nixos/pam: clean up generated files (no functional change) (#18580)
The generated files in /etc/pam.d/ typically have a lot of empty lines
in them, due to how the generated Nix strings are joined together;
optional elements that are excluded still produce a newline. This patch
changes how the files are generated to create more compact,
human-friendly output files.
The change is basically this, repeated:
- ''
- ${optionalString use_ldap
- "account sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
- ''
+ optionalString use_ldap ''
+ account sufficient ${pam_ldap}/lib/security/pam_ldap.so
+ ''
This commit is contained in:
Bjørn Forsman
obadz
parent
642a42875f
commit
1010271c63
@ -231,101 +231,104 @@ let
|
|||||||
(''
|
(''
|
||||||
# Account management.
|
# Account management.
|
||||||
account sufficient pam_unix.so
|
account sufficient pam_unix.so
|
||||||
${optionalString use_ldap
|
'' + optionalString use_ldap ''
|
||||||
"account sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
|
account sufficient ${pam_ldap}/lib/security/pam_ldap.so
|
||||||
${optionalString config.krb5.enable
|
'' + optionalString config.krb5.enable ''
|
||||||
"account sufficient ${pam_krb5}/lib/security/pam_krb5.so"}
|
account sufficient ${pam_krb5}/lib/security/pam_krb5.so
|
||||||
|
'' + ''
|
||||||
|
|
||||||
# Authentication management.
|
# Authentication management.
|
||||||
${optionalString cfg.rootOK
|
'' + optionalString cfg.rootOK ''
|
||||||
"auth sufficient pam_rootok.so"}
|
auth sufficient pam_rootok.so
|
||||||
${optionalString cfg.requireWheel
|
'' + optionalString cfg.requireWheel ''
|
||||||
"auth required pam_wheel.so use_uid"}
|
auth required pam_wheel.so use_uid
|
||||||
${optionalString cfg.logFailures
|
'' + optionalString cfg.logFailures ''
|
||||||
"auth required pam_tally.so"}
|
auth required pam_tally.so
|
||||||
${optionalString (config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth)
|
'' + optionalString (config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth) ''
|
||||||
"auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys:~/.ssh/authorized_keys2:/etc/ssh/authorized_keys.d/%u"}
|
auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys:~/.ssh/authorized_keys2:/etc/ssh/authorized_keys.d/%u
|
||||||
${optionalString cfg.fprintAuth
|
'' + optionalString cfg.fprintAuth ''
|
||||||
"auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so"}
|
auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so
|
||||||
${optionalString cfg.u2fAuth
|
'' + optionalString cfg.u2fAuth ''
|
||||||
"auth sufficient ${pkgs.pam_u2f}/lib/security/pam_u2f.so"}
|
auth sufficient ${pkgs.pam_u2f}/lib/security/pam_u2f.so
|
||||||
${optionalString cfg.usbAuth
|
'' + optionalString cfg.usbAuth ''
|
||||||
"auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so"}
|
auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so
|
||||||
'' +
|
''
|
||||||
|
|
||||||
# Modules in this block require having the password set in PAM_AUTHTOK.
|
# Modules in this block require having the password set in PAM_AUTHTOK.
|
||||||
# pam_unix is marked as 'sufficient' on NixOS which means nothing will run
|
# pam_unix is marked as 'sufficient' on NixOS which means nothing will run
|
||||||
# after it succeeds. Certain modules need to run after pam_unix
|
# after it succeeds. Certain modules need to run after pam_unix
|
||||||
# prompts the user for password so we run it once with 'required' at an
|
# prompts the user for password so we run it once with 'required' at an
|
||||||
# earlier point and it will run again with 'sufficient' further down.
|
# earlier point and it will run again with 'sufficient' further down.
|
||||||
# We use try_first_pass the second time to avoid prompting password twice
|
# We use try_first_pass the second time to avoid prompting password twice
|
||||||
(optionalString (cfg.unixAuth && (config.security.pam.enableEcryptfs || cfg.pamMount)) ''
|
+ optionalString (cfg.unixAuth && (config.security.pam.enableEcryptfs || cfg.pamMount)) (''
|
||||||
auth required pam_unix.so ${optionalString cfg.allowNullPassword "nullok "}likeauth
|
auth required pam_unix.so ${optionalString cfg.allowNullPassword "nullok "}likeauth
|
||||||
${optionalString config.security.pam.enableEcryptfs
|
'' + optionalString config.security.pam.enableEcryptfs ''
|
||||||
"auth optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"}
|
auth optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap
|
||||||
${optionalString cfg.pamMount
|
'' + optionalString cfg.pamMount ''
|
||||||
"auth optional ${pkgs.pam_mount}/lib/security/pam_mount.so"}
|
auth optional ${pkgs.pam_mount}/lib/security/pam_mount.so
|
||||||
'') + ''
|
'')
|
||||||
${optionalString cfg.unixAuth
|
+ optionalString cfg.unixAuth ''
|
||||||
"auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth try_first_pass"}
|
auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok "}likeauth try_first_pass
|
||||||
${optionalString cfg.otpwAuth
|
'' + optionalString cfg.otpwAuth ''
|
||||||
"auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"}
|
auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so
|
||||||
${let oath = config.security.pam.oath; in optionalString cfg.oathAuth
|
'' + (let oath = config.security.pam.oath; in optionalString cfg.oathAuth ''
|
||||||
"auth sufficient ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}"}
|
auth sufficient ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}
|
||||||
${optionalString use_ldap
|
'') + optionalString use_ldap ''
|
||||||
"auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass"}
|
auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass
|
||||||
${optionalString config.krb5.enable ''
|
'' + optionalString config.krb5.enable ''
|
||||||
auth [default=ignore success=1 service_err=reset] ${pam_krb5}/lib/security/pam_krb5.so use_first_pass
|
auth [default=ignore success=1 service_err=reset] ${pam_krb5}/lib/security/pam_krb5.so use_first_pass
|
||||||
auth [default=die success=done] ${pam_ccreds}/lib/security/pam_ccreds.so action=validate use_first_pass
|
auth [default=die success=done] ${pam_ccreds}/lib/security/pam_ccreds.so action=validate use_first_pass
|
||||||
auth sufficient ${pam_ccreds}/lib/security/pam_ccreds.so action=store use_first_pass
|
auth sufficient ${pam_ccreds}/lib/security/pam_ccreds.so action=store use_first_pass
|
||||||
''}
|
'' + ''
|
||||||
auth required pam_deny.so
|
auth required pam_deny.so
|
||||||
|
|
||||||
# Password management.
|
# Password management.
|
||||||
password requisite pam_unix.so nullok sha512
|
password requisite pam_unix.so nullok sha512
|
||||||
${optionalString config.security.pam.enableEcryptfs
|
'' + optionalString config.security.pam.enableEcryptfs ''
|
||||||
"password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}
|
password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so
|
||||||
${optionalString cfg.pamMount
|
'' + optionalString cfg.pamMount ''
|
||||||
"password optional ${pkgs.pam_mount}/lib/security/pam_mount.so"}
|
password optional ${pkgs.pam_mount}/lib/security/pam_mount.so
|
||||||
${optionalString use_ldap
|
'' + optionalString use_ldap ''
|
||||||
"password sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
|
password sufficient ${pam_ldap}/lib/security/pam_ldap.so
|
||||||
${optionalString config.krb5.enable
|
'' + optionalString config.krb5.enable ''
|
||||||
"password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass"}
|
password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass
|
||||||
${optionalString config.services.samba.syncPasswordsByPam
|
'' + optionalString config.services.samba.syncPasswordsByPam ''
|
||||||
"password optional ${pkgs.samba}/lib/security/pam_smbpass.so nullok use_authtok try_first_pass"}
|
password optional ${pkgs.samba}/lib/security/pam_smbpass.so nullok use_authtok try_first_pass
|
||||||
|
'' + ''
|
||||||
|
|
||||||
# Session management.
|
# Session management.
|
||||||
${optionalString cfg.setEnvironment ''
|
'' + optionalString cfg.setEnvironment ''
|
||||||
session required pam_env.so envfile=${config.system.build.pamEnvironment}
|
session required pam_env.so envfile=${config.system.build.pamEnvironment}
|
||||||
''}
|
'' + ''
|
||||||
session required pam_unix.so
|
session required pam_unix.so
|
||||||
${optionalString cfg.setLoginUid
|
'' + optionalString cfg.setLoginUid
|
||||||
"session ${
|
"session ${
|
||||||
if config.boot.isContainer then "optional" else "required"
|
if config.boot.isContainer then "optional" else "required"
|
||||||
} pam_loginuid.so"}
|
} pam_loginuid.so"
|
||||||
${optionalString cfg.makeHomeDir
|
+ optionalString cfg.makeHomeDir ''
|
||||||
"session required ${pkgs.pam}/lib/security/pam_mkhomedir.so silent skel=/etc/skel umask=0022"}
|
session required ${pkgs.pam}/lib/security/pam_mkhomedir.so silent skel=/etc/skel umask=0022
|
||||||
${optionalString cfg.updateWtmp
|
'' + optionalString cfg.updateWtmp ''
|
||||||
"session required ${pkgs.pam}/lib/security/pam_lastlog.so silent"}
|
session required ${pkgs.pam}/lib/security/pam_lastlog.so silent
|
||||||
${optionalString config.security.pam.enableEcryptfs
|
'' + optionalString config.security.pam.enableEcryptfs ''
|
||||||
"session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}
|
session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so
|
||||||
${optionalString use_ldap
|
'' + optionalString use_ldap ''
|
||||||
"session optional ${pam_ldap}/lib/security/pam_ldap.so"}
|
session optional ${pam_ldap}/lib/security/pam_ldap.so
|
||||||
${optionalString config.krb5.enable
|
'' + optionalString config.krb5.enable ''
|
||||||
"session optional ${pam_krb5}/lib/security/pam_krb5.so"}
|
session optional ${pam_krb5}/lib/security/pam_krb5.so
|
||||||
${optionalString cfg.otpwAuth
|
'' + optionalString cfg.otpwAuth ''
|
||||||
"session optional ${pkgs.otpw}/lib/security/pam_otpw.so"}
|
session optional ${pkgs.otpw}/lib/security/pam_otpw.so
|
||||||
${optionalString cfg.startSession
|
'' + optionalString cfg.startSession ''
|
||||||
"session optional ${pkgs.systemd}/lib/security/pam_systemd.so"}
|
session optional ${pkgs.systemd}/lib/security/pam_systemd.so
|
||||||
${optionalString cfg.forwardXAuth
|
'' + optionalString cfg.forwardXAuth ''
|
||||||
"session optional pam_xauth.so xauthpath=${pkgs.xorg.xauth}/bin/xauth systemuser=99"}
|
session optional pam_xauth.so xauthpath=${pkgs.xorg.xauth}/bin/xauth systemuser=99
|
||||||
${optionalString (cfg.limits != [])
|
'' + optionalString (cfg.limits != []) ''
|
||||||
"session required ${pkgs.pam}/lib/security/pam_limits.so conf=${makeLimitsConf cfg.limits}"}
|
session required ${pkgs.pam}/lib/security/pam_limits.so conf=${makeLimitsConf cfg.limits}
|
||||||
${optionalString (cfg.showMotd && config.users.motd != null)
|
'' + optionalString (cfg.showMotd && config.users.motd != null) ''
|
||||||
"session optional ${pkgs.pam}/lib/security/pam_motd.so motd=${motd}"}
|
session optional ${pkgs.pam}/lib/security/pam_motd.so motd=${motd}
|
||||||
${optionalString cfg.pamMount
|
'' + optionalString cfg.pamMount ''
|
||||||
"session optional ${pkgs.pam_mount}/lib/security/pam_mount.so"}
|
session optional ${pkgs.pam_mount}/lib/security/pam_mount.so
|
||||||
${optionalString (cfg.enableAppArmor && config.security.apparmor.enable)
|
'' + optionalString (cfg.enableAppArmor && config.security.apparmor.enable) ''
|
||||||
"session optional ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so order=user,group,default debug"}
|
session optional ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so order=user,group,default debug
|
||||||
'');
|
'');
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user