sshd: Remove the usePAM option

Sshd *must* use PAM because we depend on it for proper session
management.  The original goal of this option (disabling password
logins) can also be implemented by removing pam_auth authentication
from sshd's PAM service.
This commit is contained in:
Eelco Dolstra 2013-10-15 15:05:49 +02:00
parent a2c820c678
commit ae74b0ae58
2 changed files with 18 additions and 15 deletions

View File

@ -17,6 +17,15 @@ let
description = "Name of the PAM service.";
};
unixAuth = mkOption {
default = true;
type = types.bool;
description = ''
Whether users can log in with passwords defined in
<filename>/etc/shadow</filename>.
'';
};
rootOK = mkOption {
default = false;
type = types.bool;
@ -154,7 +163,8 @@ let
"auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys:~/.ssh/authorized_keys2:/etc/ssh/authorized_keys.d/%u"}
${optionalString cfg.usbAuth
"auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so"}
auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth
${optionalString cfg.unixAuth
"auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth"}
${optionalString cfg.otpwAuth
"auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"}
${optionalString config.users.ldap.enable

View File

@ -128,21 +128,10 @@ in
'';
};
usePAM = mkOption {
default = true;
description = ''
Specifies whether the OpenSSH daemon uses PAM to authenticate
login attempts.
'';
};
passwordAuthentication = mkOption {
default = true;
description = ''
Specifies whether password authentication is allowed. Note
that setting this value to <literal>false</literal> is most
probably not going to have the desired effect unless
<literal>usePAM</literal> is disabled as well.
Specifies whether password authentication is allowed.
'';
};
@ -284,7 +273,11 @@ in
networking.firewall.allowedTCPPorts = cfg.ports;
security.pam.services = optional cfg.usePAM { name = "sshd"; startSession = true; showMotd = true; };
security.pam.services.sshd =
{ startSession = true;
showMotd = true;
unixAuth = cfg.passwordAuthentication;
};
services.openssh.authorizedKeysFiles =
[ ".ssh/authorized_keys" ".ssh/authorized_keys2" "/etc/ssh/authorized_keys.d/%u" ];
@ -295,7 +288,7 @@ in
Protocol 2
UsePAM ${if cfg.usePAM then "yes" else "no"}
UsePAM yes
AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"}
${concatMapStrings (port: ''