3
0
Fork 0
forked from mirrors/nixpkgs

Merge pull request #52488 from flokli/pam_account_unix_required

security.pam: make pam_unix.so required, not sufficient
This commit is contained in:
Florian Klink 2018-12-21 17:49:19 +01:00 committed by GitHub
commit 9c86e8faf5
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 17 additions and 1 deletions

View file

@ -318,6 +318,22 @@
case.
</para>
</listitem>
<listitem>
<para>
The <literal>pam_unix</literal> account module is now loaded with its
control field set to <literal>required</literal> instead of
<literal>sufficient</literal>, so that later pam account modules that
might do more extensive checks are being executed.
Previously, the whole account module verification was exited prematurely
in case a nss module provided the account name to
<literal>pam_unix</literal>.
The LDAP and SSSD NixOS modules already add their NSS modules when
enabled. In case your setup breaks due to some later pam account module
previosuly shadowed, or failing NSS lookups, please file a bug. You can
get back the old behaviour by manually setting
<literal><![CDATA[security.pam.services.<name?>.text]]></literal>.
</para>
</listitem>
</itemizedlist>
</section>

View file

@ -269,7 +269,7 @@ let
text = mkDefault
(''
# Account management.
account ${if cfg.sssdStrictAccess then "required" else "sufficient"} pam_unix.so
account required pam_unix.so
${optionalString use_ldap
"account sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
${optionalString (config.services.sssd.enable && cfg.sssdStrictAccess==false)