From 86c1e10a43c512465ced4b592fdd05d2659eb40e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Llu=C3=ADs=20Batlle=20i=20Rossell?=
Date: Sat, 30 Mar 2013 22:25:19 +0100
Subject: [PATCH] Setting pam otpw *after* pam_unix, for dovecot failed auth messages.

I think it's nice that it first asks the usual password, and then offers the otpw one if enabled. That enables dovecot to show the last pam prompt. I also add the dovecot option for that.
---
 modules/security/pam.nix | 2 +-
 modules/services/mail/dovecot.nix | 6 +++++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/modules/security/pam.nix b/modules/security/pam.nix
index 6742ec3aaca..8c0231288ec 100644
--- a/modules/security/pam.nix
+++ b/modules/security/pam.nix
@@ -87,9 +87,9 @@ let
 "auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys:~/.ssh/authorized_keys2:/etc/ssh/authorized_keys.d/%u"}
 ${optionalString usbAuth
 "auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so"}
+ auth sufficient pam_unix.so ${optionalString allowNullPassword "nullok"} likeauth
 ${optionalString otpwAuth
 "auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"}
- auth sufficient pam_unix.so ${optionalString allowNullPassword "nullok"} likeauth
 ${optionalString config.users.ldap.enable
 "auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass"}
 ${optionalString config.krb5.enable ''
diff --git a/modules/services/mail/dovecot.nix b/modules/services/mail/dovecot.nix
index b4662936b3c..5f8e8e1ade3 100644
--- a/modules/services/mail/dovecot.nix
+++ b/modules/services/mail/dovecot.nix
@@ -39,7 +39,7 @@ let
 }
 passdb {
 driver = pam
- args = dovecot2
+ args = ${optionalString cfg.showPAMFailure "failure_show_msg=yes"} dovecot2
 }
 pop3_uidl_format = %08Xv%08Xu
@@ -111,6 +111,10 @@ in
 description = "Server key.";
 };
+ showPAMFailure = mkOption {
+ default = false;
+ description = "Show the PAM failure message on authentication error (useful for OTPW).";
+ };
 };
 };
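Review bot: The reason pam_unix.so now precedes pam_otpw.so lives only in the commit message; the stack itself should carry it, because a later reorder of these `sufficient` lines would silently undo the dovecot behaviour this commit depends on. Suggest a comment above the new pam_unix line: `# pam_unix before pam_otpw: the regular password is asked first, so on a failed login the OTPW prompt is the last one the stack emits (what dovecot's failure_show_msg reports).` Since both entries are `sufficient`, a wrong Unix password does not end the stack and pam_otpw is consulted next; whether pam_otpw then prompts for every account or only for users that have OTPW set up is not visible here, and is worth confirming, since a prompt that differs per account would tell an unauthenticated client which users have OTPW enabled. The `let` block and the string this hunk edits start and end outside the hunk.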
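Review bot: When `cfg.showPAMFailure` is false the new `args` line renders as `args =  dovecot2` with a doubled space, which Dovecot presumably tolerates but is worth checking once against a generated config; `args = ${optionalString cfg.showPAMFailure "failure_show_msg=yes "}dovecot2` keeps the output tidy in both cases. `failure_show_msg=yes` makes Dovecot relay the PAM failure text to a client that has not authenticated yet, so gating it behind an option that defaults to off is the right shape. The `let` block holding this config string starts and ends outside the hunk.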
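Review bot: The `showPAMFailure` description should say what is exposed, since the text returned by any PAM module on failure, not just the OTPW prompt, is sent to the unauthenticated client; suggest `description = "Send the PAM failure message to the (unauthenticated) client on authentication error. Needed to show the OTPW challenge, but exposes whatever text the PAM stack returns.";`. The option also declares no `type`; the sibling options visible here do not either, so this is consistent with the file, but `type = types.bool;` would reject non-boolean values if `types` is in scope in this module. The enclosing `options` attribute set starts before the hunk.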