2 commits

Erin Shepherd 6053f1a68a pam_sduserdb: add support to security/pam 2024-03-27 20:36:11 +01:00
Erin Shepherd 53d4b5033a pam_sduserdb: init 2024-03-27 20:28:54 +01:00
3 changed files with 39 additions and 0 deletions


@ -628,6 +628,7 @@ let
{ name = "oslogin_login"; enable = cfg.googleOsLoginAccountVerification; control = "[success=ok ignore=ignore default=die]"; modulePath = "${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so"; }
{ name = "oslogin_admin"; enable = cfg.googleOsLoginAccountVerification; control = "[success=ok default=ignore]"; modulePath = "${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_admin.so"; }
{ name = "systemd_home"; enable = config.services.homed.enable; control = "sufficient"; modulePath = "${config.systemd.package}/lib/security/pam_systemd_home.so"; }
{ name = "sd_userdb"; enable = config.security.pam.userdb.enable; control = "sufficient"; modulePath = "${pkgs.pam_sduserdb}/lib/security/pam_sduserdb.so"; }
# The required pam_unix.so module has to come after all the sufficient modules
# because otherwise, the account lookup will fail if the user does not exist
# locally, for example with MySQL- or LDAP-auth.
@ -702,6 +703,7 @@ let
inherit (cfg) nodelay;
likeauth = true;
}; }
{ name = "sd_userdb"; enable = config.security.pam.userdb.enable; control = "optional"; modulePath = "${pkgs.pam_sduserdb}/lib/security/pam_sduserdb.so"; }
{ name = "ecryptfs"; enable = config.security.pam.enableEcryptfs; control = "optional"; modulePath = "${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"; settings = {
unwrap = true;
}; }
@ -735,6 +737,7 @@ let
likeauth = true;
try_first_pass = true;
}; }
{ name = "sd_userdb"; enable = config.security.pam.userdb.enable; control = "sufficient"; modulePath = "${pkgs.pam_sduserdb}/lib/security/pam_sduserdb.so"; }
{ name = "otpw"; enable = cfg.otpwAuth; control = "sufficient"; modulePath = "${pkgs.otpw}/lib/security/pam_otpw.so"; }
{ name = "ldap"; enable = use_ldap; control = "sufficient"; modulePath = "${pam_ldap}/lib/security/pam_ldap.so"; settings = {
use_first_pass = true;
@ -1104,6 +1107,16 @@ in
};
};
security.pam.userdb = {
enable = mkOption {
type = types.bool;
default = false;
description = ''
Enable login using accounts defined in the systemd user database
'';
};
};
security.pam.p11 = {
enable = mkOption {
default = false;
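Review bot: The early `optional` sd_userdb entry in the second hunk is enabled by `config.security.pam.userdb.enable` alone, while its `sufficient` counterpart in the third hunk sits right after the pam_unix entry that uses `try_first_pass`; with both entries active, a user may be asked for a password by the optional entry and again by the sufficient one, unless pam_sduserdb honours an equivalent of try_first_pass (not visible on this page). The early pam_unix entry that this mirrors starts above the second hunk, so its enable condition is not visible here, but if it is conditioned on the modules that consume PAM_AUTHTOK, the sd_userdb entry should carry the same condition, e.g. `enable = config.security.pam.userdb.enable && <same gate as the early pam_unix entry>;` with the gate copied from that line. The option block in the fourth hunk would follow the file's idiom better as `enable = mkEnableOption "...";`, and its description should state the security-relevant effect: enabling it inserts pam_sduserdb as `sufficient` into the account and auth stacks of every generated PAM service, so any account the systemd user database answers for becomes a valid login.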


@ -0,0 +1,24 @@
{ lib, stdenv, fetchFromGitHub, pkg-config, meson, ninja, pam, libvarlink, libxcrypt }:
stdenv.mkDerivation rec {
pname = "pam_sduserdb";
version = "0.1338";
src = fetchFromGitHub {
owner = "erincandescent";
repo = "pam_sduserdb";
rev = "babf7a88caac817ffbef7f7da3893fc96ea03a38";
hash = "sha256-PU8VsYri6DiIniWaVCQj8ACBYHLnA10NeRN0N2SMCHc=";
};
nativeBuildInputs = [ pkg-config meson ninja ];
buildInputs = [ pam libvarlink libxcrypt ];
meta = with lib; {
homepage = "https://github.com/erincandescent/pam_sduserdb";
description = "A PAM module for doing account management using the systemd user database";
license = licenses.bsd2;
platforms = platforms.unix;
maintainers = with maintainers; [ ];
};
}
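Review bot: `platforms = platforms.unix;` is too broad for a module that links against libvarlink and, per its own description, queries the systemd user database; `platforms = platforms.linux;` reflects where it can actually run. `version = "0.1338";` is paired with a bare commit in `rev` rather than a tag, so it reads as a release that may not exist; if upstream has no such tag, the nixpkgs snapshot convention (a `0-unstable-<date>` style version) is the honest form, to be confirmed against the upstream repository. `maintainers = with maintainers; [ ];` leaves a PAM module, code that runs inside every login on the host, with nobody responsible for security updates; the author should list themselves. The description should also drop the leading article per nixpkgs style: `description = "PAM module for doing account management using the systemd user database";`.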


@ -28354,6 +28354,8 @@ with pkgs;
pam_rssh = callPackage ../os-specific/linux/pam_rssh { };
pam_sduserdb = callPackage ../os-specific/linux/pam_sduserdb { };
pam_ssh_agent_auth = callPackage ../os-specific/linux/pam_ssh_agent_auth { };
pam_tmpdir = callPackage ../os-specific/linux/pam_tmpdir { };