author | nicoo <nicoo@mur.at> | 2023-12-29 21:35:46 +0000 |
---|---|---|
committer | nicoo <nicoo@mur.at> | 2024-01-04 17:30:09 +0000 |
commit | 9ed1423dcf61aa33e0192dd396b216cd02bd505c (patch) | |
tree | 8c596ad180965a4e37c228d9453575912c048bcc /nixos/tests | |
parent | 822c0a86bd3b3c877177e2284a5cfc9222b365cc (diff) | |
nixos/pam: Warn on insecure `sshAgentAuth` configurations
Diffstat (limited to 'nixos/tests')
-rw-r--r-- | nixos/tests/ssh-agent-auth.nix | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/nixos/tests/ssh-agent-auth.nix b/nixos/tests/ssh-agent-auth.nix
index f4a282502cf3..fee40afd6153 100644
--- a/nixos/tests/ssh-agent-auth.nix
+++ b/nixos/tests/ssh-agent-auth.nix
@@ -15,7 +15,11 @@ import ./make-test-python.nix ({ lib, pkgs, ... }:
 foo.isNormalUser = true;
 };
- security.pam.sshAgentAuth.enable = true;
+ security.pam.sshAgentAuth = {
+ # Must be specified, as nixpkgs CI expects everything to eval without warning
+ authorizedKeysFiles = [ "/etc/ssh/authorized_keys.d/%u" ];
+ enable = true;
+ };
 security.${lib.replaceStrings [ "_" ] [ "-" ] n} = {
 enable = true;
 wheelNeedsPassword = true; # We are checking `pam_ssh_agent_auth(8)` works for a sudoer |
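Review bot: The comment above the added `authorizedKeysFiles` line gives only the CI reason for setting the option, not the reason for choosing this path. Judging from the commit title, the warning presumably targets key files the authenticating user can write, since that user could then authorize their own key for `sudo`; the module side is not shown here, so confirm this against it. I would extend the comment to something like `# Root-managed path only; a keys file the user can write would let them grant themselves sudo, and would trigger the module warning`. It is also worth checking that the part of the test outside this hunk installs foo's key under `/etc/ssh/authorized_keys.d/`, because the enclosing attribute set starts and ends outside the hunk.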