
nixos/pam: Rename option enableSSHAgentAuth to sshAgentAuth.enable

This commit is contained in:
nicoo 2023-12-29 21:13:02 +00:00
parent f6a028db30
commit a46ea51ca3
2 changed files with 9 additions and 13 deletions


@ -654,7 +654,7 @@ let
{ name = "mysql"; enable = cfg.mysqlAuth; control = "sufficient"; modulePath = "${pkgs.pam_mysql}/lib/security/pam_mysql.so"; settings = { { name = "mysql"; enable = cfg.mysqlAuth; control = "sufficient"; modulePath = "${pkgs.pam_mysql}/lib/security/pam_mysql.so"; settings = {
config_file = "/etc/security/pam_mysql.conf"; config_file = "/etc/security/pam_mysql.conf";
}; } }; }
{ name = "ssh_agent_auth"; enable = config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth; control = "sufficient"; modulePath = "${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so"; settings = { { name = "ssh_agent_auth"; enable = config.security.pam.sshAgentAuth.enable && cfg.sshAgentAuth; control = "sufficient"; modulePath = "${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so"; settings = {
file = lib.concatStringsSep ":" config.services.openssh.authorizedKeysFiles; file = lib.concatStringsSep ":" config.services.openssh.authorizedKeysFiles;
}; } }; }
(let p11 = config.security.pam.p11; in { name = "p11"; enable = cfg.p11Auth; control = p11.control; modulePath = "${pkgs.pam_p11}/lib/security/pam_p11.so"; args = [ (let p11 = config.security.pam.p11; in { name = "p11"; enable = cfg.p11Auth; control = p11.control; modulePath = "${pkgs.pam_p11}/lib/security/pam_p11.so"; args = [
@ -943,7 +943,7 @@ let
value.source = pkgs.writeText "${name}.pam" service.text; value.source = pkgs.writeText "${name}.pam" service.text;
}; };
optionalSudoConfigForSSHAgentAuth = optionalString config.security.pam.enableSSHAgentAuth '' optionalSudoConfigForSSHAgentAuth = optionalString config.security.pam.sshAgentAuth.enable ''
# Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic. # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
Defaults env_keep+=SSH_AUTH_SOCK Defaults env_keep+=SSH_AUTH_SOCK
''; '';
@ -956,6 +956,7 @@ in
imports = [ imports = [
(mkRenamedOptionModule [ "security" "pam" "enableU2F" ] [ "security" "pam" "u2f" "enable" ]) (mkRenamedOptionModule [ "security" "pam" "enableU2F" ] [ "security" "pam" "u2f" "enable" ])
(mkRenamedOptionModule [ "security" "pam" "enableSSHAgentAuth" ] [ "security" "pam" "sshAgentAuth" "enable" ])
]; ];
###### interface ###### interface
@ -1025,15 +1026,10 @@ in
''; '';
}; };
security.pam.enableSSHAgentAuth = mkOption { security.pam.sshAgentAuth = {
type = types.bool; enable = mkEnableOption ''
default = false; authenticating using a signature performed by the ssh-agent.
description = This allows using SSH keys exclusively, instead of passwords, for instance on remote machines
lib.mdDoc ''
Enable sudo logins if the user's SSH agent provides a key
present in {file}`~/.ssh/authorized_keys`.
This allows machines to exclusively use SSH keys instead of
passwords.
''; '';
}; };
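Review bot: The new `mkEnableOption` text for `security.pam.sshAgentAuth.enable` in the last hunk (`@ -1025,15 +1026,10 @@`) no longer says which keys are trusted, whereas the removed description pointed at `~/.ssh/authorized_keys`. The module entry in the first hunk passes `file = lib.concatStringsSep ":" config.services.openssh.authorizedKeysFiles` to pam_ssh_agent_auth, so as far as the visible settings show, the keys consulted are the ones in sshd's `authorizedKeysFiles`; an administrator enabling this for sudo should see that trust anchor in the option documentation. Suggest appending a sentence such as `The agent must hold a key listed in one of the files in services.openssh.authorizedKeysFiles.` to the enable-option description. It may also be worth stating there that the global option only takes effect for a PAM service whose own flag is set (`enable = config.security.pam.sshAgentAuth.enable && cfg.sshAgentAuth`), while the sudo `Defaults env_keep+=SSH_AUTH_SOCK` fragment in the second hunk is gated on the global option alone.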


@ -15,7 +15,7 @@ import ./make-test-python.nix ({ lib, pkgs, ... }:
foo.isNormalUser = true; foo.isNormalUser = true;
}; };
security.pam.enableSSHAgentAuth = true; security.pam.sshAgentAuth.enable = true;
security.${lib.replaceStrings [ "_" ] [ "-" ] n} = { security.${lib.replaceStrings [ "_" ] [ "-" ] n} = {
enable = true; enable = true;
wheelNeedsPassword = true; # We are checking `pam_ssh_agent_auth(8)` works for a sudoer wheelNeedsPassword = true; # We are checking `pam_ssh_agent_auth(8)` works for a sudoer