BoomMicrophone/nixpkgs-suyu
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

nixos/pam: add settings option for common argument styles

Browse source 
Adds easily overrideable settings for the most common PAM argument
styles. These are:

- Flag (e.g. "use_first_pass"): rendered for true boolean values. false
  values are ignored.

- Key-value (e.g. "action=validate"): rendered for non-null, non-boolean
  values.

Most PAM arguments can be configured this way. Others can still be
configured with the 'args' option.
This commit is contained in:
Majiir Paktu 2023-09-24 19:55:54 -04:00
parent 6eea7fb194
commit 5b8439f966
2 changed files with 177 additions and 164 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

339
nixos/modules/security/pam.nix
View file

@ -12,7 +12,7 @@ let
description = lib.mdDoc '' description = lib.mdDoc ''
PAM `${type}` rules for this service. PAM `${type}` rules for this service.
''; '';
type = types.listOf (types.submodule { type = types.listOf (types.submodule ({ config, ... }: {
options = { options = {
name = mkOption { name = mkOption {
type = types.str; type = types.str;
@ -41,11 +41,21 @@ let
}; };
args = mkOption { args = mkOption {
type = types.listOf types.str; type = types.listOf types.str;
default = [];
description = lib.mdDoc '' description = lib.mdDoc ''
Tokens that can be used to modify the specific behavior of the given PAM. Such arguments will be documented for each individual module. See `module-arguments` in {manpage}`pam.conf(5)` for details. Tokens that can be used to modify the specific behavior of the given PAM. Such arguments will be documented for each individual module. See `module-arguments` in {manpage}`pam.conf(5)` for details.
Escaping rules for spaces and square brackets are automatically applied. Escaping rules for spaces and square brackets are automatically applied.
{option}`settings` are automatically added as {option}`args`. It's recommended to use the {option}`settings` option whenever possible so that arguments can be overridden.
'';
};
settings = mkOption {
type = with types; attrsOf (nullOr (oneOf [ bool str int pathInStore ]));
default = {};
description = lib.mdDoc ''
Settings to add as `module-arguments`.
Boolean values render just the key if true, and nothing if false. Null values are ignored. All other values are rendered as key-value pairs.
''; '';
}; };
text = mkOption { text = mkOption {
@ -55,7 +65,15 @@ let
''; '';
}; };
}; };
}); config = {
# Formats an attrset of settings as args for use as `module-arguments`.
args = concatLists (flip mapAttrsToList config.settings (name: value:
if isBool value
then optional value name
else optional (value != null) "${name}=${toString value}"
));
};
}));
}; };
parentConfig = config; parentConfig = config;
@ -580,13 +598,13 @@ let
account = [ account = [
{ name = "ldap"; enable = use_ldap; control = "sufficient"; modulePath = "${pam_ldap}/lib/security/pam_ldap.so"; text = '' { name = "ldap"; enable = use_ldap; control = "sufficient"; modulePath = "${pam_ldap}/lib/security/pam_ldap.so"; text = ''
''; } ''; }
{ name = "mysql"; enable = cfg.mysqlAuth; control = "sufficient"; modulePath = "${pkgs.pam_mysql}/lib/security/pam_mysql.so"; args = [ { name = "mysql"; enable = cfg.mysqlAuth; control = "sufficient"; modulePath = "${pkgs.pam_mysql}/lib/security/pam_mysql.so"; settings = {
"config_file=/etc/security/pam_mysql.conf" config_file = "/etc/security/pam_mysql.conf";
]; text = '' }; text = ''
''; } ''; }
{ name = "kanidm"; enable = config.services.kanidm.enablePam; control = "sufficient"; modulePath = "${pkgs.kanidm}/lib/pam_kanidm.so"; args = [ { name = "kanidm"; enable = config.services.kanidm.enablePam; control = "sufficient"; modulePath = "${pkgs.kanidm}/lib/pam_kanidm.so"; settings = {
"ignore_unknown_user" ignore_unknown_user = true;
]; text = '' }; text = ''
''; } ''; }
{ name = "sss"; enable = config.services.sssd.enable; control = if cfg.sssdStrictAccess then "[default=bad success=ok user_unknown=ignore]" else "sufficient"; modulePath = "${pkgs.sssd}/lib/security/pam_sss.so"; text = '' { name = "sss"; enable = config.services.sssd.enable; control = if cfg.sssdStrictAccess then "[default=bad success=ok user_unknown=ignore]" else "sufficient"; modulePath = "${pkgs.sssd}/lib/security/pam_sss.so"; text = ''
''; } ''; }
@ -610,54 +628,49 @@ let
''; } ''; }
{ name = "rootok"; enable = cfg.rootOK; control = "sufficient"; modulePath = "pam_rootok.so"; text = '' { name = "rootok"; enable = cfg.rootOK; control = "sufficient"; modulePath = "pam_rootok.so"; text = ''
''; } ''; }
{ name = "wheel"; enable = cfg.requireWheel; control = "required"; modulePath = "pam_wheel.so"; args = [ { name = "wheel"; enable = cfg.requireWheel; control = "required"; modulePath = "pam_wheel.so"; settings = {
"use_uid" use_uid = true;
]; text = '' }; text = ''
''; } ''; }
{ name = "faillock"; enable = cfg.logFailures; control = "required"; modulePath = "pam_faillock.so"; text = '' { name = "faillock"; enable = cfg.logFailures; control = "required"; modulePath = "pam_faillock.so"; text = ''
''; } ''; }
{ name = "mysql"; enable = cfg.mysqlAuth; control = "sufficient"; modulePath = "${pkgs.pam_mysql}/lib/security/pam_mysql.so"; args = [ { name = "mysql"; enable = cfg.mysqlAuth; control = "sufficient"; modulePath = "${pkgs.pam_mysql}/lib/security/pam_mysql.so"; settings = {
"config_file=/etc/security/pam_mysql.conf" config_file = "/etc/security/pam_mysql.conf";
]; text = '' }; text = ''
''; } ''; }
{ name = "ssh_agent_auth"; enable = config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth; control = "sufficient"; modulePath = "${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so"; args = [ { name = "ssh_agent_auth"; enable = config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth; control = "sufficient"; modulePath = "${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so"; settings = {
"file=${lib.concatStringsSep ":" config.services.openssh.authorizedKeysFiles}" file = lib.concatStringsSep ":" config.services.openssh.authorizedKeysFiles;
]; text = '' }; text = ''
''; } ''; }
(let p11 = config.security.pam.p11; in { name = "p11"; enable = cfg.p11Auth; control = p11.control; modulePath = "${pkgs.pam_p11}/lib/security/pam_p11.so"; args = [ (let p11 = config.security.pam.p11; in { name = "p11"; enable = cfg.p11Auth; control = p11.control; modulePath = "${pkgs.pam_p11}/lib/security/pam_p11.so"; args = [
"${pkgs.opensc}/lib/opensc-pkcs11.so" "${pkgs.opensc}/lib/opensc-pkcs11.so"
]; text = '' ]; text = ''
''; }) ''; })
(let u2f = config.security.pam.u2f; in { name = "u2f"; enable = cfg.u2fAuth; control = u2f.control; modulePath = "${pkgs.pam_u2f}/lib/security/pam_u2f.so"; args = concatLists [ (let u2f = config.security.pam.u2f; in { name = "u2f"; enable = cfg.u2fAuth; control = u2f.control; modulePath = "${pkgs.pam_u2f}/lib/security/pam_u2f.so"; settings = {
(optional u2f.debug "debug") inherit (u2f) debug interactive cue origin;
(optional (u2f.authFile != null) "authfile=${u2f.authFile}") authfile = u2f.authFile;
(optional u2f.interactive "interactive") appid = u2f.appId;
(optional u2f.cue "cue") }; text = (''
(optional (u2f.appId != null) "appid=${u2f.appId}") ''); })
(optional (u2f.origin != null) "origin=${u2f.origin}")
]; text = ''
''; })
{ name = "usb"; enable = cfg.usbAuth; control = "sufficient"; modulePath = "${pkgs.pam_usb}/lib/security/pam_usb.so"; text = '' { name = "usb"; enable = cfg.usbAuth; control = "sufficient"; modulePath = "${pkgs.pam_usb}/lib/security/pam_usb.so"; text = ''
''; } ''; }
(let ussh = config.security.pam.ussh; in { name = "ussh"; enable = config.security.pam.ussh.enable && cfg.usshAuth; control = ussh.control; modulePath = "${pkgs.pam_ussh}/lib/security/pam_ussh.so"; args = concatLists [ (let ussh = config.security.pam.ussh; in { name = "ussh"; enable = config.security.pam.ussh.enable && cfg.usshAuth; control = ussh.control; modulePath = "${pkgs.pam_ussh}/lib/security/pam_ussh.so"; settings = {
(optional (ussh.caFile != null) "ca_file=${ussh.caFile}") ca_file = ussh.caFile;
(optional (ussh.authorizedPrincipals != null) "authorized_principals=${ussh.authorizedPrincipals}") authorized_principals = ussh.authorizedPrincipals;
(optional (ussh.authorizedPrincipalsFile != null) "authorized_principals_file=${ussh.authorizedPrincipalsFile}") authorized_principals_file = ussh.authorizedPrincipalsFile;
(optional (ussh.group != null) "group=${ussh.group}") inherit (ussh) group;
]; text = '' }; text = ''
''; }) ''; })
(let oath = config.security.pam.oath; in { name = "oath"; enable = cfg.oathAuth; control = "requisite"; modulePath = "${pkgs.oath-toolkit}/lib/security/pam_oath.so"; args = [ (let oath = config.security.pam.oath; in { name = "oath"; enable = cfg.oathAuth; control = "requisite"; modulePath = "${pkgs.oath-toolkit}/lib/security/pam_oath.so"; settings = {
"window=${toString oath.window}" inherit (oath) window digits;
"usersfile=${toString oath.usersFile}" usersfile = oath.usersFile;
"digits=${toString oath.digits}" }; text = ''
]; text = ''
''; }) ''; })
(let yubi = config.security.pam.yubico; in { name = "yubico"; enable = cfg.yubicoAuth; control = yubi.control; modulePath = "${pkgs.yubico-pam}/lib/security/pam_yubico.so"; args = concatLists [ (let yubi = config.security.pam.yubico; in { name = "yubico"; enable = cfg.yubicoAuth; control = yubi.control; modulePath = "${pkgs.yubico-pam}/lib/security/pam_yubico.so"; settings = {
(singleton "mode=${toString yubi.mode}") inherit (yubi) mode debug;
(optional (yubi.challengeResponsePath != null) "chalresp_path=${yubi.challengeResponsePath}") chalresp_path = yubi.challengeResponsePath;
(optional (yubi.mode == "client") "id=${toString yubi.id}") id = mkIf (yubi.mode == "client") yubi.id;
(optional yubi.debug "debug") }; text = ''
]; text = ''
''; }) ''; })
(let dp9ik = config.security.pam.dp9ik; in { name = "p9"; enable = dp9ik.enable; control = dp9ik.control; modulePath = "${pkgs.pam_dp9ik}/lib/security/pam_p9.so"; args = [ (let dp9ik = config.security.pam.dp9ik; in { name = "p9"; enable = dp9ik.enable; control = dp9ik.control; modulePath = "${pkgs.pam_dp9ik}/lib/security/pam_p9.so"; args = [
dp9ik.authserver dp9ik.authserver
@ -688,84 +701,84 @@ let
[ [
{ name = "systemd_home-early"; enable = config.services.homed.enable; control = "optional"; modulePath = "${config.systemd.package}/lib/security/pam_systemd_home.so"; text = '' { name = "systemd_home-early"; enable = config.services.homed.enable; control = "optional"; modulePath = "${config.systemd.package}/lib/security/pam_systemd_home.so"; text = ''
''; } ''; }
{ name = "unix-early"; enable = cfg.unixAuth; control = "optional"; modulePath = "pam_unix.so"; args = concatLists [ { name = "unix-early"; enable = cfg.unixAuth; control = "optional"; modulePath = "pam_unix.so"; settings = {
(optional cfg.allowNullPassword "nullok") nullok = cfg.allowNullPassword;
(optional cfg.nodelay "nodelay") inherit (cfg) nodelay;
(singleton "likeauth") likeauth = true;
]; text = '' }; text = ''
''; } ''; }
{ name = "ecryptfs"; enable = config.security.pam.enableEcryptfs; control = "optional"; modulePath = "${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"; args = [ { name = "ecryptfs"; enable = config.security.pam.enableEcryptfs; control = "optional"; modulePath = "${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"; settings = {
"unwrap" unwrap = true;
]; text = '' }; text = ''
''; } ''; }
{ name = "fscrypt"; enable = config.security.pam.enableFscrypt; control = "optional"; modulePath = "${pkgs.fscrypt-experimental}/lib/security/pam_fscrypt.so"; text = '' { name = "fscrypt"; enable = config.security.pam.enableFscrypt; control = "optional"; modulePath = "${pkgs.fscrypt-experimental}/lib/security/pam_fscrypt.so"; text = ''
''; } ''; }
{ name = "zfs_key"; enable = cfg.zfs; control = "optional"; modulePath = "${config.boot.zfs.package}/lib/security/pam_zfs_key.so"; args = [ { name = "zfs_key"; enable = cfg.zfs; control = "optional"; modulePath = "${config.boot.zfs.package}/lib/security/pam_zfs_key.so"; settings = {
"homes=${config.security.pam.zfs.homes}" inherit (config.security.pam.zfs) homes;
]; text = '' }; text = ''
''; } ''; }
{ name = "mount"; enable = cfg.pamMount; control = "optional"; modulePath = "${pkgs.pam_mount}/lib/security/pam_mount.so"; args = [ { name = "mount"; enable = cfg.pamMount; control = "optional"; modulePath = "${pkgs.pam_mount}/lib/security/pam_mount.so"; settings = {
"disable_interactive" disable_interactive = true;
]; text = '' }; text = ''
''; } ''; }
{ name = "kwallet5"; enable = cfg.enableKwallet; control = "optional"; modulePath = "${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so"; args = [ { name = "kwallet5"; enable = cfg.enableKwallet; control = "optional"; modulePath = "${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so"; settings = {
"kwalletd=${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5" kwalletd = "${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5";
]; text = '' }; text = ''
''; } ''; }
{ name = "gnome_keyring"; enable = cfg.enableGnomeKeyring; control = "optional"; modulePath = "${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so"; text = '' { name = "gnome_keyring"; enable = cfg.enableGnomeKeyring; control = "optional"; modulePath = "${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so"; text = ''
''; } ''; }
{ name = "gnupg"; enable = cfg.gnupg.enable; control = "optional"; modulePath = "${pkgs.pam_gnupg}/lib/security/pam_gnupg.so"; args = concatLists [ { name = "gnupg"; enable = cfg.gnupg.enable; control = "optional"; modulePath = "${pkgs.pam_gnupg}/lib/security/pam_gnupg.so"; settings = {
(optional cfg.gnupg.storeOnly "store-only") store-only = cfg.gnupg.storeOnly;
]; text = '' }; text = ''
''; } ''; }
{ name = "faildelay"; enable = cfg.failDelay.enable; control = "optional"; modulePath = "${pkgs.pam}/lib/security/pam_faildelay.so"; args = [ { name = "faildelay"; enable = cfg.failDelay.enable; control = "optional"; modulePath = "${pkgs.pam}/lib/security/pam_faildelay.so"; settings = {
"delay=${toString cfg.failDelay.delay}" inherit (cfg.failDelay) delay;
]; text = '' }; text = ''
''; } ''; }
{ name = "google_authenticator"; enable = cfg.googleAuthenticator.enable; control = "required"; modulePath = "${pkgs.google-authenticator}/lib/security/pam_google_authenticator.so"; args = [ { name = "google_authenticator"; enable = cfg.googleAuthenticator.enable; control = "required"; modulePath = "${pkgs.google-authenticator}/lib/security/pam_google_authenticator.so"; settings = {
"no_increment_hotp" no_increment_hotp = true;
]; text = '' }; text = ''
''; } ''; }
{ name = "duo"; enable = cfg.duoSecurity.enable; control = "required"; modulePath = "${pkgs.duo-unix}/lib/security/pam_duo.so"; text = '' { name = "duo"; enable = cfg.duoSecurity.enable; control = "required"; modulePath = "${pkgs.duo-unix}/lib/security/pam_duo.so"; text = ''
''; } ''; }
]) ++ [ ]) ++ [
{ name = "systemd_home"; enable = config.services.homed.enable; control = "sufficient"; modulePath = "${config.systemd.package}/lib/security/pam_systemd_home.so"; text = '' { name = "systemd_home"; enable = config.services.homed.enable; control = "sufficient"; modulePath = "${config.systemd.package}/lib/security/pam_systemd_home.so"; text = ''
''; } ''; }
{ name = "unix"; enable = cfg.unixAuth; control = "sufficient"; modulePath = "pam_unix.so"; args = concatLists [ { name = "unix"; enable = cfg.unixAuth; control = "sufficient"; modulePath = "pam_unix.so"; settings = {
(optional cfg.allowNullPassword "nullok") nullok = cfg.allowNullPassword;
(optional cfg.nodelay "nodelay") inherit (cfg) nodelay;
(singleton "likeauth") likeauth = true;
(singleton "try_first_pass") try_first_pass = true;
]; text = '' }; text = ''
''; } ''; }
{ name = "otpw"; enable = cfg.otpwAuth; control = "sufficient"; modulePath = "${pkgs.otpw}/lib/security/pam_otpw.so"; text = '' { name = "otpw"; enable = cfg.otpwAuth; control = "sufficient"; modulePath = "${pkgs.otpw}/lib/security/pam_otpw.so"; text = ''
''; } ''; }
{ name = "ldap"; enable = use_ldap; control = "sufficient"; modulePath = "${pam_ldap}/lib/security/pam_ldap.so"; args = [ { name = "ldap"; enable = use_ldap; control = "sufficient"; modulePath = "${pam_ldap}/lib/security/pam_ldap.so"; settings = {
"use_first_pass" use_first_pass = true;
]; text = '' }; text = ''
''; } ''; }
{ name = "kanidm"; enable = config.services.kanidm.enablePam; control = "sufficient"; modulePath = "${pkgs.kanidm}/lib/pam_kanidm.so"; args = [ { name = "kanidm"; enable = config.services.kanidm.enablePam; control = "sufficient"; modulePath = "${pkgs.kanidm}/lib/pam_kanidm.so"; settings = {
"ignore_unknown_user" ignore_unknown_user = true;
"use_first_pass" use_first_pass = true;
]; text = '' }; text = ''
''; } ''; }
{ name = "sss"; enable = config.services.sssd.enable; control = "sufficient"; modulePath = "${pkgs.sssd}/lib/security/pam_sss.so"; args = [ { name = "sss"; enable = config.services.sssd.enable; control = "sufficient"; modulePath = "${pkgs.sssd}/lib/security/pam_sss.so"; settings = {
"use_first_pass" use_first_pass = true;
]; text = '' }; text = ''
''; } ''; }
{ name = "krb5"; enable = config.security.pam.krb5.enable; control = "[default=ignore success=1 service_err=reset]"; modulePath = "${pam_krb5}/lib/security/pam_krb5.so"; args = [ { name = "krb5"; enable = config.security.pam.krb5.enable; control = "[default=ignore success=1 service_err=reset]"; modulePath = "${pam_krb5}/lib/security/pam_krb5.so"; settings = {
"use_first_pass" use_first_pass = true;
]; text = '' }; text = ''
''; } ''; }
{ name = "ccreds-validate"; enable = config.security.pam.krb5.enable; control = "[default=die success=done]"; modulePath = "${pam_ccreds}/lib/security/pam_ccreds.so"; args = [ { name = "ccreds-validate"; enable = config.security.pam.krb5.enable; control = "[default=die success=done]"; modulePath = "${pam_ccreds}/lib/security/pam_ccreds.so"; settings = {
"action=validate" action = "validate";
"use_first_pass" use_first_pass = true;
]; text = '' }; text = ''
''; } ''; }
{ name = "ccreds-store"; enable = config.security.pam.krb5.enable; control = "sufficient"; modulePath = "${pam_ccreds}/lib/security/pam_ccreds.so"; args = [ { name = "ccreds-store"; enable = config.security.pam.krb5.enable; control = "sufficient"; modulePath = "${pam_ccreds}/lib/security/pam_ccreds.so"; settings = {
"action=store" action = "store";
"use_first_pass" use_first_pass = true;
]; text = '' }; text = ''
''; } ''; }
{ name = "deny"; control = "required"; modulePath = "pam_deny.so"; text = '' { name = "deny"; control = "required"; modulePath = "pam_deny.so"; text = ''
''; } ''; }
@ -774,68 +787,68 @@ let
password = [ password = [
{ name = "systemd_home"; enable = config.services.homed.enable; control = "sufficient"; modulePath = "${config.systemd.package}/lib/security/pam_systemd_home.so"; text = '' { name = "systemd_home"; enable = config.services.homed.enable; control = "sufficient"; modulePath = "${config.systemd.package}/lib/security/pam_systemd_home.so"; text = ''
''; } ''; }
{ name = "unix"; control = "sufficient"; modulePath = "pam_unix.so"; args = [ { name = "unix"; control = "sufficient"; modulePath = "pam_unix.so"; settings = {
"nullok" nullok = true;
"yescrypt" yescrypt = true;
]; text = '' }; text = ''
''; } ''; }
{ name = "ecryptfs"; enable = config.security.pam.enableEcryptfs; control = "optional"; modulePath = "${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"; text = '' { name = "ecryptfs"; enable = config.security.pam.enableEcryptfs; control = "optional"; modulePath = "${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"; text = ''
''; } ''; }
{ name = "fscrypt"; enable = config.security.pam.enableFscrypt; control = "optional"; modulePath = "${pkgs.fscrypt-experimental}/lib/security/pam_fscrypt.so"; text = '' { name = "fscrypt"; enable = config.security.pam.enableFscrypt; control = "optional"; modulePath = "${pkgs.fscrypt-experimental}/lib/security/pam_fscrypt.so"; text = ''
''; } ''; }
{ name = "zfs_key"; enable = cfg.zfs; control = "optional"; modulePath = "${config.boot.zfs.package}/lib/security/pam_zfs_key.so"; args = [ { name = "zfs_key"; enable = cfg.zfs; control = "optional"; modulePath = "${config.boot.zfs.package}/lib/security/pam_zfs_key.so"; settings = {
"homes=${config.security.pam.zfs.homes}" inherit (config.security.pam.zfs) homes;
]; text = '' }; text = ''
''; } ''; }
{ name = "mount"; enable = cfg.pamMount; control = "optional"; modulePath = "${pkgs.pam_mount}/lib/security/pam_mount.so"; text = '' { name = "mount"; enable = cfg.pamMount; control = "optional"; modulePath = "${pkgs.pam_mount}/lib/security/pam_mount.so"; text = ''
''; } ''; }
{ name = "ldap"; enable = use_ldap; control = "sufficient"; modulePath = "${pam_ldap}/lib/security/pam_ldap.so"; text = '' { name = "ldap"; enable = use_ldap; control = "sufficient"; modulePath = "${pam_ldap}/lib/security/pam_ldap.so"; text = ''
''; } ''; }
{ name = "mysql"; enable = cfg.mysqlAuth; control = "sufficient"; modulePath = "${pkgs.pam_mysql}/lib/security/pam_mysql.so"; args = [ { name = "mysql"; enable = cfg.mysqlAuth; control = "sufficient"; modulePath = "${pkgs.pam_mysql}/lib/security/pam_mysql.so"; settings = {
"config_file=/etc/security/pam_mysql.conf" config_file = "/etc/security/pam_mysql.conf";
]; text = '' }; text = ''
''; } ''; }
{ name = "kanidm"; enable = config.services.kanidm.enablePam; control = "sufficient"; modulePath = "${pkgs.kanidm}/lib/pam_kanidm.so"; text = '' { name = "kanidm"; enable = config.services.kanidm.enablePam; control = "sufficient"; modulePath = "${pkgs.kanidm}/lib/pam_kanidm.so"; text = ''
''; } ''; }
{ name = "sss"; enable = config.services.sssd.enable; control = "sufficient"; modulePath = "${pkgs.sssd}/lib/security/pam_sss.so"; text = '' { name = "sss"; enable = config.services.sssd.enable; control = "sufficient"; modulePath = "${pkgs.sssd}/lib/security/pam_sss.so"; text = ''
''; } ''; }
{ name = "krb5"; enable = config.security.pam.krb5.enable; control = "sufficient"; modulePath = "${pam_krb5}/lib/security/pam_krb5.so"; args = [ { name = "krb5"; enable = config.security.pam.krb5.enable; control = "sufficient"; modulePath = "${pam_krb5}/lib/security/pam_krb5.so"; settings = {
"use_first_pass" use_first_pass = true;
]; text = '' }; text = ''
''; } ''; }
{ name = "gnome_keyring"; enable = cfg.enableGnomeKeyring; control = "optional"; modulePath = "${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so"; args = [ { name = "gnome_keyring"; enable = cfg.enableGnomeKeyring; control = "optional"; modulePath = "${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so"; settings = {
"use_authtok" use_authtok = true;
]; text = '' }; text = ''
''; } ''; }
]; ];
session = [ session = [
{ name = "env"; enable = cfg.setEnvironment; control = "required"; modulePath = "pam_env.so"; args = [ { name = "env"; enable = cfg.setEnvironment; control = "required"; modulePath = "pam_env.so"; settings = {
"conffile=/etc/pam/environment" conffile = "/etc/pam/environment";
"readenv=0" readenv = 0;
]; text = '' }; text = ''
''; } ''; }
{ name = "unix"; control = "required"; modulePath = "pam_unix.so"; text = '' { name = "unix"; control = "required"; modulePath = "pam_unix.so"; text = ''
''; } ''; }
{ name = "loginuid"; enable = cfg.setLoginUid; control = if config.boot.isContainer then "optional" else "required"; modulePath = "pam_loginuid.so"; text = '' { name = "loginuid"; enable = cfg.setLoginUid; control = if config.boot.isContainer then "optional" else "required"; modulePath = "pam_loginuid.so"; text = ''
''; } ''; }
{ name = "tty_audit"; enable = cfg.ttyAudit.enable; control = "required"; modulePath = "${pkgs.pam}/lib/security/pam_tty_audit.so"; args = concatLists [ { name = "tty_audit"; enable = cfg.ttyAudit.enable; control = "required"; modulePath = "${pkgs.pam}/lib/security/pam_tty_audit.so"; settings = {
(optional cfg.ttyAudit.openOnly "open_only") open_only = cfg.ttyAudit.openOnly;
(optional (cfg.ttyAudit.enablePattern != null) "enable=${cfg.ttyAudit.enablePattern}") enable = cfg.ttyAudit.enablePattern;
(optional (cfg.ttyAudit.disablePattern != null) "disable=${cfg.ttyAudit.disablePattern}") disable = cfg.ttyAudit.disablePattern;
]; text = '' }; text = ''
''; } ''; }
{ name = "systemd_home"; enable = config.services.homed.enable; control = "required"; modulePath = "${config.systemd.package}/lib/security/pam_systemd_home.so"; text = '' { name = "systemd_home"; enable = config.services.homed.enable; control = "required"; modulePath = "${config.systemd.package}/lib/security/pam_systemd_home.so"; text = ''
''; } ''; }
{ name = "mkhomedir"; enable = cfg.makeHomeDir; control = "required"; modulePath = "${pkgs.pam}/lib/security/pam_mkhomedir.so"; args = [ { name = "mkhomedir"; enable = cfg.makeHomeDir; control = "required"; modulePath = "${pkgs.pam}/lib/security/pam_mkhomedir.so"; settings = {
"silent" silent = true;
"skel=${config.security.pam.makeHomeDir.skelDirectory}" skel = config.security.pam.makeHomeDir.skelDirectory;
"umask=${config.security.pam.makeHomeDir.umask}" inherit (config.security.pam.makeHomeDir) umask;
]; text = '' }; text = ''
''; } ''; }
{ name = "lastlog"; enable = cfg.updateWtmp; control = "required"; modulePath = "${pkgs.pam}/lib/security/pam_lastlog.so"; args = [ { name = "lastlog"; enable = cfg.updateWtmp; control = "required"; modulePath = "${pkgs.pam}/lib/security/pam_lastlog.so"; settings = {
"silent" silent = true;
]; text = '' }; text = ''
''; } ''; }
{ name = "ecryptfs"; enable = config.security.pam.enableEcryptfs; control = "optional"; modulePath = "${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"; text = '' { name = "ecryptfs"; enable = config.security.pam.enableEcryptfs; control = "optional"; modulePath = "${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"; text = ''
''; } ''; }
@ -853,20 +866,20 @@ let
"service" "=" "systemd-user" "service" "=" "systemd-user"
]; text = '' ]; text = ''
''; } ''; }
{ name = "zfs_key"; enable = cfg.zfs; control = "optional"; modulePath = "${config.boot.zfs.package}/lib/security/pam_zfs_key.so"; args = concatLists [ { name = "zfs_key"; enable = cfg.zfs; control = "optional"; modulePath = "${config.boot.zfs.package}/lib/security/pam_zfs_key.so"; settings = {
(singleton "homes=${config.security.pam.zfs.homes}") inherit (config.security.pam.zfs) homes;
(optional config.security.pam.zfs.noUnmount "nounmount") nounmount = config.security.pam.zfs.noUnmount;
]; text = '' }; text = ''
''; } ''; }
{ name = "mount"; enable = cfg.pamMount; control = "optional"; modulePath = "${pkgs.pam_mount}/lib/security/pam_mount.so"; args = [ { name = "mount"; enable = cfg.pamMount; control = "optional"; modulePath = "${pkgs.pam_mount}/lib/security/pam_mount.so"; settings = {
"disable_interactive" disable_interactive = true;
]; text = '' }; text = ''
''; } ''; }
{ name = "ldap"; enable = use_ldap; control = "optional"; modulePath = "${pam_ldap}/lib/security/pam_ldap.so"; text = '' { name = "ldap"; enable = use_ldap; control = "optional"; modulePath = "${pam_ldap}/lib/security/pam_ldap.so"; text = ''
''; } ''; }
{ name = "mysql"; enable = cfg.mysqlAuth; control = "optional"; modulePath = "${pkgs.pam_mysql}/lib/security/pam_mysql.so"; args = [ { name = "mysql"; enable = cfg.mysqlAuth; control = "optional"; modulePath = "${pkgs.pam_mysql}/lib/security/pam_mysql.so"; settings = {
"config_file=/etc/security/pam_mysql.conf" config_file = "/etc/security/pam_mysql.conf";
]; text = '' }; text = ''
''; } ''; }
{ name = "kanidm"; enable = config.services.kanidm.enablePam; control = "optional"; modulePath = "${pkgs.kanidm}/lib/pam_kanidm.so"; text = '' { name = "kanidm"; enable = config.services.kanidm.enablePam; control = "optional"; modulePath = "${pkgs.kanidm}/lib/pam_kanidm.so"; text = ''
''; } ''; }
@ -878,35 +891,35 @@ let
''; } ''; }
{ name = "systemd"; enable = cfg.startSession; control = "optional"; modulePath = "${config.systemd.package}/lib/security/pam_systemd.so"; text = '' { name = "systemd"; enable = cfg.startSession; control = "optional"; modulePath = "${config.systemd.package}/lib/security/pam_systemd.so"; text = ''
''; } ''; }
{ name = "xauth"; enable = cfg.forwardXAuth; control = "optional"; modulePath = "pam_xauth.so"; args = [ { name = "xauth"; enable = cfg.forwardXAuth; control = "optional"; modulePath = "pam_xauth.so"; settings = {
"xauthpath=${pkgs.xorg.xauth}/bin/xauth" xauthpath = "${pkgs.xorg.xauth}/bin/xauth";
"systemuser=99" systemuser = 99;
]; text = '' }; text = ''
''; } ''; }
{ name = "limits"; enable = cfg.limits != []; control = "required"; modulePath = "${pkgs.pam}/lib/security/pam_limits.so"; args = [ { name = "limits"; enable = cfg.limits != []; control = "required"; modulePath = "${pkgs.pam}/lib/security/pam_limits.so"; settings = {
"conf=${makeLimitsConf cfg.limits}" conf = "${makeLimitsConf cfg.limits}";
]; text = '' }; text = ''
''; } ''; }
{ name = "motd"; enable = cfg.showMotd && (config.users.motd != null || config.users.motdFile != null); control = "optional"; modulePath = "${pkgs.pam}/lib/security/pam_motd.so"; args = [ { name = "motd"; enable = cfg.showMotd && (config.users.motd != null || config.users.motdFile != null); control = "optional"; modulePath = "${pkgs.pam}/lib/security/pam_motd.so"; settings = {
"motd=${motd}" inherit motd;
]; text = '' }; text = ''
''; } ''; }
{ name = "apparmor"; enable = cfg.enableAppArmor && config.security.apparmor.enable; control = "optional"; modulePath = "${pkgs.apparmor-pam}/lib/security/pam_apparmor.so"; args = [ { name = "apparmor"; enable = cfg.enableAppArmor && config.security.apparmor.enable; control = "optional"; modulePath = "${pkgs.apparmor-pam}/lib/security/pam_apparmor.so"; settings = {
"order=user,group,default" order = "user,group,default";
"debug" debug = true;
]; text = '' }; text = ''
''; } ''; }
{ name = "kwallet5"; enable = cfg.enableKwallet; control = "optional"; modulePath = "${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so"; args = [ { name = "kwallet5"; enable = cfg.enableKwallet; control = "optional"; modulePath = "${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so"; settings = {
"kwalletd=${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5" kwalletd = "${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5";
]; text = '' }; text = ''
''; } ''; }
{ name = "gnome_keyring"; enable = cfg.enableGnomeKeyring; control = "optional"; modulePath = "${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so"; args = [ { name = "gnome_keyring"; enable = cfg.enableGnomeKeyring; control = "optional"; modulePath = "${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so"; settings = {
"auto_start" auto_start = true;
]; text = '' }; text = ''
''; } ''; }
{ name = "gnupg"; enable = cfg.gnupg.enable; control = "optional"; modulePath = "${pkgs.pam_gnupg}/lib/security/pam_gnupg.so"; args = concatLists [ { name = "gnupg"; enable = cfg.gnupg.enable; control = "optional"; modulePath = "${pkgs.pam_gnupg}/lib/security/pam_gnupg.so"; settings = {
(optional cfg.gnupg.noAutostart " no-autostart") no-autostart = cfg.gnupg.noAutostart;
]; text = '' }; text = ''
''; } ''; }
{ name = "cgfs"; enable = config.virtualisation.lxc.lxcfs.enable; control = "optional"; modulePath = "${pkgs.lxc}/lib/security/pam_cgfs.so"; args = [ { name = "cgfs"; enable = config.virtualisation.lxc.lxcfs.enable; control = "optional"; modulePath = "${pkgs.lxc}/lib/security/pam_cgfs.so"; args = [
"-c" "all" "-c" "all"

2
nixos/tests/pam/pam-u2f.nix
View file

@ -20,7 +20,7 @@ import ../make-test-python.nix ({ ... }:
'' ''
machine.wait_for_unit("multi-user.target") machine.wait_for_unit("multi-user.target")
machine.succeed( machine.succeed(
'egrep "auth required .*/lib/security/pam_u2f.so.*debug.*interactive.*cue.*origin=nixos-test" /etc/pam.d/ -R' 'egrep "auth required .*/lib/security/pam_u2f.so.*cue.*debug.*interactive.*origin=nixos-test" /etc/pam.d/ -R'
) )
''; '';
}) })