Previously, `pam_unix.so` was `required` to set PAM_AUTHTOK so that dependent pam modules (such as gnome keyering) could use the password (for example to unlock a keyring) upon login of the user. This however broke any additional auth providers (such as AD or LDAP): for any non-local user `pam_unix.so` will not yield success, thus eventually the auth would fail (even the following auth providers were actually executed, they could not overrule the already failed auth). This change replaces `required` by `optional`. Therefore, the `pam_unix.so` is executed and can set the PAM_AUTHTOK for the following optional modules, _even_ if the user is not a local user. Therefore, the gnome keyring for example is unlocked both for local and additional users upon login, and login is working for non-local users via LDAP/AD.
This commit is contained in:
parent
675f9f6e43
commit
305b633423
1 changed files with 2 additions and 2 deletions
|
@ -503,7 +503,7 @@ let
|
|||
# Modules in this block require having the password set in PAM_AUTHTOK.
|
||||
# pam_unix is marked as 'sufficient' on NixOS which means nothing will run
|
||||
# after it succeeds. Certain modules need to run after pam_unix
|
||||
# prompts the user for password so we run it once with 'required' at an
|
||||
# prompts the user for password so we run it once with 'optional' at an
|
||||
# earlier point and it will run again with 'sufficient' further down.
|
||||
# We use try_first_pass the second time to avoid prompting password twice
|
||||
(optionalString (cfg.unixAuth &&
|
||||
|
@ -516,7 +516,7 @@ let
|
|||
|| cfg.duoSecurity.enable))
|
||||
(
|
||||
''
|
||||
auth required pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth
|
||||
auth optional pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth
|
||||
'' +
|
||||
optionalString config.security.pam.enableEcryptfs ''
|
||||
auth optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap
|
||||
|
|
Loading…
Reference in a new issue