sshd: Remove the usePAM option
Sshd *must* use PAM because we depend on it for proper session management. The original goal of this option (disabling password logins) can also be implemented by removing pam_auth authentication from sshd's PAM service.
This commit is contained in:
parent
a2c820c678
commit
ae74b0ae58
@ -17,6 +17,15 @@ let
|
||||
description = "Name of the PAM service.";
|
||||
};
|
||||
|
||||
unixAuth = mkOption {
|
||||
default = true;
|
||||
type = types.bool;
|
||||
description = ''
|
||||
Whether users can log in with passwords defined in
|
||||
<filename>/etc/shadow</filename>.
|
||||
'';
|
||||
};
|
||||
|
||||
rootOK = mkOption {
|
||||
default = false;
|
||||
type = types.bool;
|
||||
@ -154,7 +163,8 @@ let
|
||||
"auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys:~/.ssh/authorized_keys2:/etc/ssh/authorized_keys.d/%u"}
|
||||
${optionalString cfg.usbAuth
|
||||
"auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so"}
|
||||
auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth
|
||||
${optionalString cfg.unixAuth
|
||||
"auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth"}
|
||||
${optionalString cfg.otpwAuth
|
||||
"auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"}
|
||||
${optionalString config.users.ldap.enable
|
||||
|
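Review bot: In the second hunk, setting `unixAuth = false` only drops the `auth sufficient pam_unix.so` line; the other `sufficient` entries in the same stack (`pam_usb`, `pam_otpw` and, presumably, the LDAP module on the line after the hunk) are still gated by their own options, so the new option closes the /etc/shadow password path but does not make the service key-only. The description added in the first hunk should say that much, e.g. `Whether users can log in with passwords defined in <filename>/etc/shadow</filename>. Disabling this removes pam_unix from the service's auth stack; other enabled authentication modules (pam_usb, pam_otpw, LDAP) are unaffected.` What terminates the auth stack when no sufficient module succeeds is outside the hunk, so I am assuming a final `required` entry follows; worth confirming it still does for the no-pam_unix case. Both hunks sit inside the `let` binding that starts and ends outside this section.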
@ -128,21 +128,10 @@ in
|
||||
'';
|
||||
};
|
||||
|
||||
usePAM = mkOption {
|
||||
default = true;
|
||||
description = ''
|
||||
Specifies whether the OpenSSH daemon uses PAM to authenticate
|
||||
login attempts.
|
||||
'';
|
||||
};
|
||||
|
||||
passwordAuthentication = mkOption {
|
||||
default = true;
|
||||
description = ''
|
||||
Specifies whether password authentication is allowed. Note
|
||||
that setting this value to <literal>false</literal> is most
|
||||
probably not going to have the desired effect unless
|
||||
<literal>usePAM</literal> is disabled as well.
|
||||
Specifies whether password authentication is allowed.
|
||||
'';
|
||||
};
|
||||
|
||||
@ -284,7 +273,11 @@ in
|
||||
|
||||
networking.firewall.allowedTCPPorts = cfg.ports;
|
||||
|
||||
security.pam.services = optional cfg.usePAM { name = "sshd"; startSession = true; showMotd = true; };
|
||||
security.pam.services.sshd =
|
||||
{ startSession = true;
|
||||
showMotd = true;
|
||||
unixAuth = cfg.passwordAuthentication;
|
||||
};
|
||||
|
||||
services.openssh.authorizedKeysFiles =
|
||||
[ ".ssh/authorized_keys" ".ssh/authorized_keys2" "/etc/ssh/authorized_keys.d/%u" ];
|
||||
@ -295,7 +288,7 @@ in
|
||||
|
||||
Protocol 2
|
||||
|
||||
UsePAM ${if cfg.usePAM then "yes" else "no"}
|
||||
UsePAM yes
|
||||
|
||||
AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"}
|
||||
${concatMapStrings (port: ''
|
||||
|
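Review bot: The new line `unixAuth = cfg.passwordAuthentication;` makes `passwordAuthentication = false` also remove pam_unix from sshd's PAM service, but the rewritten description in the second hunk (`Specifies whether password authentication is allowed.`) no longer explains that, even though this is exactly the behaviour the old `usePAM` caveat was warning about. I would extend it to `Specifies whether password authentication is allowed. When disabled, pam_unix is also removed from sshd's PAM service, so keyboard-interactive logins through PAM cannot use <filename>/etc/shadow</filename> passwords either.` Separately, `usePAM` is deleted outright rather than deprecated; if the module system rejects undefined options as it does today, any configuration still setting `services.openssh.usePAM` will fail to evaluate, which deserves at least a mention in the commit message. Whether the generated sshd_config still emits a `PasswordAuthentication` directive from this option is not visible in these hunks.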