nixos/pam: extract args field
Module arguments have common escaping rules for all PAMs.
This commit is contained in:
Majiir Paktu
parent
12a488e89c
commit
6eea7fb194
2 changed files with 191 additions and 98 deletions
|
|
@ -39,10 +39,19 @@ let
|
|||
Either the full filename of the PAM to be used by the application (it begins with a '/'), or a relative pathname from the default module location. See `module-path` in {manpage}`pam.conf(5)` for details.
|
||||
'';
|
||||
};
|
||||
args = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [];
|
||||
description = lib.mdDoc ''
|
||||
Tokens that can be used to modify the specific behavior of the given PAM. Such arguments will be documented for each individual module. See `module-arguments` in {manpage}`pam.conf(5)` for details.
|
||||
|
||||
Escaping rules for spaces and square brackets are automatically applied.
|
||||
'';
|
||||
};
|
||||
text = mkOption {
|
||||
type = types.str;
|
||||
description = lib.mdDoc ''
|
||||
Text of the rule (without `service`, `type`, `control` or `module-path` fields).
|
||||
(Obsolete.)
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
|
@ -536,10 +545,16 @@ let
|
|||
limits = mkDefault config.security.pam.loginLimits;
|
||||
|
||||
text = let
|
||||
# Formats a string for use in `module-arguments`. See `man pam.conf`.
|
||||
formatModuleArgument = token:
|
||||
if hasInfix " " token
|
||||
then "[${replaceStrings ["]"] ["\\]"] token}]"
|
||||
else token;
|
||||
formatRules = type: pipe cfg.rules.${type} [
|
||||
(filter (rule: rule.enable))
|
||||
(map (rule: concatStringsSep " " (
|
||||
[ type rule.control rule.modulePath ]
|
||||
++ map formatModuleArgument rule.args
|
||||
++ optional (rule.text != "") (removeSuffix "\n" rule.text)
|
||||
)))
|
||||
(concatStringsSep "\n")
|
||||
|
|
@ -565,11 +580,13 @@ let
|
|||
account = [
|
||||
{ name = "ldap"; enable = use_ldap; control = "sufficient"; modulePath = "${pam_ldap}/lib/security/pam_ldap.so"; text = ''
|
||||
''; }
|
||||
{ name = "mysql"; enable = cfg.mysqlAuth; control = "sufficient"; modulePath = "${pkgs.pam_mysql}/lib/security/pam_mysql.so"; text = ''
|
||||
config_file=/etc/security/pam_mysql.conf
|
||||
{ name = "mysql"; enable = cfg.mysqlAuth; control = "sufficient"; modulePath = "${pkgs.pam_mysql}/lib/security/pam_mysql.so"; args = [
|
||||
"config_file=/etc/security/pam_mysql.conf"
|
||||
]; text = ''
|
||||
''; }
|
||||
{ name = "kanidm"; enable = config.services.kanidm.enablePam; control = "sufficient"; modulePath = "${pkgs.kanidm}/lib/pam_kanidm.so"; text = ''
|
||||
ignore_unknown_user
|
||||
{ name = "kanidm"; enable = config.services.kanidm.enablePam; control = "sufficient"; modulePath = "${pkgs.kanidm}/lib/pam_kanidm.so"; args = [
|
||||
"ignore_unknown_user"
|
||||
]; text = ''
|
||||
''; }
|
||||
{ name = "sss"; enable = config.services.sssd.enable; control = if cfg.sssdStrictAccess then "[default=bad success=ok user_unknown=ignore]" else "sufficient"; modulePath = "${pkgs.sssd}/lib/security/pam_sss.so"; text = ''
|
||||
''; }
|
||||
|
|
@ -593,36 +610,58 @@ let
|
|||
''; }
|
||||
{ name = "rootok"; enable = cfg.rootOK; control = "sufficient"; modulePath = "pam_rootok.so"; text = ''
|
||||
''; }
|
||||
{ name = "wheel"; enable = cfg.requireWheel; control = "required"; modulePath = "pam_wheel.so"; text = ''
|
||||
use_uid
|
||||
{ name = "wheel"; enable = cfg.requireWheel; control = "required"; modulePath = "pam_wheel.so"; args = [
|
||||
"use_uid"
|
||||
]; text = ''
|
||||
''; }
|
||||
{ name = "faillock"; enable = cfg.logFailures; control = "required"; modulePath = "pam_faillock.so"; text = ''
|
||||
''; }
|
||||
{ name = "mysql"; enable = cfg.mysqlAuth; control = "sufficient"; modulePath = "${pkgs.pam_mysql}/lib/security/pam_mysql.so"; text = ''
|
||||
config_file=/etc/security/pam_mysql.conf
|
||||
{ name = "mysql"; enable = cfg.mysqlAuth; control = "sufficient"; modulePath = "${pkgs.pam_mysql}/lib/security/pam_mysql.so"; args = [
|
||||
"config_file=/etc/security/pam_mysql.conf"
|
||||
]; text = ''
|
||||
''; }
|
||||
{ name = "ssh_agent_auth"; enable = config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth; control = "sufficient"; modulePath = "${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so"; text = ''
|
||||
file=${lib.concatStringsSep ":" config.services.openssh.authorizedKeysFiles}
|
||||
{ name = "ssh_agent_auth"; enable = config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth; control = "sufficient"; modulePath = "${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so"; args = [
|
||||
"file=${lib.concatStringsSep ":" config.services.openssh.authorizedKeysFiles}"
|
||||
]; text = ''
|
||||
''; }
|
||||
(let p11 = config.security.pam.p11; in { name = "p11"; enable = cfg.p11Auth; control = p11.control; modulePath = "${pkgs.pam_p11}/lib/security/pam_p11.so"; text = ''
|
||||
${pkgs.opensc}/lib/opensc-pkcs11.so
|
||||
(let p11 = config.security.pam.p11; in { name = "p11"; enable = cfg.p11Auth; control = p11.control; modulePath = "${pkgs.pam_p11}/lib/security/pam_p11.so"; args = [
|
||||
"${pkgs.opensc}/lib/opensc-pkcs11.so"
|
||||
]; text = ''
|
||||
''; })
|
||||
(let u2f = config.security.pam.u2f; in { name = "u2f"; enable = cfg.u2fAuth; control = u2f.control; modulePath = "${pkgs.pam_u2f}/lib/security/pam_u2f.so"; text = ''
|
||||
${optionalString u2f.debug "debug"} ${optionalString (u2f.authFile != null) "authfile=${u2f.authFile}"} ${optionalString u2f.interactive "interactive"} ${optionalString u2f.cue "cue"} ${optionalString (u2f.appId != null) "appid=${u2f.appId}"} ${optionalString (u2f.origin != null) "origin=${u2f.origin}"}
|
||||
(let u2f = config.security.pam.u2f; in { name = "u2f"; enable = cfg.u2fAuth; control = u2f.control; modulePath = "${pkgs.pam_u2f}/lib/security/pam_u2f.so"; args = concatLists [
|
||||
(optional u2f.debug "debug")
|
||||
(optional (u2f.authFile != null) "authfile=${u2f.authFile}")
|
||||
(optional u2f.interactive "interactive")
|
||||
(optional u2f.cue "cue")
|
||||
(optional (u2f.appId != null) "appid=${u2f.appId}")
|
||||
(optional (u2f.origin != null) "origin=${u2f.origin}")
|
||||
]; text = ''
|
||||
''; })
|
||||
{ name = "usb"; enable = cfg.usbAuth; control = "sufficient"; modulePath = "${pkgs.pam_usb}/lib/security/pam_usb.so"; text = ''
|
||||
''; }
|
||||
(let ussh = config.security.pam.ussh; in { name = "ussh"; enable = config.security.pam.ussh.enable && cfg.usshAuth; control = ussh.control; modulePath = "${pkgs.pam_ussh}/lib/security/pam_ussh.so"; text = ''
|
||||
${optionalString (ussh.caFile != null) "ca_file=${ussh.caFile}"} ${optionalString (ussh.authorizedPrincipals != null) "authorized_principals=${ussh.authorizedPrincipals}"} ${optionalString (ussh.authorizedPrincipalsFile != null) "authorized_principals_file=${ussh.authorizedPrincipalsFile}"} ${optionalString (ussh.group != null) "group=${ussh.group}"}
|
||||
(let ussh = config.security.pam.ussh; in { name = "ussh"; enable = config.security.pam.ussh.enable && cfg.usshAuth; control = ussh.control; modulePath = "${pkgs.pam_ussh}/lib/security/pam_ussh.so"; args = concatLists [
|
||||
(optional (ussh.caFile != null) "ca_file=${ussh.caFile}")
|
||||
(optional (ussh.authorizedPrincipals != null) "authorized_principals=${ussh.authorizedPrincipals}")
|
||||
(optional (ussh.authorizedPrincipalsFile != null) "authorized_principals_file=${ussh.authorizedPrincipalsFile}")
|
||||
(optional (ussh.group != null) "group=${ussh.group}")
|
||||
]; text = ''
|
||||
''; })
|
||||
(let oath = config.security.pam.oath; in { name = "oath"; enable = cfg.oathAuth; control = "requisite"; modulePath = "${pkgs.oath-toolkit}/lib/security/pam_oath.so"; text = ''
|
||||
window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}
|
||||
(let oath = config.security.pam.oath; in { name = "oath"; enable = cfg.oathAuth; control = "requisite"; modulePath = "${pkgs.oath-toolkit}/lib/security/pam_oath.so"; args = [
|
||||
"window=${toString oath.window}"
|
||||
"usersfile=${toString oath.usersFile}"
|
||||
"digits=${toString oath.digits}"
|
||||
]; text = ''
|
||||
''; })
|
||||
(let yubi = config.security.pam.yubico; in { name = "yubico"; enable = cfg.yubicoAuth; control = yubi.control; modulePath = "${pkgs.yubico-pam}/lib/security/pam_yubico.so"; text = ''
|
||||
mode=${toString yubi.mode} ${optionalString (yubi.challengeResponsePath != null) "chalresp_path=${yubi.challengeResponsePath}"} ${optionalString (yubi.mode == "client") "id=${toString yubi.id}"} ${optionalString yubi.debug "debug"}
|
||||
(let yubi = config.security.pam.yubico; in { name = "yubico"; enable = cfg.yubicoAuth; control = yubi.control; modulePath = "${pkgs.yubico-pam}/lib/security/pam_yubico.so"; args = concatLists [
|
||||
(singleton "mode=${toString yubi.mode}")
|
||||
(optional (yubi.challengeResponsePath != null) "chalresp_path=${yubi.challengeResponsePath}")
|
||||
(optional (yubi.mode == "client") "id=${toString yubi.id}")
|
||||
(optional yubi.debug "debug")
|
||||
]; text = ''
|
||||
''; })
|
||||
(let dp9ik = config.security.pam.dp9ik; in { name = "p9"; enable = dp9ik.enable; control = dp9ik.control; modulePath = "${pkgs.pam_dp9ik}/lib/security/pam_p9.so"; text = ''
|
||||
${dp9ik.authserver}
|
||||
(let dp9ik = config.security.pam.dp9ik; in { name = "p9"; enable = dp9ik.enable; control = dp9ik.control; modulePath = "${pkgs.pam_dp9ik}/lib/security/pam_p9.so"; args = [
|
||||
dp9ik.authserver
|
||||
]; text = ''
|
||||
''; })
|
||||
{ name = "fprintd"; enable = cfg.fprintAuth; control = "sufficient"; modulePath = "${pkgs.fprintd}/lib/security/pam_fprintd.so"; text = ''
|
||||
''; }
|
||||
|
|
@ -649,61 +688,84 @@ let
|
|||
[
|
||||
{ name = "systemd_home-early"; enable = config.services.homed.enable; control = "optional"; modulePath = "${config.systemd.package}/lib/security/pam_systemd_home.so"; text = ''
|
||||
''; }
|
||||
{ name = "unix-early"; enable = cfg.unixAuth; control = "optional"; modulePath = "pam_unix.so"; text = ''
|
||||
${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth
|
||||
{ name = "unix-early"; enable = cfg.unixAuth; control = "optional"; modulePath = "pam_unix.so"; args = concatLists [
|
||||
(optional cfg.allowNullPassword "nullok")
|
||||
(optional cfg.nodelay "nodelay")
|
||||
(singleton "likeauth")
|
||||
]; text = ''
|
||||
''; }
|
||||
{ name = "ecryptfs"; enable = config.security.pam.enableEcryptfs; control = "optional"; modulePath = "${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"; text = ''
|
||||
unwrap
|
||||
{ name = "ecryptfs"; enable = config.security.pam.enableEcryptfs; control = "optional"; modulePath = "${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"; args = [
|
||||
"unwrap"
|
||||
]; text = ''
|
||||
''; }
|
||||
{ name = "fscrypt"; enable = config.security.pam.enableFscrypt; control = "optional"; modulePath = "${pkgs.fscrypt-experimental}/lib/security/pam_fscrypt.so"; text = ''
|
||||
''; }
|
||||
{ name = "zfs_key"; enable = cfg.zfs; control = "optional"; modulePath = "${config.boot.zfs.package}/lib/security/pam_zfs_key.so"; text = ''
|
||||
homes=${config.security.pam.zfs.homes}
|
||||
{ name = "zfs_key"; enable = cfg.zfs; control = "optional"; modulePath = "${config.boot.zfs.package}/lib/security/pam_zfs_key.so"; args = [
|
||||
"homes=${config.security.pam.zfs.homes}"
|
||||
]; text = ''
|
||||
''; }
|
||||
{ name = "mount"; enable = cfg.pamMount; control = "optional"; modulePath = "${pkgs.pam_mount}/lib/security/pam_mount.so"; text = ''
|
||||
disable_interactive
|
||||
{ name = "mount"; enable = cfg.pamMount; control = "optional"; modulePath = "${pkgs.pam_mount}/lib/security/pam_mount.so"; args = [
|
||||
"disable_interactive"
|
||||
]; text = ''
|
||||
''; }
|
||||
{ name = "kwallet5"; enable = cfg.enableKwallet; control = "optional"; modulePath = "${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so"; text = ''
|
||||
kwalletd=${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5
|
||||
{ name = "kwallet5"; enable = cfg.enableKwallet; control = "optional"; modulePath = "${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so"; args = [
|
||||
"kwalletd=${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5"
|
||||
]; text = ''
|
||||
''; }
|
||||
{ name = "gnome_keyring"; enable = cfg.enableGnomeKeyring; control = "optional"; modulePath = "${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so"; text = ''
|
||||
''; }
|
||||
{ name = "gnupg"; enable = cfg.gnupg.enable; control = "optional"; modulePath = "${pkgs.pam_gnupg}/lib/security/pam_gnupg.so"; text = ''
|
||||
${optionalString cfg.gnupg.storeOnly "store-only"}
|
||||
{ name = "gnupg"; enable = cfg.gnupg.enable; control = "optional"; modulePath = "${pkgs.pam_gnupg}/lib/security/pam_gnupg.so"; args = concatLists [
|
||||
(optional cfg.gnupg.storeOnly "store-only")
|
||||
]; text = ''
|
||||
''; }
|
||||
{ name = "faildelay"; enable = cfg.failDelay.enable; control = "optional"; modulePath = "${pkgs.pam}/lib/security/pam_faildelay.so"; text = ''
|
||||
delay=${toString cfg.failDelay.delay}
|
||||
{ name = "faildelay"; enable = cfg.failDelay.enable; control = "optional"; modulePath = "${pkgs.pam}/lib/security/pam_faildelay.so"; args = [
|
||||
"delay=${toString cfg.failDelay.delay}"
|
||||
]; text = ''
|
||||
''; }
|
||||
{ name = "google_authenticator"; enable = cfg.googleAuthenticator.enable; control = "required"; modulePath = "${pkgs.google-authenticator}/lib/security/pam_google_authenticator.so"; text = ''
|
||||
no_increment_hotp
|
||||
{ name = "google_authenticator"; enable = cfg.googleAuthenticator.enable; control = "required"; modulePath = "${pkgs.google-authenticator}/lib/security/pam_google_authenticator.so"; args = [
|
||||
"no_increment_hotp"
|
||||
]; text = ''
|
||||
''; }
|
||||
{ name = "duo"; enable = cfg.duoSecurity.enable; control = "required"; modulePath = "${pkgs.duo-unix}/lib/security/pam_duo.so"; text = ''
|
||||
''; }
|
||||
]) ++ [
|
||||
{ name = "systemd_home"; enable = config.services.homed.enable; control = "sufficient"; modulePath = "${config.systemd.package}/lib/security/pam_systemd_home.so"; text = ''
|
||||
''; }
|
||||
{ name = "unix"; enable = cfg.unixAuth; control = "sufficient"; modulePath = "pam_unix.so"; text = ''
|
||||
${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth try_first_pass
|
||||
{ name = "unix"; enable = cfg.unixAuth; control = "sufficient"; modulePath = "pam_unix.so"; args = concatLists [
|
||||
(optional cfg.allowNullPassword "nullok")
|
||||
(optional cfg.nodelay "nodelay")
|
||||
(singleton "likeauth")
|
||||
(singleton "try_first_pass")
|
||||
]; text = ''
|
||||
''; }
|
||||
{ name = "otpw"; enable = cfg.otpwAuth; control = "sufficient"; modulePath = "${pkgs.otpw}/lib/security/pam_otpw.so"; text = ''
|
||||
''; }
|
||||
{ name = "ldap"; enable = use_ldap; control = "sufficient"; modulePath = "${pam_ldap}/lib/security/pam_ldap.so"; text = ''
|
||||
use_first_pass
|
||||
{ name = "ldap"; enable = use_ldap; control = "sufficient"; modulePath = "${pam_ldap}/lib/security/pam_ldap.so"; args = [
|
||||
"use_first_pass"
|
||||
]; text = ''
|
||||
''; }
|
||||
{ name = "kanidm"; enable = config.services.kanidm.enablePam; control = "sufficient"; modulePath = "${pkgs.kanidm}/lib/pam_kanidm.so"; text = ''
|
||||
ignore_unknown_user use_first_pass
|
||||
{ name = "kanidm"; enable = config.services.kanidm.enablePam; control = "sufficient"; modulePath = "${pkgs.kanidm}/lib/pam_kanidm.so"; args = [
|
||||
"ignore_unknown_user"
|
||||
"use_first_pass"
|
||||
]; text = ''
|
||||
''; }
|
||||
{ name = "sss"; enable = config.services.sssd.enable; control = "sufficient"; modulePath = "${pkgs.sssd}/lib/security/pam_sss.so"; text = ''
|
||||
use_first_pass
|
||||
{ name = "sss"; enable = config.services.sssd.enable; control = "sufficient"; modulePath = "${pkgs.sssd}/lib/security/pam_sss.so"; args = [
|
||||
"use_first_pass"
|
||||
]; text = ''
|
||||
''; }
|
||||
{ name = "krb5"; enable = config.security.pam.krb5.enable; control = "[default=ignore success=1 service_err=reset]"; modulePath = "${pam_krb5}/lib/security/pam_krb5.so"; text = ''
|
||||
use_first_pass
|
||||
{ name = "krb5"; enable = config.security.pam.krb5.enable; control = "[default=ignore success=1 service_err=reset]"; modulePath = "${pam_krb5}/lib/security/pam_krb5.so"; args = [
|
||||
"use_first_pass"
|
||||
]; text = ''
|
||||
''; }
|
||||
{ name = "ccreds-validate"; enable = config.security.pam.krb5.enable; control = "[default=die success=done]"; modulePath = "${pam_ccreds}/lib/security/pam_ccreds.so"; text = ''
|
||||
action=validate use_first_pass
|
||||
{ name = "ccreds-validate"; enable = config.security.pam.krb5.enable; control = "[default=die success=done]"; modulePath = "${pam_ccreds}/lib/security/pam_ccreds.so"; args = [
|
||||
"action=validate"
|
||||
"use_first_pass"
|
||||
]; text = ''
|
||||
''; }
|
||||
{ name = "ccreds-store"; enable = config.security.pam.krb5.enable; control = "sufficient"; modulePath = "${pam_ccreds}/lib/security/pam_ccreds.so"; text = ''
|
||||
action=store use_first_pass
|
||||
{ name = "ccreds-store"; enable = config.security.pam.krb5.enable; control = "sufficient"; modulePath = "${pam_ccreds}/lib/security/pam_ccreds.so"; args = [
|
||||
"action=store"
|
||||
"use_first_pass"
|
||||
]; text = ''
|
||||
''; }
|
||||
{ name = "deny"; control = "required"; modulePath = "pam_deny.so"; text = ''
|
||||
''; }
|
||||
|
|
@ -712,53 +774,68 @@ let
|
|||
password = [
|
||||
{ name = "systemd_home"; enable = config.services.homed.enable; control = "sufficient"; modulePath = "${config.systemd.package}/lib/security/pam_systemd_home.so"; text = ''
|
||||
''; }
|
||||
{ name = "unix"; control = "sufficient"; modulePath = "pam_unix.so"; text = ''
|
||||
nullok yescrypt
|
||||
{ name = "unix"; control = "sufficient"; modulePath = "pam_unix.so"; args = [
|
||||
"nullok"
|
||||
"yescrypt"
|
||||
]; text = ''
|
||||
''; }
|
||||
{ name = "ecryptfs"; enable = config.security.pam.enableEcryptfs; control = "optional"; modulePath = "${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"; text = ''
|
||||
''; }
|
||||
{ name = "fscrypt"; enable = config.security.pam.enableFscrypt; control = "optional"; modulePath = "${pkgs.fscrypt-experimental}/lib/security/pam_fscrypt.so"; text = ''
|
||||
''; }
|
||||
{ name = "zfs_key"; enable = cfg.zfs; control = "optional"; modulePath = "${config.boot.zfs.package}/lib/security/pam_zfs_key.so"; text = ''
|
||||
homes=${config.security.pam.zfs.homes}
|
||||
{ name = "zfs_key"; enable = cfg.zfs; control = "optional"; modulePath = "${config.boot.zfs.package}/lib/security/pam_zfs_key.so"; args = [
|
||||
"homes=${config.security.pam.zfs.homes}"
|
||||
]; text = ''
|
||||
''; }
|
||||
{ name = "mount"; enable = cfg.pamMount; control = "optional"; modulePath = "${pkgs.pam_mount}/lib/security/pam_mount.so"; text = ''
|
||||
''; }
|
||||
{ name = "ldap"; enable = use_ldap; control = "sufficient"; modulePath = "${pam_ldap}/lib/security/pam_ldap.so"; text = ''
|
||||
''; }
|
||||
{ name = "mysql"; enable = cfg.mysqlAuth; control = "sufficient"; modulePath = "${pkgs.pam_mysql}/lib/security/pam_mysql.so"; text = ''
|
||||
config_file=/etc/security/pam_mysql.conf
|
||||
{ name = "mysql"; enable = cfg.mysqlAuth; control = "sufficient"; modulePath = "${pkgs.pam_mysql}/lib/security/pam_mysql.so"; args = [
|
||||
"config_file=/etc/security/pam_mysql.conf"
|
||||
]; text = ''
|
||||
''; }
|
||||
{ name = "kanidm"; enable = config.services.kanidm.enablePam; control = "sufficient"; modulePath = "${pkgs.kanidm}/lib/pam_kanidm.so"; text = ''
|
||||
''; }
|
||||
{ name = "sss"; enable = config.services.sssd.enable; control = "sufficient"; modulePath = "${pkgs.sssd}/lib/security/pam_sss.so"; text = ''
|
||||
''; }
|
||||
{ name = "krb5"; enable = config.security.pam.krb5.enable; control = "sufficient"; modulePath = "${pam_krb5}/lib/security/pam_krb5.so"; text = ''
|
||||
use_first_pass
|
||||
{ name = "krb5"; enable = config.security.pam.krb5.enable; control = "sufficient"; modulePath = "${pam_krb5}/lib/security/pam_krb5.so"; args = [
|
||||
"use_first_pass"
|
||||
]; text = ''
|
||||
''; }
|
||||
{ name = "gnome_keyring"; enable = cfg.enableGnomeKeyring; control = "optional"; modulePath = "${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so"; text = ''
|
||||
use_authtok
|
||||
{ name = "gnome_keyring"; enable = cfg.enableGnomeKeyring; control = "optional"; modulePath = "${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so"; args = [
|
||||
"use_authtok"
|
||||
]; text = ''
|
||||
''; }
|
||||
];
|
||||
|
||||
session = [
|
||||
{ name = "env"; enable = cfg.setEnvironment; control = "required"; modulePath = "pam_env.so"; text = ''
|
||||
conffile=/etc/pam/environment readenv=0
|
||||
{ name = "env"; enable = cfg.setEnvironment; control = "required"; modulePath = "pam_env.so"; args = [
|
||||
"conffile=/etc/pam/environment"
|
||||
"readenv=0"
|
||||
]; text = ''
|
||||
''; }
|
||||
{ name = "unix"; control = "required"; modulePath = "pam_unix.so"; text = ''
|
||||
''; }
|
||||
{ name = "loginuid"; enable = cfg.setLoginUid; control = if config.boot.isContainer then "optional" else "required"; modulePath = "pam_loginuid.so"; text = ''
|
||||
''; }
|
||||
{ name = "tty_audit"; enable = cfg.ttyAudit.enable; control = "required"; modulePath = "${pkgs.pam}/lib/security/pam_tty_audit.so"; text = ''
|
||||
${optionalString cfg.ttyAudit.openOnly "open_only"} ${optionalString (cfg.ttyAudit.enablePattern != null) "enable=${cfg.ttyAudit.enablePattern}"} ${optionalString (cfg.ttyAudit.disablePattern != null) "disable=${cfg.ttyAudit.disablePattern}"}
|
||||
{ name = "tty_audit"; enable = cfg.ttyAudit.enable; control = "required"; modulePath = "${pkgs.pam}/lib/security/pam_tty_audit.so"; args = concatLists [
|
||||
(optional cfg.ttyAudit.openOnly "open_only")
|
||||
(optional (cfg.ttyAudit.enablePattern != null) "enable=${cfg.ttyAudit.enablePattern}")
|
||||
(optional (cfg.ttyAudit.disablePattern != null) "disable=${cfg.ttyAudit.disablePattern}")
|
||||
]; text = ''
|
||||
''; }
|
||||
{ name = "systemd_home"; enable = config.services.homed.enable; control = "required"; modulePath = "${config.systemd.package}/lib/security/pam_systemd_home.so"; text = ''
|
||||
''; }
|
||||
{ name = "mkhomedir"; enable = cfg.makeHomeDir; control = "required"; modulePath = "${pkgs.pam}/lib/security/pam_mkhomedir.so"; text = ''
|
||||
silent skel=${config.security.pam.makeHomeDir.skelDirectory} umask=${config.security.pam.makeHomeDir.umask}
|
||||
{ name = "mkhomedir"; enable = cfg.makeHomeDir; control = "required"; modulePath = "${pkgs.pam}/lib/security/pam_mkhomedir.so"; args = [
|
||||
"silent"
|
||||
"skel=${config.security.pam.makeHomeDir.skelDirectory}"
|
||||
"umask=${config.security.pam.makeHomeDir.umask}"
|
||||
]; text = ''
|
||||
''; }
|
||||
{ name = "lastlog"; enable = cfg.updateWtmp; control = "required"; modulePath = "${pkgs.pam}/lib/security/pam_lastlog.so"; text = ''
|
||||
silent
|
||||
{ name = "lastlog"; enable = cfg.updateWtmp; control = "required"; modulePath = "${pkgs.pam}/lib/security/pam_lastlog.so"; args = [
|
||||
"silent"
|
||||
]; text = ''
|
||||
''; }
|
||||
{ name = "ecryptfs"; enable = config.security.pam.enableEcryptfs; control = "optional"; modulePath = "${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"; text = ''
|
||||
''; }
|
||||
|
|
@ -766,24 +843,30 @@ let
|
|||
# Skips the pam_fscrypt module for systemd-user sessions which do not have a password
|
||||
# anyways.
|
||||
# See also https://github.com/google/fscrypt/issues/95
|
||||
{ name = "fscrypt-skip-systemd"; enable = config.security.pam.enableFscrypt; control = "[success=1 default=ignore]"; modulePath = "pam_succeed_if.so"; text = ''
|
||||
service = systemd-user
|
||||
{ name = "fscrypt-skip-systemd"; enable = config.security.pam.enableFscrypt; control = "[success=1 default=ignore]"; modulePath = "pam_succeed_if.so"; args = [
|
||||
"service" "=" "systemd-user"
|
||||
]; text = ''
|
||||
''; }
|
||||
{ name = "fscrypt"; enable = config.security.pam.enableFscrypt; control = "optional"; modulePath = "${pkgs.fscrypt-experimental}/lib/security/pam_fscrypt.so"; text = ''
|
||||
''; }
|
||||
{ name = "zfs_key-skip-systemd"; enable = cfg.zfs; control = "[success=1 default=ignore]"; modulePath = "pam_succeed_if.so"; text = ''
|
||||
service = systemd-user
|
||||
{ name = "zfs_key-skip-systemd"; enable = cfg.zfs; control = "[success=1 default=ignore]"; modulePath = "pam_succeed_if.so"; args = [
|
||||
"service" "=" "systemd-user"
|
||||
]; text = ''
|
||||
''; }
|
||||
{ name = "zfs_key"; enable = cfg.zfs; control = "optional"; modulePath = "${config.boot.zfs.package}/lib/security/pam_zfs_key.so"; text = ''
|
||||
homes=${config.security.pam.zfs.homes} ${optionalString config.security.pam.zfs.noUnmount "nounmount"}
|
||||
{ name = "zfs_key"; enable = cfg.zfs; control = "optional"; modulePath = "${config.boot.zfs.package}/lib/security/pam_zfs_key.so"; args = concatLists [
|
||||
(singleton "homes=${config.security.pam.zfs.homes}")
|
||||
(optional config.security.pam.zfs.noUnmount "nounmount")
|
||||
]; text = ''
|
||||
''; }
|
||||
{ name = "mount"; enable = cfg.pamMount; control = "optional"; modulePath = "${pkgs.pam_mount}/lib/security/pam_mount.so"; text = ''
|
||||
disable_interactive
|
||||
{ name = "mount"; enable = cfg.pamMount; control = "optional"; modulePath = "${pkgs.pam_mount}/lib/security/pam_mount.so"; args = [
|
||||
"disable_interactive"
|
||||
]; text = ''
|
||||
''; }
|
||||
{ name = "ldap"; enable = use_ldap; control = "optional"; modulePath = "${pam_ldap}/lib/security/pam_ldap.so"; text = ''
|
||||
''; }
|
||||
{ name = "mysql"; enable = cfg.mysqlAuth; control = "optional"; modulePath = "${pkgs.pam_mysql}/lib/security/pam_mysql.so"; text = ''
|
||||
config_file=/etc/security/pam_mysql.conf
|
||||
{ name = "mysql"; enable = cfg.mysqlAuth; control = "optional"; modulePath = "${pkgs.pam_mysql}/lib/security/pam_mysql.so"; args = [
|
||||
"config_file=/etc/security/pam_mysql.conf"
|
||||
]; text = ''
|
||||
''; }
|
||||
{ name = "kanidm"; enable = config.services.kanidm.enablePam; control = "optional"; modulePath = "${pkgs.kanidm}/lib/pam_kanidm.so"; text = ''
|
||||
''; }
|
||||
|
|
@ -795,29 +878,39 @@ let
|
|||
''; }
|
||||
{ name = "systemd"; enable = cfg.startSession; control = "optional"; modulePath = "${config.systemd.package}/lib/security/pam_systemd.so"; text = ''
|
||||
''; }
|
||||
{ name = "xauth"; enable = cfg.forwardXAuth; control = "optional"; modulePath = "pam_xauth.so"; text = ''
|
||||
xauthpath=${pkgs.xorg.xauth}/bin/xauth systemuser=99
|
||||
{ name = "xauth"; enable = cfg.forwardXAuth; control = "optional"; modulePath = "pam_xauth.so"; args = [
|
||||
"xauthpath=${pkgs.xorg.xauth}/bin/xauth"
|
||||
"systemuser=99"
|
||||
]; text = ''
|
||||
''; }
|
||||
{ name = "limits"; enable = cfg.limits != []; control = "required"; modulePath = "${pkgs.pam}/lib/security/pam_limits.so"; text = ''
|
||||
conf=${makeLimitsConf cfg.limits}
|
||||
{ name = "limits"; enable = cfg.limits != []; control = "required"; modulePath = "${pkgs.pam}/lib/security/pam_limits.so"; args = [
|
||||
"conf=${makeLimitsConf cfg.limits}"
|
||||
]; text = ''
|
||||
''; }
|
||||
{ name = "motd"; enable = cfg.showMotd && (config.users.motd != null || config.users.motdFile != null); control = "optional"; modulePath = "${pkgs.pam}/lib/security/pam_motd.so"; text = ''
|
||||
motd=${motd}
|
||||
{ name = "motd"; enable = cfg.showMotd && (config.users.motd != null || config.users.motdFile != null); control = "optional"; modulePath = "${pkgs.pam}/lib/security/pam_motd.so"; args = [
|
||||
"motd=${motd}"
|
||||
]; text = ''
|
||||
''; }
|
||||
{ name = "apparmor"; enable = cfg.enableAppArmor && config.security.apparmor.enable; control = "optional"; modulePath = "${pkgs.apparmor-pam}/lib/security/pam_apparmor.so"; text = ''
|
||||
order=user,group,default debug
|
||||
{ name = "apparmor"; enable = cfg.enableAppArmor && config.security.apparmor.enable; control = "optional"; modulePath = "${pkgs.apparmor-pam}/lib/security/pam_apparmor.so"; args = [
|
||||
"order=user,group,default"
|
||||
"debug"
|
||||
]; text = ''
|
||||
''; }
|
||||
{ name = "kwallet5"; enable = cfg.enableKwallet; control = "optional"; modulePath = "${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so"; text = ''
|
||||
kwalletd=${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5
|
||||
{ name = "kwallet5"; enable = cfg.enableKwallet; control = "optional"; modulePath = "${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so"; args = [
|
||||
"kwalletd=${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5"
|
||||
]; text = ''
|
||||
''; }
|
||||
{ name = "gnome_keyring"; enable = cfg.enableGnomeKeyring; control = "optional"; modulePath = "${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so"; text = ''
|
||||
auto_start
|
||||
{ name = "gnome_keyring"; enable = cfg.enableGnomeKeyring; control = "optional"; modulePath = "${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so"; args = [
|
||||
"auto_start"
|
||||
]; text = ''
|
||||
''; }
|
||||
{ name = "gnupg"; enable = cfg.gnupg.enable; control = "optional"; modulePath = "${pkgs.pam_gnupg}/lib/security/pam_gnupg.so"; text = ''
|
||||
${optionalString cfg.gnupg.noAutostart " no-autostart"}
|
||||
{ name = "gnupg"; enable = cfg.gnupg.enable; control = "optional"; modulePath = "${pkgs.pam_gnupg}/lib/security/pam_gnupg.so"; args = concatLists [
|
||||
(optional cfg.gnupg.noAutostart " no-autostart")
|
||||
]; text = ''
|
||||
''; }
|
||||
{ name = "cgfs"; enable = config.virtualisation.lxc.lxcfs.enable; control = "optional"; modulePath = "${pkgs.lxc}/lib/security/pam_cgfs.so"; text = ''
|
||||
-c all
|
||||
{ name = "cgfs"; enable = config.virtualisation.lxc.lxcfs.enable; control = "optional"; modulePath = "${pkgs.lxc}/lib/security/pam_cgfs.so"; args = [
|
||||
"-c" "all"
|
||||
]; text = ''
|
||||
''; }
|
||||
];
|
||||
};
|
||||
|
|
|
|||
|
|
@ -6,7 +6,7 @@ expected_lines = {
|
|||
"auth required pam_deny.so",
|
||||
"auth sufficient @@pam_ccreds@@/lib/security/pam_ccreds.so action=store use_first_pass",
|
||||
"auth sufficient pam_rootok.so",
|
||||
"auth sufficient pam_unix.so likeauth try_first_pass",
|
||||
"auth sufficient pam_unix.so likeauth try_first_pass",
|
||||
"password sufficient @@pam_krb5@@/lib/security/pam_krb5.so use_first_pass",
|
||||
"password sufficient pam_unix.so nullok yescrypt",
|
||||
"session optional @@pam_krb5@@/lib/security/pam_krb5.so",
|
||||
|
|
|
|||
Loading…
Reference in a new issue