security.pam: make pam_unix.so required, not sufficient
Setting pam_unix to sufficient means the account management group succeeds early, as soon as pam_unix.so succeeds.

This is not sufficient. For example, modules might install nss modules
for user lookup, so pam_unix.so succeeds, and we end the stack
successfully, even though other pam modules might want to do more
extensive checks.

Other distros set pam_unix.so to 'required', so if there are other pam
modules in that management group, they get a chance to do some
validation too.

This broke SSSD, for which @PsyanticY added a workaround knob
in NixOS#31969.

This also breaks parts of Google OS Login, as the pam_oslogin_admin.so
module doesn't get a chance to add a sudoers file for admins (while the
NSS module fixes the lookup done in pam_unix.so).

This changes the default of pam_unix.so to 'required'. We don't drop the
`security.pam.services.<name?>.sssdStrictAccess` option, as it's used
some lines below to tweak error behaviour inside the pam sssd module.
flokli committed Dec 12, 2018
1 parent 3eb0a46 commit 7ca5056
Showing 1 changed file with 1 addition and 1 deletion.
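To make the control-keyword difference described in the commit message concrete, here is an added example that is not part of this commit, of NixOS, or of Linux-PAM: a small Python evaluator of the simple pam.conf(5) keywords (`required`, `requisite`, `sufficient`) run over a constructed account stack shaped like the one in pam.nix. The module handlers, the user sets and the module name `pam_extra_check.so` are assumptions made for the illustration.

```python
"""Toy evaluator for Linux-PAM control keywords in one management group.

Added illustration for the pam_unix.so change above; it is not NixOS or
Linux-PAM code.  Only the simple keywords from pam.conf(5) are modelled:

  required   - a failure is remembered and the stack continues, but the
               group's final result is that failure
  requisite  - a failure ends the stack immediately with that failure
  sufficient - success ends the stack successfully unless an earlier
               'required' module already failed; failure is ignored

The account handlers and user sets below are constructed sample data;
pam_extra_check.so is a hypothetical module standing in for any further
account check (the commit names pam_oslogin_admin.so as one real case).
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

SUCCESS = "PAM_SUCCESS"
USER_UNKNOWN = "PAM_USER_UNKNOWN"
PERM_DENIED = "PAM_PERM_DENIED"

# Constructed sample data.
LOCAL_USERS = {"alice", "bob"}   # resolvable through NSS, so pam_unix.so succeeds
LDAP_USERS = {"carol"}           # only known to pam_ldap.so
EXTRA_DENIES = {"bob"}           # policy of the hypothetical pam_extra_check.so


@dataclass
class Entry:
    control: str                   # "required" | "requisite" | "sufficient"
    module: str                    # shared-object name, used for the trace only
    handler: Callable[[str], str]  # user -> PAM return code


def run_stack(stack: List[Entry], user: str) -> Tuple[str, List[str]]:
    """Evaluate one management group; return (final result, modules that ran)."""
    ran: List[str] = []
    first_failure: Optional[str] = None
    for entry in stack:
        rc = entry.handler(user)
        ran.append(entry.module)
        ok = rc == SUCCESS
        if entry.control == "required":
            if not ok and first_failure is None:
                first_failure = rc
        elif entry.control == "requisite":
            if not ok:
                return rc, ran
        elif entry.control == "sufficient":
            # A sufficient success short-circuits only if no required module failed.
            if ok and first_failure is None:
                return SUCCESS, ran
        else:
            raise ValueError(f"unsupported control keyword {entry.control!r}")
    return (first_failure or SUCCESS), ran


def pam_unix(user: str) -> str:
    """Constructed: succeeds only for users NSS can resolve."""
    return SUCCESS if user in LOCAL_USERS else USER_UNKNOWN


def pam_extra_check(user: str) -> str:
    """Hypothetical extra account check that denies some local users."""
    return PERM_DENIED if user in EXTRA_DENIES else SUCCESS


def pam_ldap(user: str) -> str:
    """Constructed: succeeds only for LDAP-only users."""
    return SUCCESS if user in LDAP_USERS else USER_UNKNOWN


def account_stack(unix_control: str) -> List[Entry]:
    """Account group shaped like pam.nix's, with pam_unix.so's keyword as a parameter."""
    return [
        Entry(unix_control, "pam_unix.so", pam_unix),
        Entry("required", "pam_extra_check.so", pam_extra_check),
        Entry("sufficient", "pam_ldap.so", pam_ldap),
    ]


if __name__ == "__main__":
    for control in ("sufficient", "required"):
        for user in ("bob", "carol"):
            result, ran = run_stack(account_stack(control), user)
            print(f"pam_unix.so {control:10} user={user:6} -> {result:17} ran={ran}")
```

With pam_unix.so as `sufficient`, user `bob` ends the group successfully before `pam_extra_check.so` ever runs, which is the short-circuit the commit message describes. With `required`, every module runs and the extra check's denial becomes the group's result. The `carol` case shows the caveat that comes with the change: once pam_unix.so is `required`, a user that NSS cannot resolve fails account management even though the later `sufficient` pam_ldap.so line would have accepted her, which is why the message relies on NSS modules (SSSD, the OS Login NSS module) resolving the user.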
2 changes: 1 addition & 1 deletion nixos/modules/security/pam.nix
Expand Up @@ -293,7 +293,7 @@ let
text = mkDefault
(''
# Account management.
account ${if cfg.sssdStrictAccess then "required" else "sufficient"} pam_unix.so
account required pam_unix.so audit
${optionalString use_ldap
"account sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
${optionalString (config.services.sssd.enable && cfg.sssdStrictAccess==false)
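Review bot: the replacement line `account required pam_unix.so audit` adds the `audit` option, which the commit message does not mention; either say why verbose logging of pam_unix.so account checks is wanted here or drop it so the hunk matches the described change (`sufficient` to `required`). It would also help to state in the message or a comment that with `required`, a pam_unix.so failure, including an unknown user, is now final even when the following `account sufficient ... pam_ldap.so` line succeeds, so every user passing this group must be resolvable through NSS. The `cfg.sssdStrictAccess==false` guard retained on the pam_sss line below is consistent with the message's reason for keeping the option.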