nixos/pam: ability to calls an external command #90490
Conversation
| @@ -463,6 +505,9 @@ let | |||
| "session optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start"} | |||
| ${optionalString (config.virtualisation.lxc.lxcfs.enable) | |||
| "session optional ${pkgs.lxc}/lib/security/pam_cgfs.so -c all"} | |||
|
|
|||
| ${optionalString (cfg.externalCommand != null) | |||
There was a problem hiding this comment.
I wonder if we should move this to a separate file. However there might be a reason we have a monolith here because the order matters?
There was a problem hiding this comment.
I do not think the order matters.
There was a problem hiding this comment.
We really shouldn't add more to this monolith IMHO. Please see #90640.
There was a problem hiding this comment.
In PAM, order very much matters. Especially when using enterprise solutions such as AD/SSSD etc. @flokli pointed me here from my issue #104346 where having pam_unix.so as required, and before pam_sss.so causes some major porblems. pam_unix.so will always fail a non-local account, so by requiring pam_unix.so all network/SSSD accounts will fail.
|
I hope that #105319 gets ready soon. Than this module becomes easier to integrate. |
Haha yes! It still needs a lot of review though. |
|
I marked this as stale due to inactivity. → More info |
stale
bot
added
the
2.status: stale
|
Considering this has been stale for over a year, and the pam rework PR was closed: is there any interest in a version of this being merged, at least while the pam rework stuff is being sorted out? |
stale
bot
removed
the
2.status: stale
No, thank you |
As indicated in #90488, I would appreciate feedback on this.
Motivation for this change
See #90488
Things done
sandboxinnix.confon non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"./result/bin/)nix path-info -Sbefore and after)