qbit/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

nixos/pam: Strip config in documentation and messages

Browse Source 
config can be assumed as the options root and is therefore redundant.
This commit is contained in:
Mikael Voss 2024-10-10 16:07:36 +02:00
parent 6c843e1137
commit 7b3261b5a6
No known key found for this signature in database
1 changed files with 3 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
nixos/modules/security/pam.nix
View File

@ -1168,8 +1168,7 @@ in
If set, users can authenticate with their Kerberos password.
This requires a valid Kerberos configuration
(`config.security.krb5.enable` should be set to
`true`).
(`security.krb5.enable` should be set to `true`).
Note that the Kerberos PAM modules are not necessary when using SSS
to handle Kerberos authentication.
@ -1587,8 +1586,8 @@ in
warnings = lib.optional
(with config.security.pam.sshAgentAuth;
enable && lib.any (s: lib.hasPrefix "%h" s || lib.hasPrefix "~" s) authorizedKeysFiles)
''config.security.pam.sshAgentAuth.authorizedKeysFiles contains files in the user's home directory.
enable && lib.any (s: lib.hasPrefix "%h" s || lib.hasPrefix "~" s) authorizedKeysFiles) ''
security.pam.sshAgentAuth.authorizedKeysFiles contains files in the user's home directory.
Specifying user-writeable files there result in an insecure configuration:
a malicious process can then edit such an authorized_keys file and bypass the ssh-agent-based authentication.