From 3b931f786128599b0b02eb04f7dba22a1d5a41a9 Mon Sep 17 00:00:00 2001
From: Eelco Dolstra
Date: Sun, 16 Aug 2009 15:46:24 +0000
Subject: [PATCH] * We still need /etc/pam.d/other to keep usermod happy.
svn path=/nixos/trunk/; revision=16731
---
 modules/security/pam.nix | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/modules/security/pam.nix b/modules/security/pam.nix
index 291fe67b0441..2a36e7cece02 100644
--- a/modules/security/pam.nix
+++ b/modules/security/pam.nix
@@ -18,6 +18,18 @@ let
 pamConsolePerms = ./console.perms;
+ otherService = pkgs.writeText "other.pam"
+ ''
+ auth required pam_warn.so
+ auth required pam_deny.so
+ account required pam_warn.so
+ account required pam_deny.so
+ password required pam_warn.so
+ password required pam_deny.so
+ session required pam_warn.so
+ session required pam_deny.so
+ '';
+
 makePAMService = { name , # If set, root doesn't need to authenticate (e.g. for the "chsh"
@@ -111,7 +123,12 @@ in
 [ pkgs.pam pam_unix2 ] ++ optional config.users.ldap.enable pam_ldap;
- environment.etc = map makePAMService config.security.pam.services;
+ environment.etc =
+ map makePAMService config.security.pam.services
+ ++ singleton
+ { source = otherService;
+ target = "pam.d/other";
+ };
 security.pam.services = # Most of these should be moved to specific modules.
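Review bot: The new `otherService` binding carries no comment saying that it is the catch-all policy, and the commit subject mentions only usermod, so a later reader could take it for a usermod-specific file and relax it. Linux-PAM falls back to `/etc/pam.d/other` for any service that has no file of its own (general PAM behaviour, not shown in this hunk), which makes the warn-then-deny stack a security default for every unlisted program. I would add above the binding: `# Fallback for PAM services without their own file in /etc/pam.d: log the attempt (pam_warn), then refuse it (pam_deny). Keep this deny-all.` It is also worth confirming that every program expected to authenticate has an entry in `security.pam.services`, since anything missing is now refused and shows up only as a pam_warn syslog line.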
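Review bot: The fixed `pam.d/other` entry appended with `++ singleton` can collide with a configured service. If `config.security.pam.services` ever contains an entry named `other`, `map makePAMService` presumably also produces a `pam.d/other` target (makePAMService's body is outside this hunk), and nothing visible here decides which of the two sources ends up in /etc. Because this file is the deny-all fallback, a silent override in either direction changes the authentication policy for every unlisted service. Either filter or reject that name before the map, or at least document it as reserved next to the option, e.g. `# "other" is reserved for the deny-all fallback appended to environment.etc; do not define it in security.pam.services.`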