nixos/pam: add an option to control Kerberos PAM modules
Instead of enabling the PAM modules based on config.krb5.enable, introduce a new option to control the PAM modules specifically. Users may want to turn on config.krb5.enable, to get a working Kerberos client config with tools like kinit, while letting pam_sss or something else handle Kerberos password lookups.
This commit is contained in:
parent
ecf0fd9462
commit
43aab2f50b
1 changed files with 26 additions and 6 deletions
|
@ -453,7 +453,7 @@ let
|
||||||
optionalString (config.services.sssd.enable && cfg.sssdStrictAccess) ''
|
optionalString (config.services.sssd.enable && cfg.sssdStrictAccess) ''
|
||||||
account [default=bad success=ok user_unknown=ignore] ${pkgs.sssd}/lib/security/pam_sss.so
|
account [default=bad success=ok user_unknown=ignore] ${pkgs.sssd}/lib/security/pam_sss.so
|
||||||
'' +
|
'' +
|
||||||
optionalString config.krb5.enable ''
|
optionalString config.security.pam.krb5.enable ''
|
||||||
account sufficient ${pam_krb5}/lib/security/pam_krb5.so
|
account sufficient ${pam_krb5}/lib/security/pam_krb5.so
|
||||||
'' +
|
'' +
|
||||||
optionalString cfg.googleOsLoginAccountVerification ''
|
optionalString cfg.googleOsLoginAccountVerification ''
|
||||||
|
@ -553,7 +553,7 @@ let
|
||||||
optionalString config.services.sssd.enable ''
|
optionalString config.services.sssd.enable ''
|
||||||
auth sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_first_pass
|
auth sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_first_pass
|
||||||
'' +
|
'' +
|
||||||
optionalString config.krb5.enable ''
|
optionalString config.security.pam.krb5.enable ''
|
||||||
auth [default=ignore success=1 service_err=reset] ${pam_krb5}/lib/security/pam_krb5.so use_first_pass
|
auth [default=ignore success=1 service_err=reset] ${pam_krb5}/lib/security/pam_krb5.so use_first_pass
|
||||||
auth [default=die success=done] ${pam_ccreds}/lib/security/pam_ccreds.so action=validate use_first_pass
|
auth [default=die success=done] ${pam_ccreds}/lib/security/pam_ccreds.so action=validate use_first_pass
|
||||||
auth sufficient ${pam_ccreds}/lib/security/pam_ccreds.so action=store use_first_pass
|
auth sufficient ${pam_ccreds}/lib/security/pam_ccreds.so action=store use_first_pass
|
||||||
|
@ -576,7 +576,7 @@ let
|
||||||
optionalString config.services.sssd.enable ''
|
optionalString config.services.sssd.enable ''
|
||||||
password sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_authtok
|
password sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_authtok
|
||||||
'' +
|
'' +
|
||||||
optionalString config.krb5.enable ''
|
optionalString config.security.pam.krb5.enable ''
|
||||||
password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass
|
password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass
|
||||||
'' +
|
'' +
|
||||||
optionalString cfg.enableGnomeKeyring ''
|
optionalString cfg.enableGnomeKeyring ''
|
||||||
|
@ -619,7 +619,7 @@ let
|
||||||
optionalString config.services.sssd.enable ''
|
optionalString config.services.sssd.enable ''
|
||||||
session optional ${pkgs.sssd}/lib/security/pam_sss.so
|
session optional ${pkgs.sssd}/lib/security/pam_sss.so
|
||||||
'' +
|
'' +
|
||||||
optionalString config.krb5.enable ''
|
optionalString config.security.pam.krb5.enable ''
|
||||||
session optional ${pam_krb5}/lib/security/pam_krb5.so
|
session optional ${pam_krb5}/lib/security/pam_krb5.so
|
||||||
'' +
|
'' +
|
||||||
optionalString cfg.otpwAuth ''
|
optionalString cfg.otpwAuth ''
|
||||||
|
@ -802,6 +802,26 @@ in
|
||||||
|
|
||||||
security.pam.enableOTPW = mkEnableOption "the OTPW (one-time password) PAM module";
|
security.pam.enableOTPW = mkEnableOption "the OTPW (one-time password) PAM module";
|
||||||
|
|
||||||
|
security.pam.krb5 = {
|
||||||
|
enable = mkOption {
|
||||||
|
default = config.krb5.enable;
|
||||||
|
defaultText = literalExpression "config.krb5.enable";
|
||||||
|
type = types.bool;
|
||||||
|
description = ''
|
||||||
|
Enables Kerberos PAM modules (<literal>pam-krb5</literal>,
|
||||||
|
<literal>pam-ccreds</literal>).
|
||||||
|
|
||||||
|
If set, users can authenticate with their Kerberos password.
|
||||||
|
This requires a valid Kerberos configuration
|
||||||
|
(<literal>config.krb5.enable</literal> should be set to
|
||||||
|
<literal>true</literal>).
|
||||||
|
|
||||||
|
Note that the Kerberos PAM modules are not necessary when using SSS
|
||||||
|
to handle Kerberos authentication.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
security.pam.p11 = {
|
security.pam.p11 = {
|
||||||
enable = mkOption {
|
enable = mkOption {
|
||||||
default = false;
|
default = false;
|
||||||
|
@ -1147,7 +1167,7 @@ in
|
||||||
[ pkgs.pam ]
|
[ pkgs.pam ]
|
||||||
++ optional config.users.ldap.enable pam_ldap
|
++ optional config.users.ldap.enable pam_ldap
|
||||||
++ optional config.services.sssd.enable pkgs.sssd
|
++ optional config.services.sssd.enable pkgs.sssd
|
||||||
++ optionals config.krb5.enable [pam_krb5 pam_ccreds]
|
++ optionals config.security.pam.krb5.enable [pam_krb5 pam_ccreds]
|
||||||
++ optionals config.security.pam.enableOTPW [ pkgs.otpw ]
|
++ optionals config.security.pam.enableOTPW [ pkgs.otpw ]
|
||||||
++ optionals config.security.pam.oath.enable [ pkgs.oath-toolkit ]
|
++ optionals config.security.pam.oath.enable [ pkgs.oath-toolkit ]
|
||||||
++ optionals config.security.pam.p11.enable [ pkgs.pam_p11 ]
|
++ optionals config.security.pam.p11.enable [ pkgs.pam_p11 ]
|
||||||
|
@ -1211,7 +1231,7 @@ in
|
||||||
optionalString config.services.sssd.enable ''
|
optionalString config.services.sssd.enable ''
|
||||||
mr ${pkgs.sssd}/lib/security/pam_sss.so,
|
mr ${pkgs.sssd}/lib/security/pam_sss.so,
|
||||||
'' +
|
'' +
|
||||||
optionalString config.krb5.enable ''
|
optionalString config.security.pam.krb5.enable ''
|
||||||
mr ${pam_krb5}/lib/security/pam_krb5.so,
|
mr ${pam_krb5}/lib/security/pam_krb5.so,
|
||||||
mr ${pam_ccreds}/lib/security/pam_ccreds.so,
|
mr ${pam_ccreds}/lib/security/pam_ccreds.so,
|
||||||
'' +
|
'' +
|
||||||
|
|
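Review bot: The new option's description in the hunk at @ -802 says a valid Kerberos configuration is required, but nothing in the change enforces or warns when `security.pam.krb5.enable = true` while `config.krb5.enable = false`; in that case pam_krb5 is linked into the stacks without a client configuration, and because the auth line uses `[default=ignore success=1 service_err=reset]` its failure is skipped silently, so the misconfiguration shows up only as an unexplained fallthrough to the next module. Since the default now decouples the two options, a configure-time warning would make this visible, e.g. `warnings = optional (config.security.pam.krb5.enable && !config.krb5.enable) "security.pam.krb5.enable is set but krb5.enable is false; the Kerberos PAM modules will have no krb5 configuration.";` placed in the module's config block, which is outside this diff. A wording nit on the same hunk: the description names `<literal>pam-krb5</literal>` and `<literal>pam-ccreds</literal>` while the stacks load `pam_krb5.so` and `pam_ccreds.so`; using the module file names in the text makes the option easier to correlate with the generated PAM files.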