sshd: Remove the usePAM option

Sshd *must* use PAM because we depend on it for proper session management. The original goal of this option (disabling password logins) can also be implemented by removing pam_auth authentication from sshd's PAM service.
2024-11-01 15:11:25 +00:00 · 2013-10-15 15:05:49 +02:00 · 2013-10-15 15:05:49 +02:00 · ae74b0ae58
commit ae74b0ae58
parent a2c820c678
2 changed files with 18 additions and 15 deletions
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@ -17,6 +17,15 @@ let
        description = "Name of the PAM service.";
      };

+      unixAuth = mkOption {
+        default = true;
+        type = types.bool;
+        description = ''
+          Whether users can log in with passwords defined in
+          <filename>/etc/shadow</filename>.
+        '';
+      };
+
      rootOK = mkOption {
        default = false;
        type = types.bool;
@ -154,7 +163,8 @@ let
              "auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys:~/.ssh/authorized_keys2:/etc/ssh/authorized_keys.d/%u"}
          ${optionalString cfg.usbAuth
              "auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so"}
-          auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth
+          ${optionalString cfg.unixAuth
+              "auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth"}
          ${optionalString cfg.otpwAuth
              "auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"}
          ${optionalString config.users.ldap.enable
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@ -128,21 +128,10 @@ in
        '';
      };

-      usePAM = mkOption {
-        default = true;
-        description = ''
-          Specifies whether the OpenSSH daemon uses PAM to authenticate
-          login attempts.
-        '';
-      };
-
      passwordAuthentication = mkOption {
        default = true;
        description = ''
-          Specifies whether password authentication is allowed. Note
-          that setting this value to <literal>false</literal> is most
-          probably not going to have the desired effect unless
-          <literal>usePAM</literal> is disabled as well.
+          Specifies whether password authentication is allowed.
        '';
      };

@ -284,7 +273,11 @@ in

    networking.firewall.allowedTCPPorts = cfg.ports;

-    security.pam.services = optional cfg.usePAM { name = "sshd"; startSession = true; showMotd = true; };
+    security.pam.services.sshd =
+      { startSession = true;
+        showMotd = true;
+        unixAuth = cfg.passwordAuthentication;
+      };

    services.openssh.authorizedKeysFiles =
      [ ".ssh/authorized_keys" ".ssh/authorized_keys2" "/etc/ssh/authorized_keys.d/%u" ];
@ -295,7 +288,7 @@ in

        Protocol 2

-        UsePAM ${if cfg.usePAM then "yes" else "no"}
+        UsePAM yes

        AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"}
        ${concatMapStrings (port: ''