commit 822c0a86bd3b3c877177e2284a5cfc9222b365cc · pyrox.dev/nixpkgs

+24 -1
nixos/modules/security/pam.nix
···

       655
       655
        
                   config_file = "/etc/security/pam_mysql.conf";

     

       656
       656
        
                 }; }

     

       657
       657
        
                 { name = "ssh_agent_auth"; enable = config.security.pam.sshAgentAuth.enable && cfg.sshAgentAuth; control = "sufficient"; modulePath = "${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so"; settings = {

     

       658
       658
       -
                   file = lib.concatStringsSep ":" config.services.openssh.authorizedKeysFiles;

     

       658
       658
       +
                   file = lib.concatStringsSep ":" config.security.pam.sshAgentAuth.authorizedKeysFiles;

     

       659
       659
        
                 }; }

     

       660
       660
        
                 (let p11 = config.security.pam.p11; in { name = "p11"; enable = cfg.p11Auth; control = p11.control; modulePath = "${pkgs.pam_p11}/lib/security/pam_p11.so"; args = [

     

       661
       661
        
                   "${pkgs.opensc}/lib/opensc-pkcs11.so"

     
···

       1031
       1031
        
               authenticating using a signature performed by the ssh-agent.

     

       1032
       1032
        
               This allows using SSH keys exclusively, instead of passwords, for instance on remote machines

     

       1033
       1033
        
             '';

     

       1034
       1034
       +
       

     

       1035
       1035
       +
             authorizedKeysFiles = mkOption {

     

       1036
       1036
       +
               type = with types; listOf str;

     

       1037
       1037
       +
               description = ''

     

       1038
       1038
       +
                 A list of paths to files in OpenSSH's `authorized_keys` format, containing

     

       1039
       1039
       +
                 the keys that will be trusted by the `pam_ssh_agent_auth` module.

     

       1040
       1040
       +
       

     

       1041
       1041
       +
                 The following patterns are expanded when interpreting the path:

     

       1042
       1042
       +
                 - `%f` and `%H` respectively expand to the fully-qualified and short hostname ;

     

       1043
       1043
       +
                 - `%u` expands to the username ;

     

       1044
       1044
       +
                 - `~` or `%h` expands to the user's home directory.

     

       1045
       1045
       +
       

     

       1046
       1046
       +
                 ::: {.note}

     

       1047
       1047
       +
                 Specifying user-writeable files here result in an insecure configuration:  a malicious process

     

       1048
       1048
       +
                 can then edit such an authorized_keys file and bypass the ssh-agent-based authentication.

     

       1049
       1049
       +
       

     

       1050
       1050
       +
                 See [issue #31611](https://github.com/NixOS/nixpkgs/issues/31611)

     

       1051
       1051
       +
                 :::

     

       1052
       1052
       +
               '';

     

       1053
       1053
       +
               example = [ "/etc/ssh/authorized_keys.d/%u" ];

     

       1054
       1054
       +
               default = config.services.openssh.authorizedKeysFiles;

     

       1055
       1055
       +
               defaultText = literalExpression "config.services.openssh.authorizedKeysFiles";

     

       1056
       1056
       +
             };

     

       1034
       1057
        
           };

     

       1035
       1058
        
       

     

       1036
       1059
        
           security.pam.enableOTPW = mkEnableOption (lib.mdDoc "the OTPW (one-time password) PAM module");