commit ef58bbf9b7ce34f1f4fcace04484b9bbea0d3ed2 · pyrox.dev/nixpkgs

+191 -137

nixos/modules/security/pam.nix

···

       410
        
             # Samba stuff to the Samba module.  This requires that the PAM

     

       411
        
             # module provides the right hooks.

     

       412
        
             text = mkDefault

     

       413
       -
               (''

     

       414
       -
                 # Account management.

     

       415
       -
                 account required pam_unix.so

     

       416
       -
                 ${optionalString use_ldap

     

       417
       -
                     "account sufficient ${pam_ldap}/lib/security/pam_ldap.so"}

     

       418
       -
                 ${optionalString (config.services.sssd.enable && cfg.sssdStrictAccess==false)

     

       419
       -
                     "account sufficient ${pkgs.sssd}/lib/security/pam_sss.so"}

     

       420
       -
                 ${optionalString (config.services.sssd.enable && cfg.sssdStrictAccess)

     

       421
       -
                     "account [default=bad success=ok user_unknown=ignore] ${pkgs.sssd}/lib/security/pam_sss.so"}

     

       422
       -
                 ${optionalString config.krb5.enable

     

       423
       -
                     "account sufficient ${pam_krb5}/lib/security/pam_krb5.so"}

     

       424
       -
                 ${optionalString cfg.googleOsLoginAccountVerification ''

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       425
        
                   account [success=ok ignore=ignore default=die] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so

     

       426
        
                   account [success=ok default=ignore] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_admin.so

     

       427
       -
                 ''}

     

       0
        
       
     

       428
        
       

     

       429
       -
                 # Authentication management.

     

       430
       -
                 ${optionalString cfg.googleOsLoginAuthentication

     

       431
       -
                     "auth [success=done perm_denied=bad default=ignore] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so"}

     

       432
       -
                 ${optionalString cfg.rootOK

     

       433
       -
                     "auth sufficient pam_rootok.so"}

     

       434
       -
                 ${optionalString cfg.requireWheel

     

       435
       -
                     "auth required pam_wheel.so use_uid"}

     

       436
       -
                 ${optionalString cfg.logFailures

     

       437
       -
                     "auth required pam_faillock.so"}

     

       438
       -
                 ${optionalString (config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth)

     

       439
       -
                     "auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=${lib.concatStringsSep ":" config.services.openssh.authorizedKeysFiles}"}

     

       440
       -
                 ${let p11 = config.security.pam.p11; in optionalString cfg.p11Auth

     

       441
       -
                     "auth ${p11.control} ${pkgs.pam_p11}/lib/security/pam_p11.so ${pkgs.opensc}/lib/opensc-pkcs11.so"}

     

       442
       -
                 ${let u2f = config.security.pam.u2f; in optionalString cfg.u2fAuth

     

       443
       -
                     "auth ${u2f.control} ${pkgs.pam_u2f}/lib/security/pam_u2f.so ${optionalString u2f.debug "debug"} ${optionalString (u2f.authFile != null) "authfile=${u2f.authFile}"} ${optionalString u2f.interactive "interactive"} ${optionalString u2f.cue "cue"} ${optionalString (u2f.appId != null) "appid=${u2f.appId}"}"}

     

       444
       -
                 ${optionalString cfg.usbAuth

     

       445
       -
                     "auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so"}

     

       446
       -
                 ${let oath = config.security.pam.oath; in optionalString cfg.oathAuth

     

       447
       -
                     "auth requisite ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}"}

     

       448
       -
                 ${let yubi = config.security.pam.yubico; in optionalString cfg.yubicoAuth

     

       449
       -
                     "auth ${yubi.control} ${pkgs.yubico-pam}/lib/security/pam_yubico.so mode=${toString yubi.mode} ${optionalString (yubi.challengeResponsePath != null) "chalresp_path=${yubi.challengeResponsePath}"} ${optionalString (yubi.mode == "client") "id=${toString yubi.id}"} ${optionalString yubi.debug "debug"}"}

     

       450
       -
                 ${optionalString cfg.fprintAuth

     

       451
       -
                     "auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so"}

     

       452
       -
               '' +

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       453
        
                 # Modules in this block require having the password set in PAM_AUTHTOK.

     

       454
        
                 # pam_unix is marked as 'sufficient' on NixOS which means nothing will run

     

       455
        
                 # after it succeeds. Certain modules need to run after pam_unix

     
···

       457
        
                 # earlier point and it will run again with 'sufficient' further down.

     

       458
        
                 # We use try_first_pass the second time to avoid prompting password twice

     

       459
        
                 (optionalString (cfg.unixAuth &&

     

       460
       -
                 (config.security.pam.enableEcryptfs

     

       461
       -
                   || cfg.pamMount

     

       462
       -
                   || cfg.enableKwallet

     

       463
       -
                   || cfg.enableGnomeKeyring

     

       464
       -
                   || cfg.googleAuthenticator.enable

     

       465
       -
                   || cfg.gnupg.enable

     

       466
       -
                   || cfg.duoSecurity.enable)) ''

     

       467
       -
                     auth required pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth

     

       468
       -
                     ${optionalString config.security.pam.enableEcryptfs

     

       469
       -
                       "auth optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"}

     

       470
       -
                     ${optionalString cfg.pamMount

     

       471
       -
                       "auth optional ${pkgs.pam_mount}/lib/security/pam_mount.so disable_interactive"}

     

       472
       -
                     ${optionalString cfg.enableKwallet

     

       473
       -
                       ("auth optional ${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so" +

     

       474
       -
                        " kwalletd=${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5")}

     

       475
       -
                     ${optionalString cfg.enableGnomeKeyring

     

       476
       -
                       "auth optional ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so"}

     

       477
       -
                     ${optionalString cfg.gnupg.enable

     

       478
       -
                       "auth optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so"

     

       479
       -
                       + optionalString cfg.gnupg.storeOnly " store-only"

     

       480
       -
                      }

     

       481
       -
                     ${optionalString cfg.googleAuthenticator.enable

     

       482
       -
                       "auth required ${pkgs.googleAuthenticator}/lib/security/pam_google_authenticator.so no_increment_hotp"}

     

       483
       -
                     ${optionalString cfg.duoSecurity.enable

     

       484
       -
                       "auth required ${pkgs.duo-unix}/lib/security/pam_duo.so"}

     

       485
       -
                   '') + ''

     

       486
       -
                 ${optionalString cfg.unixAuth

     

       487
       -
                     "auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth try_first_pass"}

     

       488
       -
                 ${optionalString cfg.otpwAuth

     

       489
       -
                     "auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"}

     

       490
       -
                 ${optionalString use_ldap

     

       491
       -
                     "auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass"}

     

       492
       -
                 ${optionalString config.services.sssd.enable

     

       493
       -
                     "auth sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_first_pass"}

     

       494
       -
                 ${optionalString config.krb5.enable ''

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       495
        
                   auth [default=ignore success=1 service_err=reset] ${pam_krb5}/lib/security/pam_krb5.so use_first_pass

     

       496
        
                   auth [default=die success=done] ${pam_ccreds}/lib/security/pam_ccreds.so action=validate use_first_pass

     

       497
        
                   auth sufficient ${pam_ccreds}/lib/security/pam_ccreds.so action=store use_first_pass

     

       498
       -
                 ''}

     

       499
       -
                 auth required pam_deny.so

     

       0
        
       
     

       500
        
       

     

       501
       -
                 # Password management.

     

       502
       -
                 password sufficient pam_unix.so nullok sha512

     

       503
       -
                 ${optionalString config.security.pam.enableEcryptfs

     

       504
       -
                     "password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}

     

       505
       -
                 ${optionalString cfg.pamMount

     

       506
       -
                     "password optional ${pkgs.pam_mount}/lib/security/pam_mount.so"}

     

       507
       -
                 ${optionalString use_ldap

     

       508
       -
                     "password sufficient ${pam_ldap}/lib/security/pam_ldap.so"}

     

       509
       -
                 ${optionalString config.services.sssd.enable

     

       510
       -
                     "password sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_authtok"}

     

       511
       -
                 ${optionalString config.krb5.enable

     

       512
       -
                     "password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass"}

     

       513
       -
                 ${optionalString cfg.enableGnomeKeyring

     

       514
       -
                     "password optional ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so use_authtok"}

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       515
        
       

     

       516
       -
                 # Session management.

     

       517
       -
                 ${optionalString cfg.setEnvironment ''

     

       0
        
       
     

       518
        
                   session required pam_env.so conffile=/etc/pam/environment readenv=0

     

       519
       -
                 ''}

     

       520
       -
                 session required pam_unix.so

     

       521
       -
                 ${optionalString cfg.setLoginUid

     

       522
       -
                     "session ${

     

       523
       -
                       if config.boot.isContainer then "optional" else "required"

     

       524
       -
                     } pam_loginuid.so"}

     

       525
       -
                 ${optionalString cfg.ttyAudit.enable

     

       526
       -
                     "session required ${pkgs.pam}/lib/security/pam_tty_audit.so

     

       0
        
       
     

       527
        
                       open_only=${toString cfg.ttyAudit.openOnly}

     

       528
        
                       ${optionalString (cfg.ttyAudit.enablePattern != null) "enable=${cfg.ttyAudit.enablePattern}"}

     

       529
        
                       ${optionalString (cfg.ttyAudit.disablePattern != null) "disable=${cfg.ttyAudit.disablePattern}"}

     

       530
       -
                     "}

     

       531
       -
                 ${optionalString cfg.makeHomeDir

     

       532
       -
                     "session required ${pkgs.pam}/lib/security/pam_mkhomedir.so silent skel=${config.security.pam.makeHomeDir.skelDirectory} umask=0077"}

     

       533
       -
                 ${optionalString cfg.updateWtmp

     

       534
       -
                     "session required ${pkgs.pam}/lib/security/pam_lastlog.so silent"}

     

       535
       -
                 ${optionalString config.security.pam.enableEcryptfs

     

       536
       -
                     "session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}

     

       537
       -
                 ${optionalString cfg.pamMount

     

       538
       -
                     "session optional ${pkgs.pam_mount}/lib/security/pam_mount.so disable_interactive"}

     

       539
       -
                 ${optionalString use_ldap

     

       540
       -
                     "session optional ${pam_ldap}/lib/security/pam_ldap.so"}

     

       541
       -
                 ${optionalString config.services.sssd.enable

     

       542
       -
                     "session optional ${pkgs.sssd}/lib/security/pam_sss.so"}

     

       543
       -
                 ${optionalString config.krb5.enable

     

       544
       -
                     "session optional ${pam_krb5}/lib/security/pam_krb5.so"}

     

       545
       -
                 ${optionalString cfg.otpwAuth

     

       546
       -
                     "session optional ${pkgs.otpw}/lib/security/pam_otpw.so"}

     

       547
       -
                 ${optionalString cfg.startSession

     

       548
       -
                     "session optional ${pkgs.systemd}/lib/security/pam_systemd.so"}

     

       549
       -
                 ${optionalString cfg.forwardXAuth

     

       550
       -
                     "session optional pam_xauth.so xauthpath=${pkgs.xorg.xauth}/bin/xauth systemuser=99"}

     

       551
       -
                 ${optionalString (cfg.limits != [])

     

       552
       -
                     "session required ${pkgs.pam}/lib/security/pam_limits.so conf=${makeLimitsConf cfg.limits}"}

     

       553
       -
                 ${optionalString (cfg.showMotd && config.users.motd != null)

     

       554
       -
                     "session optional ${pkgs.pam}/lib/security/pam_motd.so motd=${motd}"}

     

       555
       -
                 ${optionalString (cfg.enableAppArmor && config.security.apparmor.enable)

     

       556
       -
                     "session optional ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so order=user,group,default debug"}

     

       557
       -
                 ${optionalString (cfg.enableKwallet)

     

       558
       -
                     ("session optional ${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so" +

     

       559
       -
                      " kwalletd=${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5")}

     

       560
       -
                 ${optionalString (cfg.enableGnomeKeyring)

     

       561
       -
                     "session optional ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start"}

     

       562
       -
                 ${optionalString cfg.gnupg.enable

     

       563
       -
                     "session optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so"

     

       564
       -
                     + optionalString cfg.gnupg.noAutostart " no-autostart"

     

       565
       -
                  }

     

       566
       -
                 ${optionalString (config.virtualisation.lxc.lxcfs.enable)

     

       567
       -
                      "session optional ${pkgs.lxc}/lib/security/pam_cgfs.so -c all"}

     

       568
       -
               '');

     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       0
        
       
     

       569
        
           };

     

       570
        
       

     

       571
        
         };

···

       410
        
             # Samba stuff to the Samba module.  This requires that the PAM

     

       411
        
             # module provides the right hooks.

     

       412
        
             text = mkDefault

     

       413
       +
               (

     

       414
       +
                 ''

     

       415
       +
                   # Account management.

     

       416
       +
                   account required pam_unix.so

     

       417
       +
                 '' +

     

       418
       +
                 optionalString use_ldap ''

     

       419
       +
                   account sufficient ${pam_ldap}/lib/security/pam_ldap.so

     

       420
       +
                 '' +

     

       421
       +
                 optionalString (config.services.sssd.enable && cfg.sssdStrictAccess==false) ''

     

       422
       +
                   account sufficient ${pkgs.sssd}/lib/security/pam_sss.so

     

       423
       +
                 '' +

     

       424
       +
                 optionalString (config.services.sssd.enable && cfg.sssdStrictAccess) ''

     

       425
       +
                   account [default=bad success=ok user_unknown=ignore] ${pkgs.sssd}/lib/security/pam_sss.so

     

       426
       +
                 '' +

     

       427
       +
                 optionalString config.krb5.enable ''

     

       428
       +
                   account sufficient ${pam_krb5}/lib/security/pam_krb5.so

     

       429
       +
                 '' +

     

       430
       +
                 optionalString cfg.googleOsLoginAccountVerification ''

     

       431
        
                   account [success=ok ignore=ignore default=die] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so

     

       432
        
                   account [success=ok default=ignore] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_admin.so

     

       433
       +
                 '' +

     

       434
       +
                 ''

     

       435
        
       

     

       436
       +
                   # Authentication management.

     

       437
       +
                 '' +

     

       438
       +
                 optionalString cfg.googleOsLoginAuthentication ''

     

       439
       +
                   auth [success=done perm_denied=bad default=ignore] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so

     

       440
       +
                 '' +

     

       441
       +
                 optionalString cfg.rootOK ''

     

       442
       +
                   auth sufficient pam_rootok.so

     

       443
       +
                 '' +

     

       444
       +
                 optionalString cfg.requireWheel ''

     

       445
       +
                   auth required pam_wheel.so use_uid

     

       446
       +
                 '' +

     

       447
       +
                 optionalString cfg.logFailures ''

     

       448
       +
                   auth required pam_faillock.so

     

       449
       +
                 '' +

     

       450
       +
                 optionalString (config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth) ''

     

       451
       +
                   auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=${lib.concatStringsSep ":" config.services.openssh.authorizedKeysFiles}

     

       452
       +
                 '' +

     

       453
       +
                 (let p11 = config.security.pam.p11; in optionalString cfg.p11Auth ''

     

       454
       +
                   auth ${p11.control} ${pkgs.pam_p11}/lib/security/pam_p11.so ${pkgs.opensc}/lib/opensc-pkcs11.so

     

       455
       +
                 '') +

     

       456
       +
                 (let u2f = config.security.pam.u2f; in optionalString cfg.u2fAuth ''

     

       457
       +
                   auth ${u2f.control} ${pkgs.pam_u2f}/lib/security/pam_u2f.so ${optionalString u2f.debug "debug"} ${optionalString (u2f.authFile != null) "authfile=${u2f.authFile}"} ${optionalString u2f.interactive "interactive"} ${optionalString u2f.cue "cue"} ${optionalString (u2f.appId != null) "appid=${u2f.appId}"}

     

       458
       +
                 '') +

     

       459
       +
                 optionalString cfg.usbAuth ''

     

       460
       +
                   auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so

     

       461
       +
                 '' +

     

       462
       +
                 (let oath = config.security.pam.oath; in optionalString cfg.oathAuth ''

     

       463
       +
                   auth requisite ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}

     

       464
       +
                 '') +

     

       465
       +
                 (let yubi = config.security.pam.yubico; in optionalString cfg.yubicoAuth ''

     

       466
       +
                   auth ${yubi.control} ${pkgs.yubico-pam}/lib/security/pam_yubico.so mode=${toString yubi.mode} ${optionalString (yubi.challengeResponsePath != null) "chalresp_path=${yubi.challengeResponsePath}"} ${optionalString (yubi.mode == "client") "id=${toString yubi.id}"} ${optionalString yubi.debug "debug"}

     

       467
       +
                 '') +

     

       468
       +
                 optionalString cfg.fprintAuth ''

     

       469
       +
                   auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so

     

       470
       +
                 '' +

     

       471
        
                 # Modules in this block require having the password set in PAM_AUTHTOK.

     

       472
        
                 # pam_unix is marked as 'sufficient' on NixOS which means nothing will run

     

       473
        
                 # after it succeeds. Certain modules need to run after pam_unix

     
···

       475
        
                 # earlier point and it will run again with 'sufficient' further down.

     

       476
        
                 # We use try_first_pass the second time to avoid prompting password twice

     

       477
        
                 (optionalString (cfg.unixAuth &&

     

       478
       +
                   (config.security.pam.enableEcryptfs

     

       479
       +
                     || cfg.pamMount

     

       480
       +
                     || cfg.enableKwallet

     

       481
       +
                     || cfg.enableGnomeKeyring

     

       482
       +
                     || cfg.googleAuthenticator.enable

     

       483
       +
                     || cfg.gnupg.enable

     

       484
       +
                     || cfg.duoSecurity.enable))

     

       485
       +
                   (

     

       486
       +
                     ''

     

       487
       +
                       auth required pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth

     

       488
       +
                     '' +

     

       489
       +
                     optionalString config.security.pam.enableEcryptfs ''

     

       490
       +
                       auth optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap

     

       491
       +
                     '' +

     

       492
       +
                     optionalString cfg.pamMount ''

     

       493
       +
                       auth optional ${pkgs.pam_mount}/lib/security/pam_mount.so disable_interactive

     

       494
       +
                     '' +

     

       495
       +
                     optionalString cfg.enableKwallet ''

     

       496
       +
                      auth optional ${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so kwalletd=${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5

     

       497
       +
                     '' +

     

       498
       +
                     optionalString cfg.enableGnomeKeyring ''

     

       499
       +
                       auth optional ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so

     

       500
       +
                     '' +

     

       501
       +
                     optionalString cfg.gnupg.enable ''

     

       502
       +
                       auth optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so ${optionalString cfg.gnupg.storeOnly " store-only"}

     

       503
       +
                     '' +

     

       504
       +
                     optionalString cfg.googleAuthenticator.enable ''

     

       505
       +
                       auth required ${pkgs.googleAuthenticator}/lib/security/pam_google_authenticator.so no_increment_hotp

     

       506
       +
                     '' +

     

       507
       +
                     optionalString cfg.duoSecurity.enable ''

     

       508
       +
                       auth required ${pkgs.duo-unix}/lib/security/pam_duo.so

     

       509
       +
                     ''

     

       510
       +
                   )) +

     

       511
       +
                 optionalString cfg.unixAuth ''

     

       512
       +
                   auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth try_first_pass

     

       513
       +
                 '' +

     

       514
       +
                 optionalString cfg.otpwAuth ''

     

       515
       +
                   auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so

     

       516
       +
                 '' +

     

       517
       +
                 optionalString use_ldap ''

     

       518
       +
                   auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass

     

       519
       +
                 '' +

     

       520
       +
                 optionalString config.services.sssd.enable ''

     

       521
       +
                   auth sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_first_pass

     

       522
       +
                 '' +

     

       523
       +
                 optionalString config.krb5.enable ''

     

       524
        
                   auth [default=ignore success=1 service_err=reset] ${pam_krb5}/lib/security/pam_krb5.so use_first_pass

     

       525
        
                   auth [default=die success=done] ${pam_ccreds}/lib/security/pam_ccreds.so action=validate use_first_pass

     

       526
        
                   auth sufficient ${pam_ccreds}/lib/security/pam_ccreds.so action=store use_first_pass

     

       527
       +
                 '' +

     

       528
       +
                 ''

     

       529
       +
                   auth required pam_deny.so

     

       530
        
       

     

       531
       +
                   # Password management.

     

       532
       +
                   password sufficient pam_unix.so nullok sha512

     

       533
       +
                 '' +

     

       534
       +
                 optionalString config.security.pam.enableEcryptfs ''

     

       535
       +
                   password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so

     

       536
       +
                 '' +

     

       537
       +
                 optionalString cfg.pamMount ''

     

       538
       +
                   password optional ${pkgs.pam_mount}/lib/security/pam_mount.so

     

       539
       +
                 '' +

     

       540
       +
                 optionalString use_ldap ''

     

       541
       +
                   password sufficient ${pam_ldap}/lib/security/pam_ldap.so

     

       542
       +
                 '' +

     

       543
       +
                 optionalString config.services.sssd.enable ''

     

       544
       +
                   password sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_authtok

     

       545
       +
                 '' +

     

       546
       +
                 optionalString config.krb5.enable ''

     

       547
       +
                   password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass

     

       548
       +
                 '' +

     

       549
       +
                 optionalString cfg.enableGnomeKeyring ''

     

       550
       +
                   password optional ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so use_authtok

     

       551
       +
                 '' +

     

       552
       +
                 ''

     

       553
        
       

     

       554
       +
                   # Session management.

     

       555
       +
                 '' +

     

       556
       +
                 optionalString cfg.setEnvironment ''

     

       557
        
                   session required pam_env.so conffile=/etc/pam/environment readenv=0

     

       558
       +
                 '' +

     

       559
       +
                 ''

     

       560
       +
                   session required pam_unix.so

     

       561
       +
                 '' +

     

       562
       +
                 optionalString cfg.setLoginUid ''

     

       563
       +
                   session ${if config.boot.isContainer then "optional" else "required"} pam_loginuid.so

     

       564
       +
                 '' +

     

       565
       +
                 optionalString cfg.ttyAudit.enable ''

     

       566
       +
                   session required ${pkgs.pam}/lib/security/pam_tty_audit.so

     

       567
        
                       open_only=${toString cfg.ttyAudit.openOnly}

     

       568
        
                       ${optionalString (cfg.ttyAudit.enablePattern != null) "enable=${cfg.ttyAudit.enablePattern}"}

     

       569
        
                       ${optionalString (cfg.ttyAudit.disablePattern != null) "disable=${cfg.ttyAudit.disablePattern}"}

     

       570
       +
                 '' +

     

       571
       +
                 optionalString cfg.makeHomeDir ''

     

       572
       +
                   session required ${pkgs.pam}/lib/security/pam_mkhomedir.so silent skel=${config.security.pam.makeHomeDir.skelDirectory} umask=0077

     

       573
       +
                 '' +

     

       574
       +
                 optionalString cfg.updateWtmp ''

     

       575
       +
                   session required ${pkgs.pam}/lib/security/pam_lastlog.so silent

     

       576
       +
                 '' +

     

       577
       +
                 optionalString config.security.pam.enableEcryptfs ''

     

       578
       +
                   session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so

     

       579
       +
                 '' +

     

       580
       +
                 optionalString cfg.pamMount ''

     

       581
       +
                   session optional ${pkgs.pam_mount}/lib/security/pam_mount.so disable_interactive

     

       582
       +
                 '' +

     

       583
       +
                 optionalString use_ldap ''

     

       584
       +
                   session optional ${pam_ldap}/lib/security/pam_ldap.so

     

       585
       +
                 '' +

     

       586
       +
                 optionalString config.services.sssd.enable ''

     

       587
       +
                   session optional ${pkgs.sssd}/lib/security/pam_sss.so

     

       588
       +
                 '' +

     

       589
       +
                 optionalString config.krb5.enable ''

     

       590
       +
                   session optional ${pam_krb5}/lib/security/pam_krb5.so

     

       591
       +
                 '' +

     

       592
       +
                 optionalString cfg.otpwAuth ''

     

       593
       +
                   session optional ${pkgs.otpw}/lib/security/pam_otpw.so

     

       594
       +
                 '' +

     

       595
       +
                 optionalString cfg.startSession ''

     

       596
       +
                   session optional ${pkgs.systemd}/lib/security/pam_systemd.so

     

       597
       +
                 '' +

     

       598
       +
                 optionalString cfg.forwardXAuth ''

     

       599
       +
                   session optional pam_xauth.so xauthpath=${pkgs.xorg.xauth}/bin/xauth systemuser=99

     

       600
       +
                 '' +

     

       601
       +
                 optionalString (cfg.limits != []) ''

     

       602
       +
                   session required ${pkgs.pam}/lib/security/pam_limits.so conf=${makeLimitsConf cfg.limits}

     

       603
       +
                 '' +

     

       604
       +
                 optionalString (cfg.showMotd && config.users.motd != null) ''

     

       605
       +
                   session optional ${pkgs.pam}/lib/security/pam_motd.so motd=${motd}

     

       606
       +
                 '' +

     

       607
       +
                 optionalString (cfg.enableAppArmor && config.security.apparmor.enable) ''

     

       608
       +
                   session optional ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so order=user,group,default debug

     

       609
       +
                 '' +

     

       610
       +
                 optionalString (cfg.enableKwallet) ''

     

       611
       +
                   session optional ${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so kwalletd=${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5

     

       612
       +
                 '' +

     

       613
       +
                 optionalString (cfg.enableGnomeKeyring) ''

     

       614
       +
                   session optional ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start

     

       615
       +
                 '' +

     

       616
       +
                 optionalString cfg.gnupg.enable ''

     

       617
       +
                   session optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so ${optionalString cfg.gnupg.noAutostart " no-autostart"}

     

       618
       +
                 '' +

     

       619
       +
                 optionalString (config.virtualisation.lxc.lxcfs.enable) ''

     

       620
       +
                   session optional ${pkgs.lxc}/lib/security/pam_cgfs.so -c all

     

       621
       +
                 ''

     

       622
       +
               );

     

       623
        
           };

     

       624
        
       

     

       625
        
         };