nixos/sudo-rs: Move support for pam_ssh_agent_auth(8) to PAM's NixOS module

Similar to delroth's suggestion in #262790.
2023-09-04 21:06:12 +00:00 · 2023-09-04 21:06:12 +00:00 · bcc2d1238a
commit bcc2d1238a
parent f5d059b1f5
2 changed files with 8 additions and 9 deletions
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@ -943,6 +943,11 @@ let
      value.source = pkgs.writeText "${name}.pam" service.text;
    };

+  optionalSudoConfigForSSHAgentAuth = optionalString config.security.pam.enableSSHAgentAuth ''
+    # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
+    Defaults env_keep+=SSH_AUTH_SOCK
+  '';
+
 in

 {
@ -1532,9 +1537,7 @@ in
        concatLines
      ]);

-    security.sudo.extraConfig = optionalString config.security.pam.enableSSHAgentAuth ''
-      # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
-      Defaults env_keep+=SSH_AUTH_SOCK
-    '';
-    };
+    security.sudo.extraConfig = optionalSudoConfigForSSHAgentAuth;
+    security.sudo-rs.extraConfig = optionalSudoConfigForSSHAgentAuth;
+  };
 }
--- a/nixos/modules/security/sudo-rs.nix
+++ b/nixos/modules/security/sudo-rs.nix
@ -220,10 +220,6 @@ in
        # Don't edit this file. Set the NixOS options ‘security.sudo-rs.configFile’
        # or ‘security.sudo-rs.extraRules’ instead.
      ''
-      (optionalString enableSSHAgentAuth ''
-        # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
-        Defaults env_keep+=SSH_AUTH_SOCK
-      '')
      (pipe cfg.extraRules [
        (filter (rule: length rule.commands != 0))
        (map (rule: [