Diffstat (limited to 'nixos/modules/security/sudo.nix')
-rw-r--r--nixos/modules/security/sudo.nix8
1 files changed, 6 insertions, 2 deletions
diff --git a/nixos/modules/security/sudo.nix b/nixos/modules/security/sudo.nix
index ad7d43d2682..eeb2f0dda8b 100644
--- a/nixos/modules/security/sudo.nix
+++ b/nixos/modules/security/sudo.nix
@@ -6,6 +6,10 @@ let
 
   cfg = config.security.sudo;
 
+  enableSSHAgentAuth =
+    with config.security;
+    pam.enableSSHAgentAuth && pam.sudo.sshAgentAuth;
+
   inherit (pkgs) sudo;
 
   toUserString = user: if (isInt user) then "#${toString user}" else "${user}";
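Review bot: The second operand on the added line `pam.enableSSHAgentAuth && pam.sudo.sshAgentAuth;` looks like it points at an attribute path that does not exist: as far as I know the per-service switch is declared as `security.pam.services.<name>.sshAgentAuth`, not under `security.pam.sudo`. Because `&&` short-circuits, evaluation only reaches that operand once `pam.enableSSHAgentAuth` is true, so the mistake would stay hidden until someone enables the feature and would then fail evaluation. If that reading is right, the line should be `pam.enableSSHAgentAuth && pam.services.sudo.sshAgentAuth;`, and replacing `with config.security;` with the full path would make this kind of slip easier to spot. The enclosing `let` block starts and ends outside the hunk.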
@@ -210,10 +214,10 @@ in
         # Don't edit this file. Set the NixOS options ‘security.sudo.configFile’
         # or ‘security.sudo.extraRules’ instead.
       ''
-      ''
+      (optionalString enableSSHAgentAuth ''
         # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
         Defaults env_keep+=SSH_AUTH_SOCK
-      ''
+      '')
       ''
         # "root" is allowed to do anything.
         root        ALL=(ALL:ALL) SETENV: ALL
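Review bot: Making the block conditional at `(optionalString enableSSHAgentAuth ''` changes behaviour for every configuration that leaves SSH agent authentication off, and nothing in the hunk records that. With sudo's default `env_reset` the variable is then dropped, so setups that relied on the forwarded agent being reachable under sudo will stop working. That is the safer default, but it deserves a release-note entry (the diffstat shown is limited to this file, so one may already exist). I would also replace "do its magic" in the generated comment with what is actually kept and why, e.g. `# SSH_AUTH_SOCK is kept only because pam_ssh_agent_auth reads it; the command run by sudo inherits it too.`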