nixos/pam: prioritize safer auth methods over fingerprints
Currently if fprintd is enabled, pam will ask for fingerprint regardless of other configured authentication modules (e.g. yubikey). This change make fingerprint the last resort of authentication before asking for password.
This commit is contained in:
parent
b76e884eb4
commit
e0adda4113
@ -397,8 +397,6 @@ let
|
||||
"auth required pam_faillock.so"}
|
||||
${optionalString (config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth)
|
||||
"auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=${lib.concatStringsSep ":" config.services.openssh.authorizedKeysFiles}"}
|
||||
${optionalString cfg.fprintAuth
|
||||
"auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so"}
|
||||
${let p11 = config.security.pam.p11; in optionalString cfg.p11Auth
|
||||
"auth ${p11.control} ${pkgs.pam_p11}/lib/security/pam_p11.so ${pkgs.opensc}/lib/opensc-pkcs11.so"}
|
||||
${let u2f = config.security.pam.u2f; in optionalString cfg.u2fAuth
|
||||
@ -409,6 +407,8 @@ let
|
||||
"auth requisite ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}"}
|
||||
${let yubi = config.security.pam.yubico; in optionalString cfg.yubicoAuth
|
||||
"auth ${yubi.control} ${pkgs.yubico-pam}/lib/security/pam_yubico.so mode=${toString yubi.mode} ${optionalString (yubi.mode == "client") "id=${toString yubi.id}"} ${optionalString yubi.debug "debug"}"}
|
||||
${optionalString cfg.fprintAuth
|
||||
"auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so"}
|
||||
'' +
|
||||
# Modules in this block require having the password set in PAM_AUTHTOK.
|
||||
# pam_unix is marked as 'sufficient' on NixOS which means nothing will run
|
||||
|
Loading…
Reference in New Issue
Block a user