* Use pam_unix (from the PAM package) instead of pam_unix2. All the

functionality we needed from pam_unix2 (more secure hashes, and, uh...) has been merged into pam_unix. svn path=/nixos/trunk/; revision=22106
2024-12-29 14:57:28 +03:00 · 2010-06-02 19:59:44 +00:00 · 2010-06-02 19:59:44 +00:00 · 876954d15d
commit 876954d15d
parent 8b308272df
1 changed files with 7 additions and 7 deletions
--- a/modules/security/pam.nix
+++ b/modules/security/pam.nix
@ -7,7 +7,7 @@ with pkgs.lib;

 let

-  inherit (pkgs) pam_unix2 pam_usb pam_ldap;
+  inherit (pkgs) pam_usb pam_ldap;

  otherService = pkgs.writeText "other.pam"
    ''
@ -47,7 +47,7 @@ let
      # set (i.e., have an empty password field in /etc/passwd or
      # /etc/group).  This does not enable logging into disabled
      # accounts (i.e., that have the password field set to `!').
-      # Note that regardless of what the pam_unix2 documentation says,
+      # Note that regardless of what the pam_unix documentation says,
      # accounts with hashed empty passwords are always allowed to log
      # in.
      allowNullPassword ? false
@ -63,7 +63,7 @@ let
          # Account management.
          ${optionalString config.users.ldap.enable
              "account optional ${pam_ldap}/lib/security/pam_ldap.so"}
-          account required ${pam_unix2}/lib/security/pam_unix2.so
+          account required pam_unix.so

          # Authentication management.
          ${optionalString rootOK
@ -72,21 +72,21 @@ let
              "auth sufficient ${pam_usb}/lib/security/pam_usb.so"}
          ${optionalString config.users.ldap.enable
              "auth sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
-          auth sufficient ${pam_unix2}/lib/security/pam_unix2.so ${
+          auth sufficient pam_unix.so ${
            optionalString allowNullPassword "nullok"}
          auth required   pam_deny.so

          # Password management.
          ${optionalString config.users.ldap.enable
              "password sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
-          password requisite ${pam_unix2}/lib/security/pam_unix2.so nullok
+          password requisite pam_unix.so nullok sha512
          ${optionalString config.services.samba.syncPasswordsByPam
              "password optional ${pkgs.samba}/lib/security/pam_smbpass.so nullok use_authtok try_first_pass"}

          # Session management.
          ${optionalString config.users.ldap.enable
              "session optional ${pam_ldap}/lib/security/pam_ldap.so"}
-          session required ${pam_unix2}/lib/security/pam_unix2.so
+          session required pam_unix.so
          ${optionalString ownDevices
              "session optional ${pkgs.consolekit}/lib/security/pam_ck_connector.so"}
          ${optionalString forwardXAuth
@ -183,7 +183,7 @@ in
  
    environment.systemPackages =
      # Include the PAM modules in the system path mostly for the manpages.
-      [ pkgs.pam pam_unix2 ]
+      [ pkgs.pam ]
      ++ optional config.users.ldap.enable pam_ldap;

    environment.etc =