From 1d5d7fdee2e85460e44b9931f3259254c2092806 Mon Sep 17 00:00:00 2001 From: Luca Bruno Date: Wed, 14 May 2014 17:53:58 +0200 Subject: [PATCH] pam: Add logFailures option for adding pam_tally to su --- nixos/modules/programs/shadow.nix | 2 +- nixos/modules/security/pam.nix | 8 ++++++++ 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/nixos/modules/programs/shadow.nix b/nixos/modules/programs/shadow.nix index 27a18c726a3a..9763332ed978 100644 --- a/nixos/modules/programs/shadow.nix +++ b/nixos/modules/programs/shadow.nix @@ -82,7 +82,7 @@ in security.pam.services = { chsh = { rootOK = true; }; chfn = { rootOK = true; }; - su = { rootOK = true; forwardXAuth = true; }; + su = { rootOK = true; forwardXAuth = true; logFailures = true; }; passwd = {}; # Note: useradd, groupadd etc. aren't setuid root, so it # doesn't really matter what the PAM config says as long as it diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index 6a5eb4c720f8..76fbd9b671f4 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -132,6 +132,12 @@ let description = "Whether to update /var/log/wtmp."; }; + logFailures = mkOption { + default = false; + type = types.bool; + description = "Whether to log authentication failures in /var/log/faillog."; + }; + text = mkOption { type = types.nullOr types.lines; description = "Contents of the PAM service file."; @@ -159,6 +165,8 @@ let # Authentication management. ${optionalString cfg.rootOK "auth sufficient pam_rootok.so"} + ${optionalString cfg.logFailures + "auth required pam_tally.so"} ${optionalString (config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth) "auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys:~/.ssh/authorized_keys2:/etc/ssh/authorized_keys.d/%u"} ${optionalString cfg.usbAuth