author | Luca Bruno <lethalman88@gmail.com> | 2014-05-14 17:53:58 +0200 |
---|---|---|
committer | Luca Bruno <lethalman88@gmail.com> | 2014-05-14 17:54:21 +0200 |
commit | 1d5d7fdee2e85460e44b9931f3259254c2092806 (patch) | |
tree | 0cecce6ad9e44c3a7c72c6b188ba8d8a16309579 /nixos | |
parent | 0138b81ed611af3eef82c7f6b52f3b9586c2e3cf (diff) | |
pam: Add logFailures option for adding pam_tally to su
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/programs/shadow.nix | 2 | ||||
-rw-r--r-- | nixos/modules/security/pam.nix | 8 |
2 files changed, 9 insertions, 1 deletions
diff --git a/nixos/modules/programs/shadow.nix b/nixos/modules/programs/shadow.nix index 27a18c726a3..9763332ed97 100644 --- a/nixos/modules/programs/shadow.nix +++ b/nixos/modules/programs/shadow.nix @@ -82,7 +82,7 @@ in security.pam.services = { chsh = { rootOK = true; }; chfn = { rootOK = true; }; - su = { rootOK = true; forwardXAuth = true; }; + su = { rootOK = true; forwardXAuth = true; logFailures = true; }; passwd = {}; # Note: useradd, groupadd etc. aren't setuid root, so it # doesn't really matter what the PAM config says as long as it diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index 6a5eb4c720f..76fbd9b671f 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -132,6 +132,12 @@ let description = "Whether to update <filename>/var/log/wtmp</filename>."; }; + logFailures = mkOption { + default = false; + type = types.bool; + description = "Whether to log authentication failures in <filename>/var/log/faillog</filename>."; + }; + text = mkOption { type = types.nullOr types.lines; description = "Contents of the PAM service file."; @@ -159,6 +165,8 @@ let # Authentication management. ${optionalString cfg.rootOK "auth sufficient pam_rootok.so"} + ${optionalString cfg.logFailures + "auth required pam_tally.so"} ${optionalString (config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth) "auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys:~/.ssh/authorized_keys2:/etc/ssh/authorized_keys.d/%u"} ${optionalString cfg.usbAuth |
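Review bot: The description of the new `logFailures` option in pam.nix says failures are logged to /var/log/faillog but not how. The mechanism added in the following hunk is `pam_tally.so` in the auth stack, which keeps a per-user attempt counter in that file rather than writing log entries. No `deny=` argument is passed, so enabling the option only records attempts and locks nothing out, and an administrator who expects brute-force throttling from it should be told that. I would reword the description along the lines of `Whether to count failed authentication attempts per user in /var/log/faillog via pam_tally (counting only; no lockout is configured).`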
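Review bot: The `auth required pam_tally.so` line added in the last pam.nix hunk has no matching account-phase entry. pam_tally increments its counter on every authentication attempt and clears it only when the service calls pam_setcred or the module also runs in the account phase. That is probably fine for su, but `logFailures` is a generic per-service option, so a service that skips pam_setcred would also accumulate counts for successful logins; adding `${optionalString cfg.logFailures "account required pam_tally.so"}` to the account section, which lies outside this hunk, would make the reset independent of the service. Because the new line sits after the `sufficient` pam_rootok.so entry, an su started by root never reaches the tally; that looks intended, and a one-line comment such as `# Placed after pam_rootok so root-initiated su is not counted.` would record it.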