nixos/pam: move pam_unix to the end of the account chain

Netali 2022-07-31 23:37:33 +02:00
parent f23a1e6a54
commit 1a35b5aacb
No known key found for this signature in database
GPG Key ID: 9C55E636426B40A9


@ -452,7 +452,6 @@ let
(
''
# Account management.
account required pam_unix.so
'' +
optionalString use_ldap ''
account sufficient ${pam_ldap}/lib/security/pam_ldap.so
@ -473,7 +472,11 @@ let
account [success=ok ignore=ignore default=die] ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_login.so
account [success=ok default=ignore] ${pkgs.google-guest-oslogin}/lib/security/pam_oslogin_admin.so
'' +
# The required pam_unix.so module has to come after all the sufficient modules
# because otherwise, the account lookup will fail if the user does not exist
# locally, for example with MySQL- or LDAP-auth.
''
account required pam_unix.so
# Authentication management.
'' +
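Review bot: The comment added above the relocated `account required pam_unix.so` explains why the line moved but not what the move costs. Once an earlier `sufficient` account module succeeds (for example `pam_ldap.so` in the first hunk), PAM stops processing the account stack, so pam_unix's account checks, such as local account expiry and password aging, are no longer evaluated for that login. I would add a line to the comment such as `# Note: pam_unix's account checks are skipped whenever an earlier sufficient module succeeds.` so the trade-off is visible to whoever adds the next module. The two `pam_oslogin` lines use bracketed controls rather than `sufficient`, so they presumably still fall through to pam_unix. The concatenated string this hunk edits starts before it and continues after it.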