Merge pull request #276499 from nbraud/nixos/pam/ssh-agent-auth

nixos/pam: Add assertion for SSH-agent auth
2024-01-07 13:54:27 +01:00 · 2024-01-07 13:54:27 +01:00 · c931d73fba
commit c931d73fba
parent c7efe762fe 607679c6d3
2 changed files with 10 additions and 0 deletions
--- a/nixos/doc/manual/release-notes/rl-2405.section.md
+++ b/nixos/doc/manual/release-notes/rl-2405.section.md
@ -95,6 +95,9 @@ The pre-existing [services.ankisyncd](#opt-services.ankisyncd.enable) has been m

  - `systemd.oomd.enableUserServices` is renamed to `systemd.oomd.enableUserSlices`.

+- `security.pam.enableSSHAgentAuth` now requires `services.openssh.authorizedKeysFiles` to be non-empty,
+  which is the case when `services.openssh.enable` is true. Previously, `pam_ssh_agent_auth` silently failed to work.
+
 ## Other Notable Changes {#sec-release-24.05-notable-changes}

 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@ -1456,6 +1456,13 @@ in
          `security.pam.zfs.enable` requires enabling ZFS (`boot.zfs.enabled` or `boot.zfs.enableUnstable`).
        '';
      }
+      {
+        assertion = config.security.pam.enableSSHAgentAuth -> config.services.openssh.authorizedKeysFiles != [];
+        message = ''
+          `security.pam.enableSSHAgentAuth` requires `services.openssh.authorizedKeysFiles` to be a non-empty list.
+          Did you forget to set `services.openssh.enable` ?
+        '';
+      }
    ];

    environment.systemPackages =