mirror of https://github.com/NixOS/nixpkgs.git synced 2024-11-17 19:21:04 +00:00

nixos/pam: Strip config in documentation and messages (#341562)

Sefa Eyeoglu 2024-10-20 21:00:06 +02:00 committed by GitHub
commit 99b100cc3a
No known key found for this signature in database
GPG key ID: B5690EEEBB952194


@ -1168,8 +1168,7 @@ in
If set, users can authenticate with their Kerberos password.
This requires a valid Kerberos configuration
(`config.security.krb5.enable` should be set to
`true`).
(`security.krb5.enable` should be set to `true`).
Note that the Kerberos PAM modules are not necessary when using SSS
to handle Kerberos authentication.
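Review bot: The description calls a valid Kerberos configuration a requirement, but the changed line only says `security.krb5.enable` "should be set to `true`", and nothing visible in this hunk enforces it. If the module does not already assert this elsewhere, consider an assertion tying the two options together, so that enabling Kerberos in the PAM stack without a krb5 configuration fails at evaluation time rather than at login.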
@ -1587,8 +1586,8 @@ in
warnings = lib.optional
(with config.security.pam.sshAgentAuth;
enable && lib.any (s: lib.hasPrefix "%h" s || lib.hasPrefix "~" s) authorizedKeysFiles)
''config.security.pam.sshAgentAuth.authorizedKeysFiles contains files in the user's home directory.
enable && lib.any (s: lib.hasPrefix "%h" s || lib.hasPrefix "~" s) authorizedKeysFiles) ''
security.pam.sshAgentAuth.authorizedKeysFiles contains files in the user's home directory.
Specifying user-writeable files there result in an insecure configuration:
a malicious process can then edit such an authorized_keys file and bypass the ssh-agent-based authentication.
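Review bot: The predicate `lib.hasPrefix "%h" s || lib.hasPrefix "~" s` only matches entries that begin with `%h` or `~`, so an absolute path that points into a home directory or another user-writable location produces no warning, even though the message describes exactly that risk. Consider saying in the warning or the option documentation that the check is a heuristic on those two prefixes, so a silent evaluation is not read as confirmation that the configured files are safe. While this string is being edited, "Specifying user-writeable files there result in" should read "results in".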