Revert "nixos/pam: clean up generated files (no functional change) (#18580)"
This reverts commit 1010271c63. This reverts commit e85e51d41f. The first commit causes multiple regressions. The second commit tries to fix the regressions, but does not catch all of them. There are multiple failing tests, one of which is blocking a package update. That is not acceptable for a cosmetic patch.
parent
d997f4581c
commit
9300b4903f
@ -229,107 +229,104 @@ let
|
|||||||
# module provides the right hooks.
|
# module provides the right hooks.
|
||||||
text = mkDefault
|
text = mkDefault
|
||||||
(''
|
(''
|
||||||
# Account management.
|
# Account management.
|
||||||
account sufficient pam_unix.so
|
account sufficient pam_unix.so
|
||||||
'' + optionalString use_ldap ''
|
${optionalString use_ldap
|
||||||
account sufficient ${pam_ldap}/lib/security/pam_ldap.so
|
"account sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
|
||||||
'' + optionalString config.krb5.enable ''
|
${optionalString config.krb5.enable
|
||||||
account sufficient ${pam_krb5}/lib/security/pam_krb5.so
|
"account sufficient ${pam_krb5}/lib/security/pam_krb5.so"}
|
||||||
'' + ''
|
|
||||||
|
|
||||||
# Authentication management.
|
# Authentication management.
|
||||||
'' + optionalString cfg.rootOK ''
|
${optionalString cfg.rootOK
|
||||||
auth sufficient pam_rootok.so
|
"auth sufficient pam_rootok.so"}
|
||||||
'' + optionalString cfg.requireWheel ''
|
${optionalString cfg.requireWheel
|
||||||
auth required pam_wheel.so use_uid
|
"auth required pam_wheel.so use_uid"}
|
||||||
'' + optionalString cfg.logFailures ''
|
${optionalString cfg.logFailures
|
||||||
auth required pam_tally.so
|
"auth required pam_tally.so"}
|
||||||
'' + optionalString (config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth) ''
|
${optionalString (config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth)
|
||||||
auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys:~/.ssh/authorized_keys2:/etc/ssh/authorized_keys.d/%u
|
"auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys:~/.ssh/authorized_keys2:/etc/ssh/authorized_keys.d/%u"}
|
||||||
'' + optionalString cfg.fprintAuth ''
|
${optionalString cfg.fprintAuth
|
||||||
auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so
|
"auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so"}
|
||||||
'' + optionalString cfg.u2fAuth ''
|
${optionalString cfg.u2fAuth
|
||||||
auth sufficient ${pkgs.pam_u2f}/lib/security/pam_u2f.so
|
"auth sufficient ${pkgs.pam_u2f}/lib/security/pam_u2f.so"}
|
||||||
'' + optionalString cfg.usbAuth ''
|
${optionalString cfg.usbAuth
|
||||||
auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so
|
"auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so"}
|
||||||
''
|
'' +
|
||||||
|
# Modules in this block require having the password set in PAM_AUTHTOK.
|
||||||
|
# pam_unix is marked as 'sufficient' on NixOS which means nothing will run
|
||||||
|
# after it succeeds. Certain modules need to run after pam_unix
|
||||||
|
# prompts the user for password so we run it once with 'required' at an
|
||||||
|
# earlier point and it will run again with 'sufficient' further down.
|
||||||
|
# We use try_first_pass the second time to avoid prompting password twice
|
||||||
|
(optionalString (cfg.unixAuth && (config.security.pam.enableEcryptfs || cfg.pamMount)) ''
|
||||||
|
auth required pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth
|
||||||
|
${optionalString config.security.pam.enableEcryptfs
|
||||||
|
"auth optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"}
|
||||||
|
${optionalString cfg.pamMount
|
||||||
|
"auth optional ${pkgs.pam_mount}/lib/security/pam_mount.so"}
|
||||||
|
'') + ''
|
||||||
|
${optionalString cfg.unixAuth
|
||||||
|
"auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth try_first_pass"}
|
||||||
|
${optionalString cfg.otpwAuth
|
||||||
|
"auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"}
|
||||||
|
${let oath = config.security.pam.oath; in optionalString cfg.oathAuth
|
||||||
|
"auth sufficient ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}"}
|
||||||
|
${optionalString use_ldap
|
||||||
|
"auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass"}
|
||||||
|
${optionalString config.krb5.enable ''
|
||||||
|
auth [default=ignore success=1 service_err=reset] ${pam_krb5}/lib/security/pam_krb5.so use_first_pass
|
||||||
|
auth [default=die success=done] ${pam_ccreds}/lib/security/pam_ccreds.so action=validate use_first_pass
|
||||||
|
auth sufficient ${pam_ccreds}/lib/security/pam_ccreds.so action=store use_first_pass
|
||||||
|
''}
|
||||||
|
auth required pam_deny.so
|
||||||
|
|
||||||
# Modules in this block require having the password set in PAM_AUTHTOK.
|
# Password management.
|
||||||
# pam_unix is marked as 'sufficient' on NixOS which means nothing will run
|
password requisite pam_unix.so nullok sha512
|
||||||
# after it succeeds. Certain modules need to run after pam_unix
|
${optionalString config.security.pam.enableEcryptfs
|
||||||
# prompts the user for password so we run it once with 'required' at an
|
"password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}
|
||||||
# earlier point and it will run again with 'sufficient' further down.
|
${optionalString cfg.pamMount
|
||||||
# We use try_first_pass the second time to avoid prompting password twice
|
"password optional ${pkgs.pam_mount}/lib/security/pam_mount.so"}
|
||||||
+ optionalString (cfg.unixAuth && (config.security.pam.enableEcryptfs || cfg.pamMount)) (''
|
${optionalString use_ldap
|
||||||
auth required pam_unix.so ${optionalString cfg.allowNullPassword "nullok "}likeauth
|
"password sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
|
||||||
'' + optionalString config.security.pam.enableEcryptfs ''
|
${optionalString config.krb5.enable
|
||||||
auth optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap
|
"password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass"}
|
||||||
'' + optionalString cfg.pamMount ''
|
${optionalString config.services.samba.syncPasswordsByPam
|
||||||
auth optional ${pkgs.pam_mount}/lib/security/pam_mount.so
|
"password optional ${pkgs.samba}/lib/security/pam_smbpass.so nullok use_authtok try_first_pass"}
|
||||||
'')
|
|
||||||
+ optionalString cfg.unixAuth ''
|
|
||||||
auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok "}likeauth try_first_pass
|
|
||||||
'' + optionalString cfg.otpwAuth ''
|
|
||||||
auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so
|
|
||||||
'' + (let oath = config.security.pam.oath; in optionalString cfg.oathAuth ''
|
|
||||||
auth sufficient ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}
|
|
||||||
'') + optionalString use_ldap ''
|
|
||||||
auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass
|
|
||||||
'' + optionalString config.krb5.enable ''
|
|
||||||
auth [default=ignore success=1 service_err=reset] ${pam_krb5}/lib/security/pam_krb5.so use_first_pass
|
|
||||||
auth [default=die success=done] ${pam_ccreds}/lib/security/pam_ccreds.so action=validate use_first_pass
|
|
||||||
auth sufficient ${pam_ccreds}/lib/security/pam_ccreds.so action=store use_first_pass
|
|
||||||
'' + ''
|
|
||||||
auth required pam_deny.so
|
|
||||||
|
|
||||||
# Password management.
|
# Session management.
|
||||||
password requisite pam_unix.so nullok sha512
|
${optionalString cfg.setEnvironment ''
|
||||||
'' + optionalString config.security.pam.enableEcryptfs ''
|
session required pam_env.so envfile=${config.system.build.pamEnvironment}
|
||||||
password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so
|
''}
|
||||||
'' + optionalString cfg.pamMount ''
|
session required pam_unix.so
|
||||||
password optional ${pkgs.pam_mount}/lib/security/pam_mount.so
|
${optionalString cfg.setLoginUid
|
||||||
'' + optionalString use_ldap ''
|
"session ${
|
||||||
password sufficient ${pam_ldap}/lib/security/pam_ldap.so
|
if config.boot.isContainer then "optional" else "required"
|
||||||
'' + optionalString config.krb5.enable ''
|
} pam_loginuid.so"}
|
||||||
password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass
|
${optionalString cfg.makeHomeDir
|
||||||
'' + optionalString config.services.samba.syncPasswordsByPam ''
|
"session required ${pkgs.pam}/lib/security/pam_mkhomedir.so silent skel=/etc/skel umask=0022"}
|
||||||
password optional ${pkgs.samba}/lib/security/pam_smbpass.so nullok use_authtok try_first_pass
|
${optionalString cfg.updateWtmp
|
||||||
'' + ''
|
"session required ${pkgs.pam}/lib/security/pam_lastlog.so silent"}
|
||||||
|
${optionalString config.security.pam.enableEcryptfs
|
||||||
# Session management.
|
"session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}
|
||||||
'' + optionalString cfg.setEnvironment ''
|
${optionalString use_ldap
|
||||||
session required pam_env.so envfile=${config.system.build.pamEnvironment}
|
"session optional ${pam_ldap}/lib/security/pam_ldap.so"}
|
||||||
'' + ''
|
${optionalString config.krb5.enable
|
||||||
session required pam_unix.so
|
"session optional ${pam_krb5}/lib/security/pam_krb5.so"}
|
||||||
'' + optionalString cfg.setLoginUid ''
|
${optionalString cfg.otpwAuth
|
||||||
session ${
|
"session optional ${pkgs.otpw}/lib/security/pam_otpw.so"}
|
||||||
if config.boot.isContainer then "optional" else "required"
|
${optionalString cfg.startSession
|
||||||
} pam_loginuid.so
|
"session optional ${pkgs.systemd}/lib/security/pam_systemd.so"}
|
||||||
'' + optionalString cfg.makeHomeDir ''
|
${optionalString cfg.forwardXAuth
|
||||||
session required ${pkgs.pam}/lib/security/pam_mkhomedir.so silent skel=/etc/skel umask=0022
|
"session optional pam_xauth.so xauthpath=${pkgs.xorg.xauth}/bin/xauth systemuser=99"}
|
||||||
'' + optionalString cfg.updateWtmp ''
|
${optionalString (cfg.limits != [])
|
||||||
session required ${pkgs.pam}/lib/security/pam_lastlog.so silent
|
"session required ${pkgs.pam}/lib/security/pam_limits.so conf=${makeLimitsConf cfg.limits}"}
|
||||||
'' + optionalString config.security.pam.enableEcryptfs ''
|
${optionalString (cfg.showMotd && config.users.motd != null)
|
||||||
session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so
|
"session optional ${pkgs.pam}/lib/security/pam_motd.so motd=${motd}"}
|
||||||
'' + optionalString use_ldap ''
|
${optionalString cfg.pamMount
|
||||||
session optional ${pam_ldap}/lib/security/pam_ldap.so
|
"session optional ${pkgs.pam_mount}/lib/security/pam_mount.so"}
|
||||||
'' + optionalString config.krb5.enable ''
|
${optionalString (cfg.enableAppArmor && config.security.apparmor.enable)
|
||||||
session optional ${pam_krb5}/lib/security/pam_krb5.so
|
"session optional ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so order=user,group,default debug"}
|
||||||
'' + optionalString cfg.otpwAuth ''
|
'');
|
||||||
session optional ${pkgs.otpw}/lib/security/pam_otpw.so
|
|
||||||
'' + optionalString cfg.startSession ''
|
|
||||||
session optional ${pkgs.systemd}/lib/security/pam_systemd.so
|
|
||||||
'' + optionalString cfg.forwardXAuth ''
|
|
||||||
session optional pam_xauth.so xauthpath=${pkgs.xorg.xauth}/bin/xauth systemuser=99
|
|
||||||
'' + optionalString (cfg.limits != []) ''
|
|
||||||
session required ${pkgs.pam}/lib/security/pam_limits.so conf=${makeLimitsConf cfg.limits}
|
|
||||||
'' + optionalString (cfg.showMotd && config.users.motd != null) ''
|
|
||||||
session optional ${pkgs.pam}/lib/security/pam_motd.so motd=${motd}
|
|
||||||
'' + optionalString cfg.pamMount ''
|
|
||||||
session optional ${pkgs.pam_mount}/lib/security/pam_mount.so
|
|
||||||
'' + optionalString (cfg.enableAppArmor && config.security.apparmor.enable) ''
|
|
||||||
session optional ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so order=user,group,default debug
|
|
||||||
'');
|
|
||||||
};
|
};
|
||||||
|
|
||||||
};
|
};
|
||||||
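Review bot: The password-stack line `password requisite pam_unix.so nullok sha512` is present in both columns and carries `nullok` unconditionally, while every auth-stack pam_unix line in the same hunk gates it on `cfg.allowNullPassword`; whichever column the revert restores, that asymmetry stays undocumented and invites the next "cosmetic" pass to normalise it. If it is intended (presumably so that an account with an empty password can still set one), a comment such as `# nullok here presumably only permits replacing an empty password; login with an empty password is governed by cfg.allowNullPassword on the auth lines — confirm` on that line would pin the intent. The rendered page has lost the +/- markers, so which column is the new side cannot be confirmed from the hunk alone, and the commit message names neither the failing tests nor the blocked package, which anyone re-attempting this cleanup will need to check against. The enclosing `let` binding and the `text = mkDefault` attribute it feeds start before the hunk.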
|