Why is pam_unix required, even if unixAuth = false #104346
Conversation
|
Our whole PAM situation is in dire need of a refactor, and much more tests. See #90490 (comment) for pointers and #90640 for details. I'm pretty sure there are some interesting corner cases not handled properly. |
|
@flokli what would you suggest? I'm not sure how exactly to help, as it apparently the tests didn't like what I tried to do |
|
I marked this as stale due to inactivity. → More info |
stale
bot
added
the
2.status: stale
stale
bot
removed
the
2.status: stale
There was a problem hiding this comment.
@Rudi9719 are you still interested in fixing this and getting it merged? I will close it in a few weeks if you aren't anymore.
|
I'll close this since @Rudi9719 seems to be mostly inactive. Feel free to reopen it or do a new one as soon as you have to again :D Still thank you for your contribution |
|
I had to switch to a more stable distro and haven't had time to circle back and test updates- this branch is probably outdated |
|
as I said feel free to reopen as soon as you have time to work on it again :D |
This is more of a proposal/question than an actual pull request. Not sure how to actually test it!
Motivation for this change
I was unable to set security.pam.services.sshd.unixAuth to false, and was having issues with SDDM/SSSD previously #94744 then I noticed no matter what, pam_unix.so was marked as required. Even if unixAuth = false.
Things done
Wrapped all * required pam_unix.so in optionalString's based on other lines I saw in this file. Not sure if that would fix my problem or not, hoping someone who knows more about NixOS could weigh in. I'd also like to note that SSSD worked with SSH/Console log in out of the box when I opened #94744 and are now both borked for some reason.
sandboxinnix.confon non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"./result/bin/)nix path-info -Sbefore and after)