mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-11-17 19:21:04 +00:00
nixos/pam: Strip config in documentation and messages (#341562)
This commit is contained in:
commit
99b100cc3a
|
@ -1168,8 +1168,7 @@ in
|
|||
|
||||
If set, users can authenticate with their Kerberos password.
|
||||
This requires a valid Kerberos configuration
|
||||
(`config.security.krb5.enable` should be set to
|
||||
`true`).
|
||||
(`security.krb5.enable` should be set to `true`).
|
||||
|
||||
Note that the Kerberos PAM modules are not necessary when using SSS
|
||||
to handle Kerberos authentication.
|
||||
|
@ -1587,8 +1586,8 @@ in
|
|||
|
||||
warnings = lib.optional
|
||||
(with config.security.pam.sshAgentAuth;
|
||||
enable && lib.any (s: lib.hasPrefix "%h" s || lib.hasPrefix "~" s) authorizedKeysFiles)
|
||||
''config.security.pam.sshAgentAuth.authorizedKeysFiles contains files in the user's home directory.
|
||||
enable && lib.any (s: lib.hasPrefix "%h" s || lib.hasPrefix "~" s) authorizedKeysFiles) ''
|
||||
security.pam.sshAgentAuth.authorizedKeysFiles contains files in the user's home directory.
|
||||
|
||||
Specifying user-writeable files there result in an insecure configuration:
|
||||
a malicious process can then edit such an authorized_keys file and bypass the ssh-agent-based authentication.
|
||||
|
|
Loading…
Reference in a new issue