* Very basic PAM configuration. We now use Blowfish hashing for

/etc/shadow. svn path=/nixos/trunk/; revision=7306
2024-11-01 23:22:37 +00:00 · 2006-12-11 02:44:26 +00:00 · 2006-12-11 02:44:26 +00:00 · f327b072cb
commit f327b072cb
parent 06256e22d8
6 changed files with 61 additions and 1 deletions
--- a/configuration/boot-environment.nix
+++ b/configuration/boot-environment.nix
@ -234,7 +234,31 @@ rec {
        target = "event.d";
      }

-    ];
+      { # Configuration for passwd and friends (e.g., hash algorithm
+        # for /etc/passwd).
+        source = ./etc/default/passwd;
+        target = "default/passwd";
+      }
+
+    ]
+
+    # A bunch of PAM configuration files for various programs.
+    ++ (map
+      (program:
+        { source = pkgs.substituteAll {
+            src = ./etc/pam.d + ("/" + program);
+            inherit (pkgs) pam_unix2;
+          };
+          target = "pam.d/" + program;
+        }
+      )
+      [
+        "login"
+        "passwd"
+        "useradd"
+        "other"
+      ]
+    );
  };

  
--- a/configuration/etc/default/passwd
+++ b/configuration/etc/default/passwd
@ -0,0 +1,15 @@
+# Define default crypt hash
+# CRYPT={des,md5,blowfish}
+CRYPT=des
+
+# for local files, use a more secure hash. We
+# don't need to be portable here:
+CRYPT_FILES=blowfish
+
+# sometimes we need to specify special options for
+# a hash (variable is prepended by the name of the
+# crypt hash).
+BLOWFISH_CRYPT_FILES=10
+
+# For NIS, we should always use DES:
+CRYPT_YP=des
--- a/configuration/etc/pam.d/login
+++ b/configuration/etc/pam.d/login
@ -0,0 +1,4 @@
+auth     required       @pam_unix2@/lib/security/pam_unix2.so
+account  required       @pam_unix2@/lib/security/pam_unix2.so
+password required       @pam_unix2@/lib/security/pam_unix2.so nullok use_first_pass use_authtok
+session  required       @pam_unix2@/lib/security/pam_unix2.so
--- a/configuration/etc/pam.d/other
+++ b/configuration/etc/pam.d/other
@ -0,0 +1,8 @@
+auth     required       pam_warn.so
+auth     required       pam_deny.so
+account  required       pam_warn.so
+account  required       pam_deny.so
+password required       pam_warn.so
+password required       pam_deny.so
+session  required       pam_warn.so
+session  required       pam_deny.so
--- a/configuration/etc/pam.d/passwd
+++ b/configuration/etc/pam.d/passwd
@ -0,0 +1,4 @@
+auth     required       @pam_unix2@/lib/security/pam_unix2.so
+account  required       @pam_unix2@/lib/security/pam_unix2.so
+password required       @pam_unix2@/lib/security/pam_unix2.so nullok debug
+session  required       @pam_unix2@/lib/security/pam_unix2.so
--- a/configuration/etc/pam.d/useradd
+++ b/configuration/etc/pam.d/useradd
@ -0,0 +1,5 @@
+auth     sufficient     pam_rootok.so
+auth     required       pam_permit.so
+account  required       pam_permit.so
+password required       pam_permit.so
+session  required       pam_permit.so