Commit graph

35 commits

Author SHA1 Message Date
Lluís Batlle i Rossell
86c1e10a43 Setting pam otpw *after* pam_unix, for dovecot failed auth messages.
I think it's nice that it first asks the usual password, and then offers the
otpw one if enabled. That enables dovecot to show the last pam prompt.

I also add the dovecot option for that.
2013-03-30 22:25:19 +01:00
Lluís Batlle i Rossell
c53bd1b279 pam: adding otpw optional, default false 2013-03-30 21:06:23 +01:00
Eelco Dolstra
251f8546c9 pam_ssh_agent_auth: Use /etc/ssh/authorized_keys.d 2012-12-17 21:14:09 +01:00
Eelco Dolstra
b1da38f564 Merge remote-tracking branch 'origin/master' into systemd 2012-11-30 16:12:04 +01:00
Rickard Nilsson
6099451662 Add support for nslcd (nss-pam-ldapd) as users.ldap.daemon option 2012-11-20 16:39:45 +01:00
aszlig
1c28b86749
pam: Douchebag commit, fix alphabetical order.
Yes, I'm going to get back to school and learn the alphabet. I promise!

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2012-11-05 09:41:24 +01:00
aszlig
6e6ee3278c
pam: Add default configuration for GNU screen.
This is needed in order to properly lock your screen using the C-a C-x
(lockscreen) command _and_ being back to re-login, because the "other" PAM
service/fallback is to deny authentication.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
2012-11-05 09:40:15 +01:00
Eelco Dolstra
224c825a36 Add option ‘users.motd’ for setting a message of the day shown on login
Note that this uses pam_motd.
2012-10-23 09:10:48 -04:00
Eelco Dolstra
490ce3a230 PAM: Rename ownDevices to startSession
Logind sessions are more generally useful than for device ownership.
For instances, ssh logins can be put in their own session (and thus
their own cgroup).
2012-08-17 13:48:22 -04:00
Eelco Dolstra
d4fec178fd Merge remote-tracking branch 'origin/master' into systemd 2012-08-02 13:44:16 -04:00
Peter Simons
4553a27a92 modules/security/pam.nix: add xscreensaver to the list of services 2012-07-17 13:01:09 +02:00
Eelco Dolstra
66f4d10843 Use pam_systemd.so to set up device ownership
This removes the need for ConsoleKit, so it's gone.
2012-06-15 14:51:48 -04:00
Eelco Dolstra
63517eca1b * Actually use the security.pam.enableSSHAgentAuth option.
http://hydra.nixos.org/build/2698800

svn path=/nixos/trunk/; revision=34483
2012-06-12 20:21:15 +00:00
Eelco Dolstra
03653d43eb * Add support for sudo authentication using the SSH agent. This
allows password-less servers.

svn path=/nixos/trunk/; revision=34474
2012-06-11 22:41:07 +00:00
Peter Simons
51b5da4023 modules/security/pam.nix: sort security.pam.services alphabetically
svn path=/nixos/trunk/; revision=34437
2012-06-11 07:12:41 +00:00
Peter Simons
5c3593be46 Add PAM configuration for vlock.
svn path=/nixos/trunk/; revision=34436
2012-06-11 07:12:39 +00:00
Peter Simons
4c54fcaf45 pam security for i3lock
svn path=/nixos/trunk/; revision=34435
2012-06-11 07:10:25 +00:00
Eelco Dolstra
44725e50f0 * Apply the resource limits set by security.pam.loginLimits to all PAM
services (rather than just login(1)).  It's rather unexpected if
  resource limits are not applied to (say) users logged in via SSH or
  X11.

svn path=/nixos/trunk/; revision=28105
2011-08-01 10:17:18 +00:00
Lluís Batlle i Rossell
84bea7a351 I change the ldap settings so pam_unix and 'files' always go in front of ldap,
instead of the opposite. Thus, /etc/passwd has priority over ldap.


svn path=/nixos/trunk/; revision=26834
2011-04-13 20:48:50 +00:00
Yury G. Kudryashov
f0eb823a34 Add unix_chkpwd suid wrapper
svn path=/nixos/trunk/; revision=23165
2010-08-13 14:07:34 +00:00
David Guibert
6c8c1f935a nixos: authenticate through kerberos
config.krb5.enable needs to be set as true.
Also use pam_ccreds to cache Kerberos credentials for offline logins.

svn path=/nixos/trunk/; revision=22986
2010-08-06 08:50:48 +00:00
Eelco Dolstra
c089738bdc * Use the shadow' package instead of pwdutils', `pam_login' and
`su'.
* The `usermod' from `shadow' allows setting a supplementary group
  equal to the user's primary group, so the special hack for the
  `nixbld' group is no longer needed.
* Removed /etc/default/passwd since it's not used by the new passwd.
  The hash is configured in pam_unix.
* Move some values for `security.setuidPrograms' and
  `security.pam.services' to the appropriate modules.

svn path=/nixos/trunk/; revision=22107
2010-06-02 21:10:48 +00:00
Eelco Dolstra
876954d15d * Use pam_unix (from the PAM package) instead of pam_unix2. All the
functionality we needed from pam_unix2 (more secure hashes, and,
  uh...) has been merged into pam_unix.

svn path=/nixos/trunk/; revision=22106
2010-06-02 19:59:44 +00:00
Eelco Dolstra
540c673364 * Enable the `chfn' program. Note that by default non-root users are
still not permitted to change their account information, as
  specified in login.defs.

svn path=/nixos/trunk/; revision=22049
2010-05-28 14:59:34 +00:00
Ludovic Courtès
c68f5fbae4 Add support for pam_limits.
svn path=/nixos/trunk/; revision=19370
2010-01-12 11:02:23 +00:00
Nicolas Pierron
d2901e979d * Add support for pam_usb.
svn path=/nixos/trunk/; revision=19185
2010-01-03 11:59:08 +00:00
Eelco Dolstra
5dfaf565bf * On the CD or on a newly installed system, create the root account
with an empty password, rather than with a hashed empty password.
  The latter is a security risk, because it allows remote root logins
  if a user enables sshd before setting a proper root password.
* Allow empty passwords for login and slim, but nothing else.

svn path=/nixos/trunk/; revision=17833
2009-10-15 14:41:59 +00:00
Eelco Dolstra
3e5912833d * For consistency with Nixpkgs.
svn path=/nixos/trunk/; revision=17427
2009-09-25 20:12:35 +00:00
Eelco Dolstra
379778c385 * For X logins, don't use pam_ck_connector since it doesn't really
work for X logins.  (The documentation also says so.)  Instead just
  call ck-launch-session from the xsession script.

svn path=/nixos/trunk/; revision=17090
2009-09-13 14:05:21 +00:00
Eelco Dolstra
447c1ac34a * SLiM / ConsoleKit compatibility hack.
svn path=/nixos/trunk/; revision=16744
2009-08-17 01:35:48 +00:00
Eelco Dolstra
7ab616f659 * Added support for ConsoleKit.
* Let ConsoleKit track the current logins instead of pam_console.
  Udev now takes care of setting the device permissions to the active
  user.  This works much better, since pam_console wouldn't apply
  permissions to new (hot-plugged) devices.  Also, the udev+ConsoleKit
  approach supports user switching.  (We don't have that for X yet,
  but it already works for logins on virtual consoles: if you switch
  between different users on differents VCs with Alt+Fn, the device
  ownership will be changed automatically.)

svn path=/nixos/trunk/; revision=16743
2009-08-17 01:16:38 +00:00
Eelco Dolstra
3b931f7861 * We still need /etc/pam.d/other to keep usermod happy.
svn path=/nixos/trunk/; revision=16731
2009-08-16 15:46:24 +00:00
Eelco Dolstra
39bffdb34c * Make the generation of /etc/pam.d more declarative. There now is an
option security.pam.services containing the list of PAM services.
  For instance, the SLiM module simply declares:

    security.pam.services = [ { name = "slim"; localLogin = true; } ];

svn path=/nixos/trunk/; revision=16729
2009-08-16 14:49:14 +00:00
Eelco Dolstra
720d51179e * kdm needs the "kde" PAM module, but you only get it when KDE is
enabled as a session type.  Since I'm lazy, provide it
  unconditionally.  Also have it include "common-console" to set
  device ownership when logging in.

svn path=/nixos/branches/modular-nixos/; revision=15800
2009-05-29 14:57:31 +00:00
Eelco Dolstra
14f1c81822 * Move PAM configuration to modules/security/pam.nix.
svn path=/nixos/branches/modular-nixos/; revision=15766
2009-05-28 13:10:02 +00:00