···
# Samba stuff to the Samba module. This requires that the PAM
# module provides the right hooks.
414
-
# Account management.
415
-
account required pam_unix.so
416
-
${optionalString use_ldap
417
-
"account sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
418
-
${optionalString (config.services.sssd.enable && cfg.sssdStrictAccess==false)
419
-
"account sufficient ${pkgs.sssd}/lib/security/pam_sss.so"}
420
-
${optionalString (config.services.sssd.enable && cfg.sssdStrictAccess)
421
-
"account [default=bad success=ok user_unknown=ignore] ${pkgs.sssd}/lib/security/pam_sss.so"}
422
-
${optionalString config.krb5.enable
423
-
"account sufficient ${pam_krb5}/lib/security/pam_krb5.so"}
424
-
${optionalString cfg.googleOsLoginAccountVerification ''
415
+
# Account management.
416
+
account required pam_unix.so
418
+
optionalString use_ldap ''
419
+
account sufficient ${pam_ldap}/lib/security/pam_ldap.so
421
+
optionalString (config.services.sssd.enable && cfg.sssdStrictAccess==false) ''
422
+
account sufficient ${pkgs.sssd}/lib/security/pam_sss.so
424
+
optionalString (config.services.sssd.enable && cfg.sssdStrictAccess) ''
425
+
account [default=bad success=ok user_unknown=ignore] ${pkgs.sssd}/lib/security/pam_sss.so
427
+
optionalString config.krb5.enable ''
428
+
account sufficient ${pam_krb5}/lib/security/pam_krb5.so
430
+
optionalString cfg.googleOsLoginAccountVerification ''
account [success=ok ignore=ignore default=die] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so
account [success=ok default=ignore] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_admin.so
429
-
# Authentication management.
430
-
${optionalString cfg.googleOsLoginAuthentication
431
-
"auth [success=done perm_denied=bad default=ignore] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so"}
432
-
${optionalString cfg.rootOK
433
-
"auth sufficient pam_rootok.so"}
434
-
${optionalString cfg.requireWheel
435
-
"auth required pam_wheel.so use_uid"}
436
-
${optionalString cfg.logFailures
437
-
"auth required pam_faillock.so"}
438
-
${optionalString (config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth)
439
-
"auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=${lib.concatStringsSep ":" config.services.openssh.authorizedKeysFiles}"}
440
-
${let p11 = config.security.pam.p11; in optionalString cfg.p11Auth
441
-
"auth ${p11.control} ${pkgs.pam_p11}/lib/security/pam_p11.so ${pkgs.opensc}/lib/opensc-pkcs11.so"}
442
-
${let u2f = config.security.pam.u2f; in optionalString cfg.u2fAuth
443
-
"auth ${u2f.control} ${pkgs.pam_u2f}/lib/security/pam_u2f.so ${optionalString u2f.debug "debug"} ${optionalString (u2f.authFile != null) "authfile=${u2f.authFile}"} ${optionalString u2f.interactive "interactive"} ${optionalString u2f.cue "cue"} ${optionalString (u2f.appId != null) "appid=${u2f.appId}"}"}
444
-
${optionalString cfg.usbAuth
445
-
"auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so"}
446
-
${let oath = config.security.pam.oath; in optionalString cfg.oathAuth
447
-
"auth requisite ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}"}
448
-
${let yubi = config.security.pam.yubico; in optionalString cfg.yubicoAuth
449
-
"auth ${yubi.control} ${pkgs.yubico-pam}/lib/security/pam_yubico.so mode=${toString yubi.mode} ${optionalString (yubi.challengeResponsePath != null) "chalresp_path=${yubi.challengeResponsePath}"} ${optionalString (yubi.mode == "client") "id=${toString yubi.id}"} ${optionalString yubi.debug "debug"}"}
450
-
${optionalString cfg.fprintAuth
451
-
"auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so"}
436
+
# Authentication management.
438
+
optionalString cfg.googleOsLoginAuthentication ''
439
+
auth [success=done perm_denied=bad default=ignore] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so
441
+
optionalString cfg.rootOK ''
442
+
auth sufficient pam_rootok.so
444
+
optionalString cfg.requireWheel ''
445
+
auth required pam_wheel.so use_uid
447
+
optionalString cfg.logFailures ''
448
+
auth required pam_faillock.so
450
+
optionalString (config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth) ''
451
+
auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=${lib.concatStringsSep ":" config.services.openssh.authorizedKeysFiles}
453
+
(let p11 = config.security.pam.p11; in optionalString cfg.p11Auth ''
454
+
auth ${p11.control} ${pkgs.pam_p11}/lib/security/pam_p11.so ${pkgs.opensc}/lib/opensc-pkcs11.so
456
+
(let u2f = config.security.pam.u2f; in optionalString cfg.u2fAuth ''
457
+
auth ${u2f.control} ${pkgs.pam_u2f}/lib/security/pam_u2f.so ${optionalString u2f.debug "debug"} ${optionalString (u2f.authFile != null) "authfile=${u2f.authFile}"} ${optionalString u2f.interactive "interactive"} ${optionalString u2f.cue "cue"} ${optionalString (u2f.appId != null) "appid=${u2f.appId}"}
459
+
optionalString cfg.usbAuth ''
460
+
auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so
462
+
(let oath = config.security.pam.oath; in optionalString cfg.oathAuth ''
463
+
auth requisite ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}
465
+
(let yubi = config.security.pam.yubico; in optionalString cfg.yubicoAuth ''
466
+
auth ${yubi.control} ${pkgs.yubico-pam}/lib/security/pam_yubico.so mode=${toString yubi.mode} ${optionalString (yubi.challengeResponsePath != null) "chalresp_path=${yubi.challengeResponsePath}"} ${optionalString (yubi.mode == "client") "id=${toString yubi.id}"} ${optionalString yubi.debug "debug"}
468
+
optionalString cfg.fprintAuth ''
469
+
auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so
# Modules in this block require having the password set in PAM_AUTHTOK.
# pam_unix is marked as 'sufficient' on NixOS which means nothing will run
# after it succeeds. Certain modules need to run after pam_unix
···
# earlier point and it will run again with 'sufficient' further down.
# We use try_first_pass the second time to avoid prompting password twice
(optionalString (cfg.unixAuth &&
460
-
(config.security.pam.enableEcryptfs
462
-
|| cfg.enableKwallet
463
-
|| cfg.enableGnomeKeyring
464
-
|| cfg.googleAuthenticator.enable
465
-
|| cfg.gnupg.enable
466
-
|| cfg.duoSecurity.enable)) ''
467
-
auth required pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth
468
-
${optionalString config.security.pam.enableEcryptfs
469
-
"auth optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"}
470
-
${optionalString cfg.pamMount
471
-
"auth optional ${pkgs.pam_mount}/lib/security/pam_mount.so disable_interactive"}
472
-
${optionalString cfg.enableKwallet
473
-
("auth optional ${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so" +
474
-
" kwalletd=${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5")}
475
-
${optionalString cfg.enableGnomeKeyring
476
-
"auth optional ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so"}
477
-
${optionalString cfg.gnupg.enable
478
-
"auth optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so"
479
-
+ optionalString cfg.gnupg.storeOnly " store-only"
481
-
${optionalString cfg.googleAuthenticator.enable
482
-
"auth required ${pkgs.googleAuthenticator}/lib/security/pam_google_authenticator.so no_increment_hotp"}
483
-
${optionalString cfg.duoSecurity.enable
484
-
"auth required ${pkgs.duo-unix}/lib/security/pam_duo.so"}
486
-
${optionalString cfg.unixAuth
487
-
"auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth try_first_pass"}
488
-
${optionalString cfg.otpwAuth
489
-
"auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"}
490
-
${optionalString use_ldap
491
-
"auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass"}
492
-
${optionalString config.services.sssd.enable
493
-
"auth sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_first_pass"}
494
-
${optionalString config.krb5.enable ''
478
+
(config.security.pam.enableEcryptfs
480
+
|| cfg.enableKwallet
481
+
|| cfg.enableGnomeKeyring
482
+
|| cfg.googleAuthenticator.enable
483
+
|| cfg.gnupg.enable
484
+
|| cfg.duoSecurity.enable))
487
+
auth required pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth
489
+
optionalString config.security.pam.enableEcryptfs ''
490
+
auth optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap
492
+
optionalString cfg.pamMount ''
493
+
auth optional ${pkgs.pam_mount}/lib/security/pam_mount.so disable_interactive
495
+
optionalString cfg.enableKwallet ''
496
+
auth optional ${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so kwalletd=${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5
498
+
optionalString cfg.enableGnomeKeyring ''
499
+
auth optional ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so
501
+
optionalString cfg.gnupg.enable ''
502
+
auth optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so ${optionalString cfg.gnupg.storeOnly " store-only"}
504
+
optionalString cfg.googleAuthenticator.enable ''
505
+
auth required ${pkgs.googleAuthenticator}/lib/security/pam_google_authenticator.so no_increment_hotp
507
+
optionalString cfg.duoSecurity.enable ''
508
+
auth required ${pkgs.duo-unix}/lib/security/pam_duo.so
511
+
optionalString cfg.unixAuth ''
512
+
auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth try_first_pass
514
+
optionalString cfg.otpwAuth ''
515
+
auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so
517
+
optionalString use_ldap ''
518
+
auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass
520
+
optionalString config.services.sssd.enable ''
521
+
auth sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_first_pass
523
+
optionalString config.krb5.enable ''
auth [default=ignore success=1 service_err=reset] ${pam_krb5}/lib/security/pam_krb5.so use_first_pass
auth [default=die success=done] ${pam_ccreds}/lib/security/pam_ccreds.so action=validate use_first_pass
auth sufficient ${pam_ccreds}/lib/security/pam_ccreds.so action=store use_first_pass
499
-
auth required pam_deny.so
529
+
auth required pam_deny.so
501
-
# Password management.
502
-
password sufficient pam_unix.so nullok sha512
503
-
${optionalString config.security.pam.enableEcryptfs
504
-
"password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}
505
-
${optionalString cfg.pamMount
506
-
"password optional ${pkgs.pam_mount}/lib/security/pam_mount.so"}
507
-
${optionalString use_ldap
508
-
"password sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
509
-
${optionalString config.services.sssd.enable
510
-
"password sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_authtok"}
511
-
${optionalString config.krb5.enable
512
-
"password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass"}
513
-
${optionalString cfg.enableGnomeKeyring
514
-
"password optional ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so use_authtok"}
531
+
# Password management.
532
+
password sufficient pam_unix.so nullok sha512
534
+
optionalString config.security.pam.enableEcryptfs ''
535
+
password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so
537
+
optionalString cfg.pamMount ''
538
+
password optional ${pkgs.pam_mount}/lib/security/pam_mount.so
540
+
optionalString use_ldap ''
541
+
password sufficient ${pam_ldap}/lib/security/pam_ldap.so
543
+
optionalString config.services.sssd.enable ''
544
+
password sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_authtok
546
+
optionalString config.krb5.enable ''
547
+
password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass
549
+
optionalString cfg.enableGnomeKeyring ''
550
+
password optional ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so use_authtok
516
-
# Session management.
517
-
${optionalString cfg.setEnvironment ''
554
+
# Session management.
556
+
optionalString cfg.setEnvironment ''
session required pam_env.so conffile=/etc/pam/environment readenv=0
520
-
session required pam_unix.so
521
-
${optionalString cfg.setLoginUid
523
-
if config.boot.isContainer then "optional" else "required"
524
-
} pam_loginuid.so"}
525
-
${optionalString cfg.ttyAudit.enable
526
-
"session required ${pkgs.pam}/lib/security/pam_tty_audit.so
560
+
session required pam_unix.so
562
+
optionalString cfg.setLoginUid ''
563
+
session ${if config.boot.isContainer then "optional" else "required"} pam_loginuid.so
565
+
optionalString cfg.ttyAudit.enable ''
566
+
session required ${pkgs.pam}/lib/security/pam_tty_audit.so
open_only=${toString cfg.ttyAudit.openOnly}
${optionalString (cfg.ttyAudit.enablePattern != null) "enable=${cfg.ttyAudit.enablePattern}"}
${optionalString (cfg.ttyAudit.disablePattern != null) "disable=${cfg.ttyAudit.disablePattern}"}
531
-
${optionalString cfg.makeHomeDir
532
-
"session required ${pkgs.pam}/lib/security/pam_mkhomedir.so silent skel=${config.security.pam.makeHomeDir.skelDirectory} umask=0077"}
533
-
${optionalString cfg.updateWtmp
534
-
"session required ${pkgs.pam}/lib/security/pam_lastlog.so silent"}
535
-
${optionalString config.security.pam.enableEcryptfs
536
-
"session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}
537
-
${optionalString cfg.pamMount
538
-
"session optional ${pkgs.pam_mount}/lib/security/pam_mount.so disable_interactive"}
539
-
${optionalString use_ldap
540
-
"session optional ${pam_ldap}/lib/security/pam_ldap.so"}
541
-
${optionalString config.services.sssd.enable
542
-
"session optional ${pkgs.sssd}/lib/security/pam_sss.so"}
543
-
${optionalString config.krb5.enable
544
-
"session optional ${pam_krb5}/lib/security/pam_krb5.so"}
545
-
${optionalString cfg.otpwAuth
546
-
"session optional ${pkgs.otpw}/lib/security/pam_otpw.so"}
547
-
${optionalString cfg.startSession
548
-
"session optional ${pkgs.systemd}/lib/security/pam_systemd.so"}
549
-
${optionalString cfg.forwardXAuth
550
-
"session optional pam_xauth.so xauthpath=${pkgs.xorg.xauth}/bin/xauth systemuser=99"}
551
-
${optionalString (cfg.limits != [])
552
-
"session required ${pkgs.pam}/lib/security/pam_limits.so conf=${makeLimitsConf cfg.limits}"}
553
-
${optionalString (cfg.showMotd && config.users.motd != null)
554
-
"session optional ${pkgs.pam}/lib/security/pam_motd.so motd=${motd}"}
555
-
${optionalString (cfg.enableAppArmor && config.security.apparmor.enable)
556
-
"session optional ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so order=user,group,default debug"}
557
-
${optionalString (cfg.enableKwallet)
558
-
("session optional ${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so" +
559
-
" kwalletd=${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5")}
560
-
${optionalString (cfg.enableGnomeKeyring)
561
-
"session optional ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start"}
562
-
${optionalString cfg.gnupg.enable
563
-
"session optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so"
564
-
+ optionalString cfg.gnupg.noAutostart " no-autostart"
566
-
${optionalString (config.virtualisation.lxc.lxcfs.enable)
567
-
"session optional ${pkgs.lxc}/lib/security/pam_cgfs.so -c all"}
571
+
optionalString cfg.makeHomeDir ''
572
+
session required ${pkgs.pam}/lib/security/pam_mkhomedir.so silent skel=${config.security.pam.makeHomeDir.skelDirectory} umask=0077
574
+
optionalString cfg.updateWtmp ''
575
+
session required ${pkgs.pam}/lib/security/pam_lastlog.so silent
577
+
optionalString config.security.pam.enableEcryptfs ''
578
+
session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so
580
+
optionalString cfg.pamMount ''
581
+
session optional ${pkgs.pam_mount}/lib/security/pam_mount.so disable_interactive
583
+
optionalString use_ldap ''
584
+
session optional ${pam_ldap}/lib/security/pam_ldap.so
586
+
optionalString config.services.sssd.enable ''
587
+
session optional ${pkgs.sssd}/lib/security/pam_sss.so
589
+
optionalString config.krb5.enable ''
590
+
session optional ${pam_krb5}/lib/security/pam_krb5.so
592
+
optionalString cfg.otpwAuth ''
593
+
session optional ${pkgs.otpw}/lib/security/pam_otpw.so
595
+
optionalString cfg.startSession ''
596
+
session optional ${pkgs.systemd}/lib/security/pam_systemd.so
598
+
optionalString cfg.forwardXAuth ''
599
+
session optional pam_xauth.so xauthpath=${pkgs.xorg.xauth}/bin/xauth systemuser=99
601
+
optionalString (cfg.limits != []) ''
602
+
session required ${pkgs.pam}/lib/security/pam_limits.so conf=${makeLimitsConf cfg.limits}
604
+
optionalString (cfg.showMotd && config.users.motd != null) ''
605
+
session optional ${pkgs.pam}/lib/security/pam_motd.so motd=${motd}
607
+
optionalString (cfg.enableAppArmor && config.security.apparmor.enable) ''
608
+
session optional ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so order=user,group,default debug
610
+
optionalString (cfg.enableKwallet) ''
611
+
session optional ${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so kwalletd=${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5
613
+
optionalString (cfg.enableGnomeKeyring) ''
614
+
session optional ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start
616
+
optionalString cfg.gnupg.enable ''
617
+
session optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so ${optionalString cfg.gnupg.noAutostart " no-autostart"}
619
+
optionalString (config.virtualisation.lxc.lxcfs.enable) ''
620
+
session optional ${pkgs.lxc}/lib/security/pam_cgfs.so -c all
pyrox.dev