Diffstat (limited to 'nixos/modules/security/pam.nix')
-rw-r--r--nixos/modules/security/pam.nix20
1 files changed, 20 insertions, 0 deletions
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index b1b75a0068d4f..844a9da0eb461 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -126,12 +126,28 @@ let
         description = "Whether to show the message of the day.";
       };
 
+      makeHomeDir = mkOption {
+        default = false;
+        type = types.bool;
+        description = ''
+          Whether to try to create home directories for users
+          with <literal>$HOME</literal>s pointing to nonexistent
+          locations on session login.
+        '';
+      };
+
       updateWtmp = mkOption {
         default = false;
         type = types.bool;
         description = "Whether to update <filename>/var/log/wtmp</filename>.";
       };
 
+      logFailures = mkOption {
+        default = false;
+        type = types.bool;
+        description = "Whether to log authentication failures in <filename>/var/log/faillog</filename>.";
+      };
+
       text = mkOption {
         type = types.nullOr types.lines;
         description = "Contents of the PAM service file.";
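Review bot: The `logFailures` description says failures are logged, but the option enables pam_tally (second hunk), which keeps a per-user failure counter in that file rather than a log. With no `deny=` argument it also locks nothing. I would reword the description to `"Whether to count failed authentication attempts per user in <filename>/var/log/faillog</filename> using pam_tally; no lockout threshold is configured."`. The `makeHomeDir` description could likewise name the skeleton directory and the mode the new directory gets, since both are fixed in the generated line.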
@@ -159,6 +175,8 @@ let
           # Authentication management.
           ${optionalString cfg.rootOK
               "auth sufficient pam_rootok.so"}
+          ${optionalString cfg.logFailures
+              "auth required pam_tally.so"}
           ${optionalString (config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth)
               "auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys:~/.ssh/authorized_keys2:/etc/ssh/authorized_keys.d/%u"}
           ${optionalString cfg.usbAuth
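Review bot: `auth required pam_tally.so` turns a bookkeeping module into a hard gate. pam_tally's documented default is `onerr=fail`, so if it cannot open or update its tally file, authentication fails for every service that sets `logFailures`. If the intent is only to record failures, state the policy explicitly, e.g. `"auth required pam_tally.so onerr=succeed"`, or document that the tally file must exist and be writable. The counter is also only reset on `pam_setcred` or from an `account` entry, and no `account ... pam_tally.so` line appears in this diff, so for services that skip `pam_setcred` the count would presumably keep growing across successful logins. The service-file string continues outside this hunk.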
@@ -192,6 +210,8 @@ let
               "session ${
                 if config.boot.isContainer then "optional" else "required"
               } pam_loginuid.so"}
+          ${optionalString cfg.makeHomeDir
+              "session required ${pkgs.pam}/lib/security/pam_mkhomedir.so silent skel=/etc/skel umask=0022"}
           ${optionalString cfg.updateWtmp
               "session required ${pkgs.pam}/lib/security/pam_lastlog.so silent"}
           ${optionalString config.users.ldap.enable
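Review bot: The `pam_mkhomedir.so` line hard-codes `umask=0022`, so every auto-created home directory is readable and traversable by all local users (mode 0755). For a directory that will hold SSH keys and dotfiles, `umask=0077` is the safer default: `"session required ${pkgs.pam}/lib/security/pam_mkhomedir.so silent skel=/etc/skel umask=0077"`. The control flag is also `required` while the option text says it will only "try" to create the directory, so a failed creation would fail the session; `optional` or a corrected description would remove the mismatch. The surrounding service-file string starts and ends outside this hunk.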