From f327b072cb8446a44b0b7de7076f79247a29868e Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Mon, 11 Dec 2006 02:44:26 +0000
Subject: [PATCH] * Very basic PAM configuration. We now use Blowfish hashing for /etc/shadow.
svn path=/nixos/trunk/; revision=7306
---
configuration/boot-environment.nix | 26 +++++++++++++++++++++++++-
configuration/etc/default/passwd | 15 +++++++++++++++
configuration/etc/pam.d/login | 4 ++++
configuration/etc/pam.d/other | 8 ++++++++
configuration/etc/pam.d/passwd | 4 ++++
configuration/etc/pam.d/useradd | 5 +++++
6 files changed, 61 insertions(+), 1 deletion(-)
create mode 100644 configuration/etc/default/passwd
create mode 100644 configuration/etc/pam.d/login
create mode 100644 configuration/etc/pam.d/other
create mode 100644 configuration/etc/pam.d/passwd
create mode 100644 configuration/etc/pam.d/useradd
diff --git a/configuration/boot-environment.nix b/configuration/boot-environment.nix
index 4c4092bf3c9..6e14ef2e193 100644
--- a/configuration/boot-environment.nix
+++ b/configuration/boot-environment.nix
@@ -234,7 +234,31 @@ rec {
 target = "event.d";
 }
- ];
+ { # Configuration for passwd and friends (e.g., hash algorithm # for /etc/passwd).
+ source = ./etc/default/passwd;
+ target = "default/passwd";
+ }
+
+ ]
+ # A bunch of PAM configuration files for various programs.
+ ++ (map
+ (program:
+ { source = pkgs.substituteAll {
+ src = ./etc/pam.d + ("/" + program);
+ inherit (pkgs) pam_unix2;
+ };
+ target = "pam.d/" + program;
+ }
+ )
+ [
+ "login"
+ "passwd"
+ "useradd"
+ "other"
+ ]
+ );
 };
diff --git a/configuration/etc/default/passwd b/configuration/etc/default/passwd
new file mode 100644
index 00000000000..5804e28c38b
--- /dev/null
+++ b/configuration/etc/default/passwd
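Review bot: Only `pam_unix2` is substituted into the generated pam.d files (`inherit (pkgs) pam_unix2;`), while `other` and `useradd` name `pam_warn.so`, `pam_deny.so`, `pam_permit.so` and `pam_rootok.so` bare, so those four are resolved from libpam's compiled-in module directory rather than from a store path like `@pam_unix2@/lib/security/` is. If that directory is not populated on this system, libpam treats a module it cannot load as a failure, which keeps `other` fail-closed but would make every stack in `useradd` fail; consider passing the PAM package through substituteAll as well and referencing its modules by store path, or add a comment explaining why the bare names are intended. The comment on the new `default/passwd` entry says "hash algorithm for /etc/passwd", but what the file selects is the hash used for local password files, i.e. /etc/shadow as the commit message says; suggest `# Configuration for passwd and friends (e.g., the hash algorithm used for /etc/shadow).`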
@@ -0,0 +1,15 @@
+# Define default crypt hash
+# CRYPT={des,md5,blowfish}
+CRYPT=des
+
+# for local files, use a more secure hash. We
+# don't need to be portable here:
+CRYPT_FILES=blowfish
+
+# sometimes we need to specify special options for
+# a hash (variable is prepended by the name of the
+# crypt hash).
+BLOWFISH_CRYPT_FILES=10
+
+# For NIS, we should always use DES:
+CRYPT_YP=des
diff --git a/configuration/etc/pam.d/login b/configuration/etc/pam.d/login
new file mode 100644
index 00000000000..29ec6d7b11a
--- /dev/null
+++ b/configuration/etc/pam.d/login
@@ -0,0 +1,4 @@
+auth required @pam_unix2@/lib/security/pam_unix2.so
+account required @pam_unix2@/lib/security/pam_unix2.so
+password required @pam_unix2@/lib/security/pam_unix2.so nullok use_first_pass use_authtok
+session required @pam_unix2@/lib/security/pam_unix2.so
diff --git a/configuration/etc/pam.d/other b/configuration/etc/pam.d/other
new file mode 100644
index 00000000000..b1ed9205b72
--- /dev/null
+++ b/configuration/etc/pam.d/other
@@ -0,0 +1,8 @@
+auth required pam_warn.so
+auth required pam_deny.so
+account required pam_warn.so
+account required pam_deny.so
+password required pam_warn.so
+password required pam_deny.so
+session required pam_warn.so
+session required pam_deny.so
diff --git a/configuration/etc/pam.d/passwd b/configuration/etc/pam.d/passwd
new file mode 100644
index 00000000000..423e0efb496
--- /dev/null
+++ b/configuration/etc/pam.d/passwd
@@ -0,0 +1,4 @@
+auth required @pam_unix2@/lib/security/pam_unix2.so
+account required @pam_unix2@/lib/security/pam_unix2.so
+password required @pam_unix2@/lib/security/pam_unix2.so nullok debug
+session required @pam_unix2@/lib/security/pam_unix2.so
diff --git a/configuration/etc/pam.d/useradd b/configuration/etc/pam.d/useradd
new file mode 100644
index 00000000000..b4aac2aba95
--- /dev/null
+++ b/configuration/etc/pam.d/useradd
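Review bot: `CRYPT=des` is kept as the general default, so any hash not selected through `CRYPT_FILES` or `CRYPT_YP` falls back to traditional DES crypt, which truncates passwords to eight characters and uses a 12-bit salt; the portability argument in the comment is really about NIS, which already has its own `CRYPT_YP=des`. Unless something else on this system depends on DES, `CRYPT=blowfish` (or at least `CRYPT=md5`) would close that fallback. `BLOWFISH_CRYPT_FILES=10` appears to be the bcrypt work factor (2^10 iterations), but the file only calls it a "special option"; a comment such as `# bcrypt cost (log2 of the round count); raise as hardware gets faster` would spare the next reader a trip to the pam_unix2 documentation.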
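Review bot: The `password` line in `login` carries `use_first_pass use_authtok`, yet nothing is stacked ahead of `pam_unix2.so` in that stack; in pam_unix2 those options mean "take the new password from a previously stacked password module", so when a password change is forced at login (expired password) there is no token to take and the change presumably cannot succeed. Either stack a password-quality module (pam_pwcheck or pam_cracklib) in front, which is what these options are designed for, or drop them: `password required @pam_unix2@/lib/security/pam_unix2.so nullok`. The `nullok` here only affects that change step, since the `auth` line does not carry it, which looks intentional but deserves a one-line comment in the file.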
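Review bot: `debug` on the `password` line of `passwd` looks like a leftover from testing; it turns on verbose syslog output for every password change on the system and should be dropped before this ships: `password required @pam_unix2@/lib/security/pam_unix2.so nullok`. There is also no password-strength module ahead of pam_unix2 in this stack, so any new password is accepted as-is; if that is deliberate for this early configuration, a comment in the file saying so would save the next reader a question.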
@@ -0,0 +1,5 @@
+auth sufficient pam_rootok.so
+auth required pam_permit.so
+account required pam_permit.so
+password required pam_permit.so
+session required pam_permit.so
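Review bot: `auth required pam_permit.so` directly after `auth sufficient pam_rootok.so` makes the rootok line meaningless, since pam_permit succeeds unconditionally and the stack passes for every caller, root or not. If the intent is that PAM lets only root through useradd, the conventional pair is rootok followed by deny: `auth sufficient pam_rootok.so` / `auth required pam_deny.so`; if PAM is not meant to gate useradd at all, a single `auth required pam_permit.so` states that more honestly. The remaining three stacks are pure pam_permit and gate nothing either, which is probably fine for a root-only tool but is worth a comment at the top of the file.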