* Very basic PAM configuration. We now use Blowfish hashing for

/etc/shadow.

svn path=/nixos/trunk/; revision=7306

configuration/boot-environment.nix

@@ -234,7 +234,31 @@ rec {
         target = "event.d";
       }
 
-    ];
+      { # Configuration for passwd and friends (e.g., hash algorithm
+        # for /etc/passwd).
+        source = ./etc/default/passwd;
+        target = "default/passwd";
+      }
+
+    ]
+
+    # A bunch of PAM configuration files for various programs.
+    ++ (map
+      (program:
+        { source = pkgs.substituteAll {
+            src = ./etc/pam.d + ("/" + program);
+            inherit (pkgs) pam_unix2;
+          };
+          target = "pam.d/" + program;
+        }
+      )
+      [
+        "login"
+        "passwd"
+        "useradd"
+        "other"
+      ]
+    );
   };
 
   

configuration/etc/default/passwd

@@ -0,0 +1,15 @@
+# Define default crypt hash
+# CRYPT={des,md5,blowfish}
+CRYPT=des
+
+# for local files, use a more secure hash. We
+# don't need to be portable here:
+CRYPT_FILES=blowfish
+
+# sometimes we need to specify special options for
+# a hash (variable is prepended by the name of the
+# crypt hash).
+BLOWFISH_CRYPT_FILES=10
+
+# For NIS, we should always use DES:
+CRYPT_YP=des

configuration/etc/pam.d/login

@@ -0,0 +1,4 @@
+auth     required       @pam_unix2@/lib/security/pam_unix2.so
+account  required       @pam_unix2@/lib/security/pam_unix2.so
+password required       @pam_unix2@/lib/security/pam_unix2.so nullok use_first_pass use_authtok
+session  required       @pam_unix2@/lib/security/pam_unix2.so

configuration/etc/pam.d/other

@@ -0,0 +1,8 @@
+auth     required       pam_warn.so
+auth     required       pam_deny.so
+account  required       pam_warn.so
+account  required       pam_deny.so
+password required       pam_warn.so
+password required       pam_deny.so
+session  required       pam_warn.so
+session  required       pam_deny.so

configuration/etc/pam.d/passwd

@@ -0,0 +1,4 @@
+auth     required       @pam_unix2@/lib/security/pam_unix2.so
+account  required       @pam_unix2@/lib/security/pam_unix2.so
+password required       @pam_unix2@/lib/security/pam_unix2.so nullok debug
+session  required       @pam_unix2@/lib/security/pam_unix2.so

configuration/etc/pam.d/useradd

@@ -0,0 +1,5 @@
+auth     sufficient     pam_rootok.so
+auth     required       pam_permit.so
+account  required       pam_permit.so
+password required       pam_permit.so
+session  required       pam_permit.so