diff options
| author | Silvan Mosberger <contact@infinisil.com> | 2023-10-16 19:41:00 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2023-10-16 19:41:00 +0200 |
| commit | e0b3b074fb4ba6f7775577bf197bf9993fc85bfc (patch) | |
| tree | bc50b95dfc1c4ac4e72dbbdad55dd7064d999c0f /nixos/modules/security | |
| parent | 232473893c3d367e7161dfa7b33424fc07b6582b (diff) | |
| parent | 9d6e6e18bccb8e4dbcc5d68263cdcac16ce51973 (diff) | |
Merge pull request #255547 from Majiir/pam-modular-rules
nixos/pam: assemble rules from modular configuration
Diffstat (limited to 'nixos/modules/security')
| -rw-r--r-- | nixos/modules/security/pam.nix | 748 |
1 files changed, 392 insertions, 356 deletions
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index d83259ccbebc1..709bb8b94a659 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -6,6 +6,92 @@ with lib; let + + mkRulesTypeOption = type: mkOption { + # These options are experimental and subject to breaking changes without notice. + description = lib.mdDoc '' + PAM `${type}` rules for this service. + + Attribute keys are the name of each rule. + ''; + type = types.attrsOf (types.submodule ({ name, config, ... }: { + options = { + name = mkOption { + type = types.str; + description = lib.mdDoc '' + Name of this rule. + ''; + internal = true; + readOnly = true; + }; + enable = mkOption { + type = types.bool; + default = true; + description = lib.mdDoc '' + Whether this rule is added to the PAM service config file. + ''; + }; + order = mkOption { + type = types.int; + description = lib.mdDoc '' + Order of this rule in the service file. Rules are arranged in ascending order of this value. + + ::: {.warning} + The `order` values for the built-in rules are subject to change. If you assign a constant value to this option, a system update could silently reorder your rule. You could be locked out of your system, or your system could be left wide open. When using this option, set it to a relative offset from another rule's `order` value: + + ```nix + { + security.pam.services.login.rules.auth.foo.order = + config.security.pam.services.login.rules.auth.unix.order + 10; + } + ``` + ::: + ''; + }; + control = mkOption { + type = types.str; + description = lib.mdDoc '' + Indicates the behavior of the PAM-API should the module fail to succeed in its authentication task. See `control` in {manpage}`pam.conf(5)` for details. + ''; + }; + modulePath = mkOption { + type = types.str; + description = lib.mdDoc '' + Either the full filename of the PAM to be used by the application (it begins with a '/'), or a relative pathname from the default module location. See `module-path` in {manpage}`pam.conf(5)` for details. + ''; + }; + args = mkOption { + type = types.listOf types.str; + description = lib.mdDoc '' + Tokens that can be used to modify the specific behavior of the given PAM. Such arguments will be documented for each individual module. See `module-arguments` in {manpage}`pam.conf(5)` for details. + + Escaping rules for spaces and square brackets are automatically applied. + + {option}`settings` are automatically added as {option}`args`. It's recommended to use the {option}`settings` option whenever possible so that arguments can be overridden. + ''; + }; + settings = mkOption { + type = with types; attrsOf (nullOr (oneOf [ bool str int pathInStore ])); + default = {}; + description = lib.mdDoc '' + Settings to add as `module-arguments`. + + Boolean values render just the key if true, and nothing if false. Null values are ignored. All other values are rendered as key-value pairs. + ''; + }; + }; + config = { + inherit name; + # Formats an attrset of settings as args for use as `module-arguments`. + args = concatLists (flip mapAttrsToList config.settings (name: value: + if isBool value + then optional value name + else optional (value != null) "${name}=${toString value}" + )); + }; + })); + }; + parentConfig = config; pamOpts = { config, name, ... }: let cfg = config; in let config = parentConfig; in { @@ -18,6 +104,28 @@ let description = lib.mdDoc "Name of the PAM service."; }; + rules = mkOption { + # This option is experimental and subject to breaking changes without notice. + visible = false; + + description = lib.mdDoc '' + PAM rules for this service. + + ::: {.warning} + This option and its suboptions are experimental and subject to breaking changes without notice. + + If you use this option in your system configuration, you will need to manually monitor this module for any changes. Otherwise, failure to adjust your configuration properly could lead to you being locked out of your system, or worse, your system could be left wide open to attackers. + + If you share configuration examples that use this option, you MUST include this warning so that users are informed. + + You may freely use this option within `nixpkgs`, and future changes will account for those use sites. + ::: + ''; + type = types.submodule { + options = genAttrs [ "account" "auth" "password" "session" ] mkRulesTypeOption; + }; + }; + unixAuth = mkOption { default = true; type = types.bool; @@ -470,90 +578,114 @@ let setLoginUid = mkDefault cfg.startSession; limits = mkDefault config.security.pam.loginLimits; + text = let + ensureUniqueOrder = type: rules: + let + checkPair = a: b: assert assertMsg (a.order != b.order) "security.pam.services.${name}.rules.${type}: rules '${a.name}' and '${b.name}' cannot have the same order value (${toString a.order})"; b; + checked = zipListsWith checkPair rules (drop 1 rules); + in take 1 rules ++ checked; + # Formats a string for use in `module-arguments`. See `man pam.conf`. + formatModuleArgument = token: + if hasInfix " " token + then "[${replaceStrings ["]"] ["\\]"] token}]" + else token; + formatRules = type: pipe cfg.rules.${type} [ + attrValues + (filter (rule: rule.enable)) + (sort (a: b: a.order < b.order)) + (ensureUniqueOrder type) + (map (rule: concatStringsSep " " ( + [ type rule.control rule.modulePath ] + ++ map formatModuleArgument rule.args + ++ [ "# ${rule.name} (order ${toString rule.order})" ] + ))) + (concatStringsSep "\n") + ]; + in mkDefault '' + # Account management. + ${formatRules "account"} + + # Authentication management. + ${formatRules "auth"} + + # Password management. + ${formatRules "password"} + + # Session management. + ${formatRules "session"} + ''; + # !!! TODO: move the LDAP stuff to the LDAP module, and the # Samba stuff to the Samba module. This requires that the PAM # module provides the right hooks. - text = mkDefault - ( - '' - # Account management. - '' + - optionalString use_ldap '' - account sufficient ${pam_ldap}/lib/security/pam_ldap.so - '' + - optionalString cfg.mysqlAuth '' - account sufficient ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf - '' + - optionalString (config.services.kanidm.enablePam) '' - account sufficient ${pkgs.kanidm}/lib/pam_kanidm.so ignore_unknown_user - '' + - optionalString (config.services.sssd.enable && cfg.sssdStrictAccess==false) '' - account sufficient ${pkgs.sssd}/lib/security/pam_sss.so - '' + - optionalString (config.services.sssd.enable && cfg.sssdStrictAccess) '' - account [default=bad success=ok user_unknown=ignore] ${pkgs.sssd}/lib/security/pam_sss.so - '' + - optionalString config.security.pam.krb5.enable '' - account sufficient ${pam_krb5}/lib/security/pam_krb5.so - '' + - optionalString cfg.googleOsLoginAccountVerification '' - account [success=ok ignore=ignore default=die] ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so - account [success=ok default=ignore] ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_admin.so - '' + - optionalString config.services.homed.enable '' - account sufficient ${config.systemd.package}/lib/security/pam_systemd_home.so - '' + + rules = let + autoOrderRules = flip pipe [ + (imap1 (index: rule: rule // { order = mkDefault (10000 + index * 100); } )) + (map (rule: nameValuePair rule.name (removeAttrs rule [ "name" ]))) + listToAttrs + ]; + in { + account = autoOrderRules [ + { name = "ldap"; enable = use_ldap; control = "sufficient"; modulePath = "${pam_ldap}/lib/security/pam_ldap.so"; } + { name = "mysql"; enable = cfg.mysqlAuth; control = "sufficient"; modulePath = "${pkgs.pam_mysql}/lib/security/pam_mysql.so"; settings = { + config_file = "/etc/security/pam_mysql.conf"; + }; } + { name = "kanidm"; enable = config.services.kanidm.enablePam; control = "sufficient"; modulePath = "${pkgs.kanidm}/lib/pam_kanidm.so"; settings = { + ignore_unknown_user = true; + }; } + { name = "sss"; enable = config.services.sssd.enable; control = if cfg.sssdStrictAccess then "[default=bad success=ok user_unknown=ignore]" else "sufficient"; modulePath = "${pkgs.sssd}/lib/security/pam_sss.so"; } + { name = "krb5"; enable = config.security.pam.krb5.enable; control = "sufficient"; modulePath = "${pam_krb5}/lib/security/pam_krb5.so"; } + { name = "oslogin_login"; enable = cfg.googleOsLoginAccountVerification; control = "[success=ok ignore=ignore default=die]"; modulePath = "${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so"; } + { name = "oslogin_admin"; enable = cfg.googleOsLoginAccountVerification; control = "[success=ok default=ignore]"; modulePath = "${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_admin.so"; } + { name = "systemd_home"; enable = config.services.homed.enable; control = "sufficient"; modulePath = "${config.systemd.package}/lib/security/pam_systemd_home.so"; } # The required pam_unix.so module has to come after all the sufficient modules # because otherwise, the account lookup will fail if the user does not exist # locally, for example with MySQL- or LDAP-auth. - '' - account required pam_unix.so - - # Authentication management. - '' + - optionalString cfg.googleOsLoginAuthentication '' - auth [success=done perm_denied=die default=ignore] ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so - '' + - optionalString cfg.rootOK '' - auth sufficient pam_rootok.so - '' + - optionalString cfg.requireWheel '' - auth required pam_wheel.so use_uid - '' + - optionalString cfg.logFailures '' - auth required pam_faillock.so - '' + - optionalString cfg.mysqlAuth '' - auth sufficient ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf - '' + - optionalString (config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth) '' - auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=${lib.concatStringsSep ":" config.services.openssh.authorizedKeysFiles} - '' + - (let p11 = config.security.pam.p11; in optionalString cfg.p11Auth '' - auth ${p11.control} ${pkgs.pam_p11}/lib/security/pam_p11.so ${pkgs.opensc}/lib/opensc-pkcs11.so - '') + - (let u2f = config.security.pam.u2f; in optionalString cfg.u2fAuth ('' - auth ${u2f.control} ${pkgs.pam_u2f}/lib/security/pam_u2f.so ${optionalString u2f.debug "debug"} ${optionalString (u2f.authFile != null) "authfile=${u2f.authFile}"} '' - + ''${optionalString u2f.interactive "interactive"} ${optionalString u2f.cue "cue"} ${optionalString (u2f.appId != null) "appid=${u2f.appId}"} ${optionalString (u2f.origin != null) "origin=${u2f.origin}"} - '')) + - optionalString cfg.usbAuth '' - auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so - '' + - (let ussh = config.security.pam.ussh; in optionalString (config.security.pam.ussh.enable && cfg.usshAuth) '' - auth ${ussh.control} ${pkgs.pam_ussh}/lib/security/pam_ussh.so ${optionalString (ussh.caFile != null) "ca_file=${ussh.caFile}"} ${optionalString (ussh.authorizedPrincipals != null) "authorized_principals=${ussh.authorizedPrincipals}"} ${optionalString (ussh.authorizedPrincipalsFile != null) "authorized_principals_file=${ussh.authorizedPrincipalsFile}"} ${optionalString (ussh.group != null) "group=${ussh.group}"} - '') + - (let oath = config.security.pam.oath; in optionalString cfg.oathAuth '' - auth requisite ${pkgs.oath-toolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits} - '') + - (let yubi = config.security.pam.yubico; in optionalString cfg.yubicoAuth '' - auth ${yubi.control} ${pkgs.yubico-pam}/lib/security/pam_yubico.so mode=${toString yubi.mode} ${optionalString (yubi.challengeResponsePath != null) "chalresp_path=${yubi.challengeResponsePath}"} ${optionalString (yubi.mode == "client") "id=${toString yubi.id}"} ${optionalString yubi.debug "debug"} - '') + - (let dp9ik = config.security.pam.dp9ik; in optionalString dp9ik.enable '' - auth ${dp9ik.control} ${pkgs.pam_dp9ik}/lib/security/pam_p9.so ${dp9ik.authserver} - '') + - optionalString cfg.fprintAuth '' - auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so - '' + + { name = "unix"; control = "required"; modulePath = "pam_unix.so"; } + ]; + + auth = autoOrderRules ([ + { name = "oslogin_login"; enable = cfg.googleOsLoginAuthentication; control = "[success=done perm_denied=die default=ignore]"; modulePath = "${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so"; } + { name = "rootok"; enable = cfg.rootOK; control = "sufficient"; modulePath = "pam_rootok.so"; } + { name = "wheel"; enable = cfg.requireWheel; control = "required"; modulePath = "pam_wheel.so"; settings = { + use_uid = true; + }; } + { name = "faillock"; enable = cfg.logFailures; control = "required"; modulePath = "pam_faillock.so"; } + { name = "mysql"; enable = cfg.mysqlAuth; control = "sufficient"; modulePath = "${pkgs.pam_mysql}/lib/security/pam_mysql.so"; settings = { + config_file = "/etc/security/pam_mysql.conf"; + }; } + { name = "ssh_agent_auth"; enable = config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth; control = "sufficient"; modulePath = "${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so"; settings = { + file = lib.concatStringsSep ":" config.services.openssh.authorizedKeysFiles; + }; } + (let p11 = config.security.pam.p11; in { name = "p11"; enable = cfg.p11Auth; control = p11.control; modulePath = "${pkgs.pam_p11}/lib/security/pam_p11.so"; args = [ + "${pkgs.opensc}/lib/opensc-pkcs11.so" + ]; }) + (let u2f = config.security.pam.u2f; in { name = "u2f"; enable = cfg.u2fAuth; control = u2f.control; modulePath = "${pkgs.pam_u2f}/lib/security/pam_u2f.so"; settings = { + inherit (u2f) debug interactive cue origin; + authfile = u2f.authFile; + appid = u2f.appId; + }; }) + { name = "usb"; enable = cfg.usbAuth; control = "sufficient"; modulePath = "${pkgs.pam_usb}/lib/security/pam_usb.so"; } + (let ussh = config.security.pam.ussh; in { name = "ussh"; enable = config.security.pam.ussh.enable && cfg.usshAuth; control = ussh.control; modulePath = "${pkgs.pam_ussh}/lib/security/pam_ussh.so"; settings = { + ca_file = ussh.caFile; + authorized_principals = ussh.authorizedPrincipals; + authorized_principals_file = ussh.authorizedPrincipalsFile; + inherit (ussh) group; + }; }) + (let oath = config.security.pam.oath; in { name = "oath"; enable = cfg.oathAuth; control = "requisite"; modulePath = "${pkgs.oath-toolkit}/lib/security/pam_oath.so"; settings = { + inherit (oath) window digits; + usersfile = oath.usersFile; + }; }) + (let yubi = config.security.pam.yubico; in { name = "yubico"; enable = cfg.yubicoAuth; control = yubi.control; modulePath = "${pkgs.yubico-pam}/lib/security/pam_yubico.so"; settings = { + inherit (yubi) mode debug; + chalresp_path = yubi.challengeResponsePath; + id = mkIf (yubi.mode == "client") yubi.id; + }; }) + (let dp9ik = config.security.pam.dp9ik; in { name = "p9"; enable = dp9ik.enable; control = dp9ik.control; modulePath = "${pkgs.pam_dp9ik}/lib/security/pam_p9.so"; args = [ + dp9ik.authserver + ]; }) + { name = "fprintd"; enable = cfg.fprintAuth; control = "sufficient"; modulePath = "${pkgs.fprintd}/lib/security/pam_fprintd.so"; } + ] ++ # Modules in this block require having the password set in PAM_AUTHTOK. # pam_unix is marked as 'sufficient' on NixOS which means nothing will run # after it succeeds. Certain modules need to run after pam_unix @@ -562,7 +694,7 @@ let # We use try_first_pass the second time to avoid prompting password twice. # # The same principle applies to systemd-homed - (optionalString ((cfg.unixAuth || config.services.homed.enable) && + (optionals ((cfg.unixAuth || config.services.homed.enable) && (config.security.pam.enableEcryptfs || config.security.pam.enableFscrypt || cfg.pamMount @@ -573,199 +705,173 @@ let || cfg.failDelay.enable || cfg.duoSecurity.enable || cfg.zfs)) - ( - optionalString config.services.homed.enable '' - auth optional ${config.systemd.package}/lib/security/pam_systemd_home.so - '' + - optionalString cfg.unixAuth '' - auth optional pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth - '' + - optionalString config.security.pam.enableEcryptfs '' - auth optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap - '' + - optionalString config.security.pam.enableFscrypt '' - auth optional ${pkgs.fscrypt-experimental}/lib/security/pam_fscrypt.so - '' + - optionalString cfg.zfs '' - auth optional ${config.boot.zfs.package}/lib/security/pam_zfs_key.so homes=${config.security.pam.zfs.homes} - '' + - optionalString cfg.pamMount '' - auth optional ${pkgs.pam_mount}/lib/security/pam_mount.so disable_interactive - '' + - optionalString cfg.enableKwallet '' - auth optional ${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so kwalletd=${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5 - '' + - optionalString cfg.enableGnomeKeyring '' - auth optional ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so - '' + - optionalString cfg.gnupg.enable '' - auth optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so ${optionalString cfg.gnupg.storeOnly " store-only"} - '' + - optionalString cfg.failDelay.enable '' - auth optional ${pkgs.pam}/lib/security/pam_faildelay.so delay=${toString cfg.failDelay.delay} - '' + - optionalString cfg.googleAuthenticator.enable '' - auth required ${pkgs.google-authenticator}/lib/security/pam_google_authenticator.so no_increment_hotp - '' + - optionalString cfg.duoSecurity.enable '' - auth required ${pkgs.duo-unix}/lib/security/pam_duo.so - '' - )) + - optionalString config.services.homed.enable '' - auth sufficient ${config.systemd.package}/lib/security/pam_systemd_home.so - '' + - optionalString cfg.unixAuth '' - auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth try_first_pass - '' + - optionalString cfg.otpwAuth '' - auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so - '' + - optionalString use_ldap '' - auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass - '' + - optionalString config.services.kanidm.enablePam '' - auth sufficient ${pkgs.kanidm}/lib/pam_kanidm.so ignore_unknown_user use_first_pass - '' + - optionalString config.services.sssd.enable '' - auth sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_first_pass - '' + - optionalString config.security.pam.krb5.enable '' - auth [default=ignore success=1 service_err=reset] ${pam_krb5}/lib/security/pam_krb5.so use_first_pass - auth [default=die success=done] ${pam_ccreds}/lib/security/pam_ccreds.so action=validate use_first_pass - auth sufficient ${pam_ccreds}/lib/security/pam_ccreds.so action=store use_first_pass - '' + - '' - auth required pam_deny.so - - # Password management. - '' + - optionalString config.services.homed.enable '' - password sufficient ${config.systemd.package}/lib/security/pam_systemd_home.so - '' + '' - password sufficient pam_unix.so nullok yescrypt - '' + - optionalString config.security.pam.enableEcryptfs '' - password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so - '' + - optionalString config.security.pam.enableFscrypt '' - password optional ${pkgs.fscrypt-experimental}/lib/security/pam_fscrypt.so - '' + - optionalString cfg.zfs '' - password optional ${config.boot.zfs.package}/lib/security/pam_zfs_key.so homes=${config.security.pam.zfs.homes} - '' + - optionalString cfg.pamMount '' - password optional ${pkgs.pam_mount}/lib/security/pam_mount.so - '' + - optionalString use_ldap '' - password sufficient ${pam_ldap}/lib/security/pam_ldap.so - '' + - optionalString cfg.mysqlAuth '' - password sufficient ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf - '' + - optionalString config.services.kanidm.enablePam '' - password sufficient ${pkgs.kanidm}/lib/pam_kanidm.so - '' + - optionalString config.services.sssd.enable '' - password sufficient ${pkgs.sssd}/lib/security/pam_sss.so - '' + - optionalString config.security.pam.krb5.enable '' - password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass - '' + - optionalString cfg.enableGnomeKeyring '' - password optional ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so use_authtok - '' + - '' + [ + { name = "systemd_home-early"; enable = config.services.homed.enable; control = "optional"; modulePath = "${config.systemd.package}/lib/security/pam_systemd_home.so"; } + { name = "unix-early"; enable = cfg.unixAuth; control = "optional"; modulePath = "pam_unix.so"; settings = { + nullok = cfg.allowNullPassword; + inherit (cfg) nodelay; + likeauth = true; + }; } + { name = "ecryptfs"; enable = config.security.pam.enableEcryptfs; control = "optional"; modulePath = "${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"; settings = { + unwrap = true; + }; } + { name = "fscrypt"; enable = config.security.pam.enableFscrypt; control = "optional"; modulePath = "${pkgs.fscrypt-experimental}/lib/security/pam_fscrypt.so"; } + { name = "zfs_key"; enable = cfg.zfs; control = "optional"; modulePath = "${config.boot.zfs.package}/lib/security/pam_zfs_key.so"; settings = { + inherit (config.security.pam.zfs) homes; + }; } + { name = "mount"; enable = cfg.pamMount; control = "optional"; modulePath = "${pkgs.pam_mount}/lib/security/pam_mount.so"; settings = { + disable_interactive = true; + }; } + { name = "kwallet5"; enable = cfg.enableKwallet; control = "optional"; modulePath = "${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so"; settings = { + kwalletd = "${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5"; + }; } + { name = "gnome_keyring"; enable = cfg.enableGnomeKeyring; control = "optional"; modulePath = "${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so"; } + { name = "gnupg"; enable = cfg.gnupg.enable; control = "optional"; modulePath = "${pkgs.pam_gnupg}/lib/security/pam_gnupg.so"; settings = { + store-only = cfg.gnupg.storeOnly; + }; } + { name = "faildelay"; enable = cfg.failDelay.enable; control = "optional"; modulePath = "${pkgs.pam}/lib/security/pam_faildelay.so"; settings = { + inherit (cfg.failDelay) delay; + }; } + { name = "google_authenticator"; enable = cfg.googleAuthenticator.enable; control = "required"; modulePath = "${pkgs.google-authenticator}/lib/security/pam_google_authenticator.so"; settings = { + no_increment_hotp = true; + }; } + { name = "duo"; enable = cfg.duoSecurity.enable; control = "required"; modulePath = "${pkgs.duo-unix}/lib/security/pam_duo.so"; } + ]) ++ [ + { name = "systemd_home"; enable = config.services.homed.enable; control = "sufficient"; modulePath = "${config.systemd.package}/lib/security/pam_systemd_home.so"; } + { name = "unix"; enable = cfg.unixAuth; control = "sufficient"; modulePath = "pam_unix.so"; settings = { + nullok = cfg.allowNullPassword; + inherit (cfg) nodelay; + likeauth = true; + try_first_pass = true; + }; } + { name = "otpw"; enable = cfg.otpwAuth; control = "sufficient"; modulePath = "${pkgs.otpw}/lib/security/pam_otpw.so"; } + { name = "ldap"; enable = use_ldap; control = "sufficient"; modulePath = "${pam_ldap}/lib/security/pam_ldap.so"; settings = { + use_first_pass = true; + }; } + { name = "kanidm"; enable = config.services.kanidm.enablePam; control = "sufficient"; modulePath = "${pkgs.kanidm}/lib/pam_kanidm.so"; settings = { + ignore_unknown_user = true; + use_first_pass = true; + }; } + { name = "sss"; enable = config.services.sssd.enable; control = "sufficient"; modulePath = "${pkgs.sssd}/lib/security/pam_sss.so"; settings = { + use_first_pass = true; + }; } + { name = "krb5"; enable = config.security.pam.krb5.enable; control = "[default=ignore success=1 service_err=reset]"; modulePath = "${pam_krb5}/lib/security/pam_krb5.so"; settings = { + use_first_pass = true; + }; } + { name = "ccreds-validate"; enable = config.security.pam.krb5.enable; control = "[default=die success=done]"; modulePath = "${pam_ccreds}/lib/security/pam_ccreds.so"; settings = { + action = "validate"; + use_first_pass = true; + }; } + { name = "ccreds-store"; enable = config.security.pam.krb5.enable; control = "sufficient"; modulePath = "${pam_ccreds}/lib/security/pam_ccreds.so"; settings = { + action = "store"; + use_first_pass = true; + }; } + { name = "deny"; control = "required"; modulePath = "pam_deny.so"; } + ]); + + password = autoOrderRules [ + { name = "systemd_home"; enable = config.services.homed.enable; control = "sufficient"; modulePath = "${config.systemd.package}/lib/security/pam_systemd_home.so"; } + { name = "unix"; control = "sufficient"; modulePath = "pam_unix.so"; settings = { + nullok = true; + yescrypt = true; + }; } + { name = "ecryptfs"; enable = config.security.pam.enableEcryptfs; control = "optional"; modulePath = "${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"; } + { name = "fscrypt"; enable = config.security.pam.enableFscrypt; control = "optional"; modulePath = "${pkgs.fscrypt-experimental}/lib/security/pam_fscrypt.so"; } + { name = "zfs_key"; enable = cfg.zfs; control = "optional"; modulePath = "${config.boot.zfs.package}/lib/security/pam_zfs_key.so"; settings = { + inherit (config.security.pam.zfs) homes; + }; } + { name = "mount"; enable = cfg.pamMount; control = "optional"; modulePath = "${pkgs.pam_mount}/lib/security/pam_mount.so"; } + { name = "ldap"; enable = use_ldap; control = "sufficient"; modulePath = "${pam_ldap}/lib/security/pam_ldap.so"; } + { name = "mysql"; enable = cfg.mysqlAuth; control = "sufficient"; modulePath = "${pkgs.pam_mysql}/lib/security/pam_mysql.so"; settings = { + config_file = "/etc/security/pam_mysql.conf"; + }; } + { name = "kanidm"; enable = config.services.kanidm.enablePam; control = "sufficient"; modulePath = "${pkgs.kanidm}/lib/pam_kanidm.so"; } + { name = "sss"; enable = config.services.sssd.enable; control = "sufficient"; modulePath = "${pkgs.sssd}/lib/security/pam_sss.so"; } + { name = "krb5"; enable = config.security.pam.krb5.enable; control = "sufficient"; modulePath = "${pam_krb5}/lib/security/pam_krb5.so"; settings = { + use_first_pass = true; + }; } + { name = "gnome_keyring"; enable = cfg.enableGnomeKeyring; control = "optional"; modulePath = "${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so"; settings = { + use_authtok = true; + }; } + ]; - # Session management. - '' + - optionalString cfg.setEnvironment '' - session required pam_env.so conffile=/etc/pam/environment readenv=0 - '' + - '' - session required pam_unix.so - '' + - optionalString cfg.setLoginUid '' - session ${if config.boot.isContainer then "optional" else "required"} pam_loginuid.so - '' + - optionalString cfg.ttyAudit.enable (concatStringsSep " \\\n " ([ - "session required ${pkgs.pam}/lib/security/pam_tty_audit.so" - ] ++ optional cfg.ttyAudit.openOnly "open_only" - ++ optional (cfg.ttyAudit.enablePattern != null) "enable=${cfg.ttyAudit.enablePattern}" - ++ optional (cfg.ttyAudit.disablePattern != null) "disable=${cfg.ttyAudit.disablePattern}" - )) + - optionalString config.services.homed.enable '' - session required ${config.systemd.package}/lib/security/pam_systemd_home.so - '' + - optionalString cfg.makeHomeDir '' - session required ${pkgs.pam}/lib/security/pam_mkhomedir.so silent skel=${config.security.pam.makeHomeDir.skelDirectory} umask=${config.security.pam.makeHomeDir.umask} - '' + - optionalString cfg.updateWtmp '' - session required ${pkgs.pam}/lib/security/pam_lastlog.so silent - '' + - optionalString config.security.pam.enableEcryptfs '' - session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so - '' + - optionalString config.security.pam.enableFscrypt '' - # Work around https://github.com/systemd/systemd/issues/8598 - # Skips the pam_fscrypt module for systemd-user sessions which do not have a password - # anyways. - # See also https://github.com/google/fscrypt/issues/95 - session [success=1 default=ignore] pam_succeed_if.so service = systemd-user - session optional ${pkgs.fscrypt-experimental}/lib/security/pam_fscrypt.so - '' + - optionalString cfg.zfs '' - session [success=1 default=ignore] pam_succeed_if.so service = systemd-user - session optional ${config.boot.zfs.package}/lib/security/pam_zfs_key.so homes=${config.security.pam.zfs.homes} ${optionalString config.security.pam.zfs.noUnmount "nounmount"} - '' + - optionalString cfg.pamMount '' - session optional ${pkgs.pam_mount}/lib/security/pam_mount.so disable_interactive - '' + - optionalString use_ldap '' - session optional ${pam_ldap}/lib/security/pam_ldap.so - '' + - optionalString cfg.mysqlAuth '' - session optional ${pkgs.pam_mysql}/lib/security/pam_mysql.so config_file=/etc/security/pam_mysql.conf - '' + - optionalString config.services.kanidm.enablePam '' - session optional ${pkgs.kanidm}/lib/pam_kanidm.so - '' + - optionalString config.services.sssd.enable '' - session optional ${pkgs.sssd}/lib/security/pam_sss.so - '' + - optionalString config.security.pam.krb5.enable '' - session optional ${pam_krb5}/lib/security/pam_krb5.so - '' + - optionalString cfg.otpwAuth '' - session optional ${pkgs.otpw}/lib/security/pam_otpw.so - '' + - optionalString cfg.startSession '' - session optional ${config.systemd.package}/lib/security/pam_systemd.so - '' + - optionalString cfg.forwardXAuth '' - session optional pam_xauth.so xauthpath=${pkgs.xorg.xauth}/bin/xauth systemuser=99 - '' + - optionalString (cfg.limits != []) '' - session required ${pkgs.pam}/lib/security/pam_limits.so conf=${makeLimitsConf cfg.limits} - '' + - optionalString (cfg.showMotd && (config.users.motd != null || config.users.motdFile != null)) '' - session optional ${pkgs.pam}/lib/security/pam_motd.so motd=${motd} - '' + - optionalString (cfg.enableAppArmor && config.security.apparmor.enable) '' - session optional ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so order=user,group,default debug - '' + - optionalString (cfg.enableKwallet) '' - session optional ${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so kwalletd=${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5 - '' + - optionalString (cfg.enableGnomeKeyring) '' - session optional ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start - '' + - optionalString cfg.gnupg.enable '' - session optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so ${optionalString cfg.gnupg.noAutostart " no-autostart"} - '' + - optionalString (config.virtualisation.lxc.lxcfs.enable) '' - session optional ${pkgs.lxc}/lib/security/pam_cgfs.so -c all - '' - ); + session = autoOrderRules [ + { name = "env"; enable = cfg.setEnvironment; control = "required"; modulePath = "pam_env.so"; settings = { + conffile = "/etc/pam/environment"; + readenv = 0; + }; } + { name = "unix"; control = "required"; modulePath = "pam_unix.so"; } + { name = "loginuid"; enable = cfg.setLoginUid; control = if config.boot.isContainer then "optional" else "required"; modulePath = "pam_loginuid.so"; } + { name = "tty_audit"; enable = cfg.ttyAudit.enable; control = "required"; modulePath = "${pkgs.pam}/lib/security/pam_tty_audit.so"; settings = { + open_only = cfg.ttyAudit.openOnly; + enable = cfg.ttyAudit.enablePattern; + disable = cfg.ttyAudit.disablePattern; + }; } + { name = "systemd_home"; enable = config.services.homed.enable; control = "required"; modulePath = "${config.systemd.package}/lib/security/pam_systemd_home.so"; } + { name = "mkhomedir"; enable = cfg.makeHomeDir; control = "required"; modulePath = "${pkgs.pam}/lib/security/pam_mkhomedir.so"; settings = { + silent = true; + skel = config.security.pam.makeHomeDir.skelDirectory; + inherit (config.security.pam.makeHomeDir) umask; + }; } + { name = "lastlog"; enable = cfg.updateWtmp; control = "required"; modulePath = "${pkgs.pam}/lib/security/pam_lastlog.so"; settings = { + silent = true; + }; } + { name = "ecryptfs"; enable = config.security.pam.enableEcryptfs; control = "optional"; modulePath = "${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"; } + # Work around https://github.com/systemd/systemd/issues/8598 + # Skips the pam_fscrypt module for systemd-user sessions which do not have a password + # anyways. + # See also https://github.com/google/fscrypt/issues/95 + { name = "fscrypt-skip-systemd"; enable = config.security.pam.enableFscrypt; control = "[success=1 default=ignore]"; modulePath = "pam_succeed_if.so"; args = [ + "service" "=" "systemd-user" + ]; } + { name = "fscrypt"; enable = config.security.pam.enableFscrypt; control = "optional"; modulePath = "${pkgs.fscrypt-experimental}/lib/security/pam_fscrypt.so"; } + { name = "zfs_key-skip-systemd"; enable = cfg.zfs; control = "[success=1 default=ignore]"; modulePath = "pam_succeed_if.so"; args = [ + "service" "=" "systemd-user" + ]; } + { name = "zfs_key"; enable = cfg.zfs; control = "optional"; modulePath = "${config.boot.zfs.package}/lib/security/pam_zfs_key.so"; settings = { + inherit (config.security.pam.zfs) homes; + nounmount = config.security.pam.zfs.noUnmount; + }; } + { name = "mount"; enable = cfg.pamMount; control = "optional"; modulePath = "${pkgs.pam_mount}/lib/security/pam_mount.so"; settings = { + disable_interactive = true; + }; } + { name = "ldap"; enable = use_ldap; control = "optional"; modulePath = "${pam_ldap}/lib/security/pam_ldap.so"; } + { name = "mysql"; enable = cfg.mysqlAuth; control = "optional"; modulePath = "${pkgs.pam_mysql}/lib/security/pam_mysql.so"; settings = { + config_file = "/etc/security/pam_mysql.conf"; + }; } + { name = "kanidm"; enable = config.services.kanidm.enablePam; control = "optional"; modulePath = "${pkgs.kanidm}/lib/pam_kanidm.so"; } + { name = "sss"; enable = config.services.sssd.enable; control = "optional"; modulePath = "${pkgs.sssd}/lib/security/pam_sss.so"; } + { name = "krb5"; enable = config.security.pam.krb5.enable; control = "optional"; modulePath = "${pam_krb5}/lib/security/pam_krb5.so"; } + { name = "otpw"; enable = cfg.otpwAuth; control = "optional"; modulePath = "${pkgs.otpw}/lib/security/pam_otpw.so"; } + { name = "systemd"; enable = cfg.startSession; control = "optional"; modulePath = "${config.systemd.package}/lib/security/pam_systemd.so"; } + { name = "xauth"; enable = cfg.forwardXAuth; control = "optional"; modulePath = "pam_xauth.so"; settings = { + xauthpath = "${pkgs.xorg.xauth}/bin/xauth"; + systemuser = 99; + }; } + { name = "limits"; enable = cfg.limits != []; control = "required"; modulePath = "${pkgs.pam}/lib/security/pam_limits.so"; settings = { + conf = "${makeLimitsConf cfg.limits}"; + }; } + { name = "motd"; enable = cfg.showMotd && (config.users.motd != null || config.users.motdFile != null); control = "optional"; modulePath = "${pkgs.pam}/lib/security/pam_motd.so"; settings = { + inherit motd; + }; } + { name = "apparmor"; enable = cfg.enableAppArmor && config.security.apparmor.enable; control = "optional"; modulePath = "${pkgs.apparmor-pam}/lib/security/pam_apparmor.so"; settings = { + order = "user,group,default"; + debug = true; + }; } + { name = "kwallet5"; enable = cfg.enableKwallet; control = "optional"; modulePath = "${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so"; settings = { + kwalletd = "${pkgs.plasma5Packages.kwallet.bin}/bin/kwalletd5"; + }; } + { name = "gnome_keyring"; enable = cfg.enableGnomeKeyring; control = "optional"; modulePath = "${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so"; settings = { + auto_start = true; + }; } + { name = "gnupg"; enable = cfg.gnupg.enable; control = "optional"; modulePath = "${pkgs.pam_gnupg}/lib/security/pam_gnupg.so"; settings = { + no-autostart = cfg.gnupg.noAutostart; + }; } + { name = "cgfs"; enable = config.virtualisation.lxc.lxcfs.enable; control = "optional"; modulePath = "${pkgs.lxc}/lib/security/pam_cgfs.so"; args = [ + "-c" "all" + ]; } + ]; + }; }; }; @@ -841,6 +947,8 @@ in { + meta.maintainers = [ maintainers.majiir ]; + imports = [ (mkRenamedOptionModule [ "security" "pam" "enableU2F" ] [ "security" "pam" "u2f" "enable" ]) ]; @@ -1402,9 +1510,7 @@ in fscrypt = {}; }; - security.apparmor.includes."abstractions/pam" = let - isEnabled = test: fold or false (map test (attrValues config.security.pam.services)); - in + security.apparmor.includes."abstractions/pam" = lib.concatMapStrings (name: "r ${config.environment.etc."pam.d/${name}".source},\n") (attrNames config.security.pam.services) + @@ -1413,88 +1519,18 @@ in mr ${getLib pkgs.pam}/lib/security/pam_*.so, r ${getLib pkgs.pam}/lib/security/, '' + - optionalString use_ldap '' - mr ${pam_ldap}/lib/security/pam_ldap.so, - '' + - optionalString config.services.kanidm.enablePam '' - mr ${pkgs.kanidm}/lib/pam_kanidm.so, - '' + - optionalString config.services.sssd.enable '' - mr ${pkgs.sssd}/lib/security/pam_sss.so, - '' + - optionalString config.security.pam.krb5.enable '' - mr ${pam_krb5}/lib/security/pam_krb5.so, - mr ${pam_ccreds}/lib/security/pam_ccreds.so, - '' + - optionalString (isEnabled (cfg: cfg.googleOsLoginAccountVerification)) '' - mr ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so, - mr ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_admin.so, - '' + - optionalString (isEnabled (cfg: cfg.googleOsLoginAuthentication)) '' - mr ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so, - '' + - optionalString (config.security.pam.enableSSHAgentAuth - && isEnabled (cfg: cfg.sshAgentAuth)) '' - mr ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so, - '' + - optionalString (isEnabled (cfg: cfg.fprintAuth)) '' - mr ${pkgs.fprintd}/lib/security/pam_fprintd.so, - '' + - optionalString (isEnabled (cfg: cfg.u2fAuth)) '' - mr ${pkgs.pam_u2f}/lib/security/pam_u2f.so, - '' + - optionalString (isEnabled (cfg: cfg.usbAuth)) '' - mr ${pkgs.pam_usb}/lib/security/pam_usb.so, - '' + - optionalString (isEnabled (cfg: cfg.usshAuth)) '' - mr ${pkgs.pam_ussh}/lib/security/pam_ussh.so, - '' + - optionalString (isEnabled (cfg: cfg.oathAuth)) '' - "mr ${pkgs.oath-toolkit}/lib/security/pam_oath.so, - '' + - optionalString (isEnabled (cfg: cfg.mysqlAuth)) '' - mr ${pkgs.pam_mysql}/lib/security/pam_mysql.so, - '' + - optionalString (isEnabled (cfg: cfg.yubicoAuth)) '' - mr ${pkgs.yubico-pam}/lib/security/pam_yubico.so, - '' + - optionalString (isEnabled (cfg: cfg.duoSecurity.enable)) '' - mr ${pkgs.duo-unix}/lib/security/pam_duo.so, - '' + - optionalString (isEnabled (cfg: cfg.otpwAuth)) '' - mr ${pkgs.otpw}/lib/security/pam_otpw.so, - '' + - optionalString config.security.pam.enableEcryptfs '' - mr ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so, - '' + - optionalString config.security.pam.enableFscrypt '' - mr ${pkgs.fscrypt-experimental}/lib/security/pam_fscrypt.so, - '' + - optionalString (isEnabled (cfg: cfg.pamMount)) '' - mr ${pkgs.pam_mount}/lib/security/pam_mount.so, - '' + - optionalString (isEnabled (cfg: cfg.enableGnomeKeyring)) '' - mr ${pkgs.gnome.gnome-keyring}/lib/security/pam_gnome_keyring.so, - '' + - optionalString (isEnabled (cfg: cfg.startSession)) '' - mr ${config.systemd.package}/lib/security/pam_systemd.so, - '' + - optionalString (isEnabled (cfg: cfg.enableAppArmor) - && config.security.apparmor.enable) '' - mr ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so, - '' + - optionalString (isEnabled (cfg: cfg.enableKwallet)) '' - mr ${pkgs.plasma5Packages.kwallet-pam}/lib/security/pam_kwallet5.so, - '' + - optionalString config.virtualisation.lxc.lxcfs.enable '' - mr ${pkgs.lxc}/lib/security/pam_cgfs.so, - '' + - optionalString (isEnabled (cfg: cfg.zfs)) '' - mr ${config.boot.zfs.package}/lib/security/pam_zfs_key.so, - '' + - optionalString config.services.homed.enable '' - mr ${config.systemd.package}/lib/security/pam_systemd_home.so - ''; + (with lib; pipe config.security.pam.services [ + attrValues + (catAttrs "rules") + (concatMap attrValues) + (concatMap attrValues) + (filter (rule: rule.enable)) + (catAttrs "modulePath") + (filter (hasPrefix "/")) + unique + (map (module: "mr ${module},")) + concatLines + ]); }; } |