@ -218,7 +218,7 @@ let
# Samba stuff to the Samba module. This requires that the PAM
# module provides the right hooks.
text = mkDefault
''
( ''
# Account management.
account sufficient pam_unix . so
$ { optionalString config . users . ldap . enable
@ -241,12 +241,22 @@ let
" a u t h s u f f i c i e n t ${ pkgs . pam_u2f } / l i b / s e c u r i t y / p a m _ u 2 f . s o " }
$ { optionalString cfg . usbAuth
" a u t h s u f f i c i e n t ${ pkgs . pam_usb } / l i b / s e c u r i t y / p a m _ u s b . s o " }
'' +
# Modules in this block require having the password set in PAM_AUTHTOK.
# pam_unix is marked as 'sufficient' on NixOS which means nothing will run
# after it succeeds. Certain modules need to run after pam_unix
# prompts the user for password so we run it once with 'required' at an
# earlier point and it will run again with 'sufficient' further down.
# We use try_first_pass the second time to avoid prompting password twice
( optionalString ( cfg . unixAuth && ( config . security . pam . enableEcryptfs || cfg . pamMount ) ) ''
auth required pam_unix . so $ { optionalString cfg . allowNullPassword " n u l l o k " } likeauth
$ { optionalString config . security . pam . enableEcryptfs
" a u t h o p t i o n a l ${ pkgs . ecryptfs } / l i b / s e c u r i t y / p a m _ e c r y p t f s . s o u n w r a p " }
$ { optionalString cfg . pamMount
" a u t h o p t i o n a l ${ pkgs . pam_mount } / l i b / s e c u r i t y / p a m _ m o u n t . s o " }
'' ) + ''
$ { optionalString cfg . unixAuth
" a u t h ${ if ( config . security . pam . enableEcryptfs || cfg . pamMount ) then " r e q u i r e d " else " s u f f i c i e n t " } p a m _ u n i x . s o ${ optionalString cfg . allowNullPassword " n u l l o k " } l i k e a u t h " }
$ { optionalString cfg . pamMount
" a u t h o p t i o n a l ${ pkgs . pam_mount } / l i b / s e c u r i t y / p a m _ m o u n t . s o " }
$ { optionalString config . security . pam . enableEcryptfs
" a u t h r e q u i r e d ${ pkgs . ecryptfs } / l i b / s e c u r i t y / p a m _ e c r y p t f s . s o u n w r a p " }
" a u t h s u f f i c i e n t p a m _ u n i x . s o ${ optionalString cfg . allowNullPassword " n u l l o k " } l i k e a u t h t r y _ f i r s t _ p a s s " }
$ { optionalString cfg . otpwAuth
" a u t h s u f f i c i e n t ${ pkgs . otpw } / l i b / s e c u r i t y / p a m _ o t p w . s o " }
$ { optionalString cfg . oathAuth
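Review bot: The control flag on pam_ecryptfs appears to drop from `required` on the removed line to `optional` on the new `auth optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap` line, so a failed passphrase unwrap no longer denies authentication, and the new comment block above it does not mention this relaxation. I would extend that block with `# pam_ecryptfs and pam_mount are 'optional' here: an unwrap/mount failure never denies login; only pam_unix decides.` The same block should also state the consequence of placing the `required` pam_unix line ahead of the later `sufficient` modules (otpw, oath, and the ldap/ccreds lines further down): with ecryptfs or pamMount enabled, a user who cannot authenticate against the local shadow database is denied even if a later module would accept them, because a `required` failure persists to the end of the stack. The enclosing `text = mkDefault (''…'')` expression starts before and ends after this hunk.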
@ -258,7 +268,7 @@ let
auth [ default = die success = done ] $ { pam_ccreds } /lib/security/pam_ccreds.so action = validate use_first_pass
auth sufficient $ { pam_ccreds } /lib/security/pam_ccreds.so action = store use_first_pass
'' }
$ { optionalString ( ! ( config . security . pam . enableEcryptfs || cfg . pamMount ) ) " a u t h r e q u i r e d p a m _ d e n y . s o " }
auth required pam_deny . so
# Password management.
password requisite pam_unix . so nullok sha512
@ -306,7 +316,7 @@ let
" s e s s i o n o p t i o n a l ${ pkgs . pam_mount } / l i b / s e c u r i t y / p a m _ m o u n t . s o " }
$ { optionalString ( cfg . enableAppArmor && config . security . apparmor . enable )
" s e s s i o n o p t i o n a l ${ pkgs . apparmor-pam } / l i b / s e c u r i t y / p a m _ a p p a r m o r . s o o r d e r = u s e r , g r o u p , d e f a u l t d e b u g " }
'' ;
'' ) ;
} ;
} ;