2009-05-28 14:10:02 +01:00
|
|
|
|
# This module provides configuration for the PAM (Pluggable
|
|
|
|
|
# Authentication Modules) system.
|
|
|
|
|
|
2014-04-14 15:26:48 +01:00
|
|
|
|
{ config, lib, pkgs, ... }:
|
2009-05-28 14:10:02 +01:00
|
|
|
|
|
2014-04-14 15:26:48 +01:00
|
|
|
|
with lib;
|
2009-08-16 15:49:14 +01:00
|
|
|
|
|
2009-05-28 14:10:02 +01:00
|
|
|
|
let
|
2014-05-05 20:18:53 +01:00
|
|
|
|
parentConfig = config;
|
2009-05-28 14:10:02 +01:00
|
|
|
|
|
2014-05-05 20:18:53 +01:00
|
|
|
|
pamOpts = { config, name, ... }: let cfg = config; in let config = parentConfig; in {
|
2013-10-15 13:47:51 +01:00
|
|
|
|
|
|
|
|
|
options = {
|
|
|
|
|
|
|
|
|
|
name = mkOption {
|
|
|
|
|
example = "sshd";
|
2013-10-30 10:02:04 +00:00
|
|
|
|
type = types.str;
|
2013-10-15 13:47:51 +01:00
|
|
|
|
description = "Name of the PAM service.";
|
|
|
|
|
};
|
|
|
|
|
|
2013-10-15 14:05:49 +01:00
|
|
|
|
unixAuth = mkOption {
|
|
|
|
|
default = true;
|
|
|
|
|
type = types.bool;
|
|
|
|
|
description = ''
|
|
|
|
|
Whether users can log in with passwords defined in
|
|
|
|
|
<filename>/etc/shadow</filename>.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
2013-10-15 13:47:51 +01:00
|
|
|
|
rootOK = mkOption {
|
|
|
|
|
default = false;
|
|
|
|
|
type = types.bool;
|
|
|
|
|
description = ''
|
|
|
|
|
If set, root doesn't need to authenticate (e.g. for the
|
|
|
|
|
<command>useradd</command> service).
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
2020-05-30 10:03:10 +01:00
|
|
|
|
p11Auth = mkOption {
|
|
|
|
|
default = config.security.pam.p11.enable;
|
2021-11-26 00:16:05 +00:00
|
|
|
|
defaultText = literalExpression "config.security.pam.p11.enable";
|
2020-05-30 10:03:10 +01:00
|
|
|
|
type = types.bool;
|
|
|
|
|
description = ''
|
|
|
|
|
If set, keys listed in
|
|
|
|
|
<filename>~/.ssh/authorized_keys</filename> and
|
|
|
|
|
<filename>~/.eid/authorized_certificates</filename>
|
|
|
|
|
can be used to log in with the associated PKCS#11 tokens.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
2015-05-03 15:29:42 +01:00
|
|
|
|
u2fAuth = mkOption {
|
2019-01-29 16:45:26 +00:00
|
|
|
|
default = config.security.pam.u2f.enable;
|
2021-11-26 00:16:05 +00:00
|
|
|
|
defaultText = literalExpression "config.security.pam.u2f.enable";
|
2015-05-03 15:29:42 +01:00
|
|
|
|
type = types.bool;
|
|
|
|
|
description = ''
|
|
|
|
|
If set, users listed in
|
2019-01-29 16:45:26 +00:00
|
|
|
|
<filename>$XDG_CONFIG_HOME/Yubico/u2f_keys</filename> (or
|
|
|
|
|
<filename>$HOME/.config/Yubico/u2f_keys</filename> if XDG variable is
|
|
|
|
|
not set) are able to log in with the associated U2F key. Path can be
|
|
|
|
|
changed using <option>security.pam.u2f.authFile</option> option.
|
2015-05-03 15:29:42 +01:00
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
2019-03-31 02:07:16 +01:00
|
|
|
|
yubicoAuth = mkOption {
|
|
|
|
|
default = config.security.pam.yubico.enable;
|
2021-11-26 00:16:05 +00:00
|
|
|
|
defaultText = literalExpression "config.security.pam.yubico.enable";
|
2019-03-31 02:07:16 +01:00
|
|
|
|
type = types.bool;
|
|
|
|
|
description = ''
|
|
|
|
|
If set, users listed in
|
|
|
|
|
<filename>~/.yubico/authorized_yubikeys</filename>
|
2020-05-12 20:51:07 +01:00
|
|
|
|
are able to log in with the associated Yubikey tokens.
|
2019-03-31 02:07:16 +01:00
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
2018-02-08 07:18:30 +00:00
|
|
|
|
googleAuthenticator = {
|
|
|
|
|
enable = mkOption {
|
|
|
|
|
default = false;
|
|
|
|
|
type = types.bool;
|
|
|
|
|
description = ''
|
|
|
|
|
If set, users with enabled Google Authenticator (created
|
|
|
|
|
<filename>~/.google_authenticator</filename>) will be required
|
|
|
|
|
to provide Google Authenticator token to log in.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
2013-10-15 13:47:51 +01:00
|
|
|
|
usbAuth = mkOption {
|
|
|
|
|
default = config.security.pam.usb.enable;
|
2021-11-26 00:16:05 +00:00
|
|
|
|
defaultText = literalExpression "config.security.pam.usb.enable";
|
2013-10-15 13:47:51 +01:00
|
|
|
|
type = types.bool;
|
|
|
|
|
description = ''
|
|
|
|
|
If set, users listed in
|
|
|
|
|
<filename>/etc/pamusb.conf</filename> are able to log in
|
|
|
|
|
with the associated USB key.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
otpwAuth = mkOption {
|
|
|
|
|
default = config.security.pam.enableOTPW;
|
2021-11-26 00:16:05 +00:00
|
|
|
|
defaultText = literalExpression "config.security.pam.enableOTPW";
|
2013-10-15 13:47:51 +01:00
|
|
|
|
type = types.bool;
|
|
|
|
|
description = ''
|
|
|
|
|
If set, the OTPW system will be used (if
|
|
|
|
|
<filename>~/.otpw</filename> exists).
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
2018-12-12 12:53:51 +00:00
|
|
|
|
googleOsLoginAccountVerification = mkOption {
|
|
|
|
|
default = false;
|
|
|
|
|
type = types.bool;
|
|
|
|
|
description = ''
|
|
|
|
|
If set, will use the Google OS Login PAM modules
|
|
|
|
|
(<literal>pam_oslogin_login</literal>,
|
|
|
|
|
<literal>pam_oslogin_admin</literal>) to verify possible OS Login
|
|
|
|
|
users and set sudoers configuration accordingly.
|
|
|
|
|
This only makes sense to enable for the <literal>sshd</literal> PAM
|
|
|
|
|
service.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
googleOsLoginAuthentication = mkOption {
|
|
|
|
|
default = false;
|
|
|
|
|
type = types.bool;
|
|
|
|
|
description = ''
|
|
|
|
|
If set, will use the <literal>pam_oslogin_login</literal>'s user
|
|
|
|
|
authentication methods to authenticate users using 2FA.
|
|
|
|
|
This only makes sense to enable for the <literal>sshd</literal> PAM
|
|
|
|
|
service.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
2015-01-03 16:47:38 +00:00
|
|
|
|
fprintAuth = mkOption {
|
|
|
|
|
default = config.services.fprintd.enable;
|
2021-11-26 00:16:05 +00:00
|
|
|
|
defaultText = literalExpression "config.services.fprintd.enable";
|
2015-01-03 16:47:38 +00:00
|
|
|
|
type = types.bool;
|
|
|
|
|
description = ''
|
|
|
|
|
If set, fingerprint reader will be used (if exists and
|
|
|
|
|
your fingerprints are enrolled).
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
2015-02-14 22:52:22 +00:00
|
|
|
|
oathAuth = mkOption {
|
2016-02-24 21:41:02 +00:00
|
|
|
|
default = config.security.pam.oath.enable;
|
2021-11-26 00:16:05 +00:00
|
|
|
|
defaultText = literalExpression "config.security.pam.oath.enable";
|
2015-02-14 22:52:22 +00:00
|
|
|
|
type = types.bool;
|
|
|
|
|
description = ''
|
|
|
|
|
If set, the OATH Toolkit will be used.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
2013-10-15 13:47:51 +01:00
|
|
|
|
sshAgentAuth = mkOption {
|
|
|
|
|
default = false;
|
|
|
|
|
type = types.bool;
|
|
|
|
|
description = ''
|
|
|
|
|
If set, the calling user's SSH agent is used to authenticate
|
|
|
|
|
against the keys in the calling user's
|
|
|
|
|
<filename>~/.ssh/authorized_keys</filename>. This is useful
|
|
|
|
|
for <command>sudo</command> on password-less remote systems.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
2019-02-13 01:12:51 +00:00
|
|
|
|
duoSecurity = {
|
|
|
|
|
enable = mkOption {
|
|
|
|
|
default = false;
|
|
|
|
|
type = types.bool;
|
|
|
|
|
description = ''
|
|
|
|
|
If set, use the Duo Security pam module
|
|
|
|
|
<literal>pam_duo</literal> for authentication. Requires
|
|
|
|
|
configuration of <option>security.duosec</option> options.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
2013-10-15 13:47:51 +01:00
|
|
|
|
startSession = mkOption {
|
|
|
|
|
default = false;
|
|
|
|
|
type = types.bool;
|
|
|
|
|
description = ''
|
|
|
|
|
If set, the service will register a new session with
|
|
|
|
|
systemd's login manager. For local sessions, this will give
|
|
|
|
|
the user access to audio devices, CD-ROM drives. In the
|
|
|
|
|
default PolicyKit configuration, it also allows the user to
|
|
|
|
|
reboot the system.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
2016-09-06 16:23:27 +01:00
|
|
|
|
setEnvironment = mkOption {
|
|
|
|
|
type = types.bool;
|
|
|
|
|
default = true;
|
|
|
|
|
description = ''
|
|
|
|
|
Whether the service should set the environment variables
|
|
|
|
|
listed in <option>environment.sessionVariables</option>
|
|
|
|
|
using <literal>pam_env.so</literal>.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
2013-10-15 13:47:51 +01:00
|
|
|
|
setLoginUid = mkOption {
|
|
|
|
|
type = types.bool;
|
|
|
|
|
description = ''
|
|
|
|
|
Set the login uid of the process
|
|
|
|
|
(<filename>/proc/self/loginuid</filename>) for auditing
|
|
|
|
|
purposes. The login uid is only set by ‘entry points’ like
|
|
|
|
|
<command>login</command> and <command>sshd</command>, not by
|
|
|
|
|
commands like <command>sudo</command>.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
2021-09-13 13:43:12 +01:00
|
|
|
|
ttyAudit = {
|
|
|
|
|
enable = mkOption {
|
|
|
|
|
type = types.bool;
|
|
|
|
|
default = false;
|
|
|
|
|
description = ''
|
|
|
|
|
Enable or disable TTY auditing for specified users
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
enablePattern = mkOption {
|
|
|
|
|
type = types.nullOr types.str;
|
|
|
|
|
default = null;
|
|
|
|
|
description = ''
|
|
|
|
|
For each user matching one of comma-separated
|
|
|
|
|
glob patterns, enable TTY auditing
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
disablePattern = mkOption {
|
|
|
|
|
type = types.nullOr types.str;
|
|
|
|
|
default = null;
|
|
|
|
|
description = ''
|
|
|
|
|
For each user matching one of comma-separated
|
|
|
|
|
glob patterns, disable TTY auditing
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
openOnly = mkOption {
|
|
|
|
|
type = types.bool;
|
|
|
|
|
default = false;
|
|
|
|
|
description = ''
|
|
|
|
|
Set the TTY audit flag when opening the session,
|
|
|
|
|
but do not restore it when closing the session.
|
|
|
|
|
Using this option is necessary for some services
|
|
|
|
|
that don't fork() to run the authenticated session,
|
|
|
|
|
such as sudo.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
2013-10-15 13:47:51 +01:00
|
|
|
|
forwardXAuth = mkOption {
|
|
|
|
|
default = false;
|
|
|
|
|
type = types.bool;
|
|
|
|
|
description = ''
|
|
|
|
|
Whether X authentication keys should be passed from the
|
|
|
|
|
calling user to the target user (e.g. for
|
|
|
|
|
<command>su</command>)
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
2015-07-02 15:46:56 +01:00
|
|
|
|
pamMount = mkOption {
|
|
|
|
|
default = config.security.pam.mount.enable;
|
2021-11-26 00:16:05 +00:00
|
|
|
|
defaultText = literalExpression "config.security.pam.mount.enable";
|
2015-07-02 15:46:56 +01:00
|
|
|
|
type = types.bool;
|
|
|
|
|
description = ''
|
|
|
|
|
Enable PAM mount (pam_mount) system to mount fileystems on user login.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
2013-10-15 13:47:51 +01:00
|
|
|
|
allowNullPassword = mkOption {
|
|
|
|
|
default = false;
|
|
|
|
|
type = types.bool;
|
|
|
|
|
description = ''
|
|
|
|
|
Whether to allow logging into accounts that have no password
|
|
|
|
|
set (i.e., have an empty password field in
|
|
|
|
|
<filename>/etc/passwd</filename> or
|
|
|
|
|
<filename>/etc/group</filename>). This does not enable
|
|
|
|
|
logging into disabled accounts (i.e., that have the password
|
|
|
|
|
field set to <literal>!</literal>). Note that regardless of
|
|
|
|
|
what the pam_unix documentation says, accounts with hashed
|
|
|
|
|
empty passwords are always allowed to log in.
|
|
|
|
|
'';
|
|
|
|
|
};
|
2012-09-16 18:14:19 +01:00
|
|
|
|
|
2020-02-23 13:55:47 +00:00
|
|
|
|
nodelay = mkOption {
|
|
|
|
|
default = false;
|
|
|
|
|
type = types.bool;
|
|
|
|
|
description = ''
|
|
|
|
|
Wheather the delay after typing a wrong password should be disabled.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
2014-05-16 21:37:44 +01:00
|
|
|
|
requireWheel = mkOption {
|
|
|
|
|
default = false;
|
|
|
|
|
type = types.bool;
|
|
|
|
|
description = ''
|
|
|
|
|
Whether to permit root access only to members of group wheel.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
2013-10-15 13:47:51 +01:00
|
|
|
|
limits = mkOption {
|
2021-12-07 17:26:25 +00:00
|
|
|
|
default = [];
|
|
|
|
|
type = limitsType;
|
2013-10-15 13:47:51 +01:00
|
|
|
|
description = ''
|
|
|
|
|
Attribute set describing resource limits. Defaults to the
|
|
|
|
|
value of <option>security.pam.loginLimits</option>.
|
2021-12-07 17:26:25 +00:00
|
|
|
|
The meaning of the values is explained in <citerefentry>
|
|
|
|
|
<refentrytitle>limits.conf</refentrytitle><manvolnum>5</manvolnum>
|
|
|
|
|
</citerefentry>.
|
2013-10-15 13:47:51 +01:00
|
|
|
|
'';
|
|
|
|
|
};
|
2009-05-28 14:10:02 +01:00
|
|
|
|
|
2013-10-15 13:47:51 +01:00
|
|
|
|
showMotd = mkOption {
|
|
|
|
|
default = false;
|
|
|
|
|
type = types.bool;
|
|
|
|
|
description = "Whether to show the message of the day.";
|
|
|
|
|
};
|
2009-08-16 16:46:24 +01:00
|
|
|
|
|
2014-04-15 15:46:35 +01:00
|
|
|
|
makeHomeDir = mkOption {
|
|
|
|
|
default = false;
|
|
|
|
|
type = types.bool;
|
|
|
|
|
description = ''
|
|
|
|
|
Whether to try to create home directories for users
|
|
|
|
|
with <literal>$HOME</literal>s pointing to nonexistent
|
|
|
|
|
locations on session login.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
2013-10-15 13:47:51 +01:00
|
|
|
|
updateWtmp = mkOption {
|
|
|
|
|
default = false;
|
|
|
|
|
type = types.bool;
|
|
|
|
|
description = "Whether to update <filename>/var/log/wtmp</filename>.";
|
|
|
|
|
};
|
2010-01-12 11:02:23 +00:00
|
|
|
|
|
2014-05-14 16:53:58 +01:00
|
|
|
|
logFailures = mkOption {
|
|
|
|
|
default = false;
|
|
|
|
|
type = types.bool;
|
|
|
|
|
description = "Whether to log authentication failures in <filename>/var/log/faillog</filename>.";
|
|
|
|
|
};
|
|
|
|
|
|
2015-04-18 22:15:35 +01:00
|
|
|
|
enableAppArmor = mkOption {
|
|
|
|
|
default = false;
|
|
|
|
|
type = types.bool;
|
|
|
|
|
description = ''
|
|
|
|
|
Enable support for attaching AppArmor profiles at the
|
|
|
|
|
user/group level, e.g., as part of a role based access
|
|
|
|
|
control scheme.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
2017-02-15 00:38:52 +00:00
|
|
|
|
enableKwallet = mkOption {
|
|
|
|
|
default = false;
|
|
|
|
|
type = types.bool;
|
|
|
|
|
description = ''
|
|
|
|
|
If enabled, pam_wallet will attempt to automatically unlock the
|
|
|
|
|
user's default KDE wallet upon login. If the user has no wallet named
|
|
|
|
|
"kdewallet", or the login password does not match their wallet
|
|
|
|
|
password, KDE will prompt separately after login.
|
|
|
|
|
'';
|
|
|
|
|
};
|
2017-11-22 17:07:04 +00:00
|
|
|
|
sssdStrictAccess = mkOption {
|
|
|
|
|
default = false;
|
|
|
|
|
type = types.bool;
|
|
|
|
|
description = "enforce sssd access control";
|
|
|
|
|
};
|
2017-02-15 00:38:52 +00:00
|
|
|
|
|
2017-10-22 13:42:00 +01:00
|
|
|
|
enableGnomeKeyring = mkOption {
|
|
|
|
|
default = false;
|
|
|
|
|
type = types.bool;
|
|
|
|
|
description = ''
|
|
|
|
|
If enabled, pam_gnome_keyring will attempt to automatically unlock the
|
|
|
|
|
user's default Gnome keyring upon login. If the user login password does
|
|
|
|
|
not match their keyring password, Gnome Keyring will prompt separately
|
|
|
|
|
after login.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
2020-09-11 01:13:53 +01:00
|
|
|
|
gnupg = {
|
|
|
|
|
enable = mkOption {
|
|
|
|
|
type = types.bool;
|
|
|
|
|
default = false;
|
|
|
|
|
description = ''
|
|
|
|
|
If enabled, pam_gnupg will attempt to automatically unlock the
|
|
|
|
|
user's GPG keys with the login password via
|
|
|
|
|
<command>gpg-agent</command>. The keygrips of all keys to be
|
|
|
|
|
unlocked should be written to <filename>~/.pam-gnupg</filename>,
|
|
|
|
|
and can be queried with <command>gpg -K --with-keygrip</command>.
|
|
|
|
|
Presetting passphrases must be enabled by adding
|
|
|
|
|
<literal>allow-preset-passphrase</literal> in
|
|
|
|
|
<filename>~/.gnupg/gpg-agent.conf</filename>.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
noAutostart = mkOption {
|
|
|
|
|
type = types.bool;
|
|
|
|
|
default = false;
|
|
|
|
|
description = ''
|
|
|
|
|
Don't start <command>gpg-agent</command> if it is not running.
|
|
|
|
|
Useful in conjunction with starting <command>gpg-agent</command> as
|
|
|
|
|
a systemd user service.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
storeOnly = mkOption {
|
|
|
|
|
type = types.bool;
|
|
|
|
|
default = false;
|
|
|
|
|
description = ''
|
|
|
|
|
Don't send the password immediately after login, but store for PAM
|
|
|
|
|
<literal>session</literal>.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
2013-10-15 13:47:51 +01:00
|
|
|
|
text = mkOption {
|
2013-10-30 16:37:45 +00:00
|
|
|
|
type = types.nullOr types.lines;
|
2013-10-15 13:47:51 +01:00
|
|
|
|
description = "Contents of the PAM service file.";
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
};
|
|
|
|
|
|
2021-11-27 08:13:53 +00:00
|
|
|
|
# The resulting /etc/pam.d/* file contents are verified in
|
|
|
|
|
# nixos/tests/pam/pam-file-contents.nix. Please update tests there when
|
|
|
|
|
# changing the derivation.
|
2014-05-05 20:18:53 +01:00
|
|
|
|
config = {
|
|
|
|
|
name = mkDefault name;
|
2013-10-15 13:47:51 +01:00
|
|
|
|
setLoginUid = mkDefault cfg.startSession;
|
|
|
|
|
limits = mkDefault config.security.pam.loginLimits;
|
2012-10-23 14:10:48 +01:00
|
|
|
|
|
2013-10-15 13:47:51 +01:00
|
|
|
|
# !!! TODO: move the LDAP stuff to the LDAP module, and the
|
|
|
|
|
# Samba stuff to the Samba module. This requires that the PAM
|
|
|
|
|
# module provides the right hooks.
|
|
|
|
|
text = mkDefault
|
2021-11-12 01:19:54 +00:00
|
|
|
|
(
|
|
|
|
|
''
|
|
|
|
|
# Account management.
|
|
|
|
|
account required pam_unix.so
|
|
|
|
|
'' +
|
|
|
|
|
optionalString use_ldap ''
|
|
|
|
|
account sufficient ${pam_ldap}/lib/security/pam_ldap.so
|
|
|
|
|
'' +
|
|
|
|
|
optionalString (config.services.sssd.enable && cfg.sssdStrictAccess==false) ''
|
|
|
|
|
account sufficient ${pkgs.sssd}/lib/security/pam_sss.so
|
|
|
|
|
'' +
|
|
|
|
|
optionalString (config.services.sssd.enable && cfg.sssdStrictAccess) ''
|
|
|
|
|
account [default=bad success=ok user_unknown=ignore] ${pkgs.sssd}/lib/security/pam_sss.so
|
|
|
|
|
'' +
|
|
|
|
|
optionalString config.krb5.enable ''
|
|
|
|
|
account sufficient ${pam_krb5}/lib/security/pam_krb5.so
|
|
|
|
|
'' +
|
|
|
|
|
optionalString cfg.googleOsLoginAccountVerification ''
|
2021-03-18 17:02:07 +00:00
|
|
|
|
account [success=ok ignore=ignore default=die] ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so
|
|
|
|
|
account [success=ok default=ignore] ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_admin.so
|
2021-11-12 01:19:54 +00:00
|
|
|
|
'' +
|
|
|
|
|
''
|
|
|
|
|
|
|
|
|
|
# Authentication management.
|
|
|
|
|
'' +
|
|
|
|
|
optionalString cfg.googleOsLoginAuthentication ''
|
2021-03-18 17:02:07 +00:00
|
|
|
|
auth [success=done perm_denied=die default=ignore] ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so
|
2021-11-12 01:19:54 +00:00
|
|
|
|
'' +
|
|
|
|
|
optionalString cfg.rootOK ''
|
|
|
|
|
auth sufficient pam_rootok.so
|
|
|
|
|
'' +
|
|
|
|
|
optionalString cfg.requireWheel ''
|
|
|
|
|
auth required pam_wheel.so use_uid
|
|
|
|
|
'' +
|
|
|
|
|
optionalString cfg.logFailures ''
|
|
|
|
|
auth required pam_faillock.so
|
|
|
|
|
'' +
|
|
|
|
|
optionalString (config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth) ''
|
|
|
|
|
auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=${lib.concatStringsSep ":" config.services.openssh.authorizedKeysFiles}
|
|
|
|
|
'' +
|
|
|
|
|
(let p11 = config.security.pam.p11; in optionalString cfg.p11Auth ''
|
|
|
|
|
auth ${p11.control} ${pkgs.pam_p11}/lib/security/pam_p11.so ${pkgs.opensc}/lib/opensc-pkcs11.so
|
|
|
|
|
'') +
|
|
|
|
|
(let u2f = config.security.pam.u2f; in optionalString cfg.u2fAuth ''
|
|
|
|
|
auth ${u2f.control} ${pkgs.pam_u2f}/lib/security/pam_u2f.so ${optionalString u2f.debug "debug"} ${optionalString (u2f.authFile != null) "authfile=${u2f.authFile}"} ${optionalString u2f.interactive "interactive"} ${optionalString u2f.cue "cue"} ${optionalString (u2f.appId != null) "appid=${u2f.appId}"}
|
|
|
|
|
'') +
|
|
|
|
|
optionalString cfg.usbAuth ''
|
|
|
|
|
auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so
|
|
|
|
|
'' +
|
|
|
|
|
(let oath = config.security.pam.oath; in optionalString cfg.oathAuth ''
|
|
|
|
|
auth requisite ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}
|
|
|
|
|
'') +
|
|
|
|
|
(let yubi = config.security.pam.yubico; in optionalString cfg.yubicoAuth ''
|
|
|
|
|
auth ${yubi.control} ${pkgs.yubico-pam}/lib/security/pam_yubico.so mode=${toString yubi.mode} ${optionalString (yubi.challengeResponsePath != null) "chalresp_path=${yubi.challengeResponsePath}"} ${optionalString (yubi.mode == "client") "id=${toString yubi.id}"} ${optionalString yubi.debug "debug"}
|
|
|
|
|
'') +
|
|
|
|
|
optionalString cfg.fprintAuth ''
|
|
|
|
|
auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so
|
|
|
|
|
'' +
|
2015-11-21 21:04:11 +00:00
|
|
|
|
# Modules in this block require having the password set in PAM_AUTHTOK.
|
|
|
|
|
# pam_unix is marked as 'sufficient' on NixOS which means nothing will run
|
|
|
|
|
# after it succeeds. Certain modules need to run after pam_unix
|
|
|
|
|
# prompts the user for password so we run it once with 'required' at an
|
|
|
|
|
# earlier point and it will run again with 'sufficient' further down.
|
|
|
|
|
# We use try_first_pass the second time to avoid prompting password twice
|
2018-02-08 07:18:30 +00:00
|
|
|
|
(optionalString (cfg.unixAuth &&
|
2021-11-12 01:19:54 +00:00
|
|
|
|
(config.security.pam.enableEcryptfs
|
|
|
|
|
|| cfg.pamMount
|
|
|
|
|
|| cfg.enableKwallet
|
|
|
|
|
|| cfg.enableGnomeKeyring
|
|
|
|
|
|| cfg.googleAuthenticator.enable
|
|
|
|
|
|| cfg.gnupg.enable
|
|
|
|
|
|| cfg.duoSecurity.enable))
|
|
|
|
|
(
|
|
|
|
|
''
|
|
|
|
|
auth required pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth
|
|
|
|
|
'' +
|
|
|
|
|
optionalString config.security.pam.enableEcryptfs ''
|
|
|
|
|
auth optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap
|
|
|
|
|
'' +
|
|
|
|
|
optionalString cfg.pamMount ''
|
|
|
|
|
auth optional ${pkgs.pam_mount}/lib/security/pam_mount.so disable_interactive
|
|
|
|
|
'' +
|
|
|
|
|
optionalString cfg.enableKwallet ''
|
|
|
|
|
auth optional ${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so kwalletd=${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5
|
|
|
|
|
'' +
|
|
|
|
|
optionalString cfg.enableGnomeKeyring ''
|
|
|
|
|
auth optional ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so
|
|
|
|
|
'' +
|
|
|
|
|
optionalString cfg.gnupg.enable ''
|
|
|
|
|
auth optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so ${optionalString cfg.gnupg.storeOnly " store-only"}
|
|
|
|
|
'' +
|
|
|
|
|
optionalString cfg.googleAuthenticator.enable ''
|
2022-03-02 15:18:58 +00:00
|
|
|
|
auth required ${pkgs.google-authenticator}/lib/security/pam_google_authenticator.so no_increment_hotp
|
2021-11-12 01:19:54 +00:00
|
|
|
|
'' +
|
|
|
|
|
optionalString cfg.duoSecurity.enable ''
|
|
|
|
|
auth required ${pkgs.duo-unix}/lib/security/pam_duo.so
|
|
|
|
|
''
|
|
|
|
|
)) +
|
|
|
|
|
optionalString cfg.unixAuth ''
|
|
|
|
|
auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth try_first_pass
|
|
|
|
|
'' +
|
|
|
|
|
optionalString cfg.otpwAuth ''
|
|
|
|
|
auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so
|
|
|
|
|
'' +
|
|
|
|
|
optionalString use_ldap ''
|
|
|
|
|
auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass
|
|
|
|
|
'' +
|
|
|
|
|
optionalString config.services.sssd.enable ''
|
|
|
|
|
auth sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_first_pass
|
|
|
|
|
'' +
|
|
|
|
|
optionalString config.krb5.enable ''
|
2012-06-11 23:41:07 +01:00
|
|
|
|
auth [default=ignore success=1 service_err=reset] ${pam_krb5}/lib/security/pam_krb5.so use_first_pass
|
|
|
|
|
auth [default=die success=done] ${pam_ccreds}/lib/security/pam_ccreds.so action=validate use_first_pass
|
|
|
|
|
auth sufficient ${pam_ccreds}/lib/security/pam_ccreds.so action=store use_first_pass
|
2021-11-12 01:19:54 +00:00
|
|
|
|
'' +
|
|
|
|
|
''
|
|
|
|
|
auth required pam_deny.so
|
|
|
|
|
|
|
|
|
|
# Password management.
|
|
|
|
|
password sufficient pam_unix.so nullok sha512
|
|
|
|
|
'' +
|
|
|
|
|
optionalString config.security.pam.enableEcryptfs ''
|
|
|
|
|
password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so
|
|
|
|
|
'' +
|
|
|
|
|
optionalString cfg.pamMount ''
|
|
|
|
|
password optional ${pkgs.pam_mount}/lib/security/pam_mount.so
|
|
|
|
|
'' +
|
|
|
|
|
optionalString use_ldap ''
|
|
|
|
|
password sufficient ${pam_ldap}/lib/security/pam_ldap.so
|
|
|
|
|
'' +
|
|
|
|
|
optionalString config.services.sssd.enable ''
|
|
|
|
|
password sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_authtok
|
|
|
|
|
'' +
|
|
|
|
|
optionalString config.krb5.enable ''
|
|
|
|
|
password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass
|
|
|
|
|
'' +
|
|
|
|
|
optionalString cfg.enableGnomeKeyring ''
|
|
|
|
|
password optional ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so use_authtok
|
|
|
|
|
'' +
|
|
|
|
|
''
|
|
|
|
|
|
|
|
|
|
# Session management.
|
|
|
|
|
'' +
|
|
|
|
|
optionalString cfg.setEnvironment ''
|
2021-07-28 05:28:25 +01:00
|
|
|
|
session required pam_env.so conffile=/etc/pam/environment readenv=0
|
2021-11-12 01:19:54 +00:00
|
|
|
|
'' +
|
|
|
|
|
''
|
|
|
|
|
session required pam_unix.so
|
|
|
|
|
'' +
|
|
|
|
|
optionalString cfg.setLoginUid ''
|
|
|
|
|
session ${if config.boot.isContainer then "optional" else "required"} pam_loginuid.so
|
|
|
|
|
'' +
|
|
|
|
|
optionalString cfg.ttyAudit.enable ''
|
|
|
|
|
session required ${pkgs.pam}/lib/security/pam_tty_audit.so
|
2021-09-13 13:43:12 +01:00
|
|
|
|
open_only=${toString cfg.ttyAudit.openOnly}
|
|
|
|
|
${optionalString (cfg.ttyAudit.enablePattern != null) "enable=${cfg.ttyAudit.enablePattern}"}
|
|
|
|
|
${optionalString (cfg.ttyAudit.disablePattern != null) "disable=${cfg.ttyAudit.disablePattern}"}
|
2021-11-12 01:19:54 +00:00
|
|
|
|
'' +
|
|
|
|
|
optionalString cfg.makeHomeDir ''
|
|
|
|
|
session required ${pkgs.pam}/lib/security/pam_mkhomedir.so silent skel=${config.security.pam.makeHomeDir.skelDirectory} umask=0077
|
|
|
|
|
'' +
|
|
|
|
|
optionalString cfg.updateWtmp ''
|
|
|
|
|
session required ${pkgs.pam}/lib/security/pam_lastlog.so silent
|
|
|
|
|
'' +
|
|
|
|
|
optionalString config.security.pam.enableEcryptfs ''
|
|
|
|
|
session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so
|
|
|
|
|
'' +
|
|
|
|
|
optionalString cfg.pamMount ''
|
|
|
|
|
session optional ${pkgs.pam_mount}/lib/security/pam_mount.so disable_interactive
|
|
|
|
|
'' +
|
|
|
|
|
optionalString use_ldap ''
|
|
|
|
|
session optional ${pam_ldap}/lib/security/pam_ldap.so
|
|
|
|
|
'' +
|
|
|
|
|
optionalString config.services.sssd.enable ''
|
|
|
|
|
session optional ${pkgs.sssd}/lib/security/pam_sss.so
|
|
|
|
|
'' +
|
|
|
|
|
optionalString config.krb5.enable ''
|
|
|
|
|
session optional ${pam_krb5}/lib/security/pam_krb5.so
|
|
|
|
|
'' +
|
|
|
|
|
optionalString cfg.otpwAuth ''
|
|
|
|
|
session optional ${pkgs.otpw}/lib/security/pam_otpw.so
|
|
|
|
|
'' +
|
|
|
|
|
optionalString cfg.startSession ''
|
|
|
|
|
session optional ${pkgs.systemd}/lib/security/pam_systemd.so
|
|
|
|
|
'' +
|
|
|
|
|
optionalString cfg.forwardXAuth ''
|
|
|
|
|
session optional pam_xauth.so xauthpath=${pkgs.xorg.xauth}/bin/xauth systemuser=99
|
|
|
|
|
'' +
|
|
|
|
|
optionalString (cfg.limits != []) ''
|
|
|
|
|
session required ${pkgs.pam}/lib/security/pam_limits.so conf=${makeLimitsConf cfg.limits}
|
|
|
|
|
'' +
|
|
|
|
|
optionalString (cfg.showMotd && config.users.motd != null) ''
|
|
|
|
|
session optional ${pkgs.pam}/lib/security/pam_motd.so motd=${motd}
|
|
|
|
|
'' +
|
|
|
|
|
optionalString (cfg.enableAppArmor && config.security.apparmor.enable) ''
|
|
|
|
|
session optional ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so order=user,group,default debug
|
|
|
|
|
'' +
|
|
|
|
|
optionalString (cfg.enableKwallet) ''
|
|
|
|
|
session optional ${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so kwalletd=${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5
|
|
|
|
|
'' +
|
|
|
|
|
optionalString (cfg.enableGnomeKeyring) ''
|
|
|
|
|
session optional ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start
|
|
|
|
|
'' +
|
|
|
|
|
optionalString cfg.gnupg.enable ''
|
|
|
|
|
session optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so ${optionalString cfg.gnupg.noAutostart " no-autostart"}
|
|
|
|
|
'' +
|
|
|
|
|
optionalString (config.virtualisation.lxc.lxcfs.enable) ''
|
|
|
|
|
session optional ${pkgs.lxc}/lib/security/pam_cgfs.so -c all
|
|
|
|
|
''
|
|
|
|
|
);
|
2013-10-15 13:47:51 +01:00
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
inherit (pkgs) pam_krb5 pam_ccreds;
|
|
|
|
|
|
2016-07-18 14:20:21 +01:00
|
|
|
|
use_ldap = (config.users.ldap.enable && config.users.ldap.loginPam);
|
2013-10-15 13:47:51 +01:00
|
|
|
|
pam_ldap = if config.users.ldap.daemon.enable then pkgs.nss_pam_ldapd else pkgs.pam_ldap;
|
|
|
|
|
|
|
|
|
|
# Create a limits.conf(5) file.
|
|
|
|
|
makeLimitsConf = limits:
|
|
|
|
|
pkgs.writeText "limits.conf"
|
2013-10-17 14:36:59 +01:00
|
|
|
|
(concatMapStrings ({ domain, type, item, value }:
|
|
|
|
|
"${domain} ${type} ${item} ${toString value}\n")
|
|
|
|
|
limits);
|
2013-10-15 13:47:51 +01:00
|
|
|
|
|
2021-12-07 17:26:25 +00:00
|
|
|
|
limitsType = with lib.types; listOf (submodule ({ ... }: {
|
|
|
|
|
options = {
|
|
|
|
|
domain = mkOption {
|
|
|
|
|
description = "Username, groupname, or wildcard this limit applies to";
|
|
|
|
|
example = "@wheel";
|
|
|
|
|
type = str;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
type = mkOption {
|
|
|
|
|
description = "Type of this limit";
|
|
|
|
|
type = enum [ "-" "hard" "soft" ];
|
|
|
|
|
default = "-";
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
item = mkOption {
|
|
|
|
|
description = "Item this limit applies to";
|
|
|
|
|
type = enum [
|
|
|
|
|
"core"
|
|
|
|
|
"data"
|
|
|
|
|
"fsize"
|
|
|
|
|
"memlock"
|
|
|
|
|
"nofile"
|
|
|
|
|
"rss"
|
|
|
|
|
"stack"
|
|
|
|
|
"cpu"
|
|
|
|
|
"nproc"
|
|
|
|
|
"as"
|
|
|
|
|
"maxlogins"
|
|
|
|
|
"maxsyslogins"
|
|
|
|
|
"priority"
|
|
|
|
|
"locks"
|
|
|
|
|
"sigpending"
|
|
|
|
|
"msgqueue"
|
|
|
|
|
"nice"
|
|
|
|
|
"rtprio"
|
|
|
|
|
];
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
value = mkOption {
|
|
|
|
|
description = "Value of this limit";
|
|
|
|
|
type = oneOf [ str int ];
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
}));
|
|
|
|
|
|
2013-10-15 13:47:51 +01:00
|
|
|
|
motd = pkgs.writeText "motd" config.users.motd;
|
|
|
|
|
|
2019-09-14 18:51:29 +01:00
|
|
|
|
makePAMService = name: service:
|
|
|
|
|
{ name = "pam.d/${name}";
|
|
|
|
|
value.source = pkgs.writeText "${name}.pam" service.text;
|
2009-05-28 14:10:02 +01:00
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
in
|
|
|
|
|
|
|
|
|
|
{
|
2009-08-16 15:49:14 +01:00
|
|
|
|
|
2019-12-10 01:51:19 +00:00
|
|
|
|
imports = [
|
|
|
|
|
(mkRenamedOptionModule [ "security" "pam" "enableU2F" ] [ "security" "pam" "u2f" "enable" ])
|
|
|
|
|
];
|
|
|
|
|
|
2009-08-16 15:49:14 +01:00
|
|
|
|
###### interface
|
|
|
|
|
|
|
|
|
|
options = {
|
|
|
|
|
|
2010-01-12 11:02:23 +00:00
|
|
|
|
security.pam.loginLimits = mkOption {
|
|
|
|
|
default = [];
|
2021-12-07 17:26:25 +00:00
|
|
|
|
type = limitsType;
|
2010-01-12 11:02:23 +00:00
|
|
|
|
example =
|
|
|
|
|
[ { domain = "ftp";
|
|
|
|
|
type = "hard";
|
|
|
|
|
item = "nproc";
|
|
|
|
|
value = "0";
|
|
|
|
|
}
|
|
|
|
|
{ domain = "@student";
|
|
|
|
|
type = "-";
|
|
|
|
|
item = "maxlogins";
|
|
|
|
|
value = "4";
|
|
|
|
|
}
|
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
description =
|
2011-08-01 11:17:18 +01:00
|
|
|
|
'' Define resource limits that should apply to users or groups.
|
|
|
|
|
Each item in the list should be an attribute set with a
|
|
|
|
|
<varname>domain</varname>, <varname>type</varname>,
|
|
|
|
|
<varname>item</varname>, and <varname>value</varname>
|
|
|
|
|
attribute. The syntax and semantics of these attributes
|
2021-12-07 17:26:25 +00:00
|
|
|
|
must be that described in <citerefentry><refentrytitle>limits.conf</refentrytitle>
|
|
|
|
|
<manvolnum>5</manvolnum></citerefentry>.
|
2018-05-12 16:44:57 +01:00
|
|
|
|
|
|
|
|
|
Note that these limits do not apply to systemd services,
|
|
|
|
|
whose limits can be changed via <option>systemd.extraConfig</option>
|
|
|
|
|
instead.
|
2010-01-12 11:02:23 +00:00
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
2009-08-16 15:49:14 +01:00
|
|
|
|
security.pam.services = mkOption {
|
2021-10-03 17:06:03 +01:00
|
|
|
|
default = {};
|
2020-08-23 00:28:45 +01:00
|
|
|
|
type = with types; attrsOf (submodule pamOpts);
|
2009-08-16 15:49:14 +01:00
|
|
|
|
description =
|
|
|
|
|
''
|
|
|
|
|
This option defines the PAM services. A service typically
|
|
|
|
|
corresponds to a program that uses PAM,
|
|
|
|
|
e.g. <command>login</command> or <command>passwd</command>.
|
2013-10-15 13:47:51 +01:00
|
|
|
|
Each attribute of this set defines a PAM service, with the attribute name
|
|
|
|
|
defining the name of the service.
|
2009-08-16 15:49:14 +01:00
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
2016-04-14 19:18:09 +01:00
|
|
|
|
security.pam.makeHomeDir.skelDirectory = mkOption {
|
|
|
|
|
type = types.str;
|
|
|
|
|
default = "/var/empty";
|
|
|
|
|
example = "/etc/skel";
|
|
|
|
|
description = ''
|
|
|
|
|
Path to skeleton directory whose contents are copied to home
|
|
|
|
|
directories newly created by <literal>pam_mkhomedir</literal>.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
2012-06-11 23:41:07 +01:00
|
|
|
|
security.pam.enableSSHAgentAuth = mkOption {
|
2020-04-27 08:04:07 +01:00
|
|
|
|
type = types.bool;
|
2012-06-11 23:41:07 +01:00
|
|
|
|
default = false;
|
|
|
|
|
description =
|
|
|
|
|
''
|
|
|
|
|
Enable sudo logins if the user's SSH agent provides a key
|
|
|
|
|
present in <filename>~/.ssh/authorized_keys</filename>.
|
|
|
|
|
This allows machines to exclusively use SSH keys instead of
|
|
|
|
|
passwords.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
2020-04-27 08:04:07 +01:00
|
|
|
|
security.pam.enableOTPW = mkEnableOption "the OTPW (one-time password) PAM module";
|
2013-03-30 20:06:23 +00:00
|
|
|
|
|
2020-05-30 10:03:10 +01:00
|
|
|
|
security.pam.p11 = {
|
|
|
|
|
enable = mkOption {
|
|
|
|
|
default = false;
|
|
|
|
|
type = types.bool;
|
|
|
|
|
description = ''
|
|
|
|
|
Enables P11 PAM (<literal>pam_p11</literal>) module.
|
|
|
|
|
|
|
|
|
|
If set, users can log in with SSH keys and PKCS#11 tokens.
|
|
|
|
|
|
|
|
|
|
More information can be found <link
|
|
|
|
|
xlink:href="https://github.com/OpenSC/pam_p11">here</link>.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
control = mkOption {
|
|
|
|
|
default = "sufficient";
|
|
|
|
|
type = types.enum [ "required" "requisite" "sufficient" "optional" ];
|
|
|
|
|
description = ''
|
|
|
|
|
This option sets pam "control".
|
|
|
|
|
If you want to have multi factor authentication, use "required".
|
|
|
|
|
If you want to use the PKCS#11 device instead of the regular password,
|
|
|
|
|
use "sufficient".
|
|
|
|
|
|
|
|
|
|
Read
|
|
|
|
|
<citerefentry>
|
|
|
|
|
<refentrytitle>pam.conf</refentrytitle>
|
|
|
|
|
<manvolnum>5</manvolnum>
|
|
|
|
|
</citerefentry>
|
|
|
|
|
for better understanding of this option.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
2019-01-29 16:45:26 +00:00
|
|
|
|
security.pam.u2f = {
|
|
|
|
|
enable = mkOption {
|
|
|
|
|
default = false;
|
|
|
|
|
type = types.bool;
|
|
|
|
|
description = ''
|
|
|
|
|
Enables U2F PAM (<literal>pam-u2f</literal>) module.
|
|
|
|
|
|
|
|
|
|
If set, users listed in
|
|
|
|
|
<filename>$XDG_CONFIG_HOME/Yubico/u2f_keys</filename> (or
|
|
|
|
|
<filename>$HOME/.config/Yubico/u2f_keys</filename> if XDG variable is
|
|
|
|
|
not set) are able to log in with the associated U2F key. The path can
|
|
|
|
|
be changed using <option>security.pam.u2f.authFile</option> option.
|
|
|
|
|
|
|
|
|
|
File format is:
|
|
|
|
|
<literal>username:first_keyHandle,first_public_key: second_keyHandle,second_public_key</literal>
|
|
|
|
|
This file can be generated using <command>pamu2fcfg</command> command.
|
|
|
|
|
|
|
|
|
|
More information can be found <link
|
|
|
|
|
xlink:href="https://developers.yubico.com/pam-u2f/">here</link>.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
authFile = mkOption {
|
|
|
|
|
default = null;
|
|
|
|
|
type = with types; nullOr path;
|
|
|
|
|
description = ''
|
|
|
|
|
By default <literal>pam-u2f</literal> module reads the keys from
|
|
|
|
|
<filename>$XDG_CONFIG_HOME/Yubico/u2f_keys</filename> (or
|
|
|
|
|
<filename>$HOME/.config/Yubico/u2f_keys</filename> if XDG variable is
|
|
|
|
|
not set).
|
|
|
|
|
|
|
|
|
|
If you want to change auth file locations or centralize database (for
|
|
|
|
|
example use <filename>/etc/u2f-mappings</filename>) you can set this
|
|
|
|
|
option.
|
|
|
|
|
|
|
|
|
|
File format is:
|
|
|
|
|
<literal>username:first_keyHandle,first_public_key: second_keyHandle,second_public_key</literal>
|
|
|
|
|
This file can be generated using <command>pamu2fcfg</command> command.
|
|
|
|
|
|
|
|
|
|
More information can be found <link
|
|
|
|
|
xlink:href="https://developers.yubico.com/pam-u2f/">here</link>.
|
|
|
|
|
'';
|
|
|
|
|
};
|
2020-10-09 09:31:15 +01:00
|
|
|
|
|
2020-10-08 19:37:40 +01:00
|
|
|
|
appId = mkOption {
|
|
|
|
|
default = null;
|
|
|
|
|
type = with types; nullOr str;
|
|
|
|
|
description = ''
|
|
|
|
|
By default <literal>pam-u2f</literal> module sets the application
|
|
|
|
|
ID to <literal>pam://$HOSTNAME</literal>.
|
|
|
|
|
|
|
|
|
|
When using <command>pamu2fcfg</command>, you can specify your
|
|
|
|
|
application ID with the <literal>-i</literal> flag.
|
|
|
|
|
|
|
|
|
|
More information can be found <link
|
|
|
|
|
xlink:href="https://developers.yubico.com/pam-u2f/Manuals/pam_u2f.8.html">
|
|
|
|
|
here</link>
|
|
|
|
|
'';
|
|
|
|
|
};
|
2019-01-29 16:45:26 +00:00
|
|
|
|
|
|
|
|
|
control = mkOption {
|
|
|
|
|
default = "sufficient";
|
|
|
|
|
type = types.enum [ "required" "requisite" "sufficient" "optional" ];
|
|
|
|
|
description = ''
|
|
|
|
|
This option sets pam "control".
|
|
|
|
|
If you want to have multi factor authentication, use "required".
|
|
|
|
|
If you want to use U2F device instead of regular password, use "sufficient".
|
|
|
|
|
|
|
|
|
|
Read
|
|
|
|
|
<citerefentry>
|
|
|
|
|
<refentrytitle>pam.conf</refentrytitle>
|
|
|
|
|
<manvolnum>5</manvolnum>
|
|
|
|
|
</citerefentry>
|
|
|
|
|
for better understanding of this option.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
debug = mkOption {
|
|
|
|
|
default = false;
|
|
|
|
|
type = types.bool;
|
|
|
|
|
description = ''
|
|
|
|
|
Debug output to stderr.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
interactive = mkOption {
|
|
|
|
|
default = false;
|
|
|
|
|
type = types.bool;
|
|
|
|
|
description = ''
|
|
|
|
|
Set to prompt a message and wait before testing the presence of a U2F device.
|
|
|
|
|
Recommended if your device doesn’t have a tactile trigger.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
cue = mkOption {
|
|
|
|
|
default = false;
|
|
|
|
|
type = types.bool;
|
|
|
|
|
description = ''
|
|
|
|
|
By default <literal>pam-u2f</literal> module does not inform user
|
|
|
|
|
that he needs to use the u2f device, it just waits without a prompt.
|
|
|
|
|
|
|
|
|
|
If you set this option to <literal>true</literal>,
|
|
|
|
|
<literal>cue</literal> option is added to <literal>pam-u2f</literal>
|
|
|
|
|
module and reminder message will be displayed.
|
|
|
|
|
'';
|
|
|
|
|
};
|
2015-05-03 15:29:42 +01:00
|
|
|
|
};
|
|
|
|
|
|
2019-03-31 02:07:16 +01:00
|
|
|
|
security.pam.yubico = {
|
|
|
|
|
enable = mkOption {
|
|
|
|
|
default = false;
|
|
|
|
|
type = types.bool;
|
|
|
|
|
description = ''
|
|
|
|
|
Enables Yubico PAM (<literal>yubico-pam</literal>) module.
|
|
|
|
|
|
|
|
|
|
If set, users listed in
|
|
|
|
|
<filename>~/.yubico/authorized_yubikeys</filename>
|
|
|
|
|
are able to log in with the associated Yubikey tokens.
|
|
|
|
|
|
|
|
|
|
The file must have only one line:
|
|
|
|
|
<literal>username:yubikey_token_id1:yubikey_token_id2</literal>
|
|
|
|
|
More information can be found <link
|
|
|
|
|
xlink:href="https://developers.yubico.com/yubico-pam/">here</link>.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
control = mkOption {
|
|
|
|
|
default = "sufficient";
|
|
|
|
|
type = types.enum [ "required" "requisite" "sufficient" "optional" ];
|
|
|
|
|
description = ''
|
|
|
|
|
This option sets pam "control".
|
|
|
|
|
If you want to have multi factor authentication, use "required".
|
|
|
|
|
If you want to use Yubikey instead of regular password, use "sufficient".
|
|
|
|
|
|
|
|
|
|
Read
|
|
|
|
|
<citerefentry>
|
|
|
|
|
<refentrytitle>pam.conf</refentrytitle>
|
|
|
|
|
<manvolnum>5</manvolnum>
|
|
|
|
|
</citerefentry>
|
|
|
|
|
for better understanding of this option.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
id = mkOption {
|
|
|
|
|
example = "42";
|
2019-08-08 21:48:27 +01:00
|
|
|
|
type = types.str;
|
2019-03-31 02:07:16 +01:00
|
|
|
|
description = "client id";
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
debug = mkOption {
|
|
|
|
|
default = false;
|
|
|
|
|
type = types.bool;
|
|
|
|
|
description = ''
|
|
|
|
|
Debug output to stderr.
|
|
|
|
|
'';
|
|
|
|
|
};
|
2019-08-30 18:33:08 +01:00
|
|
|
|
mode = mkOption {
|
|
|
|
|
default = "client";
|
|
|
|
|
type = types.enum [ "client" "challenge-response" ];
|
|
|
|
|
description = ''
|
|
|
|
|
Mode of operation.
|
|
|
|
|
|
|
|
|
|
Use "client" for online validation with a YubiKey validation service such as
|
|
|
|
|
the YubiCloud.
|
|
|
|
|
|
|
|
|
|
Use "challenge-response" for offline validation using YubiKeys with HMAC-SHA-1
|
|
|
|
|
Challenge-Response configurations. See the man-page ykpamcfg(1) for further
|
2019-12-10 01:51:19 +00:00
|
|
|
|
details on how to configure offline Challenge-Response validation.
|
2019-08-30 18:33:08 +01:00
|
|
|
|
|
2021-07-17 07:56:55 +01:00
|
|
|
|
More information can be found <link
|
|
|
|
|
xlink:href="https://developers.yubico.com/yubico-pam/Authentication_Using_Challenge-Response.html">here</link>.
|
|
|
|
|
'';
|
|
|
|
|
};
|
|
|
|
|
challengeResponsePath = mkOption {
|
|
|
|
|
default = null;
|
2021-08-17 15:55:50 +01:00
|
|
|
|
type = types.nullOr types.path;
|
2021-07-17 07:56:55 +01:00
|
|
|
|
description = ''
|
|
|
|
|
If not null, set the path used by yubico pam module where the challenge expected response is stored.
|
|
|
|
|
|
2019-08-30 18:33:08 +01:00
|
|
|
|
More information can be found <link
|
|
|
|
|
xlink:href="https://developers.yubico.com/yubico-pam/Authentication_Using_Challenge-Response.html">here</link>.
|
|
|
|
|
'';
|
|
|
|
|
};
|
2019-03-31 02:07:16 +01:00
|
|
|
|
};
|
|
|
|
|
|
2020-04-27 08:04:07 +01:00
|
|
|
|
security.pam.enableEcryptfs = mkEnableOption "eCryptfs PAM module (mounting ecryptfs home directory on login)";
|
2015-03-05 00:33:05 +00:00
|
|
|
|
|
2012-10-23 14:10:48 +01:00
|
|
|
|
users.motd = mkOption {
|
|
|
|
|
default = null;
|
|
|
|
|
example = "Today is Sweetmorn, the 4th day of The Aftermath in the YOLD 3178.";
|
2015-08-17 18:52:45 +01:00
|
|
|
|
type = types.nullOr types.lines;
|
2012-10-23 14:10:48 +01:00
|
|
|
|
description = "Message of the day shown to users when they log in.";
|
|
|
|
|
};
|
|
|
|
|
|
2009-08-16 15:49:14 +01:00
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
###### implementation
|
|
|
|
|
|
|
|
|
|
config = {
|
2010-08-13 15:07:34 +01:00
|
|
|
|
|
2009-08-16 15:49:14 +01:00
|
|
|
|
environment.systemPackages =
|
|
|
|
|
# Include the PAM modules in the system path mostly for the manpages.
|
2010-06-02 20:59:44 +01:00
|
|
|
|
[ pkgs.pam ]
|
2010-08-06 09:50:48 +01:00
|
|
|
|
++ optional config.users.ldap.enable pam_ldap
|
2016-04-14 19:18:09 +01:00
|
|
|
|
++ optional config.services.sssd.enable pkgs.sssd
|
2013-03-30 20:06:23 +00:00
|
|
|
|
++ optionals config.krb5.enable [pam_krb5 pam_ccreds]
|
2015-02-14 22:52:22 +00:00
|
|
|
|
++ optionals config.security.pam.enableOTPW [ pkgs.otpw ]
|
2016-02-24 21:41:02 +00:00
|
|
|
|
++ optionals config.security.pam.oath.enable [ pkgs.oathToolkit ]
|
2020-05-30 10:03:10 +01:00
|
|
|
|
++ optionals config.security.pam.p11.enable [ pkgs.pam_p11 ]
|
2019-01-29 16:45:26 +00:00
|
|
|
|
++ optionals config.security.pam.u2f.enable [ pkgs.pam_u2f ];
|
2017-10-07 16:27:46 +01:00
|
|
|
|
|
|
|
|
|
boot.supportedFilesystems = optionals config.security.pam.enableEcryptfs [ "ecryptfs" ];
|
2015-03-05 00:33:05 +00:00
|
|
|
|
|
2017-01-29 11:33:56 +00:00
|
|
|
|
security.wrappers = {
|
|
|
|
|
unix_chkpwd = {
|
|
|
|
|
setuid = true;
|
2021-09-12 18:04:55 +01:00
|
|
|
|
owner = "root";
|
|
|
|
|
group = "root";
|
2022-01-09 09:20:36 +00:00
|
|
|
|
source = "${pkgs.pam}/bin/unix_chkpwd";
|
2017-01-29 11:33:56 +00:00
|
|
|
|
};
|
2017-10-07 16:27:46 +01:00
|
|
|
|
};
|
2009-08-16 15:49:14 +01:00
|
|
|
|
|
2019-09-14 18:51:29 +01:00
|
|
|
|
environment.etc = mapAttrs' makePAMService config.security.pam.services;
|
2009-08-16 15:49:14 +01:00
|
|
|
|
|
|
|
|
|
security.pam.services =
|
2013-10-15 13:47:51 +01:00
|
|
|
|
{ other.text =
|
|
|
|
|
''
|
|
|
|
|
auth required pam_warn.so
|
|
|
|
|
auth required pam_deny.so
|
|
|
|
|
account required pam_warn.so
|
|
|
|
|
account required pam_deny.so
|
|
|
|
|
password required pam_warn.so
|
|
|
|
|
password required pam_deny.so
|
|
|
|
|
session required pam_warn.so
|
|
|
|
|
session required pam_deny.so
|
|
|
|
|
'';
|
|
|
|
|
|
|
|
|
|
# Most of these should be moved to specific modules.
|
|
|
|
|
i3lock = {};
|
2016-05-15 06:47:31 +01:00
|
|
|
|
i3lock-color = {};
|
2013-10-15 13:47:51 +01:00
|
|
|
|
vlock = {};
|
|
|
|
|
xlock = {};
|
|
|
|
|
xscreensaver = {};
|
2016-09-06 16:23:27 +01:00
|
|
|
|
|
|
|
|
|
runuser = { rootOK = true; unixAuth = false; setEnvironment = false; };
|
|
|
|
|
|
|
|
|
|
/* FIXME: should runuser -l start a systemd session? Currently
|
|
|
|
|
it complains "Cannot create session: Already running in a
|
|
|
|
|
session". */
|
|
|
|
|
runuser-l = { rootOK = true; unixAuth = false; };
|
2013-10-15 13:47:51 +01:00
|
|
|
|
};
|
2009-08-16 15:49:14 +01:00
|
|
|
|
|
2020-10-18 14:36:24 +01:00
|
|
|
|
security.apparmor.includes."abstractions/pam" = let
|
|
|
|
|
isEnabled = test: fold or false (map test (attrValues config.security.pam.services));
|
2021-02-27 20:26:47 +00:00
|
|
|
|
in
|
2021-11-21 22:04:38 +00:00
|
|
|
|
lib.concatMapStrings
|
|
|
|
|
(name: "r ${config.environment.etc."pam.d/${name}".source},\n")
|
2021-02-27 20:26:47 +00:00
|
|
|
|
(attrNames config.security.pam.services) +
|
|
|
|
|
''
|
2020-10-18 14:36:24 +01:00
|
|
|
|
mr ${getLib pkgs.pam}/lib/security/pam_filter/*,
|
|
|
|
|
mr ${getLib pkgs.pam}/lib/security/pam_*.so,
|
|
|
|
|
r ${getLib pkgs.pam}/lib/security/,
|
2021-02-27 20:26:47 +00:00
|
|
|
|
'' +
|
|
|
|
|
optionalString use_ldap ''
|
|
|
|
|
mr ${pam_ldap}/lib/security/pam_ldap.so,
|
|
|
|
|
'' +
|
|
|
|
|
optionalString config.services.sssd.enable ''
|
|
|
|
|
mr ${pkgs.sssd}/lib/security/pam_sss.so,
|
|
|
|
|
'' +
|
|
|
|
|
optionalString config.krb5.enable ''
|
2020-10-18 14:36:24 +01:00
|
|
|
|
mr ${pam_krb5}/lib/security/pam_krb5.so,
|
|
|
|
|
mr ${pam_ccreds}/lib/security/pam_ccreds.so,
|
2021-02-27 20:26:47 +00:00
|
|
|
|
'' +
|
|
|
|
|
optionalString (isEnabled (cfg: cfg.googleOsLoginAccountVerification)) ''
|
2021-03-18 17:02:07 +00:00
|
|
|
|
mr ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so,
|
|
|
|
|
mr ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_admin.so,
|
2021-02-27 20:26:47 +00:00
|
|
|
|
'' +
|
|
|
|
|
optionalString (isEnabled (cfg: cfg.googleOsLoginAuthentication)) ''
|
2021-03-18 17:02:07 +00:00
|
|
|
|
mr ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so,
|
2021-02-27 20:26:47 +00:00
|
|
|
|
'' +
|
|
|
|
|
optionalString (config.security.pam.enableSSHAgentAuth
|
|
|
|
|
&& isEnabled (cfg: cfg.sshAgentAuth)) ''
|
|
|
|
|
mr ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so,
|
|
|
|
|
'' +
|
|
|
|
|
optionalString (isEnabled (cfg: cfg.fprintAuth)) ''
|
|
|
|
|
mr ${pkgs.fprintd}/lib/security/pam_fprintd.so,
|
|
|
|
|
'' +
|
|
|
|
|
optionalString (isEnabled (cfg: cfg.u2fAuth)) ''
|
|
|
|
|
mr ${pkgs.pam_u2f}/lib/security/pam_u2f.so,
|
|
|
|
|
'' +
|
|
|
|
|
optionalString (isEnabled (cfg: cfg.usbAuth)) ''
|
|
|
|
|
mr ${pkgs.pam_usb}/lib/security/pam_usb.so,
|
|
|
|
|
'' +
|
|
|
|
|
optionalString (isEnabled (cfg: cfg.oathAuth)) ''
|
|
|
|
|
"mr ${pkgs.oathToolkit}/lib/security/pam_oath.so,
|
|
|
|
|
'' +
|
|
|
|
|
optionalString (isEnabled (cfg: cfg.yubicoAuth)) ''
|
|
|
|
|
mr ${pkgs.yubico-pam}/lib/security/pam_yubico.so,
|
|
|
|
|
'' +
|
|
|
|
|
optionalString (isEnabled (cfg: cfg.duoSecurity.enable)) ''
|
|
|
|
|
mr ${pkgs.duo-unix}/lib/security/pam_duo.so,
|
|
|
|
|
'' +
|
|
|
|
|
optionalString (isEnabled (cfg: cfg.otpwAuth)) ''
|
|
|
|
|
mr ${pkgs.otpw}/lib/security/pam_otpw.so,
|
|
|
|
|
'' +
|
|
|
|
|
optionalString config.security.pam.enableEcryptfs ''
|
|
|
|
|
mr ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so,
|
|
|
|
|
'' +
|
|
|
|
|
optionalString (isEnabled (cfg: cfg.pamMount)) ''
|
|
|
|
|
mr ${pkgs.pam_mount}/lib/security/pam_mount.so,
|
|
|
|
|
'' +
|
|
|
|
|
optionalString (isEnabled (cfg: cfg.enableGnomeKeyring)) ''
|
|
|
|
|
mr ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so,
|
|
|
|
|
'' +
|
|
|
|
|
optionalString (isEnabled (cfg: cfg.startSession)) ''
|
|
|
|
|
mr ${pkgs.systemd}/lib/security/pam_systemd.so,
|
|
|
|
|
'' +
|
|
|
|
|
optionalString (isEnabled (cfg: cfg.enableAppArmor)
|
|
|
|
|
&& config.security.apparmor.enable) ''
|
|
|
|
|
mr ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so,
|
|
|
|
|
'' +
|
|
|
|
|
optionalString (isEnabled (cfg: cfg.enableKwallet)) ''
|
2021-05-30 20:42:39 +01:00
|
|
|
|
mr ${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so,
|
2021-02-27 20:26:47 +00:00
|
|
|
|
'' +
|
|
|
|
|
optionalString config.virtualisation.lxc.lxcfs.enable ''
|
|
|
|
|
mr ${pkgs.lxc}/lib/security/pam_cgfs.so
|
|
|
|
|
'';
|
2009-08-16 15:49:14 +01:00
|
|
|
|
};
|
2010-08-13 15:07:34 +01:00
|
|
|
|
|
2009-05-28 14:10:02 +01:00
|
|
|
|
}
|