PAM: Rename ownDevices to startSession

Logind sessions are more generally useful than for device ownership.
For instances, ssh logins can be put in their own session (and thus
their own cgroup).

modules/programs/shadow.nix

@@ -90,7 +90,7 @@ in
         { name = "groupmod"; rootOK = true; }
         { name = "groupmems"; rootOK = true; }
         { name = "groupdel"; rootOK = true; }
-        { name = "login"; ownDevices = true; allowNullPassword = true; }
+        { name = "login"; startSession = true; allowNullPassword = true; }
       ];
 
     security.setuidPrograms = [ "passwd" "chfn" "su" "newgrp" ];

modules/security/pam.nix

@@ -41,9 +41,10 @@ let
       # against the keys in the calling user's ~/.ssh/authorized_keys.
       # This is useful for "sudo" on password-less remote systems.
       sshAgentAuth ? false
-    , # If set, use systemd's PAM connector module to claim
-      # ownership of audio devices etc.
-      ownDevices ? false
+    , # If set, the service will register a new session with systemd's
+      # login manager.  If the service is running locally, this will
+      # give the user ownership of audio devices etc.
+      startSession ? false
     , # Whether to forward XAuth keys between users.  Mostly useful
       # for "su".
       forwardXAuth ? false
@@ -103,7 +104,7 @@ let
               "session optional ${pam_ldap}/lib/security/pam_ldap.so"}
           ${optionalString config.krb5.enable
               "session optional ${pam_krb5}/lib/security/pam_krb5.so"}
-          ${optionalString ownDevices
+          ${optionalString startSession
               "session optional ${pkgs.systemd}/lib/security/pam_systemd.so"}
           ${optionalString forwardXAuth
               "session optional pam_xauth.so xauthpath=${pkgs.xorg.xauth}/bin/xauth systemuser=99"}
@@ -150,7 +151,7 @@ in
       default = [];
       example = [
         { name = "chsh"; rootOK = true; }
-        { name = "login"; ownDevices = true; allowNullPassword = true;
+        { name = "login"; startSession = true; allowNullPassword = true;
           limits = [
             { domain = "ftp";
               type   = "hard";
@@ -171,13 +172,13 @@ in
           the name of the service.  The attribute
           <varname>rootOK</varname> specifies whether the root user is
           allowed to use this service without authentication.  The
-          attribute <varname>ownDevices</varname> specifies whether
-          ConsoleKit's PAM connector module should be used to give the
-          user ownership of devices such as audio and CD-ROM drives.
-          The attribute <varname>forwardXAuth</varname> specifies
-          whether X authentication keys should be passed from the
-          calling user to the target user (e.g. for
-          <command>su</command>).
+          attribute <varname>startSession</varname> specifies whether
+          systemd's PAM connector module should be used to start a new
+          session; for local sessions, this will give the user
+          ownership of devices such as audio and CD-ROM drives.  The
+          attribute <varname>forwardXAuth</varname> specifies whether
+          X authentication keys should be passed from the calling user
+          to the target user (e.g. for <command>su</command>).
 
           The attribute <varname>limits</varname> defines resource limits
           that should apply to users or groups for the service.  Each item in
@@ -235,7 +236,6 @@ in
         { name = "i3lock"; }
         { name = "lshd"; }
         { name = "samba"; }
-        { name = "sshd"; }
         { name = "vlock"; }
         { name = "xlock"; }
         { name = "xscreensaver"; }

modules/services/networking/ssh/sshd.nix

@@ -39,7 +39,7 @@ let
   );
 
   userOptions = {
-  
+
     openssh.authorizedKeys = {
 
       preserveExistingKeys = mkOption {
@@ -78,7 +78,7 @@ let
       };
 
     };
-    
+
   };
 
   mkAuthkeyScript =
@@ -256,11 +256,11 @@ in
           The set of system-wide known SSH hosts.
         '';
         example = [
-          { 
+          {
             hostNames = [ "myhost" "myhost.mydomain.com" "10.10.1.4" ];
             publicKeyFile = ./pubkeys/myhost_ssh_host_dsa_key.pub;
           }
-          { 
+          {
             hostNames = [ "myhost2" ];
             publicKeyFile = ./pubkeys/myhost2_ssh_host_dsa_key.pub;
           }
@@ -327,7 +327,7 @@ in
             RemainAfterExit=true
           '';
       };
-    
+
     boot.systemd.services."sshd.service" =
       { description = "SSH Daemon";
 
@@ -335,7 +335,7 @@ in
         after = [ "set-ssh-keys.service" ];
 
         path = [ pkgs.openssh ];
-        
+
         environment.LD_LIBRARY_PATH = nssModulesPath;
         environment.LOCALE_ARCHIVE = "/run/current-system/sw/lib/locale/locale-archive";
 
@@ -362,10 +362,12 @@ in
 
     networking.firewall.allowedTCPPorts = cfg.ports;
 
+    security.pam.services = optional cfg.usePAM { name = "sshd"; startSession = true; };
+
     services.openssh.extraConfig =
       ''
         PidFile /run/sshd.pid
-      
+
         Protocol 2
 
         UsePAM ${if cfg.usePAM then "yes" else "no"}

modules/services/x11/display-managers/kdm.nix

@@ -111,7 +111,7 @@ in
         logsXsession = true;
       };
 
-    security.pam.services = [ { name = "kde"; allowNullPassword = true; ownDevices = true; } ];
+    security.pam.services = [ { name = "kde"; allowNullPassword = true; startSession = true; } ];
 
     users.extraUsers = singleton
       { name = "kdm";

modules/services/x11/display-managers/slim.nix

@@ -106,7 +106,7 @@ in
 
     # Allow null passwords so that the user can login as root on the
     # installation CD.
-    security.pam.services = [ { name = "slim"; allowNullPassword = true; ownDevices = true; } ];
+    security.pam.services = [ { name = "slim"; allowNullPassword = true; startSession = true; } ];
 
   };