nixos/pam: ability to call an external command #90490
@@ -463,6 +505,9 @@ let | |||
"session optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start"} | |||
${optionalString (config.virtualisation.lxc.lxcfs.enable) | |||
"session optional ${pkgs.lxc}/lib/security/pam_cgfs.so -c all"} | |||
|
|||
${optionalString (cfg.externalCommand != null) |
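Review bot: The position of the new `optionalString (cfg.externalCommand != null)` entry, directly after the `pam_cgfs.so` line, is not explained, and this block emits the session rules as ordered text. Add a comment saying why the external command belongs after `pam_gnome_keyring.so` and `pam_cgfs.so`, and state in the option's description which PAM phase it runs in and with which control flag (both neighbouring entries are `session optional`).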
I wonder if we should move this to a separate file. However there might be a reason we have a monolith here because the order matters?
I do not think the order matters.
We really shouldn't add more to this monolith IMHO. Please see #90640.
In PAM, order very much matters. Especially when using enterprise solutions such as AD/SSSD etc. @flokli pointed me here from my issue #104346 where having pam_unix.so as required, and before pam_sss.so causes some major problems. pam_unix.so will always fail a non-local account, so by requiring pam_unix.so all network/SSSD accounts will fail.
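The ordering problem described in the comment above, as an added example that is not part of the PR or of nixpkgs: a small Python model of how PAM combines `required`, `requisite`, `sufficient` and `optional` results. The per-user module outcomes and the second stack layout are constructed assumptions, and `optional` is simplified to "ignored".

```python
"""Added illustration: how PAM control flags combine, and why rule order matters."""

def run_stack(stack, results):
    """Evaluate one PAM stack for one login attempt.

    stack:   list of (control, module) tuples in file order
    results: dict mapping module -> True (PAM_SUCCESS) or False (failure)
    Simplification: 'optional' results are ignored entirely.
    """
    failed_required = False  # a 'required' module failed earlier in the stack
    any_success = False      # at least one non-optional module succeeded
    for control, module in stack:
        ok = results[module]
        if control == "optional":
            continue
        if control == "requisite" and not ok:
            return False                 # fail at once, skip the rest
        if control == "required" and not ok:
            failed_required = True       # remembered; later modules still run
        if control == "sufficient" and ok and not failed_required:
            return True                  # succeed at once, skip the rest
        any_success = any_success or ok
    return any_success and not failed_required

# Constructed outcomes for a correct password: pam_unix only knows local
# accounts, pam_sss only knows directory accounts, pam_deny always fails.
LOCAL_USER = {"pam_unix.so": True, "pam_sss.so": False, "pam_deny.so": False}
SSSD_USER = {"pam_unix.so": False, "pam_sss.so": True, "pam_deny.so": False}
BAD_PASSWORD = {"pam_unix.so": False, "pam_sss.so": False, "pam_deny.so": False}

# Ordering described in the comment: pam_unix is 'required' and comes first.
UNIX_REQUIRED_FIRST = [("required", "pam_unix.so"), ("sufficient", "pam_sss.so")]

# Assumed alternative layout (not taken from the PR): either backend may
# accept the user, and pam_deny closes the stack if neither did.
SUFFICIENT_THEN_DENY = [
    ("sufficient", "pam_unix.so"),
    ("sufficient", "pam_sss.so"),
    ("required", "pam_deny.so"),
]

if __name__ == "__main__":
    users = {"local": LOCAL_USER, "sssd": SSSD_USER, "bad password": BAD_PASSWORD}
    for name, stack in [("unix required first", UNIX_REQUIRED_FIRST),
                        ("sufficient then deny", SUFFICIENT_THEN_DENY)]:
        for user, results in users.items():
            print(f"{name:22} {user:13} -> {run_stack(stack, results)}")
```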
I hope that #105319 gets ready soon. Then this module becomes easier to integrate.
Haha yes! It still needs a lot of review though.
I marked this as stale due to inactivity.
Considering this has been stale for over a year, and the pam rework PR was closed: is there any interest in a version of this being merged, at least while the pam rework stuff is being sorted out?
No, thank you
As indicated in #90488, I would appreciate feedback on this.
Motivation for this change
See #90488