public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

sshd: Remove the usePAM option

Browse Source 
Sshd *must* use PAM because we depend on it for proper session
management.  The original goal of this option (disabling password
logins) can also be implemented by removing pam_auth authentication
from sshd's PAM service.
This commit is contained in:
Eelco Dolstra 2013-10-15 15:05:49 +02:00
parent a2c820c678
commit ae74b0ae58
2 changed files with 18 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
nixos/modules/security/pam.nix
View File

@ -17,6 +17,15 @@ let
description = "Name of the PAM service."; description = "Name of the PAM service.";
}; };
unixAuth = mkOption {
default = true;
type = types.bool;
description = ''
Whether users can log in with passwords defined in
<filename>/etc/shadow</filename>.
'';
};
rootOK = mkOption { rootOK = mkOption {
default = false; default = false;
type = types.bool; type = types.bool;
@ -154,7 +163,8 @@ let
"auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys:~/.ssh/authorized_keys2:/etc/ssh/authorized_keys.d/%u"} "auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys:~/.ssh/authorized_keys2:/etc/ssh/authorized_keys.d/%u"}
${optionalString cfg.usbAuth ${optionalString cfg.usbAuth
"auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so"} "auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so"}
auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth ${optionalString cfg.unixAuth
"auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth"}
${optionalString cfg.otpwAuth ${optionalString cfg.otpwAuth
"auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"} "auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"}
${optionalString config.users.ldap.enable ${optionalString config.users.ldap.enable

21
nixos/modules/services/networking/ssh/sshd.nix
View File

@ -128,21 +128,10 @@ in
''; '';
}; };
usePAM = mkOption {
default = true;
description = ''
Specifies whether the OpenSSH daemon uses PAM to authenticate
login attempts.
'';
};
passwordAuthentication = mkOption { passwordAuthentication = mkOption {
default = true; default = true;
description = '' description = ''
Specifies whether password authentication is allowed. Note Specifies whether password authentication is allowed.
that setting this value to <literal>false</literal> is most
probably not going to have the desired effect unless
<literal>usePAM</literal> is disabled as well.
''; '';
}; };
@ -284,7 +273,11 @@ in
networking.firewall.allowedTCPPorts = cfg.ports; networking.firewall.allowedTCPPorts = cfg.ports;
security.pam.services = optional cfg.usePAM { name = "sshd"; startSession = true; showMotd = true; }; security.pam.services.sshd =
{ startSession = true;
showMotd = true;
unixAuth = cfg.passwordAuthentication;
};
services.openssh.authorizedKeysFiles = services.openssh.authorizedKeysFiles =
[ ".ssh/authorized_keys" ".ssh/authorized_keys2" "/etc/ssh/authorized_keys.d/%u" ]; [ ".ssh/authorized_keys" ".ssh/authorized_keys2" "/etc/ssh/authorized_keys.d/%u" ];
@ -295,7 +288,7 @@ in
Protocol 2 Protocol 2
UsePAM ${if cfg.usePAM then "yes" else "no"} UsePAM yes
AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"} AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"}
${concatMapStrings (port: '' ${concatMapStrings (port: ''