| Commit message | Author | Age |
|
Run pam_unix an additional time rather than switching it from sufficient
to required. This fixes a potential security issue for
ecryptfs/pam_mount users as with pam_deny gone, if cfg.unixAuth = False
then it is possible to log in without a password.
|
nixos: add AppArmor PAM support
|
Enables attaching AppArmor profiles at the user/group level.
This is not intended to be used directly, but as part of a
role-based access control scheme. For now, profile attachment
is 'session optional', but should be changed to 'required' once
a more comprehensive solution is in place.
|
- upgrade 106 -> 108
- fix passphrase rewrapper (password changing should now work fine) as
discussed on https://bugs.launchpad.net/ecryptfs/+bug/1486470
- add lsof dependency so ecryptfs-migrate-home should work out of the
box
|
This adds support for authenticating using a U2F device such as a
yubikey neo.
|
This allows for module arguments to be handled modularly, in particular
allowing the nixpkgs module to handle the nixpkgs import internally.
This creates the __internal option namespace, which should only be added
to by the module system itself.
|
the pam config was wrong.
Issue #6551
|
(cherry picked from commit cb3cba54a1b87c376d0801238cb827eadb18e39e)
Conflicts:
    nixos/modules/security/pam.nix
|
pam: Add logFailures option for adding pam_tally to su
|
This reverts commit 491c088731022463978e595956427e72db6306a9.
|
This reverts commit 18a0cdd86416a8cbc263cfa8cb96c460a53f7b5c.
|
As recommended by the pam_systemd manpage.
|
Using pkgs.lib on the spine of module evaluation is problematic
because the pkgs argument depends on the result of module
evaluation. To prevent an infinite recursion, pkgs and some of the
modules are evaluated twice, which is inefficient. Using ‘with lib’
prevents this problem.
|
Sshd *must* use PAM because we depend on it for proper session
management. The original goal of this option (disabling password
logins) can also be implemented by removing pam_auth authentication
from sshd's PAM service.
|
That is, you can say
    security.pam.services.sshd = { options... };
instead of
    security.pam.services = [ { name = "sshd"; options... } ];
making it easier to override PAM settings from other modules.