From 43aab2f50bae4e9a7ed276c46f3623938e44dbed Mon Sep 17 00:00:00 2001
From: Dan Callaghan
Date: Sat, 16 Jul 2022 15:38:42 +1000
Subject: nixos/pam: add an option to control Kerberos PAM modules

Instead of enabling the PAM modules based on config.krb5.enable, introduce a new option to control the PAM modules specifically. Users may want to turn on config.krb5.enable, to get a working Kerberos client config with tools like kinit, while letting pam_sss or something else handle Kerberos password lookups.
---
 nixos/modules/security/pam.nix | 32 ++++++++++++++++++++++++++------
 1 file changed, 26 insertions(+), 6 deletions(-)
(limited to 'nixos')

diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index d9d072b36e6e6..16f4193d3bcec 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -453,7 +453,7 @@ let
 optionalString (config.services.sssd.enable && cfg.sssdStrictAccess) ''
 account [default=bad success=ok user_unknown=ignore] ${pkgs.sssd}/lib/security/pam_sss.so
 '' +
- optionalString config.krb5.enable ''
+ optionalString config.security.pam.krb5.enable ''
 account sufficient ${pam_krb5}/lib/security/pam_krb5.so
 '' +
 optionalString cfg.googleOsLoginAccountVerification ''
@@ -553,7 +553,7 @@ let
 optionalString config.services.sssd.enable ''
 auth sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_first_pass
 '' +
- optionalString config.krb5.enable ''
+ optionalString config.security.pam.krb5.enable ''
 auth [default=ignore success=1 service_err=reset] ${pam_krb5}/lib/security/pam_krb5.so use_first_pass
 auth [default=die success=done] ${pam_ccreds}/lib/security/pam_ccreds.so action=validate use_first_pass
 auth sufficient ${pam_ccreds}/lib/security/pam_ccreds.so action=store use_first_pass
@@ -576,7 +576,7 @@ let
 optionalString config.services.sssd.enable ''
 password sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_authtok
 '' +
- optionalString config.krb5.enable ''
+ optionalString config.security.pam.krb5.enable ''
 password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass
 '' +
 optionalString cfg.enableGnomeKeyring ''
@@ -619,7 +619,7 @@ let
 optionalString config.services.sssd.enable ''
 session optional ${pkgs.sssd}/lib/security/pam_sss.so
 '' +
- optionalString config.krb5.enable ''
+ optionalString config.security.pam.krb5.enable ''
 session optional ${pam_krb5}/lib/security/pam_krb5.so
 '' +
 optionalString cfg.otpwAuth ''
@@ -802,6 +802,26 @@ in
 security.pam.enableOTPW = mkEnableOption "the OTPW (one-time password) PAM module";
 
+ security.pam.krb5 = {
+ enable = mkOption {
+ default = config.krb5.enable;
+ defaultText = literalExpression "config.krb5.enable";
+ type = types.bool;
+ description = ''
+ Enables Kerberos PAM modules (pam-krb5,
+ pam-ccreds).
+
+ If set, users can authenticate with their Kerberos password.
+ This requires a valid Kerberos configuration
+ (config.krb5.enable should be set to
+ true).
+
+ Note that the Kerberos PAM modules are not necessary when using SSS
+ to handle Kerberos authentication.
+ '';
+ };
+ };
+
 security.pam.p11 = {
 enable = mkOption {
 default = false;
@@ -1147,7 +1167,7 @@ in
 [ pkgs.pam ]
 ++ optional config.users.ldap.enable pam_ldap
 ++ optional config.services.sssd.enable pkgs.sssd
- ++ optionals config.krb5.enable [pam_krb5 pam_ccreds]
+ ++ optionals config.security.pam.krb5.enable [pam_krb5 pam_ccreds]
 ++ optionals config.security.pam.enableOTPW [ pkgs.otpw ]
 ++ optionals config.security.pam.oath.enable [ pkgs.oath-toolkit ]
 ++ optionals config.security.pam.p11.enable [ pkgs.pam_p11 ]
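Review bot: The description of the new `security.pam.krb5.enable` option states that a valid Kerberos configuration is required, but the module never checks it: with `security.pam.krb5.enable = true` and `krb5.enable = false`, pam_krb5 and pam_ccreds are still wired into every account, auth, password and session stack (the hunks at 453, 553, 576 and 619) and into the package and AppArmor lists, presumably without the /etc/krb5.conf the krb5 module would otherwise generate. The default of `config.krb5.enable` keeps existing systems unchanged, so this only affects explicit overrides, but an assertion in the module's `config` block would turn a confusing login-time failure into an evaluation error, e.g. `{ assertion = config.security.pam.krb5.enable -> config.krb5.enable; message = "security.pam.krb5.enable requires config.krb5.enable so that pam_krb5 has a krb5.conf to read"; }`. If supplying krb5.conf by other means is meant to be supported, the description should say so instead of "should be set to true", so that the documented contract matches what is enforced. The enclosing `options` attribute set starts and ends outside this hunk.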
@@ -1211,7 +1231,7 @@ in
 optionalString config.services.sssd.enable ''
 mr ${pkgs.sssd}/lib/security/pam_sss.so,
 '' +
- optionalString config.krb5.enable ''
+ optionalString config.security.pam.krb5.enable ''
 mr ${pam_krb5}/lib/security/pam_krb5.so,
 mr ${pam_ccreds}/lib/security/pam_ccreds.so,
 '' +
-- 
cgit 1.4.1