nixos: authenticate through kerberos

config.krb5.enable needs to be set to true.
Also use pam_ccreds to cache Kerberos credentials for offline logins.

svn path=/nixos/trunk/; revision=22986
David Guibert 2010-08-06 08:50:48 +00:00
parent 6436ed1de4
commit 6c8c1f935a
2 changed files with 38 additions and 6 deletions


@ -6,8 +6,6 @@ let
cfg = config.krb5;
#myPkgs = import /home/nixer/nix/my-expr.nix { system = "x86_64-linux"; };
options = {
krb5 = {
@ -21,6 +19,11 @@ let
description = "Default realm.";
};
domainRealm = mkOption {
default = "atena.mit.edu";
description = "Default domain realm.";
};
kdc = mkOption {
default = "kerberos.mit.edu";
description = "Kerberos Domain Controller";
@ -49,6 +52,7 @@ mkIf config.krb5.enable {
''
[libdefaults]
default_realm = ${cfg.defaultRealm}
encrypt = true
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
@ -84,6 +88,7 @@ mkIf config.krb5.enable {
${cfg.defaultRealm} = {
kdc = ${cfg.kdc}
admin_server = ${cfg.kerberosAdminServer}
# kpasswd_server = ${cfg.kerberosAdminServer}
}
ATHENA.MIT.EDU = {
kdc = kerberos.mit.edu:88
@ -162,6 +167,8 @@ mkIf config.krb5.enable {
}
[domain_realm]
.${cfg.domainRealm} = ${cfg.defaultRealm}
${cfg.domainRealm} = ${cfg.defaultRealm}
.mit.edu = ATHENA.MIT.EDU
mit.edu = ATHENA.MIT.EDU
.media.mit.edu = MEDIA-LAB.MIT.EDU
@ -172,10 +179,23 @@ mkIf config.krb5.enable {
whoi.edu = ATHENA.MIT.EDU
.stanford.edu = stanford.edu
[login]
[logging]
kdc = SYSLOG:INFO:DAEMON
admin_server = SYSLOG:INFO:DAEMON
default = SYSLOG:INFO:DAEMON
krb4_convert = true
krb4_get_tickets = false
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
max_timeout = 30
timeout_shift = 2
initial_timeout = 1
}
'';
target = "krb5.conf";
}
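Review bot: The new `[logging]` block (the four lines starting at `[logging]`) is inserted between the `[login]` header and its existing `krb4_convert`/`krb4_get_tickets` keys, so as rendered here those two keys now fall under `[logging]` and `[login]` is left empty; move the block below `krb4_get_tickets = false` or above `[login]`. krb5.conf parsers silently ignore keys they do not recognise in a section, so this will not surface at load time. For the same reason `encrypt = true` under `[libdefaults]` should be checked against the documented `[libdefaults]` keys of the Kerberos implementation in use, since a key in the wrong section is dropped rather than rejected. The new `domainRealm` default `atena.mit.edu` also looks like a typo for `athena.mit.edu` (the same file maps `.mit.edu` to `ATHENA.MIT.EDU`); if it is intentional, a comment saying so would help.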


@ -7,7 +7,7 @@ with pkgs.lib;
let
inherit (pkgs) pam_usb pam_ldap;
inherit (pkgs) pam_usb pam_ldap pam_krb5 pam_ccreds;
otherService = pkgs.writeText "other.pam"
''
@ -63,6 +63,8 @@ let
# Account management.
${optionalString config.users.ldap.enable
"account optional ${pam_ldap}/lib/security/pam_ldap.so"}
${optionalString config.krb5.enable
"account sufficient ${pam_krb5}/lib/security/pam_krb5.so"}
account required pam_unix.so
# Authentication management.
@ -74,11 +76,18 @@ let
"auth sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
auth sufficient pam_unix.so ${
optionalString allowNullPassword "nullok"}
${optionalString config.krb5.enable
''auth [default=ignore success=1 service_err=reset] ${pam_krb5}/lib/security/pam_krb5.so use_first_pass
auth [default=die success=done] ${pam_ccreds}/lib/security/pam_ccreds.so action=validate use_first_pass
auth sufficient ${pam_ccreds}/lib/security/pam_ccreds.so action=store use_first_pass
''}
auth required pam_deny.so
# Password management.
${optionalString config.users.ldap.enable
"password sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
${optionalString config.krb5.enable
"password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass"}
password requisite pam_unix.so nullok sha512
${optionalString config.services.samba.syncPasswordsByPam
"password optional ${pkgs.samba}/lib/security/pam_smbpass.so nullok use_authtok try_first_pass"}
@ -86,6 +95,8 @@ let
# Session management.
${optionalString config.users.ldap.enable
"session optional ${pam_ldap}/lib/security/pam_ldap.so"}
${optionalString config.krb5.enable
"session optional ${pam_krb5}/lib/security/pam_krb5.so"}
session required pam_unix.so
${optionalString ownDevices
"session optional ${pkgs.consolekit}/lib/security/pam_ck_connector.so"}
@ -184,7 +195,8 @@ in
environment.systemPackages =
# Include the PAM modules in the system path mostly for the manpages.
[ pkgs.pam ]
++ optional config.users.ldap.enable pam_ldap;
++ optional config.users.ldap.enable pam_ldap
++ optional config.krb5.enable [pam_krb5 pam_ccreds];
environment.etc =
map makePAMService config.security.pam.services
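Review bot: `++ optional config.krb5.enable [pam_krb5 pam_ccreds]` in the last hunk wraps the list in another list (`optional` yields a one-element list), so a nested list ends up inside `environment.systemPackages`; it should read `++ optionals config.krb5.enable [pam_krb5 pam_ccreds]`, the `pam_ldap` line above only gets away with `optional` because it adds a single package. In the auth stack, `[default=ignore success=1 service_err=reset]` on `pam_krb5.so` routes every failure, including a password the KDC actively rejected, into `pam_ccreds.so action=validate`, so a password that has been changed or revoked at the KDC keeps working for as long as the old hash is in the cache, and nothing in the stack ever invalidates it; pam_ccreds provides `action=update` for the failure path, and keying the fallback on `authinfo_unavail` rather than `default=ignore` would limit cache use to the KDC-unreachable case. `account sufficient pam_krb5.so` placed before `account required pam_unix.so` also skips the local expiry/shadow checks whenever the Kerberos account check succeeds; `account [default=bad success=ok user_unknown=ignore]` or `optional` keeps pam_unix in the path. The last hunk's header counts one more line than is shown here, so it may continue past this view.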