From bcc2d1238a1c97347518812f224921d29aa3b3f8 Mon Sep 17 00:00:00 2001
From: nicoo
Date: Mon, 4 Sep 2023 21:06:12 +0000
Subject: [PATCH] nixos/sudo-rs: Move support for `pam_ssh_agent_auth(8)` to PAM's NixOS module

Similar to delroth's suggestion in #262790.
---
 nixos/modules/security/pam.nix | 13 ++++++++-----
 nixos/modules/security/sudo-rs.nix | 4 ----
 2 files changed, 8 insertions(+), 9 deletions(-)

diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index b7e1ea526535..c99615d5a636 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -943,6 +943,11 @@ let
 value.source = pkgs.writeText "${name}.pam" service.text;
 };
 
+ optionalSudoConfigForSSHAgentAuth = optionalString config.security.pam.enableSSHAgentAuth ''
+ # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
+ Defaults env_keep+=SSH_AUTH_SOCK
+ '';
+
 in
 
 {
@@ -1532,9 +1537,7 @@ in
 concatLines
 ]);
 
- security.sudo.extraConfig = optionalString config.security.pam.enableSSHAgentAuth ''
- # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
- Defaults env_keep+=SSH_AUTH_SOCK
- '';
- };
+ security.sudo.extraConfig = optionalSudoConfigForSSHAgentAuth;
+ security.sudo-rs.extraConfig = optionalSudoConfigForSSHAgentAuth;
+ };
 }
diff --git a/nixos/modules/security/sudo-rs.nix b/nixos/modules/security/sudo-rs.nix
index 0c97b9e1d79a..f991675827ef 100644
--- a/nixos/modules/security/sudo-rs.nix
+++ b/nixos/modules/security/sudo-rs.nix
@@ -220,10 +220,6 @@ in
 # Don't edit this file. Set the NixOS options ‘security.sudo-rs.configFile’
 # or ‘security.sudo-rs.extraRules’ instead.
 ''
- (optionalString enableSSHAgentAuth ''
- # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
- Defaults env_keep+=SSH_AUTH_SOCK
- '')
 (pipe cfg.extraRules [
 (filter (rule: length rule.commands != 0))
 (map (rule: [
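Review bot: The comment carried into the new `optionalSudoConfigForSSHAgentAuth` binding ("can do its magic") hides the one thing an administrator needs to know about this `Defaults` line: `env_keep` exempts SSH_AUTH_SOCK from sudo's environment reset, so the elevated command, not only the PAM module, keeps a usable path to the invoking user's agent socket. Since this snippet is now emitted into both sudoers files from a single place, its comment is the only documentation of that trade-off; suggest replacing the two comment lines with `# sudo scrubs the environment; keep SSH_AUTH_SOCK so pam_ssh_agent_auth.so can reach the user's agent.` and `# Note this also leaves the agent socket reachable from the command run under sudo.`. The `let` block this binding sits in starts before the hunk.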
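Review bot: The new `security.sudo-rs.extraConfig = optionalSudoConfigForSSHAgentAuth;` line makes pam.nix assign an option declared by a different module unconditionally, so evaluation of the PAM module now presumes sudo-rs.nix is always imported alongside it; if that is guaranteed by the module list this is fine, but it is worth a one-line comment such as `# Mirrors the sudo setting; relies on the sudo-rs module always being imported.` next to the assignment. On the sudo-rs.nix side, the removed `optionalString enableSSHAgentAuth` block was presumably the consumer of a local `enableSSHAgentAuth` binding whose definition is outside the hunk; if nothing else references it, that binding is now dead and should be removed in the same commit to avoid leaving a stale alias of `config.security.pam.enableSSHAgentAuth` around. The config attrset these assignments belong to begins before the hunk.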