author | Dan Callaghan <djc@djc.id.au> | 2022-07-16 15:38:42 +1000 |
---|---|---|
committer | Dan Callaghan <djc@djc.id.au> | 2022-08-01 21:28:05 +1000 |
commit | 43aab2f50bae4e9a7ed276c46f3623938e44dbed (patch) | |
tree | 121268b6e13bf029fbb7500573f6b2c7abfd4fb7 /nixos | |
parent | ecf0fd9462babdf99b01572b275cc3eb838cc3c7 (diff) |
nixos/pam: add an option to control Kerberos PAM modules
Instead of enabling the PAM modules based on config.krb5.enable, introduce a new option to control the PAM modules specifically. Users may want to turn on config.krb5.enable to get a working Kerberos client config with tools like kinit, while letting pam_sss or something else handle Kerberos password lookups.
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/security/pam.nix | 32 |
1 files changed, 26 insertions, 6 deletions
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index d9d072b36e6e6..16f4193d3bcec 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -453,7 +453,7 @@ let
 optionalString (config.services.sssd.enable && cfg.sssdStrictAccess) ''
 account [default=bad success=ok user_unknown=ignore] ${pkgs.sssd}/lib/security/pam_sss.so
 '' +
- optionalString config.krb5.enable ''
+ optionalString config.security.pam.krb5.enable ''
 account sufficient ${pam_krb5}/lib/security/pam_krb5.so
 '' +
 optionalString cfg.googleOsLoginAccountVerification ''
@@ -553,7 +553,7 @@ let
 optionalString config.services.sssd.enable ''
 auth sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_first_pass
 '' +
- optionalString config.krb5.enable ''
+ optionalString config.security.pam.krb5.enable ''
 auth [default=ignore success=1 service_err=reset] ${pam_krb5}/lib/security/pam_krb5.so use_first_pass
 auth [default=die success=done] ${pam_ccreds}/lib/security/pam_ccreds.so action=validate use_first_pass
 auth sufficient ${pam_ccreds}/lib/security/pam_ccreds.so action=store use_first_pass
@@ -576,7 +576,7 @@ let
 optionalString config.services.sssd.enable ''
 password sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_authtok
 '' +
- optionalString config.krb5.enable ''
+ optionalString config.security.pam.krb5.enable ''
 password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass
 '' +
 optionalString cfg.enableGnomeKeyring ''
@@ -619,7 +619,7 @@ let
 optionalString config.services.sssd.enable ''
 session optional ${pkgs.sssd}/lib/security/pam_sss.so
 '' +
- optionalString config.krb5.enable ''
+ optionalString config.security.pam.krb5.enable ''
 session optional ${pam_krb5}/lib/security/pam_krb5.so
 '' +
 optionalString cfg.otpwAuth ''
@@ -802,6 +802,26 @@ in
 security.pam.enableOTPW = mkEnableOption "the OTPW (one-time password) PAM module";
 
+ security.pam.krb5 = {
+ enable = mkOption {
+ default = config.krb5.enable;
+ defaultText = literalExpression "config.krb5.enable";
+ type = types.bool;
+ description = ''
+ Enables Kerberos PAM modules (<literal>pam-krb5</literal>,
+ <literal>pam-ccreds</literal>).
+
+ If set, users can authenticate with their Kerberos password.
+ This requires a valid Kerberos configuration
+ (<literal>config.krb5.enable</literal> should be set to
+ <literal>true</literal>).
+
+ Note that the Kerberos PAM modules are not necessary when using SSS
+ to handle Kerberos authentication.
+ '';
+ };
+ };
+
 security.pam.p11 = {
 enable = mkOption {
 default = false;
@@ -1147,7 +1167,7 @@ in
 [ pkgs.pam ]
 ++ optional config.users.ldap.enable pam_ldap
 ++ optional config.services.sssd.enable pkgs.sssd
- ++ optionals config.krb5.enable [pam_krb5 pam_ccreds]
+ ++ optionals config.security.pam.krb5.enable [pam_krb5 pam_ccreds]
 ++ optionals config.security.pam.enableOTPW [ pkgs.otpw ]
 ++ optionals config.security.pam.oath.enable [ pkgs.oath-toolkit ]
 ++ optionals config.security.pam.p11.enable [ pkgs.pam_p11 ]
@@ -1211,7 +1231,7 @@ in
 optionalString config.services.sssd.enable ''
 mr ${pkgs.sssd}/lib/security/pam_sss.so,
 '' +
- optionalString config.krb5.enable ''
+ optionalString config.security.pam.krb5.enable ''
 mr ${pam_krb5}/lib/security/pam_krb5.so,
 mr ${pam_ccreds}/lib/security/pam_ccreds.so,
 '' +
|
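Review bot: The description added for `security.pam.krb5.enable` says a valid Kerberos configuration is required, but nothing in the commit enforces it: every consumer of the option (the account/auth/password/session stacks, the package list and the apparmor `mr` entries in the other hunks) is a plain `optionalString`/`optionals` on the option, so once a user sets it to true without `config.krb5.enable` the pam_krb5 and pam_ccreds modules are stacked with no client configuration, and the mismatch presumably only surfaces at login time. An entry in the module's assertions list next to those consumers would make it a build-time error, e.g. `{ assertion = config.security.pam.krb5.enable -> config.krb5.enable; message = "security.pam.krb5.enable requires krb5.enable so that the Kerberos PAM modules have a client configuration"; }`. Because the default tracks `config.krb5.enable`, the SSS sentence in the description would also be more actionable if it told the reader what to do, e.g. `Set this to false when SSS (pam_sss) handles Kerberos authentication; the default enables these modules whenever config.krb5.enable is set.` The enclosing options attribute set begins and ends outside the hunk.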