movefasta/nixpkgs
1
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-06-10 03:23:29 +03:00
Code Issues Projects Releases Packages Wiki Activity

nixos/pam: Warn on insecure sshAgentAuth configurations

Browse source
This commit is contained in:
nicoo 2023-12-29 21:35:46 +00:00
parent 822c0a86bd
commit 9ed1423dcf
2 changed files with 15 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

6
nixos/tests/ssh-agent-auth.nix
View file

@ -15,7 +15,11 @@ import ./make-test-python.nix ({ lib, pkgs, ... }:
foo.isNormalUser = true;
};
security.pam.sshAgentAuth.enable = true;
security.pam.sshAgentAuth = {
# Must be specified, as nixpkgs CI expects everything to eval without warning
authorizedKeysFiles = [ "/etc/ssh/authorized_keys.d/%u" ];
enable = true;
};
security.${lib.replaceStrings [ "_" ] [ "-" ] n} = {
enable = true;
wheelNeedsPassword = true; # We are checking `pam_ssh_agent_auth(8)` works for a sudoer