diff --git a/modules/programs/shadow.nix b/modules/programs/shadow.nix
index a3f837c7367c..4b9be4605487 100644
--- a/modules/programs/shadow.nix
+++ b/modules/programs/shadow.nix
@@ -90,7 +90,7 @@ in
{ name = "groupmod"; rootOK = true; }
{ name = "groupmems"; rootOK = true; }
{ name = "groupdel"; rootOK = true; }
- { name = "login"; ownDevices = true; allowNullPassword = true; }
+ { name = "login"; startSession = true; allowNullPassword = true; }
];
security.setuidPrograms = [ "passwd" "chfn" "su" "newgrp" ];
diff --git a/modules/security/pam.nix b/modules/security/pam.nix
index 9e8bc02ddf41..049df0f9958b 100644
--- a/modules/security/pam.nix
+++ b/modules/security/pam.nix
@@ -41,9 +41,10 @@ let
# against the keys in the calling user's ~/.ssh/authorized_keys.
# This is useful for "sudo" on password-less remote systems.
sshAgentAuth ? false
- , # If set, use systemd's PAM connector module to claim
- # ownership of audio devices etc.
- ownDevices ? false
+ , # If set, the service will register a new session with systemd's
+ # login manager. If the service is running locally, this will
+ # give the user ownership of audio devices etc.
+ startSession ? false
, # Whether to forward XAuth keys between users. Mostly useful
# for "su".
forwardXAuth ? false
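Review bot: Replacing the `ownDevices` argument with `startSession` leaves no compatibility path for existing configurations that still pass `ownDevices` in their `security.pam.services` entries; the argument-set header is above this hunk, so whether an unknown attribute is rejected or silently accepted cannot be seen here, but either way the old name stops loading pam_systemd.so and a service that previously got logind registration and device ownership quietly loses it. Consider carrying a deprecated alias for one release, e.g. `, ownDevices ? false` next to the new argument with `${optionalString (startSession || ownDevices)` at the pam_systemd line, or at least calling the rename out in the release notes. The shadow.nix, kdm.nix and slim.nix hunks update the in-tree callers, but out-of-tree configurations are not covered by this commit.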
@@ -103,7 +104,7 @@ let
"session optional ${pam_ldap}/lib/security/pam_ldap.so"}
${optionalString config.krb5.enable
"session optional ${pam_krb5}/lib/security/pam_krb5.so"}
- ${optionalString ownDevices
+ ${optionalString startSession
"session optional ${pkgs.systemd}/lib/security/pam_systemd.so"}
${optionalString forwardXAuth
"session optional pam_xauth.so xauthpath=${pkgs.xorg.xauth}/bin/xauth systemuser=99"}
@@ -150,7 +151,7 @@ in
default = [];
example = [
{ name = "chsh"; rootOK = true; }
- { name = "login"; ownDevices = true; allowNullPassword = true;
+ { name = "login"; startSession = true; allowNullPassword = true;
limits = [
{ domain = "ftp";
type = "hard";
@@ -171,13 +172,13 @@ in
the name of the service. The attribute
rootOK specifies whether the root user is
allowed to use this service without authentication. The
- attribute ownDevices specifies whether
- ConsoleKit's PAM connector module should be used to give the
- user ownership of devices such as audio and CD-ROM drives.
- The attribute forwardXAuth specifies
- whether X authentication keys should be passed from the
- calling user to the target user (e.g. for
- su).
+ attribute startSession specifies whether
+ systemd's PAM connector module should be used to start a new
+ session; for local sessions, this will give the user
+ ownership of devices such as audio and CD-ROM drives. The
+ attribute forwardXAuth specifies whether
+ X authentication keys should be passed from the calling user
+ to the target user (e.g. for su).
The attribute limits defines resource limits
that should apply to users or groups for the service. Each item in
@@ -235,7 +236,6 @@ in
{ name = "i3lock"; }
{ name = "lshd"; }
{ name = "samba"; }
- { name = "sshd"; }
{ name = "vlock"; }
{ name = "xlock"; }
{ name = "xscreensaver"; }
diff --git a/modules/services/networking/ssh/sshd.nix b/modules/services/networking/ssh/sshd.nix
index 76e35250a60a..6ad79ca72a82 100644
--- a/modules/services/networking/ssh/sshd.nix
+++ b/modules/services/networking/ssh/sshd.nix
@@ -39,7 +39,7 @@ let
);
userOptions = {
-
+
openssh.authorizedKeys = {
preserveExistingKeys = mkOption {
@@ -78,7 +78,7 @@ let
};
};
-
+
};
mkAuthkeyScript =
@@ -256,11 +256,11 @@ in
The set of system-wide known SSH hosts.
'';
example = [
- {
+ {
hostNames = [ "myhost" "myhost.mydomain.com" "10.10.1.4" ];
publicKeyFile = ./pubkeys/myhost_ssh_host_dsa_key.pub;
}
- {
+ {
hostNames = [ "myhost2" ];
publicKeyFile = ./pubkeys/myhost2_ssh_host_dsa_key.pub;
}
@@ -327,7 +327,7 @@ in
RemainAfterExit=true
'';
};
-
+
boot.systemd.services."sshd.service" =
{ description = "SSH Daemon";
@@ -335,7 +335,7 @@ in
after = [ "set-ssh-keys.service" ];
path = [ pkgs.openssh ];
-
+
environment.LD_LIBRARY_PATH = nssModulesPath;
environment.LOCALE_ARCHIVE = "/run/current-system/sw/lib/locale/locale-archive";
@@ -362,10 +362,12 @@ in
networking.firewall.allowedTCPPorts = cfg.ports;
+ security.pam.services = optional cfg.usePAM { name = "sshd"; startSession = true; };
+
services.openssh.extraConfig =
''
PidFile /run/sshd.pid
-
+
Protocol 2
UsePAM ${if cfg.usePAM then "yes" else "no"}
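Review bot: The added `security.pam.services` line makes the sshd PAM service conditional on `cfg.usePAM`, and together with the removal of the unconditional `{ name = "sshd"; }` entry in pam.nix this means no sshd PAM service definition exists at all when `usePAM` is false; that matches `UsePAM no` two lines below, but the coupling spans two files and deserves a comment here, e.g. `# The sshd PAM service (and its logind session registration) is only needed when UsePAM is "yes" below.` The reason for `startSession = true` on a remote service is also worth a line, since the option documentation in pam.nix speaks of local device ownership: for SSH logins the effect of pam_systemd.so is that each login is registered as a tracked logind session (visible via `loginctl`), which is a visibility gain for operators rather than a device-access change. `optional` is presumably in scope from `pkgs.lib` via a `with` outside this hunk, as `optionalString` is elsewhere in the file.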
diff --git a/modules/services/x11/display-managers/kdm.nix b/modules/services/x11/display-managers/kdm.nix
index 1699ad6343d3..1699f6c65a75 100644
--- a/modules/services/x11/display-managers/kdm.nix
+++ b/modules/services/x11/display-managers/kdm.nix
@@ -111,7 +111,7 @@ in
logsXsession = true;
};
- security.pam.services = [ { name = "kde"; allowNullPassword = true; ownDevices = true; } ];
+ security.pam.services = [ { name = "kde"; allowNullPassword = true; startSession = true; } ];
users.extraUsers = singleton
{ name = "kdm";
diff --git a/modules/services/x11/display-managers/slim.nix b/modules/services/x11/display-managers/slim.nix
index 68d8c11f830f..bc9aef101c7d 100644
--- a/modules/services/x11/display-managers/slim.nix
+++ b/modules/services/x11/display-managers/slim.nix
@@ -106,7 +106,7 @@ in
# Allow null passwords so that the user can login as root on the
# installation CD.
- security.pam.services = [ { name = "slim"; allowNullPassword = true; ownDevices = true; } ];
+ security.pam.services = [ { name = "slim"; allowNullPassword = true; startSession = true; } ];
};