authorEelco Dolstra <eelco.dolstra@logicblox.com>2013-10-15 15:05:49 +0200
committerEelco Dolstra <eelco.dolstra@logicblox.com>2013-10-15 15:05:49 +0200
commitae74b0ae587df0750843da2d7cfc6e1e24e63bf2 (patch)
tree31efd260cb816303e6e7f7f14459849915ae9545 /nixos
parenta2c820c6786ef8275213838ad0bdd77b970a4168 (diff)
sshd: Remove the usePAM option
Sshd *must* use PAM because we depend on it for proper session
management.  The original goal of this option (disabling password
logins) can also be implemented by removing pam_auth authentication
from sshd's PAM service.
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/security/pam.nix12
-rw-r--r--nixos/modules/services/networking/ssh/sshd.nix21
2 files changed, 18 insertions, 15 deletions
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index d078ed1e1bbf..a30945cc9233 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -17,6 +17,15 @@ let
         description = "Name of the PAM service.";
       };
 
+      unixAuth = mkOption {
+        default = true;
+        type = types.bool;
+        description = ''
+          Whether users can log in with passwords defined in
+          <filename>/etc/shadow</filename>.
+        '';
+      };
+
       rootOK = mkOption {
         default = false;
         type = types.bool;
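Review bot: The new `unixAuth` description promises control over "whether users can log in with passwords", but the option only gates the single `auth sufficient pam_unix.so` line in the next hunk of this file, and the description should say so, otherwise a reader may expect pam_unix to disappear from the other PAM phases too. Suggested wording: `Whether users can authenticate with passwords defined in <filename>/etc/shadow</filename> (this only controls the pam_unix entry in the auth phase).` Whether pam_unix appears in the account, password or session phases is outside this hunk, so the description should not claim anything about them.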
@@ -154,7 +163,8 @@ let
               "auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys:~/.ssh/authorized_keys2:/etc/ssh/authorized_keys.d/%u"}
           ${optionalString cfg.usbAuth
               "auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so"}
-          auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth
+          ${optionalString cfg.unixAuth
+              "auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth"}
           ${optionalString cfg.otpwAuth
               "auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"}
           ${optionalString config.users.ldap.enable
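Review bot: With `unixAuth = false`, every auth line visible in this hunk is `sufficient` and individually optional, so a service with none of the ssh-agent, usbAuth, otpw or ldap modules enabled has no module in this stretch that can succeed, and the final verdict depends entirely on what follows the hunk, which is not visible here. Confirm that the generated auth section still ends in an explicit `auth required pam_deny.so` so that disabling unixAuth fails closed instead of relying on libpam's behaviour for a stack with no success. A comment above the new `optionalString cfg.unixAuth` lines, `# unixAuth = false drops /etc/shadow password checks; the stack must still terminate in pam_deny`, would record that invariant next to the code.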
diff --git a/nixos/modules/services/networking/ssh/sshd.nix b/nixos/modules/services/networking/ssh/sshd.nix
index d57eef860d28..c85c9307e3e4 100644
--- a/nixos/modules/services/networking/ssh/sshd.nix
+++ b/nixos/modules/services/networking/ssh/sshd.nix
@@ -128,21 +128,10 @@ in
         '';
       };
 
-      usePAM = mkOption {
-        default = true;
-        description = ''
-          Specifies whether the OpenSSH daemon uses PAM to authenticate
-          login attempts.
-        '';
-      };
-
       passwordAuthentication = mkOption {
         default = true;
         description = ''
-          Specifies whether password authentication is allowed. Note
-          that setting this value to <literal>false</literal> is most
-          probably not going to have the desired effect unless
-          <literal>usePAM</literal> is disabled as well.
+          Specifies whether password authentication is allowed.
         '';
       };
 
@@ -284,7 +273,11 @@ in
 
     networking.firewall.allowedTCPPorts = cfg.ports;
 
-    security.pam.services = optional cfg.usePAM { name = "sshd"; startSession = true; showMotd = true; };
+    security.pam.services.sshd =
+      { startSession = true;
+        showMotd = true;
+        unixAuth = cfg.passwordAuthentication;
+      };
 
     services.openssh.authorizedKeysFiles =
       [ ".ssh/authorized_keys" ".ssh/authorized_keys2" "/etc/ssh/authorized_keys.d/%u" ];
@@ -295,7 +288,7 @@ in
 
         Protocol 2
 
-        UsePAM ${if cfg.usePAM then "yes" else "no"}
+        UsePAM yes
 
         AddressFamily ${if config.networking.enableIPv6 then "any" else "inet"}
         ${concatMapStrings (port: ''
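Review bot: `UsePAM yes` is now unconditional, which is the point of the commit, but nothing in the generated sshd_config records why, and the effective control over password logins has moved from this file to the PAM service definition in the previous hunk. A one-line sshd_config comment inside the string, `# UsePAM stays enabled for session management; password logins are governed by the sshd PAM service (unixAuth)`, would keep that invariant next to the directive. Whether ChallengeResponseAuthentication is set elsewhere in this string is outside the hunk; if it is left at OpenSSH's default, keyboard-interactive via PAM remains available and the PAM stack is the only thing limiting it.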