[Tracking] Pam #147565
Comments
I think moving to the Arch style of PAM files would be good: https://archlinux.org/packages/core/any/pambase/ -> download from the mirror in the sidebar, see https://wiki.archlinux.org/title/PAM#PAM_base-stack .
./system-auth
#%PAM-1.0
auth       required                    pam_faillock.so      preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
auth       [success=2 default=ignore]  pam_unix.so          try_first_pass nullok
-auth      [success=1 default=ignore]  pam_systemd_home.so
auth       [default=die]               pam_faillock.so      authfail
auth       optional                    pam_permit.so
auth       required                    pam_env.so
auth       required                    pam_faillock.so      authsucc
# If you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures.

-account   [success=1 default=ignore]  pam_systemd_home.so
account    required                    pam_unix.so
account    optional                    pam_permit.so
account    required                    pam_time.so

-password  [success=1 default=ignore]  pam_systemd_home.so
password   required                    pam_unix.so          try_first_pass nullok shadow sha512
password   optional                    pam_permit.so

session    required                    pam_limits.so
session    required                    pam_unix.so
session    optional                    pam_permit.so

./system-services
#%PAM-1.0
auth       sufficient  pam_permit.so
account    include     system-auth
session    optional    pam_loginuid.so
session    required    pam_limits.so
session    required    pam_unix.so
session    optional    pam_permit.so
session    required    pam_env.so

./other
#%PAM-1.0
auth       required  pam_deny.so
auth       required  pam_warn.so
account    required  pam_deny.so
account    required  pam_warn.so
password   required  pam_deny.so
password   required  pam_warn.so
session    required  pam_deny.so
session    required  pam_warn.so

./system-local-login
#%PAM-1.0
auth       include  system-login
account    include  system-login
password   include  system-login
session    include  system-login

./system-login
#%PAM-1.0
auth       required   pam_shells.so
auth       requisite  pam_nologin.so
auth       include    system-auth
account    required   pam_access.so
account    required   pam_nologin.so
account    include    system-auth
password   include    system-auth
session    optional   pam_loginuid.so
session    optional   pam_keyinit.so   force revoke
session    include    system-auth
session    optional   pam_motd.so
session    optional   pam_mail.so      dir=/var/spool/mail standard quiet
-session   optional   pam_systemd.so
session    required   pam_env.so       user_readenv=1

./system-remote-login
#%PAM-1.0
auth       include  system-login
account    include  system-login
password   include  system-login
session    include  system-login
The polkit-1 PAM file, for example.
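One check worth running over a stack like the one pasted above, as an added example that is not from this issue or from nixpkgs: a small Python script (function names `parse_pam` and `check_stack` are my own; the embedded input is a constructed copy of the system-auth auth section plus a login file with one deliberately dangling include) that parses pam.d files, verifies that every `action=N` jump stays within the same type's stack in that file, which is where Linux-PAM otherwise logs "bad jump in stack" and fails the request, and flags `include`/`substack` targets that do not exist. Jumps are counted per file only; rules spliced in through include are not followed.

```python
import re

# type, control ("required" or a bracketed "[success=2 default=ignore]"), module, args
RULE = re.compile(r"^(-?)(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_pam(text):
    """Parse one pam.d file into (type, control, module) tuples; comments and blanks dropped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE.match(line)
        if not m:
            raise ValueError(f"unparsable PAM line: {raw!r}")
        mtype, control, module = m.group(2, 3, 4)
        rules.append((mtype, control, module))
    return rules


def check_stack(files):
    """Return human-readable problems for a dict {service_name: file_text}."""
    problems = []
    for name, text in files.items():
        rules = parse_pam(text)
        for i, (mtype, control, module) in enumerate(rules):
            # "action=N" skips the next N modules of the same type in this file;
            # Linux-PAM treats a jump past the end as "bad jump in stack" and fails.
            remaining = sum(1 for t, _, _ in rules[i + 1:] if t == mtype)
            for n in map(int, re.findall(r"=(\d+)", control)):
                if n > remaining:
                    problems.append(f"{name}: {mtype} {module} jumps {n} past end of stack")
            if control in ("include", "substack") and module not in files:
                problems.append(f"{name}: {mtype} includes missing service {module!r}")
    return problems


# Constructed sample: the auth section of the Arch-style system-auth above, a login
# file with one deliberately dangling include, and the deny-all "other" fallback.
SAMPLE = {
    "system-auth": """\
auth  required                    pam_faillock.so  preauth
auth  [success=2 default=ignore]  pam_unix.so      try_first_pass nullok
-auth [success=1 default=ignore]  pam_systemd_home.so
auth  [default=die]               pam_faillock.so  authfail
auth  optional                    pam_permit.so
auth  required                    pam_env.so
auth  required                    pam_faillock.so  authsucc
""",
    "system-login": "auth include system-auth\nauth include system-missing\n",
    "other": "auth required pam_deny.so\nauth required pam_warn.so\n",
}
```

Running `check_stack(SAMPLE)` reports only the dangling include; the two jumps in system-auth both land inside the auth stack.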
Thanks for opening this discussion. Looking forward to your findings and suggestions. PAM really requires a bit of love in NixOS.

Getting close to 2 years since the last comment on this thread. The situation is still not good. Just thought I'd ping in case anyone has any interest or thoughts.

This issue has been mentioned on NixOS Discourse. There might be relevant details there: https://discourse.nixos.org/t/what-do-you-want-from-pam-security-pam-in-nixos/33265/2

Probably fixed by #255547?

Please open a new issue with actionable problems/suggestions if there is still something to do (and cross-reference). I'll assume (as per the previous comment) that this is fixed.
For conversation on improving the PAM situation.
A large rework was attempted in #105319.