mirror of https://github.com/NixOS/nixpkgs.git synced 2024-11-17 19:21:04 +00:00

nixos/pam: Strip config in documentation and messages (#341562)

Sefa Eyeoglu 2024-10-20 21:00:06 +02:00 committed by GitHub
commit 99b100cc3a
No known key found for this signature in database
GPG key ID: B5690EEEBB952194

@ -1168,8 +1168,7 @@ in
If set, users can authenticate with their Kerberos password. If set, users can authenticate with their Kerberos password.
This requires a valid Kerberos configuration This requires a valid Kerberos configuration
(`config.security.krb5.enable` should be set to (`security.krb5.enable` should be set to `true`).
`true`).
Note that the Kerberos PAM modules are not necessary when using SSS Note that the Kerberos PAM modules are not necessary when using SSS
to handle Kerberos authentication. to handle Kerberos authentication.
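Review bot: The option reference on the changed line is still plain inline code (`security.krb5.enable`), so nothing ties it to the option it names and a later rename would leave this description stale without any build error. Consider the manual's option-link form here, `[](#opt-security.krb5.enable)`, and keep `true` as inline code after it.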
@ -1587,8 +1586,8 @@ in
warnings = lib.optional warnings = lib.optional
(with config.security.pam.sshAgentAuth; (with config.security.pam.sshAgentAuth;
enable && lib.any (s: lib.hasPrefix "%h" s || lib.hasPrefix "~" s) authorizedKeysFiles) enable && lib.any (s: lib.hasPrefix "%h" s || lib.hasPrefix "~" s) authorizedKeysFiles) ''
''config.security.pam.sshAgentAuth.authorizedKeysFiles contains files in the user's home directory. security.pam.sshAgentAuth.authorizedKeysFiles contains files in the user's home directory.
Specifying user-writeable files there result in an insecure configuration: Specifying user-writeable files there result in an insecure configuration:
a malicious process can then edit such an authorized_keys file and bypass the ssh-agent-based authentication. a malicious process can then edit such an authorized_keys file and bypass the ssh-agent-based authentication.
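Review bot: Since the warning string is being re-flowed anyway, fix the grammar in its second line: "Specifying user-writeable files there result in an insecure configuration" should read "results in". Also note that the predicate on the `lib.hasPrefix` line only matches entries beginning with `%h` or `~`, so the message's wording ("contains files in the user's home directory") claims more than the check detects; either say in the text that it keys on those two prefixes or document that limitation next to the condition.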