author | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2013-10-15 15:05:49 +0200 |
---|---|---|
committer | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2013-10-15 15:05:49 +0200 |
commit | ae74b0ae587df0750843da2d7cfc6e1e24e63bf2 (patch) | |
tree | 31efd260cb816303e6e7f7f14459849915ae9545 /nixos/modules/services/networking | |
parent | a2c820c6786ef8275213838ad0bdd77b970a4168 (diff) | |
sshd: Remove the usePAM option
Sshd *must* use PAM because we depend on it for proper session management. The original goal of this option (disabling password logins) can also be implemented by removing pam_auth authentication from sshd's PAM service.
Diffstat (limited to 'nixos/modules/services/networking')
-rw-r--r-- | nixos/modules/services/networking/ssh/sshd.nix | 21 |
1 files changed, 7 insertions, 14 deletions
diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix index d57eef860d28..c85c9307e3e4 100644 --- a/nixos/modules/services/networking/ssh/sshd.nix +++ b/nixos/modules/services/networking/ssh/sshd.nix @@ -128,21 +128,10 @@ in ''; }; - usePAM = mkOption { - default = true; - description = '' - Specifies whether the OpenSSH daemon uses PAM to authenticate - login attempts. - ''; - }; - passwordAuthentication = mkOption { default = true; description = '' - Specifies whether password authentication is allowed. Note - that setting this value to <literal>false</literal> is most - probably not going to have the desired effect unless - <literal>usePAM</literal> is disabled as well. + Specifies whether password authentication is allowed. ''; }; @@ -284,7 +273,11 @@ in networking.firewall.allowedTCPPorts = cfg.ports; - security.pam.services = optional cfg.usePAM { name = "sshd"; startSession = true; showMotd = true; }; + security.pam.services.sshd = + { startSession = true; + showMotd = true; + unixAuth = cfg.passwordAuthentication; + }; services.openssh.authorizedKeysFiles = [ ".ssh/authorized_keys" ".ssh/authorized_keys2" "/etc/ssh/authorized_keys.d/%u" ]; @@ -295,7 +288,7 @@ in Protocol 2 - UsePAM ${if cfg.usePAM then "yes" else "no"} + UsePAM yes AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"} ${concatMapStrings (port: '' |
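Review bot: The trimmed description of `passwordAuthentication` in the first hunk no longer says what the option now controls beyond sshd itself; per the second hunk it also feeds `unixAuth` in the sshd PAM service. I would add a sentence such as `Setting this to <literal>false</literal> also removes Unix password authentication from sshd's PAM service.` so that users who previously set `usePAM = false` can see this is the replacement. The hunk also drops `usePAM` with no visible deprecation or rename notice, so configurations that still set it will presumably stop evaluating. Whether that is handled elsewhere cannot be seen from this diff.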
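Review bot: In the second hunk, `unixAuth = cfg.passwordAuthentication;` switches off only the Unix password module in the sshd PAM service, while the third hunk makes `UsePAM yes` unconditional. Any other auth modules that the PAM service definition adds (not visible in this diff) would presumably stay reachable through keyboard-interactive authentication, so `passwordAuthentication = false` may not mean key-only logins on hosts that enable them. A comment above the attribute set, e.g. `# unixAuth = false drops pam_unix from the auth stack; other PAM auth modules are unaffected`, would make that limit explicit. If key-only login is the intent, the generated sshd_config could also emit `ChallengeResponseAuthentication no` when the option is false. The surrounding config block and the sshd_config template both start and end outside the hunks shown.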