From 39c7929c6ec3c584d01b69c63914a1eaf9eef3ab Mon Sep 17 00:00:00 2001
From: Thomas Gerbet
Date: Wed, 28 May 2025 08:15:27 +0200
Subject: [PATCH] openssh: disable memlocking when building with PAM support

With the current OpenSSH version it can result in some crashes preventing users to log in.
Upstream issue: https://bugzilla.mindrot.org/show_bug.cgi?id=3822
For reference Debian also disabled it for now: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103418
---
 pkgs/tools/networking/openssh/common.nix | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/pkgs/tools/networking/openssh/common.nix b/pkgs/tools/networking/openssh/common.nix
index f50bff766f90..0188f43e6fdb 100644
--- a/pkgs/tools/networking/openssh/common.nix
+++ b/pkgs/tools/networking/openssh/common.nix
@@ -37,7 +37,9 @@
 withFIDO ? stdenv.hostPlatform.isUnix && !stdenv.hostPlatform.isMusl && withSecurityKey,
 withPAM ? stdenv.hostPlatform.isLinux,
 # Attempts to mlock the entire sshd process on startup to prevent swapping.
- withLinuxMemlock ? stdenv.hostPlatform.isLinux,
+ # Currently disabled when PAM support is enabled due to crashes
+ # See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103418
+ withLinuxMemlock ? (stdenv.hostPlatform.isLinux && !withPAM),
 linkOpenssl ? true,
 isNixos ? stdenv.hostPlatform.isLinux,
 }:
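Review bot: The new default for `withLinuxMemlock` evaluates to false on every default Linux build, because `withPAM` itself defaults to `stdenv.hostPlatform.isLinux`, and the added comment neither says so nor gives a condition for turning it back on. That leaves sshd's memory swappable again in the common configuration, so the workaround should be easy to find and revert; the commit message cites the upstream bug, but the comment only links the Debian report. I would add `# TODO: re-enable once https://bugzilla.mindrot.org/show_bug.cgi?id=3822 is fixed upstream` above the argument. A caller that explicitly passes `withLinuxMemlock = true` while PAM is enabled presumably still builds the combination reported as crashing, which the comment could mention; the argument list starts before this hunk, so any guard elsewhere is not visible here.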