* Move PAM configuration to modules/security/pam.nix.

svn path=/nixos/branches/modular-nixos/; revision=15766
Eelco Dolstra 2009-05-28 13:10:02 +00:00
parent de7aae5d5e
commit 14f1c81822
20 changed files with 59 additions and 54 deletions


@ -37,59 +37,6 @@ in
let
optional = pkgs.lib.optional;
# !!! ugh, these files shouldn't be created here.
pamConsoleHandlers = pkgs.writeText "console.handlers" ''
console consoledevs /dev/tty[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
${pkgs.pam_console}/sbin/pam_console_apply lock logfail wait -t tty -s -c ${pamConsolePerms}
${pkgs.pam_console}/sbin/pam_console_apply unlock logfail wait -r -t tty -s -c ${pamConsolePerms}
'';
pamConsolePerms = ./security/console.perms;
configFiles =
# A bunch of PAM configuration files for various programs.
(map
(program:
let isLDAPEnabled = config.users.ldap.enable; in
{ source = pkgs.substituteAll {
src = ./pam.d + ("/" + program);
inherit (pkgs) pam_unix2 pam_console;
pam_ldap =
if isLDAPEnabled
then pkgs.pam_ldap
else "/no-such-path";
inherit (pkgs.xorg) xauth;
inherit pamConsoleHandlers;
isLDAPEnabled = if isLDAPEnabled then "" else "#";
syncSambaPasswords = if config.services.samba.syncPasswordsByPam
then "password optional ${pkgs.samba}/lib/security/pam_smbpass.so nullok use_authtok try_first_pass"
else "# change samba configuration options to make passwd sync the samba auth database as well here..";
};
target = "pam.d/" + program;
}
)
[
"login"
"su"
"other"
"passwd"
"shadow"
"sshd"
"lshd"
"useradd"
"chsh"
"xlock"
"samba"
"cups"
"ftp"
"ejabberd"
"common"
"common-console" # shared stuff for interactive local sessions
]
);
in
let
@ -109,7 +56,7 @@ let
makeEtc = import ../helpers/make-etc.nix {
inherit (pkgs) stdenv;
configFiles = configFiles ++ config.environment.etc;
configFiles = config.environment.etc;
};
in


@ -13,6 +13,7 @@
./programs/pwdutils/pwdutils.nix
./programs/ssh.nix
./programs/ssmtp.nix
./security/pam.nix
./security/setuid-wrappers.nix
./security/sudo.nix
./services/audio/alsa.nix

57
modules/security/pam.nix Normal file

@ -0,0 +1,57 @@
# This module provides configuration for the PAM (Pluggable
# Authentication Modules) system.
{config, pkgs, ...}:
let
# !!! ugh, these files shouldn't be created here.
pamConsoleHandlers = pkgs.writeText "console.handlers" ''
console consoledevs /dev/tty[0-9][0-9]* :[0-9]\.[0-9] :[0-9]
${pkgs.pam_console}/sbin/pam_console_apply lock logfail wait -t tty -s -c ${pamConsolePerms}
${pkgs.pam_console}/sbin/pam_console_apply unlock logfail wait -r -t tty -s -c ${pamConsolePerms}
'';
pamConsolePerms = ./console.perms;
generatePAMConfig = program:
let isLDAPEnabled = config.users.ldap.enable; in
{ source = pkgs.substituteAll {
src = ./pam.d + ("/" + program);
inherit (pkgs) pam_unix2 pam_console;
pam_ldap =
if isLDAPEnabled
then pkgs.pam_ldap
else "/no-such-path";
inherit (pkgs.xorg) xauth;
inherit pamConsoleHandlers;
isLDAPEnabled = if isLDAPEnabled then "" else "#";
syncSambaPasswords = if config.services.samba.syncPasswordsByPam
then "password optional ${pkgs.samba}/lib/security/pam_smbpass.so nullok use_authtok try_first_pass"
else "# change samba configuration options to make passwd sync the samba auth database as well here..";
};
target = "pam.d/" + program;
};
in
{
environment.etc = map generatePAMConfig
[ "login"
"su"
"other"
"passwd"
"shadow"
"sshd"
"lshd"
"useradd"
"chsh"
"xlock"
"samba"
"cups"
"ftp"
"ejabberd"
"common"
"common-console" # shared stuff for interactive local sessions
];
}
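Review bot: When `config.users.ldap.enable` is false, `pam_ldap` is substituted with the literal string `/no-such-path`, so any `@pam_ldap@` reference in a `./pam.d` template that is not also prefixed by `@isLDAPEnabled@` (which becomes `#`) ends up as a module path that does not exist; Linux-PAM generally treats a module it cannot load as a failure of that entry, which on a `required` line would fail the whole stack rather than silently skip LDAP. That coupling between the two substitution variables is invisible from this file and the templates are not part of this commit, so it deserves a comment next to the fallback, e.g. `# Placeholder only: every @pam_ldap@ line must also be guarded by @isLDAPEnabled@, otherwise the generated pam.d entry points at a module that cannot be loaded.` Separately, the `pam_smbpass.so` entry in `syncSambaPasswords` carries `nullok`, which allows empty passwords to be accepted when syncing the Samba password database; this is inherited from the old location, but now that the PAM policy lives in one self-contained module it is worth a one-line comment stating that this permissiveness is intentional, or reconsidering it.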