From 4283a9df9d6522d05733eb0ba98e0db7235df63e Mon Sep 17 00:00:00 2001 From: Gregory Rudolph Date: Thu, 19 Nov 2020 22:18:33 -0500 Subject: [PATCH] Why is pam_unix required, even if unixAuth = false --- nixos/modules/security/pam.nix | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index a517f9e51ce17..a45b8d2058c80 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -372,7 +372,8 @@ let text = mkDefault ('' # Account management. - account required pam_unix.so + ${optionalString unixAuth + "account required pam_unix.so"} ${optionalString use_ldap "account sufficient ${pam_ldap}/lib/security/pam_ldap.so"} ${optionalString (config.services.sssd.enable && cfg.sssdStrictAccess==false) @@ -424,7 +425,8 @@ let || cfg.googleAuthenticator.enable || cfg.gnupg.enable || cfg.duoSecurity.enable)) '' - auth required pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth + ${optionalString unixAuth + "auth required pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth"} ${optionalString config.security.pam.enableEcryptfs "auth optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"} ${optionalString cfg.pamMount @@ -477,7 +479,8 @@ let ${optionalString cfg.setEnvironment '' session required pam_env.so conffile=${config.system.build.pamEnvironment} readenv=0 ''} - session required pam_unix.so + ${optionalString unixAuth + "session required pam_unix.so"} ${optionalString cfg.setLoginUid "session ${ if config.boot.isContainer then "optional" else "required"
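Review bot: Gating `account required pam_unix.so` on unixAuth (first hunk) removes more than password login: pam_unix's account phase is what applies the shadow account-expiry and password-ageing checks, so a service that sets unixAuth = false while authenticating by key, LDAP or a second factor would stop enforcing them for local users. If no other account module is enabled the account stack would presumably be empty, and the outcome then depends on how the `other` service is configured, which is not visible here. The third hunk does the same to `session required pam_unix.so`, which drops that module's session open/close log entries. I would leave both lines unconditional and limit the change to the auth line, or add a separate option with its own description rather than widening unixAuth. The enclosing `text = mkDefault (''` string starts and ends outside these hunks.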
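Review bot: The added lines reference a bare `unixAuth`, while every other per-service option in this hunk is read through `cfg` (`cfg.allowNullPassword`, `cfg.nodelay`, `cfg.pamMount`); unless a let-binding for `unixAuth` exists outside the visible lines, evaluation fails with an undefined variable. Use `${optionalString cfg.unixAuth` here and in the account and session hunks. Separately, this `auth required pam_unix.so … likeauth` line sits ahead of the pam_ecryptfs `unwrap` entry and the `cfg.pamMount` entry, which appear to rely on an earlier module having collected the password, so with the line omitted those modules should be tested for still receiving a token. The surrounding conditional block begins and ends outside the hunk.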