Merge pull request #276499 from nbraud/nixos/pam/ssh-agent-auth

nixos/pam: Add assertion for SSH-agent auth
Maciej Krüger 2024-01-07 13:54:27 +01:00 committed by GitHub
commit c931d73fba
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 10 additions and 0 deletions


@ -95,6 +95,9 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m
- `systemd.oomd.enableUserServices` is renamed to `systemd.oomd.enableUserSlices`. - `systemd.oomd.enableUserServices` is renamed to `systemd.oomd.enableUserSlices`.
- `security.pam.enableSSHAgentAuth` now requires `services.openssh.authorizedKeysFiles` to be non-empty,
which is the case when `services.openssh.enable` is true. Previously, `pam_ssh_agent_auth` silently failed to work.
## Other Notable Changes {#sec-release-24.05-notable-changes} ## Other Notable Changes {#sec-release-24.05-notable-changes}
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
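Review bot: The new release-note entry says `security.pam.enableSSHAgentAuth` "now requires" a non-empty `services.openssh.authorizedKeysFiles`, but it does not say how the requirement is enforced or what to do on a host that does not run sshd. Since the accompanying module change turns this into an assertion, the note should say that evaluation now fails instead of `pam_ssh_agent_auth` silently not working. It should also say that setting `services.openssh.authorizedKeysFiles` explicitly satisfies the requirement, so readers do not conclude that enabling `services.openssh.enable` is the only way to keep agent authentication.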


@ -1456,6 +1456,13 @@ in
`security.pam.zfs.enable` requires enabling ZFS (`boot.zfs.enabled` or `boot.zfs.enableUnstable`). `security.pam.zfs.enable` requires enabling ZFS (`boot.zfs.enabled` or `boot.zfs.enableUnstable`).
''; '';
} }
{
assertion = config.security.pam.enableSSHAgentAuth -> config.services.openssh.authorizedKeysFiles != [];
message = ''
`security.pam.enableSSHAgentAuth` requires `services.openssh.authorizedKeysFiles` to be a non-empty list.
Did you forget to set `services.openssh.enable` ?
'';
}
]; ];
environment.systemPackages = environment.systemPackages =
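Review bot: The hint in the assertion `message`, "Did you forget to set `services.openssh.enable` ?", points users at enabling the SSH daemon, while the condition only checks `config.services.openssh.authorizedKeysFiles != []`. On a machine that wants agent authentication for local PAM services only, following the hint exposes a network service that was not asked for. Consider wording it as "set `services.openssh.authorizedKeysFiles`, or enable `services.openssh.enable`", and drop the space before the question mark. Note also that a non-emptiness check says nothing about which paths are listed. If that is intentional, a short comment next to the assertion stating that it only guards against the silent-failure case would help the next reader.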