diff options
| author | Maximilian Bosch <maximilian@mbosch.me> | 2022-08-16 20:30:16 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-08-16 20:30:16 +0200 |
| commit | 9e8ea1b855566d1d4cc8608d6bf291b53700d253 (patch) | |
| tree | 8ad17c2db64f0a26be80c473ada2bd416c3cb2b2 /nixos/modules/security/pam.nix | |
| parent | 5cd5de601e8375dae145938e66d5a300b644712f (diff) | |
| parent | e23ace62686fb974353e86299c7003e089f323dd (diff) | |
Merge pull request #183717 from NetaliDev/mysql-auth
nixos: add mysql/mariadb user authentication module
Diffstat (limited to 'nixos/modules/security/pam.nix')
| -rw-r--r-- | nixos/modules/security/pam.nix | 30 |
1 files changed, 29 insertions, 1 deletions
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index 9a1acba00d0ea..9f89508bd1fe5 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -142,6 +142,16 @@ let ''; }; + mysqlAuth = mkOption { + default = config.users.mysql.enable; + defaultText = literalExpression "config.users.mysql.enable"; + type = types.bool; + description = '' + If set, the <literal>pam_mysql</literal> module will be used to + authenticate users against a MySQL/MariaDB database. + ''; + }; + fprintAuth = mkOption { default = config.services.fprintd.enable; defaultText = literalExpression "config.services.fprintd.enable"; @@ -441,11 +451,13 @@ let ( '' # Account management. - account required pam_unix.so '' + optionalString use_ldap '' account sufficient ${pam_ldap}/lib/security/pam_ldap.so '' + + optionalString cfg.mysqlAuth '' + account sufficient ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf + '' + optionalString (config.services.sssd.enable && cfg.sssdStrictAccess==false) '' account sufficient ${pkgs.sssd}/lib/security/pam_sss.so '' + @@ -459,7 +471,11 @@ let account [success=ok ignore=ignore default=die] ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so account [success=ok default=ignore] ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_admin.so '' + + # The required pam_unix.so module has to come after all the sufficient modules + # because otherwise, the account lookup will fail if the user does not exist + # locally, for example with MySQL- or LDAP-auth. '' + account required pam_unix.so # Authentication management. '' + @@ -475,6 +491,9 @@ let optionalString cfg.logFailures '' auth required pam_faillock.so '' + + optionalString cfg.mysqlAuth '' + auth sufficient ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf + '' + optionalString (config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth) '' auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=${lib.concatStringsSep ":" config.services.openssh.authorizedKeysFiles} '' + @@ -572,6 +591,9 @@ let optionalString use_ldap '' password sufficient ${pam_ldap}/lib/security/pam_ldap.so '' + + optionalString cfg.mysqlAuth '' + password sufficient ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf + '' + optionalString config.services.sssd.enable '' password sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_authtok '' + @@ -615,6 +637,9 @@ let optionalString use_ldap '' session optional ${pam_ldap}/lib/security/pam_ldap.so '' + + optionalString cfg.mysqlAuth '' + session optional ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf + '' + optionalString config.services.sssd.enable '' session optional ${pkgs.sssd}/lib/security/pam_sss.so '' + @@ -1236,6 +1261,9 @@ in optionalString (isEnabled (cfg: cfg.oathAuth)) '' "mr ${pkgs.oath-toolkit}/lib/security/pam_oath.so, '' + + optionalString (isEnabled (cfg: cfg.mysqlAuth)) '' + mr ${pkgs.pam_mysql}/lib/security/pam_mysql.so, + '' + optionalString (isEnabled (cfg: cfg.yubicoAuth)) '' mr ${pkgs.yubico-pam}/lib/security/pam_yubico.so, '' + |