author | Alexander Kahl <e-user@fsfe.org> | 2017-01-13 17:16:55 +0100 |
---|---|---|
committer | worldofpeace <worldofpeace@users.noreply.github.com> | 2019-04-14 09:49:01 -0400 |
commit | 5b9895b1a077c5c431b08a88749a4958472cab3c (patch) | |
tree | 63f3d432b011c2bfa1c9f7563ca6d4a605decd8b /nixos/modules/services/x11/display-managers/gdm.nix | |
parent | 59c81160e7df5d5d1b143b1d2e46385debc6bfea (diff) | |
nixos/gdm: use provided PAM login configuration wherever possible
Fixes #21859
Diffstat (limited to 'nixos/modules/services/x11/display-managers/gdm.nix')
-rw-r--r-- | nixos/modules/services/x11/display-managers/gdm.nix | 73 |
1 files changed, 11 insertions, 62 deletions
diff --git a/nixos/modules/services/x11/display-managers/gdm.nix b/nixos/modules/services/x11/display-managers/gdm.nix
index 226fee7491c..3edf7c8d9ca 100644
--- a/nixos/modules/services/x11/display-managers/gdm.nix
+++ b/nixos/modules/services/x11/display-managers/gdm.nix
@@ -208,76 +208,25 @@ in session optional pam_permit.so ''; - gdm.text = '' - auth requisite pam_nologin.so - auth required pam_env.so envfile=${config.system.build.pamEnvironment} - - auth required pam_succeed_if.so uid >= 1000 quiet - auth optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so - auth ${if config.security.pam.enableEcryptfs then "required" else "sufficient"} pam_unix.so nullok likeauth - ${optionalString config.security.pam.enableEcryptfs - "auth required ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"} - - ${optionalString (! config.security.pam.enableEcryptfs) - "auth required pam_deny.so"} - - account sufficient pam_unix.so - - password requisite pam_unix.so nullok sha512 - ${optionalString config.security.pam.enableEcryptfs - "password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"} - - session required pam_env.so envfile=${config.system.build.pamEnvironment} - session required pam_unix.so - ${optionalString config.security.pam.enableEcryptfs - "session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"} - session required pam_loginuid.so - session optional ${pkgs.systemd}/lib/security/pam_systemd.so - session optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start - ''; - gdm-password.text = '' - auth requisite pam_nologin.so - auth required pam_env.so envfile=${config.system.build.pamEnvironment} - - auth required pam_succeed_if.so uid >= 1000 quiet - auth optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so - auth ${if config.security.pam.enableEcryptfs then "required" else "sufficient"} pam_unix.so nullok likeauth - ${optionalString config.security.pam.enableEcryptfs - "auth required ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"} - ${optionalString (! 
config.security.pam.enableEcryptfs) - "auth required pam_deny.so"} - - account sufficient pam_unix.so - - password requisite pam_unix.so nullok sha512 - ${optionalString config.security.pam.enableEcryptfs - "password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"} - - session required pam_env.so envfile=${config.system.build.pamEnvironment} - session required pam_unix.so - ${optionalString config.security.pam.enableEcryptfs - "session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"} - session required pam_loginuid.so - session optional ${pkgs.systemd}/lib/security/pam_systemd.so - session optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start + auth substack login + account include login + password substack login + session include login ''; gdm-autologin.text = '' - auth requisite pam_nologin.so + auth requisite pam_nologin.so - auth required pam_succeed_if.so uid >= 1000 quiet - auth required pam_permit.so + auth required pam_succeed_if.so uid >= 1000 quiet + auth required pam_permit.so - account sufficient pam_unix.so + account sufficient pam_unix.so - password requisite pam_unix.so nullok sha512 + password requisite pam_unix.so nullok sha512 - session optional pam_keyinit.so revoke - session required pam_env.so envfile=${config.system.build.pamEnvironment} - session required pam_unix.so - session required pam_loginuid.so - session optional ${pkgs.systemd}/lib/security/pam_systemd.so + session optional pam_keyinit.so revoke + session include login ''; }; |
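Review bot: The new `gdm-password` stack drops the two guards that the removed stack ran before any password check, `auth requisite pam_nologin.so` and `auth required pam_succeed_if.so uid >= 1000 quiet`, while `gdm-autologin` in the same hunk keeps both. Whether root and system accounts are still refused at the greeter now depends entirely on what the `login` service defines, which is outside this hunk. If it carries no equivalent check, keep both guard lines ahead of `auth substack login`. The `pam_gnome_keyring.so` lines in the auth and session phases are also gone, so keyring unlock at login should be confirmed against the `login` stack as well. A short comment above `gdm-password.text` saying that these checks are inherited from `login` would make the dependency visible to the next editor.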