* Add support for pam_usb.
svn path=/nixos/trunk/; revision=19185
parent
64c75274e1
commit
d2901e979d
|
@ -33,6 +33,7 @@
|
|||
./rename.nix
|
||||
./security/consolekit.nix
|
||||
./security/pam.nix
|
||||
./security/pam_usb.nix
|
||||
./security/policykit.nix
|
||||
#./security/polkit.nix # Currently disabled; using the old policykit.
|
||||
./security/setuid-wrappers.nix
|
||||
|
|
|
@ -7,7 +7,7 @@ with pkgs.lib;
|
|||
|
||||
let
|
||||
|
||||
inherit (pkgs) pam_unix2 pam_ldap;
|
||||
inherit (pkgs) pam_unix2 pam_usb pam_ldap;
|
||||
|
||||
otherService = pkgs.writeText "other.pam"
|
||||
''
|
||||
|
@ -26,6 +26,9 @@ let
|
|||
, # If set, root doesn't need to authenticate (e.g. for the "chsh"
|
||||
# service).
|
||||
rootOK ? false
|
||||
, # If set, user listed in /etc/pamusb.conf are able to log in with
|
||||
# the associated usb key.
|
||||
usbAuth ? config.security.pam.usb.enable
|
||||
, # If set, use ConsoleKit's PAM connector module to claim
|
||||
# ownership of audio devices etc.
|
||||
ownDevices ? false
|
||||
|
@ -55,6 +58,8 @@ let
|
|||
# Authentication management.
|
||||
${optionalString rootOK
|
||||
"auth sufficient pam_rootok.so"}
|
||||
${optionalString usbAuth
|
||||
"auth sufficient ${pam_usb}/lib/security/pam_usb.so"}
|
||||
${optionalString config.users.ldap.enable
|
||||
"auth sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
|
||||
auth sufficient ${pam_unix2}/lib/security/pam_unix2.so ${
|
||||
|
|
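Review bot: In the `-55,6 +58,8` hunk, `auth sufficient ${pam_usb}/lib/security/pam_usb.so` sits ahead of the `pam_unix2` line, so a matching USB key ends the auth stack with success and no password is asked; the key replaces the password rather than complementing it. Because the new parameter reads `usbAuth ? config.security.pam.usb.enable`, the global switch appears to turn this on for every service built by this function unless the service overrides it, which would include the su and sudo services that pam_usb.nix mentions. The parameter comment should say so, for example `# If set, a USB key listed in /etc/pamusb.conf is sufficient to authenticate, without a password.` The enclosing function starts and ends outside the visible hunks, so the set of affected services should be confirmed there.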
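--- a/modules/security/pam_usb.nix
+++ b/modules/security/pam_usb.nix
@@ -0,0 +1,41 @@
+{config, pkgs, ...}:
+
+with pkgs.lib;
+
+let
+
+inherit (pkgs) pam_usb;
+
+cfg = config.security.pam.usb;
+
+anyUsbAuth = any (attrByPath ["usbAuth"] false) config.security.pam.services;
+
+in
+
+{
+options = {
+
+security.pam.usb = {
+enable = mkOption {
+default = false;
+description = ''
+Enable USB login for all login system unless the service disabled
+it. For more information, visit <link
+xlink:href="http://pamusb.org/doc/quickstart#setting_up" />.
+'';
+};
+
+};
+
+};
+
+config = mkIf (cfg.enable || anyUsbAuth) {
+
+# pmount need to have a set-uid bit to make pam_usb works in user
+# environment. (like su, sudo)
+
+security.setuidPrograms = [ "pmount" "pumount" ];
+environment.systemPackages = [ pkgs.pmount ];
+
+};
+}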
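Review bot: The `config` block adds `pmount` and `pumount` to `security.setuidPrograms` whenever `cfg.enable` or any service's `usbAuth` is set, yet the option description mentions neither the setuid wrappers nor that the key is accepted in place of a password. An administrator reading only the description cannot tell that enabling the option adds two set-uid programs to the system. I would extend the description with a sentence such as `Enabling this also installs set-uid wrappers for pmount and pumount.` and reword the comment to `# pam_usb needs pmount/pumount to be set-uid so that it works from user sessions (su, sudo).` The documentation link uses plain `http://`; an `https://` URL would be preferable if the site serves one.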