From 66e040eaac1ac4b5e41d951af5abe48dbf6a636d Mon Sep 17 00:00:00 2001
From: Peter Hoeg
Date: Thu, 4 Jun 2020 13:14:30 +0800
Subject: [PATCH] nixos/pam: mount encrypted home earlier

This patch was done by curro:

The generated /etc/pam.d/* service files invoke the pam_systemd.so session module before pam_mount.so, if both are enabled (e.g. via security.pam.services.foo.startSession and security.pam.services.foo.pamMount respectively). This doesn't work in the most common scenario where the user's home directory is stored in a pam-mounted encrypted volume (because systemd will fail to access the user's systemd configuration).
---
 nixos/modules/security/pam.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index e1a94b0121a..688344852ae 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -436,6 +436,8 @@ let
 "session required ${pkgs.pam}/lib/security/pam_lastlog.so silent"}
 ${optionalString config.security.pam.enableEcryptfs
 "session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}
+ ${optionalString cfg.pamMount
+ "session optional ${pkgs.pam_mount}/lib/security/pam_mount.so"}
 ${optionalString use_ldap
 "session optional ${pam_ldap}/lib/security/pam_ldap.so"}
 ${optionalString config.services.sssd.enable
@@ -452,8 +454,6 @@ let
 "session required ${pkgs.pam}/lib/security/pam_limits.so conf=${makeLimitsConf cfg.limits}"}
 ${optionalString (cfg.showMotd && config.users.motd != null)
 "session optional ${pkgs.pam}/lib/security/pam_motd.so motd=${motd}"}
- ${optionalString cfg.pamMount
- "session optional ${pkgs.pam_mount}/lib/security/pam_mount.so"}
 ${optionalString (cfg.enableAppArmor && config.security.apparmor.enable)
 "session optional ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so order=user,group,default debug"}
 ${optionalString (cfg.enableKwallet)
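Review bot: The new position of the pam_mount session line in the first hunk is load-bearing but nothing in the generated stack records why, so a later reorder of these session entries could silently reintroduce the failure the commit message describes. A short Nix comment above the added `${optionalString cfg.pamMount` line would pin the constraint, e.g. `# pam_mount must run before pam_systemd: the user's home (and any ~/.config/systemd) may live on the volume pam_mount provides`. The line is also now ahead of the pam_ldap and sssd session entries; that looks harmless from the visible lines, but it is worth confirming neither of those hooks expects to run before the home mount. The pam_systemd line itself is outside both hunks, so the relative order cannot be verified from this diff alone.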