author | nicoo <nicoo@mur.at> | 2023-09-04 21:06:12 +0000 |
---|---|---|
committer | nicoo <nicoo@mur.at> | 2023-11-08 19:41:37 +0000 |
commit | 19e1420e138b5a89f00eb3d7adbdf99f97ad4d57 (patch) | |
tree | f432940a09ac632a58828792a3c9e58078ab913d /nixos/modules | |
parent | ad9295157901e218f9e27b0cb14a9cb791d139d4 (diff) | |
nixos/sudo: Move support for `pam_ssh_agent_auth(8)` to PAM's NixOS module
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/security/pam.nix | 6 | ||||
-rw-r--r-- | nixos/modules/security/sudo.nix | 8 |
2 files changed, 9 insertions, 5 deletions
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index 709bb8b94a65..b7e1ea526535 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -1531,6 +1531,10 @@ in (map (module: "mr ${module},")) concatLines ]); - }; + security.sudo.extraConfig = optionalString config.security.pam.enableSSHAgentAuth '' + # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic. + Defaults env_keep+=SSH_AUTH_SOCK + ''; + }; }
diff --git a/nixos/modules/security/sudo.nix b/nixos/modules/security/sudo.nix
index 4728a697de86..75dc2b52a52c 100644
--- a/nixos/modules/security/sudo.nix
+++ b/nixos/modules/security/sudo.nix
@@ -6,6 +6,8 @@ let cfg = config.security.sudo; + inherit (config.security.pam) enableSSHAgentAuth; + toUserString = user: if (isInt user) then "#${toString user}" else "${user}"; toGroupString = group: if (isInt group) then "%#${toString group}" else "%${group}";
@@ -207,10 +209,8 @@ in '' # Don't edit this file. Set the NixOS options ‘security.sudo.configFile’ # or ‘security.sudo.extraRules’ instead. - - # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic. - Defaults env_keep+=SSH_AUTH_SOCK - + '' + '' # "root" is allowed to do anything. root ALL=(ALL:ALL) SETENV: ALL '' |
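Review bot: The `Defaults env_keep+=SSH_AUTH_SOCK` fragment added in the pam.nix hunk is emitted only when `config.security.pam.enableSSHAgentAuth` is set. The copy removed in the last sudo.nix hunk sat in the literal sudoers header and appears to have been written unconditionally, yet the commit message describes only a move. Keeping fewer variables across sudo is the safer default, but hosts that relied on SSH_AUTH_SOCK surviving sudo without the PAM option will lose it, so the description or a release note should say so. I would also replace "can do its magic" with a comment that states the reason, e.g. `# Preserve SSH_AUTH_SOCK so pam_ssh_agent_auth can reach the invoking user's agent.` The enclosing `config` block starts outside the hunk.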
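Review bot: `inherit (config.security.pam) enableSSHAgentAuth;` in the first sudo.nix hunk is not referenced by any line this commit adds, since the only other additions to the file are the two `''` lines in the last hunk. If no unchanged code in sudo.nix uses it, the binding is dead here; drop it, or move it to the commit that first needs it. If it prepares a follow-up, the commit message should say so. The `let` block continues outside the hunk, so a use elsewhere in the file cannot be ruled out from this page.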