* Add support for sudo authentication using the SSH agent. This
allows password-less servers. svn path=/nixos/trunk/; revision=34474
This commit is contained in:
parent
a3118792a5
commit
03653d43eb
@ -7,7 +7,7 @@ with pkgs.lib;
|
|||||||
|
|
||||||
let
|
let
|
||||||
|
|
||||||
inherit (pkgs) pam_usb pam_ldap pam_krb5 pam_ccreds;
|
inherit (pkgs) pam_ldap pam_krb5 pam_ccreds;
|
||||||
|
|
||||||
otherService = pkgs.writeText "other.pam"
|
otherService = pkgs.writeText "other.pam"
|
||||||
''
|
''
|
||||||
@ -37,6 +37,10 @@ let
|
|||||||
, # If set, user listed in /etc/pamusb.conf are able to log in with
|
, # If set, user listed in /etc/pamusb.conf are able to log in with
|
||||||
# the associated usb key.
|
# the associated usb key.
|
||||||
usbAuth ? config.security.pam.usb.enable
|
usbAuth ? config.security.pam.usb.enable
|
||||||
|
, # If set, the calling user's SSH agent is used to authenticate
|
||||||
|
# against the keys in the calling user's ~/.ssh/authorized_keys.
|
||||||
|
# This is useful for "sudo" on password-less remote systems.
|
||||||
|
sshAgentAuth ? false
|
||||||
, # If set, use ConsoleKit's PAM connector module to claim
|
, # If set, use ConsoleKit's PAM connector module to claim
|
||||||
# ownership of audio devices etc.
|
# ownership of audio devices etc.
|
||||||
ownDevices ? false
|
ownDevices ? false
|
||||||
@ -70,16 +74,17 @@ let
|
|||||||
# Authentication management.
|
# Authentication management.
|
||||||
${optionalString rootOK
|
${optionalString rootOK
|
||||||
"auth sufficient pam_rootok.so"}
|
"auth sufficient pam_rootok.so"}
|
||||||
|
${optionalString sshAgentAuth
|
||||||
|
"auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys"}
|
||||||
${optionalString usbAuth
|
${optionalString usbAuth
|
||||||
"auth sufficient ${pam_usb}/lib/security/pam_usb.so"}
|
"auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so"}
|
||||||
auth sufficient pam_unix.so ${
|
auth sufficient pam_unix.so ${optionalString allowNullPassword "nullok"} likeauth
|
||||||
optionalString allowNullPassword "nullok"} likeauth
|
|
||||||
${optionalString config.users.ldap.enable
|
${optionalString config.users.ldap.enable
|
||||||
"auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass"}
|
"auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass"}
|
||||||
${optionalString config.krb5.enable
|
${optionalString config.krb5.enable ''
|
||||||
''auth [default=ignore success=1 service_err=reset] ${pam_krb5}/lib/security/pam_krb5.so use_first_pass
|
auth [default=ignore success=1 service_err=reset] ${pam_krb5}/lib/security/pam_krb5.so use_first_pass
|
||||||
auth [default=die success=done] ${pam_ccreds}/lib/security/pam_ccreds.so action=validate use_first_pass
|
auth [default=die success=done] ${pam_ccreds}/lib/security/pam_ccreds.so action=validate use_first_pass
|
||||||
auth sufficient ${pam_ccreds}/lib/security/pam_ccreds.so action=store use_first_pass
|
auth sufficient ${pam_ccreds}/lib/security/pam_ccreds.so action=store use_first_pass
|
||||||
''}
|
''}
|
||||||
auth required pam_deny.so
|
auth required pam_deny.so
|
||||||
|
|
||||||
@ -184,6 +189,17 @@ in
|
|||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
security.pam.enableSSHAgentAuth = mkOption {
|
||||||
|
default = false;
|
||||||
|
description =
|
||||||
|
''
|
||||||
|
Enable sudo logins if the user's SSH agent provides a key
|
||||||
|
present in <filename>~/.ssh/authorized_keys</filename>.
|
||||||
|
This allows machines to exclusively use SSH keys instead of
|
||||||
|
passwords.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
|
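Review bot: The credential file handed to pam_ssh_agent_auth at L112, `file=~/.ssh/authorized_keys`, is owned and writable by the very user being authenticated, so any code running as that user (a compromised desktop process, a cron job, or anyone with write access to the home directory on a shared filesystem) can append its own key and then pass sudo authentication with no password involved. As far as I recall, pam_ssh_agent_auth only accepts a non-root-owned keys file because a path containing `~` or `%h` implicitly enables its `allow_user_owned_authorized_keys_file` behaviour; that is worth confirming against the packaged version, since it is exactly the check that would otherwise protect this setup. A root-owned, per-user path such as `file=/etc/ssh/authorized_keys.d/%u` keeps the password-less workflow while leaving the trust anchor under root's control. At minimum the option description at L210–L222 should state the consequence plainly, e.g. `Whoever can write the user's ~/.ssh/authorized_keys can thereby obtain sudo access.` The service-generating function that contains L112 starts and ends outside these hunks.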
@ -30,13 +30,16 @@ in
|
|||||||
# configuration will fail to build.
|
# configuration will fail to build.
|
||||||
default =
|
default =
|
||||||
''
|
''
|
||||||
# Don't edit this file. Set nixos option security.sudo.configFile instead
|
# Don't edit this file. Set the NixOS option ‘security.sudo.configFile’ instead.
|
||||||
|
|
||||||
# env vars to keep for root and %wheel also if not explicitly set
|
# Environment variables to keep for root and %wheel.
|
||||||
Defaults:root,%wheel env_keep+=LOCALE_ARCHIVE
|
Defaults:root,%wheel env_keep+=LOCALE_ARCHIVE
|
||||||
Defaults:root,%wheel env_keep+=NIX_PATH
|
Defaults:root,%wheel env_keep+=NIX_PATH
|
||||||
Defaults:root,%wheel env_keep+=TERMINFO_DIRS
|
Defaults:root,%wheel env_keep+=TERMINFO_DIRS
|
||||||
|
|
||||||
|
# Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
|
||||||
|
Defaults env_keep+=SSH_AUTH_SOCK
|
||||||
|
|
||||||
# "root" is allowed to do anything.
|
# "root" is allowed to do anything.
|
||||||
root ALL=(ALL) SETENV: ALL
|
root ALL=(ALL) SETENV: ALL
|
||||||
|
|
||||||
@ -60,15 +63,13 @@ in
|
|||||||
|
|
||||||
environment.systemPackages = [ sudo ];
|
environment.systemPackages = [ sudo ];
|
||||||
|
|
||||||
security.pam.services = [ { name = "sudo"; } ];
|
security.pam.services = [ { name = "sudo"; sshAgentAuth = true; } ];
|
||||||
|
|
||||||
environment.etc = singleton
|
environment.etc = singleton
|
||||||
{ source = pkgs.runCommand "sudoers"
|
{ source = pkgs.writeText "sudoers-in" cfg.configFile;
|
||||||
{ src = pkgs.writeText "sudoers-in" cfg.configFile; }
|
|
||||||
# Make sure that the sudoers file is syntactically valid.
|
# Make sure that the sudoers file is syntactically valid.
|
||||||
# (currently disabled - NIXOS-66)
|
# (currently disabled - NIXOS-66)
|
||||||
#"${pkgs.sudo}/sbin/visudo -f $src -c && cp $src $out";
|
#"${pkgs.sudo}/sbin/visudo -f $src -c && cp $src $out";
|
||||||
"cp $src $out";
|
|
||||||
target = "sudoers";
|
target = "sudoers";
|
||||||
mode = "0440";
|
mode = "0440";
|
||||||
};
|
};
|
||||||
|
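Review bot: Agent authentication is switched on for the sudo service unconditionally at L337 (`sshAgentAuth = true;`), while the `security.pam.enableSSHAgentAuth` option added in the same commit defaults to false and, in the hunks shown here, is never read, so every system gets key-based sudo whether or not the administrator opted in. Unless the option is consumed somewhere outside this diff, the line should read `security.pam.services = [ { name = "sudo"; sshAgentAuth = config.security.pam.enableSSHAgentAuth; } ];`. Relatedly, `Defaults env_keep+=SSH_AUTH_SOCK` at L302 applies to all users and all commands rather than being scoped to `root,%wheel` like the neighbouring entries; it is needed so the PAM module can reach the agent during authentication, but it also hands the invoking user's agent socket to whatever command sudo runs, which deserves a comment such as `# Kept for every user: the PAM module needs it, and the target command inherits it.` The `visudo -c` check at L367–L369 remains commented out, so nothing still rejects a malformed sudoers file at build time; the surrounding module continues outside this hunk.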