Revert "nixos/pam: clean up generated files (no functional change) (#18580)"
This reverts commit 1010271c63f503113c0e8337977610ea783880ec. This reverts commit e85e51d41f0f3be40490b0de9a76f20f3685659c. The first commit causes multiple regressions. The second commit tries to fix the regressions, but does not catch all of them. There are multiple failing tests, one of which is blocking a package update. That is not acceptable for a cosmetic patch.
parent
d997f4581c
commit
9300b4903f
@ -231,104 +231,101 @@ let
|
|||||||
(''
|
(''
|
||||||
# Account management.
|
# Account management.
|
||||||
account sufficient pam_unix.so
|
account sufficient pam_unix.so
|
||||||
'' + optionalString use_ldap ''
|
${optionalString use_ldap
|
||||||
account sufficient ${pam_ldap}/lib/security/pam_ldap.so
|
"account sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
|
||||||
'' + optionalString config.krb5.enable ''
|
${optionalString config.krb5.enable
|
||||||
account sufficient ${pam_krb5}/lib/security/pam_krb5.so
|
"account sufficient ${pam_krb5}/lib/security/pam_krb5.so"}
|
||||||
'' + ''
|
|
||||||
|
|
||||||
# Authentication management.
|
# Authentication management.
|
||||||
'' + optionalString cfg.rootOK ''
|
${optionalString cfg.rootOK
|
||||||
auth sufficient pam_rootok.so
|
"auth sufficient pam_rootok.so"}
|
||||||
'' + optionalString cfg.requireWheel ''
|
${optionalString cfg.requireWheel
|
||||||
auth required pam_wheel.so use_uid
|
"auth required pam_wheel.so use_uid"}
|
||||||
'' + optionalString cfg.logFailures ''
|
${optionalString cfg.logFailures
|
||||||
auth required pam_tally.so
|
"auth required pam_tally.so"}
|
||||||
'' + optionalString (config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth) ''
|
${optionalString (config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth)
|
||||||
auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys:~/.ssh/authorized_keys2:/etc/ssh/authorized_keys.d/%u
|
"auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys:~/.ssh/authorized_keys2:/etc/ssh/authorized_keys.d/%u"}
|
||||||
'' + optionalString cfg.fprintAuth ''
|
${optionalString cfg.fprintAuth
|
||||||
auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so
|
"auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so"}
|
||||||
'' + optionalString cfg.u2fAuth ''
|
${optionalString cfg.u2fAuth
|
||||||
auth sufficient ${pkgs.pam_u2f}/lib/security/pam_u2f.so
|
"auth sufficient ${pkgs.pam_u2f}/lib/security/pam_u2f.so"}
|
||||||
'' + optionalString cfg.usbAuth ''
|
${optionalString cfg.usbAuth
|
||||||
auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so
|
"auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so"}
|
||||||
''
|
'' +
|
||||||
|
|
||||||
# Modules in this block require having the password set in PAM_AUTHTOK.
|
# Modules in this block require having the password set in PAM_AUTHTOK.
|
||||||
# pam_unix is marked as 'sufficient' on NixOS which means nothing will run
|
# pam_unix is marked as 'sufficient' on NixOS which means nothing will run
|
||||||
# after it succeeds. Certain modules need to run after pam_unix
|
# after it succeeds. Certain modules need to run after pam_unix
|
||||||
# prompts the user for password so we run it once with 'required' at an
|
# prompts the user for password so we run it once with 'required' at an
|
||||||
# earlier point and it will run again with 'sufficient' further down.
|
# earlier point and it will run again with 'sufficient' further down.
|
||||||
# We use try_first_pass the second time to avoid prompting password twice
|
# We use try_first_pass the second time to avoid prompting password twice
|
||||||
+ optionalString (cfg.unixAuth && (config.security.pam.enableEcryptfs || cfg.pamMount)) (''
|
(optionalString (cfg.unixAuth && (config.security.pam.enableEcryptfs || cfg.pamMount)) ''
|
||||||
auth required pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth
|
auth required pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth
|
||||||
'' + optionalString config.security.pam.enableEcryptfs ''
|
${optionalString config.security.pam.enableEcryptfs
|
||||||
auth optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap
|
"auth optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"}
|
||||||
'' + optionalString cfg.pamMount ''
|
${optionalString cfg.pamMount
|
||||||
auth optional ${pkgs.pam_mount}/lib/security/pam_mount.so
|
"auth optional ${pkgs.pam_mount}/lib/security/pam_mount.so"}
|
||||||
'')
|
'') + ''
|
||||||
+ optionalString cfg.unixAuth ''
|
${optionalString cfg.unixAuth
|
||||||
auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok "}likeauth try_first_pass
|
"auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth try_first_pass"}
|
||||||
'' + optionalString cfg.otpwAuth ''
|
${optionalString cfg.otpwAuth
|
||||||
auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so
|
"auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"}
|
||||||
'' + (let oath = config.security.pam.oath; in optionalString cfg.oathAuth ''
|
${let oath = config.security.pam.oath; in optionalString cfg.oathAuth
|
||||||
auth sufficient ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}
|
"auth sufficient ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}"}
|
||||||
'') + optionalString use_ldap ''
|
${optionalString use_ldap
|
||||||
auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass
|
"auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass"}
|
||||||
'' + optionalString config.krb5.enable ''
|
${optionalString config.krb5.enable ''
|
||||||
auth [default=ignore success=1 service_err=reset] ${pam_krb5}/lib/security/pam_krb5.so use_first_pass
|
auth [default=ignore success=1 service_err=reset] ${pam_krb5}/lib/security/pam_krb5.so use_first_pass
|
||||||
auth [default=die success=done] ${pam_ccreds}/lib/security/pam_ccreds.so action=validate use_first_pass
|
auth [default=die success=done] ${pam_ccreds}/lib/security/pam_ccreds.so action=validate use_first_pass
|
||||||
auth sufficient ${pam_ccreds}/lib/security/pam_ccreds.so action=store use_first_pass
|
auth sufficient ${pam_ccreds}/lib/security/pam_ccreds.so action=store use_first_pass
|
||||||
'' + ''
|
''}
|
||||||
auth required pam_deny.so
|
auth required pam_deny.so
|
||||||
|
|
||||||
# Password management.
|
# Password management.
|
||||||
password requisite pam_unix.so nullok sha512
|
password requisite pam_unix.so nullok sha512
|
||||||
'' + optionalString config.security.pam.enableEcryptfs ''
|
${optionalString config.security.pam.enableEcryptfs
|
||||||
password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so
|
"password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}
|
||||||
'' + optionalString cfg.pamMount ''
|
${optionalString cfg.pamMount
|
||||||
password optional ${pkgs.pam_mount}/lib/security/pam_mount.so
|
"password optional ${pkgs.pam_mount}/lib/security/pam_mount.so"}
|
||||||
'' + optionalString use_ldap ''
|
${optionalString use_ldap
|
||||||
password sufficient ${pam_ldap}/lib/security/pam_ldap.so
|
"password sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
|
||||||
'' + optionalString config.krb5.enable ''
|
${optionalString config.krb5.enable
|
||||||
password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass
|
"password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass"}
|
||||||
'' + optionalString config.services.samba.syncPasswordsByPam ''
|
${optionalString config.services.samba.syncPasswordsByPam
|
||||||
password optional ${pkgs.samba}/lib/security/pam_smbpass.so nullok use_authtok try_first_pass
|
"password optional ${pkgs.samba}/lib/security/pam_smbpass.so nullok use_authtok try_first_pass"}
|
||||||
'' + ''
|
|
||||||
|
|
||||||
# Session management.
|
# Session management.
|
||||||
'' + optionalString cfg.setEnvironment ''
|
${optionalString cfg.setEnvironment ''
|
||||||
session required pam_env.so envfile=${config.system.build.pamEnvironment}
|
session required pam_env.so envfile=${config.system.build.pamEnvironment}
|
||||||
'' + ''
|
''}
|
||||||
session required pam_unix.so
|
session required pam_unix.so
|
||||||
'' + optionalString cfg.setLoginUid ''
|
${optionalString cfg.setLoginUid
|
||||||
session ${
|
"session ${
|
||||||
if config.boot.isContainer then "optional" else "required"
|
if config.boot.isContainer then "optional" else "required"
|
||||||
} pam_loginuid.so
|
} pam_loginuid.so"}
|
||||||
'' + optionalString cfg.makeHomeDir ''
|
${optionalString cfg.makeHomeDir
|
||||||
session required ${pkgs.pam}/lib/security/pam_mkhomedir.so silent skel=/etc/skel umask=0022
|
"session required ${pkgs.pam}/lib/security/pam_mkhomedir.so silent skel=/etc/skel umask=0022"}
|
||||||
'' + optionalString cfg.updateWtmp ''
|
${optionalString cfg.updateWtmp
|
||||||
session required ${pkgs.pam}/lib/security/pam_lastlog.so silent
|
"session required ${pkgs.pam}/lib/security/pam_lastlog.so silent"}
|
||||||
'' + optionalString config.security.pam.enableEcryptfs ''
|
${optionalString config.security.pam.enableEcryptfs
|
||||||
session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so
|
"session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}
|
||||||
'' + optionalString use_ldap ''
|
${optionalString use_ldap
|
||||||
session optional ${pam_ldap}/lib/security/pam_ldap.so
|
"session optional ${pam_ldap}/lib/security/pam_ldap.so"}
|
||||||
'' + optionalString config.krb5.enable ''
|
${optionalString config.krb5.enable
|
||||||
session optional ${pam_krb5}/lib/security/pam_krb5.so
|
"session optional ${pam_krb5}/lib/security/pam_krb5.so"}
|
||||||
'' + optionalString cfg.otpwAuth ''
|
${optionalString cfg.otpwAuth
|
||||||
session optional ${pkgs.otpw}/lib/security/pam_otpw.so
|
"session optional ${pkgs.otpw}/lib/security/pam_otpw.so"}
|
||||||
'' + optionalString cfg.startSession ''
|
${optionalString cfg.startSession
|
||||||
session optional ${pkgs.systemd}/lib/security/pam_systemd.so
|
"session optional ${pkgs.systemd}/lib/security/pam_systemd.so"}
|
||||||
'' + optionalString cfg.forwardXAuth ''
|
${optionalString cfg.forwardXAuth
|
||||||
session optional pam_xauth.so xauthpath=${pkgs.xorg.xauth}/bin/xauth systemuser=99
|
"session optional pam_xauth.so xauthpath=${pkgs.xorg.xauth}/bin/xauth systemuser=99"}
|
||||||
'' + optionalString (cfg.limits != []) ''
|
${optionalString (cfg.limits != [])
|
||||||
session required ${pkgs.pam}/lib/security/pam_limits.so conf=${makeLimitsConf cfg.limits}
|
"session required ${pkgs.pam}/lib/security/pam_limits.so conf=${makeLimitsConf cfg.limits}"}
|
||||||
'' + optionalString (cfg.showMotd && config.users.motd != null) ''
|
${optionalString (cfg.showMotd && config.users.motd != null)
|
||||||
session optional ${pkgs.pam}/lib/security/pam_motd.so motd=${motd}
|
"session optional ${pkgs.pam}/lib/security/pam_motd.so motd=${motd}"}
|
||||||
'' + optionalString cfg.pamMount ''
|
${optionalString cfg.pamMount
|
||||||
session optional ${pkgs.pam_mount}/lib/security/pam_mount.so
|
"session optional ${pkgs.pam_mount}/lib/security/pam_mount.so"}
|
||||||
'' + optionalString (cfg.enableAppArmor && config.security.apparmor.enable) ''
|
${optionalString (cfg.enableAppArmor && config.security.apparmor.enable)
|
||||||
session optional ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so order=user,group,default debug
|
"session optional ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so order=user,group,default debug"}
|
||||||
'');
|
'');
|
||||||
};
|
};
|
||||||
|
|
||||||
|
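Review bot: The restored `password requisite pam_unix.so nullok sha512` line (right after `# Password management.`) passes `nullok` unconditionally, whereas both `auth ... pam_unix.so` lines in this hunk only add `nullok` when `cfg.allowNullPassword` is set. Presumably this lets an account whose current password is empty set a new one through this service even when allowNullPassword is false; if that is deliberate, a one-line comment such as `# nullok on purpose: lets an account with an empty password set one; login itself stays gated by cfg.allowNullPassword` would stop it reading as an oversight, and if it is not, the flag should be gated the same way, `password requisite pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} sha512`. This line is context that the revert leaves untouched, so it is a pre-existing inconsistency rather than a regression introduced here. The `let` binding and the outer `''` string enclosing this hunk begin before it.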