nixos: authenticate through kerberos
config.krb5.enable needs to be set as true. Also use pam_ccreds to cache Kerberos credentials for offline logins. svn path=/nixos/trunk/; revision=22986
This commit is contained in:
David Guibert
parent
6436ed1de4
commit
6c8c1f935a
@ -6,8 +6,6 @@ let
|
||||
|
||||
cfg = config.krb5;
|
||||
|
||||
#myPkgs = import /home/nixer/nix/my-expr.nix { system = "x86_64-linux"; };
|
||||
|
||||
options = {
|
||||
krb5 = {
|
||||
|
||||
@ -21,6 +19,11 @@ let
|
||||
description = "Default realm.";
|
||||
};
|
||||
|
||||
domainRealm = mkOption {
|
||||
default = "atena.mit.edu";
|
||||
description = "Default domain realm.";
|
||||
};
|
||||
|
||||
kdc = mkOption {
|
||||
default = "kerberos.mit.edu";
|
||||
description = "Kerberos Domain Controller";
|
||||
@ -49,6 +52,7 @@ mkIf config.krb5.enable {
|
||||
''
|
||||
[libdefaults]
|
||||
default_realm = ${cfg.defaultRealm}
|
||||
encrypt = true
|
||||
|
||||
# The following krb5.conf variables are only for MIT Kerberos.
|
||||
krb4_config = /etc/krb.conf
|
||||
@ -84,6 +88,7 @@ mkIf config.krb5.enable {
|
||||
${cfg.defaultRealm} = {
|
||||
kdc = ${cfg.kdc}
|
||||
admin_server = ${cfg.kerberosAdminServer}
|
||||
# kpasswd_server = ${cfg.kerberosAdminServer}
|
||||
}
|
||||
ATHENA.MIT.EDU = {
|
||||
kdc = kerberos.mit.edu:88
|
||||
@ -162,6 +167,8 @@ mkIf config.krb5.enable {
|
||||
}
|
||||
|
||||
[domain_realm]
|
||||
.${cfg.domainRealm} = ${cfg.defaultRealm}
|
||||
${cfg.domainRealm} = ${cfg.defaultRealm}
|
||||
.mit.edu = ATHENA.MIT.EDU
|
||||
mit.edu = ATHENA.MIT.EDU
|
||||
.media.mit.edu = MEDIA-LAB.MIT.EDU
|
||||
@ -172,10 +179,23 @@ mkIf config.krb5.enable {
|
||||
whoi.edu = ATHENA.MIT.EDU
|
||||
.stanford.edu = stanford.edu
|
||||
|
||||
[login]
|
||||
[logging]
|
||||
kdc = SYSLOG:INFO:DAEMON
|
||||
admin_server = SYSLOG:INFO:DAEMON
|
||||
default = SYSLOG:INFO:DAEMON
|
||||
krb4_convert = true
|
||||
krb4_get_tickets = false
|
||||
|
||||
|
||||
|
||||
[appdefaults]
|
||||
pam = {
|
||||
debug = false
|
||||
ticket_lifetime = 36000
|
||||
renew_lifetime = 36000
|
||||
max_timeout = 30
|
||||
timeout_shift = 2
|
||||
initial_timeout = 1
|
||||
}
|
||||
'';
|
||||
target = "krb5.conf";
|
||||
}
|
||||
|
||||
@ -7,7 +7,7 @@ with pkgs.lib;
|
||||
|
||||
let
|
||||
|
||||
inherit (pkgs) pam_usb pam_ldap;
|
||||
inherit (pkgs) pam_usb pam_ldap pam_krb5 pam_ccreds;
|
||||
|
||||
otherService = pkgs.writeText "other.pam"
|
||||
''
|
||||
@ -63,6 +63,8 @@ let
|
||||
# Account management.
|
||||
${optionalString config.users.ldap.enable
|
||||
"account optional ${pam_ldap}/lib/security/pam_ldap.so"}
|
||||
${optionalString config.krb5.enable
|
||||
"account sufficient ${pam_krb5}/lib/security/pam_krb5.so"}
|
||||
account required pam_unix.so
|
||||
|
||||
# Authentication management.
|
||||
@ -74,11 +76,18 @@ let
|
||||
"auth sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
|
||||
auth sufficient pam_unix.so ${
|
||||
optionalString allowNullPassword "nullok"}
|
||||
${optionalString config.krb5.enable
|
||||
''auth [default=ignore success=1 service_err=reset] ${pam_krb5}/lib/security/pam_krb5.so use_first_pass
|
||||
auth [default=die success=done] ${pam_ccreds}/lib/security/pam_ccreds.so action=validate use_first_pass
|
||||
auth sufficient ${pam_ccreds}/lib/security/pam_ccreds.so action=store use_first_pass
|
||||
''}
|
||||
auth required pam_deny.so
|
||||
|
||||
# Password management.
|
||||
${optionalString config.users.ldap.enable
|
||||
"password sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
|
||||
${optionalString config.krb5.enable
|
||||
"password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass"}
|
||||
password requisite pam_unix.so nullok sha512
|
||||
${optionalString config.services.samba.syncPasswordsByPam
|
||||
"password optional ${pkgs.samba}/lib/security/pam_smbpass.so nullok use_authtok try_first_pass"}
|
||||
@ -86,6 +95,8 @@ let
|
||||
# Session management.
|
||||
${optionalString config.users.ldap.enable
|
||||
"session optional ${pam_ldap}/lib/security/pam_ldap.so"}
|
||||
${optionalString config.krb5.enable
|
||||
"session optional ${pam_krb5}/lib/security/pam_krb5.so"}
|
||||
session required pam_unix.so
|
||||
${optionalString ownDevices
|
||||
"session optional ${pkgs.consolekit}/lib/security/pam_ck_connector.so"}
|
||||
@ -184,7 +195,8 @@ in
|
||||
environment.systemPackages =
|
||||
# Include the PAM modules in the system path mostly for the manpages.
|
||||
[ pkgs.pam ]
|
||||
++ optional config.users.ldap.enable pam_ldap;
|
||||
++ optional config.users.ldap.enable pam_ldap
|
||||
++ optional config.krb5.enable [pam_krb5 pam_ccreds];
|
||||
|
||||
environment.etc =
|
||||
map makePAMService config.security.pam.services
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user