; text = '' + ${pam_ccreds}/lib/security/pam_ccreds.so action=validate use_first_pass ''; } - { name = "ccreds-store"; enable = config.security.pam.krb5.enable; text = '' - sufficient ${pam_ccreds}/lib/security/pam_ccreds.so action=store use_first_pass + { name = "ccreds-store"; enable = config.security.pam.krb5.enable; control = "sufficient"; text = '' + ${pam_ccreds}/lib/security/pam_ccreds.so action=store use_first_pass ''; } - { name = "deny"; text = '' - required pam_deny.so + { name = "deny"; control = "required"; text = '' + pam_deny.so ''; } ]; password = [ - { name = "systemd_home"; enable = config.services.homed.enable; text = '' - sufficient ${config.systemd.package}/lib/security/pam_systemd_home.so + { name = "systemd_home"; enable = config.services.homed.enable; control = "sufficient"; text = '' + ${config.systemd.package}/lib/security/pam_systemd_home.so ''; } - { name = "unix"; text = '' - sufficient pam_unix.so nullok yescrypt + { name = "unix"; control = "sufficient"; text = '' + pam_unix.so nullok yescrypt ''; } - { name = "ecryptfs"; enable = config.security.pam.enableEcryptfs; text = '' - optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so + { name = "ecryptfs"; enable = config.security.pam.enableEcryptfs; control = "optional"; text = '' + ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so ''; } - { name = "fscrypt"; enable = config.security.pam.enableFscrypt; text = '' - optional ${pkgs.fscrypt-experimental}/lib/security/pam_fscrypt.so + { name = "fscrypt"; enable = config.security.pam.enableFscrypt; control = "optional"; text = '' + ${pkgs.fscrypt-experimental}/lib/security/pam_fscrypt.so ''; } - { name = "zfs_key"; enable = cfg.zfs; text = '' - optional ${config.boot.zfs.package}/lib/security/pam_zfs_key.so homes=${config.security.pam.zfs.homes} + { name = "zfs_key"; enable = cfg.zfs; control = "optional"; text = '' + ${config.boot.zfs.package}/lib/security/pam_zfs_key.so homes=${config.security.pam.zfs.homes} ''; } - { name = "mount"; enable = cfg.pamMount; text = '' - optional ${pkgs.pam_mount}/lib/security/pam_mount.so + { name = "mount"; enable = cfg.pamMount; control = "optional"; text = '' + ${pkgs.pam_mount}/lib/security/pam_mount.so ''; } - { name = "ldap"; enable = use_ldap; text = '' - sufficient ${pam_ldap}/lib/security/pam_ldap.so + { name = "ldap"; enable = use_ldap; control = "sufficient"; text = '' + ${pam_ldap}/lib/security/pam_ldap.so ''; } - { name = "mysql"; enable = cfg.mysqlAuth; text = '' - sufficient ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf + { name = "mysql"; enable = cfg.mysqlAuth; control = "sufficient"; text = '' + ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf ''; } - { name = "kanidm"; enable = config.services.kanidm.enablePam; text = '' - sufficient ${pkgs.kanidm}/lib/pam_kanidm.so + { name = "kanidm"; enable = config.services.kanidm.enablePam; control = "sufficient"; text = '' + ${pkgs.kanidm}/lib/pam_kanidm.so ''; } - { name = "sss"; enable = config.services.sssd.enable; text = '' - sufficient ${pkgs.sssd}/lib/security/pam_sss.so + { name = "sss"; enable = config.services.sssd.enable; control = "sufficient"; text = '' + ${pkgs.sssd}/lib/security/pam_sss.so ''; } - { name = "krb5"; enable = config.security.pam.krb5.enable; text = '' - sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass + { name = "krb5"; enable = config.security.pam.krb5.enable; control = "sufficient"; text = '' + ${pam_krb5}/lib/security/pam_krb5.so use_first_pass ''; } - { name = "gnome_keyring"; enable = cfg.enableGnomeKeyring; text = '' - optional ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so use_authtok + { name = "gnome_keyring"; enable = cfg.enableGnomeKeyring; control = "optional"; text = '' + ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so use_authtok ''; } ]; session = [ - { name = "env"; enable = cfg.setEnvironment; text = '' - required pam_env.so conffile=/etc/pam/environment readenv=0 + { name = "env"; enable = cfg.setEnvironment; control = "required"; text = '' + pam_env.so conffile=/etc/pam/environment readenv=0 ''; } - { name = "unix"; text = '' - required pam_unix.so + { name = "unix"; control = "required"; text = '' + pam_unix.so ''; } - { name = "loginuid"; enable = cfg.setLoginUid; text = '' - ${if config.boot.isContainer then "optional" else "required"} pam_loginuid.so + { name = "loginuid"; enable = cfg.setLoginUid; control = if config.boot.isContainer then "optional" else "required"; text = '' + pam_loginuid.so ''; } - { name = "tty_audit"; enable = cfg.ttyAudit.enable; text = '' - required ${pkgs.pam}/lib/security/pam_tty_audit.so ${optionalString cfg.ttyAudit.openOnly "open_only"} ${optionalString (cfg.ttyAudit.enablePattern != null) "enable=${cfg.ttyAudit.enablePattern}"} ${optionalString (cfg.ttyAudit.disablePattern != null) "disable=${cfg.ttyAudit.disablePattern}"} + { name = "tty_audit"; enable = cfg.ttyAudit.enable; control = "required"; text = '' + ${pkgs.pam}/lib/security/pam_tty_audit.so ${optionalString cfg.ttyAudit.openOnly "open_only"} ${optionalString (cfg.ttyAudit.enablePattern != null) "enable=${cfg.ttyAudit.enablePattern}"} ${optionalString (cfg.ttyAudit.disablePattern != null) "disable=${cfg.ttyAudit.disablePattern}"} ''; } - { name = "systemd_home"; enable = config.services.homed.enable; text = '' - required ${config.systemd.package}/lib/security/pam_systemd_home.so + { name = "systemd_home"; enable = config.services.homed.enable; control = "required"; text = '' + ${config.systemd.package}/lib/security/pam_systemd_home.so ''; } - { name = "mkhomedir"; enable = cfg.makeHomeDir; text = '' - required ${pkgs.pam}/lib/security/pam_mkhomedir.so silent skel=${config.security.pam.makeHomeDir.skelDirectory} umask=${config.security.pam.makeHomeDir.umask} + { name = "mkhomedir"; enable = cfg.makeHomeDir; control = "required"; text = '' + ${pkgs.pam}/lib/security/pam_mkhomedir.so silent skel=${config.security.pam.makeHomeDir.skelDirectory} umask=${config.security.pam.makeHomeDir.umask} ''; } - { name = "lastlog"; enable = cfg.updateWtmp; text = '' - required ${pkgs.pam}/lib/security/pam_lastlog.so silent + { name = "lastlog"; enable = cfg.updateWtmp; control = "required"; text = '' + ${pkgs.pam}/lib/security/pam_lastlog.so silent ''; } - { name = "ecryptfs"; enable = config.security.pam.enableEcryptfs; text = '' - optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so + { name = "ecryptfs"; enable = config.security.pam.enableEcryptfs; control = "optional"; text = '' + ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so ''; } # Work around https://github.com/systemd/systemd/issues/8598 # Skips the pam_fscrypt module for systemd-user sessions which do not have a password # anyways. # See also https://github.com/google/fscrypt/issues/95 - { name = "fscrypt-skip-systemd"; enable = config.security.pam.enableFscrypt; text = '' - [success=1 default=ignore] pam_succeed_if.so service = systemd-user + { name = "fscrypt-skip-systemd"; enable = config.security.pam.enableFscrypt; control = "[success=1 default=ignore]"; text = '' + pam_succeed_if.so service = systemd-user ''; } - { name = "fscrypt"; enable = config.security.pam.enableFscrypt; text = '' - optional ${pkgs.fscrypt-experimental}/lib/security/pam_fscrypt.so + { name = "fscrypt"; enable = config.security.pam.enableFscrypt; control = "optional"; text = '' + ${pkgs.fscrypt-experimental}/lib/security/pam_fscrypt.so ''; } - { name = "zfs_key-skip-systemd"; enable = cfg.zfs; text = '' - [success=1 default=ignore] pam_succeed_if.so service = systemd-user + { name = "zfs_key-skip-systemd"; enable = cfg.zfs; control = "[success=1 default=ignore]"; text = '' + pam_succeed_if.so service = systemd-user ''; } - { name = "zfs_key"; enable = cfg.zfs; text = '' - optional ${config.boot.zfs.package}/lib/security/pam_zfs_key.so homes=${config.security.pam.zfs.homes} ${optionalString config.security.pam.zfs.noUnmount "nounmount"} + { name = "zfs_key"; enable = cfg.zfs; control = "optional"; text = '' + ${config.boot.zfs.package}/lib/security/pam_zfs_key.so homes=${config.security.pam.zfs.homes} ${optionalString config.security.pam.zfs.noUnmount "nounmount"} ''; } - { name = "mount"; enable = cfg.pamMount; text = '' - optional ${pkgs.pam_mount}/lib/security/pam_mount.so disable_interactive + { name = "mount"; enable = cfg.pamMount; control = "optional"; text = '' + ${pkgs.pam_mount}/lib/security/pam_mount.so disable_interactive ''; } - { name = "ldap"; enable = use_ldap; text = '' - optional ${pam_ldap}/lib/security/pam_ldap.so + { name = "ldap"; enable = use_ldap; control = "optional"; text = '' + ${pam_ldap}/lib/security/pam_ldap.so ''; } - { name = "mysql"; enable = cfg.mysqlAuth; text = '' - optional ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf + { name = "mysql"; enable = cfg.mysqlAuth; control = "optional"; text = '' + ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf ''; } - { name = "kanidm"; enable = config.services.kanidm.enablePam; text = '' - optional ${pkgs.kanidm}/lib/pam_kanidm.so + { name = "kanidm"; enable = config.services.kanidm.enablePam; control = "optional"; text = '' + ${pkgs.kanidm}/lib/pam_kanidm.so ''; } - { name = "sss"; enable = config.services.sssd.enable; text = '' - optional ${pkgs.sssd}/lib/security/pam_sss.so + { name = "sss"; enable = config.services.sssd.enable; control = "optional"; text = '' + ${pkgs.sssd}/lib/security/pam_sss.so ''; } - { name = "krb5"; enable = config.security.pam.krb5.enable; text = '' - optional ${pam_krb5}/lib/security/pam_krb5.so + { name = "krb5"; enable = config.security.pam.krb5.enable; control = "optional"; text = '' + ${pam_krb5}/lib/security/pam_krb5.so ''; } - { name = "otpw"; enable = cfg.otpwAuth; text = '' - optional ${pkgs.otpw}/lib/security/pam_otpw.so + { name = "otpw"; enable = cfg.otpwAuth; control = "optional"; text = '' + ${pkgs.otpw}/lib/security/pam_otpw.so ''; } - { name = "systemd"; enable = cfg.startSession; text = '' - optional ${config.systemd.package}/lib/security/pam_systemd.so + { name = "systemd"; enable = cfg.startSession; control = "optional"; text = '' + ${config.systemd.package}/lib/security/pam_systemd.so ''; } - { name = "xauth"; enable = cfg.forwardXAuth; text = '' - optional pam_xauth.so xauthpath=${pkgs.xorg.xauth}/bin/xauth systemuser=99 + { name = "xauth"; enable = cfg.forwardXAuth; control = "optional"; text = '' + pam_xauth.so xauthpath=${pkgs.xorg.xauth}/bin/xauth systemuser=99 ''; } - { name = "limits"; enable = cfg.limits != []; text = '' - required ${pkgs.pam}/lib/security/pam_limits.so conf=${makeLimitsConf cfg.limits} + { name = "limits"; enable = cfg.limits != []; control = "required"; text = '' + ${pkgs.pam}/lib/security/pam_limits.so conf=${makeLimitsConf cfg.limits} ''; } - { name = "motd"; enable = cfg.showMotd && (config.users.motd != null || config.users.motdFile != null); text = '' - optional ${pkgs.pam}/lib/security/pam_motd.so motd=${motd} + { name = "motd"; enable = cfg.showMotd && (config.users.motd != null || config.users.motdFile != null); control = "optional"; text = '' + ${pkgs.pam}/lib/security/pam_motd.so motd=${motd} ''; } - { name = "apparmor"; enable = cfg.enableAppArmor && config.security.apparmor.enable; text = '' - optional ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so order=user,group,default debug + { name = "apparmor"; enable = cfg.enableAppArmor && config.security.apparmor.enable; control = "optional"; text = '' + ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so order=user,group,default debug ''; } - { name = "kwallet5"; enable = cfg.enableKwallet; text = '' - optional ${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so kwalletd=${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5 + { name = "kwallet5"; enable = cfg.enableKwallet; control = "optional"; text = '' + ${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so kwalletd=${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5 ''; } - { name = "gnome_keyring"; enable = cfg.enableGnomeKeyring; text = '' - optional ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start + { name = "gnome_keyring"; enable = cfg.enableGnomeKeyring; control = "optional"; text = '' + ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start ''; } - { name = "gnupg"; enable = cfg.gnupg.enable; text = '' - optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so ${optionalString cfg.gnupg.noAutostart " no-autostart"} + { name = "gnupg"; enable = cfg.gnupg.enable; control = "optional"; text = '' + ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so ${optionalString cfg.gnupg.noAutostart " no-autostart"} ''; } - { name = "cgfs"; enable = config.virtualisation.lxc.lxcfs.enable; text = '' - optional ${pkgs.lxc}/lib/security/pam_cgfs.so -c all + { name = "cgfs"; enable = config.virtualisation.lxc.lxcfs.enable; control = "optional"; text = '' + ${pkgs.lxc}/lib/security/pam_cgfs.so -c all ''; } ]; }; |