Pam

security.pam.dp9ik.authserver

This controls the hostname for the 9front authentication server that users will be authenticated against.

Type: null or string

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.dp9ik.control

This option sets the pam "control" used for this module.

Type: string

Default

"sufficient"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.dp9ik.enable

Whether to enable the dp9ik pam module provided by tlsclient.

If set, users can be authenticated against the 9front authentication server given in security.pam.dp9ik.authserver.

Type: boolean

Default

false

Example

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.enableEcryptfs

Whether to enable the eCryptfs PAM module (mounting the ecryptfs home directory on login).

Type: boolean

Default

false

Example

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.enableFscrypt

Whether to enable fscrypt, to automatically unlock directories with the user's login password.

This also enables a service at security.pam.services.fscrypt which is used by fscrypt to verify the user's password when setting up a new protector. If you use something other than pam_unix to verify user passwords, please remember to adjust this PAM service.

Type: boolean

Default

false

Example

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.enableOTPW

Whether to enable the OTPW (one-time password) PAM module.

Type: boolean

Default

false

Example

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.krb5.enable

Enables Kerberos PAM modules (pam-krb5, pam-ccreds).

If set, users can authenticate with their Kerberos password. This requires a valid Kerberos configuration (config.security.krb5.enable should be set to true).

Note that the Kerberos PAM modules are not necessary when using SSS to handle Kerberos authentication.

Type: boolean

Default

config.security.krb5.enable

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.loginLimits

Define resource limits that should apply to users or groups. Each item in the list should be an attribute set with a domain, type, item, and value attribute. The syntax and semantics of these attributes must be those described in limits.conf(5).

Note that these limits do not apply to systemd services, whose limits can be changed via systemd.extraConfig instead.

Type: list of (submodule)

Default

[ ]

Example

[
  { domain = "ftp"; item = "nproc"; type = "hard"; value = "0"; }
  { domain = "@student"; item = "maxlogins"; type = "-"; value = "4"; }
]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.loginLimits.*.domain

Username, groupname, or wildcard this limit applies to.

Type: string

Example

"@wheel"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.loginLimits.*.item

Item this limit applies to.

Type: one of "core", "data", "fsize", "memlock", "nofile", "rss", "stack", "cpu", "nproc", "as", "maxlogins", "maxsyslogins", "priority", "locks", "sigpending", "msgqueue", "nice", "rtprio"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.loginLimits.*.type

Type of this limit.

Type: one of "-", "hard", "soft"

Default

"-"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.loginLimits.*.value

Value of this limit.

Type: string or signed integer

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.makeHomeDir.skelDirectory

Path to skeleton directory whose contents are copied to home directories newly created by pam_mkhomedir.

Type: string

Default

"/var/empty"

Example

"/etc/skel"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.makeHomeDir.umask

The user file mode creation mask to use on home directories newly created by pam_mkhomedir.

Type: string

Default

"0077"

Example

"0022"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.mount.additionalSearchPaths

Additional programs to include in the search path of pam_mount. Useful for example if you want to use some FUSE filesystems like bindfs.

Type: list of package

Default

[ ]

Example

[ pkgs.bindfs ]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam_mount.nix

security.pam.mount.createMountPoints

Create mountpoints for volumes if they do not exist.

Type: boolean

Default

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam_mount.nix

security.pam.mount.cryptMountOptions

Global mount options that apply to every crypt volume. You can define volume-specific options in the volume definitions.

Type: list of string

Default

[ ]

Example

[ "allow_discard" ]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam_mount.nix

security.pam.mount.debugLevel

Sets the debug level. 0 disables debugging, 1 enables pam_mount tracing, and 2 additionally enables tracing in mount.crypt. The default is 0. For more information, visit https://pam-mount.sourceforge.net/pam_mount.conf.5.html.

Type: signed integer

Default

0

Example

1

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam_mount.nix

security.pam.mount.enable

Enable PAM mount system to mount filesystems on user login.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam_mount.nix

security.pam.mount.extraVolumes

List of volume definitions for pam_mount. For more information, visit https://pam-mount.sourceforge.net/pam_mount.conf.5.html.

Type: list of string

Default

[ ]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam_mount.nix

security.pam.mount.fuseMountOptions

Global mount options that apply to every FUSE volume. You can define volume-specific options in the volume definitions.

Type: list of string

Default

[ ]

Example

[ "nodev" "nosuid" "force-user=%(USER)" "gid=%(USERGID)" "perms=0700" "chmod-deny" "chown-deny" "chgrp-deny" ]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam_mount.nix

security.pam.mount.logoutHup

Kill remaining processes after logout by sending a SIGHUP.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam_mount.nix

security.pam.mount.logoutKill

Kill remaining processes after logout by sending a SIGKILL.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam_mount.nix

security.pam.mount.logoutTerm

Kill remaining processes after logout by sending a SIGTERM.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam_mount.nix

security.pam.mount.logoutWait

Amount of microseconds to wait until killing remaining processes after final logout. For more information, visit https://pam-mount.sourceforge.net/pam_mount.conf.5.html.

Type: signed integer

Default

0

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam_mount.nix

security.pam.mount.removeCreatedMountPoints

Remove mountpoints created by pam_mount after logout. This only affects mountpoints that have been created by pam_mount in the same session.

Type: boolean

Default

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam_mount.nix

security.pam.oath.digits

Specify the length of the one-time password in number of digits.

Type: one of 6, 7, 8

Default

6

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/oath.nix

security.pam.oath.enable

Enable the OATH (one-time password) PAM module.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/oath.nix

security.pam.oath.usersFile

Set the path to the file where the users' credentials are stored. This file must not be world readable!

Type: path

Default

"/etc/users.oath"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/oath.nix

security.pam.oath.window

Specify the number of one-time passwords to check in order to accommodate situations where the system and the client are slightly out of sync (iterations for HOTP or time steps for TOTP).

Type: signed integer

Default

5

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/oath.nix

security.pam.p11.control

This option sets the PAM "control". If you want to have multi-factor authentication, use "required". If you want to use the PKCS#11 device instead of the regular password, use "sufficient".

Read pam.conf(5) for a better understanding of this option.

Type: one of "required", "requisite", "sufficient", "optional"

Default

"sufficient"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.p11.enable

Enables P11 PAM (pam_p11) module.

If set, users can log in with SSH keys and PKCS#11 tokens.

More information can be found here.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.services

This option defines the PAM services. A service typically corresponds to a program that uses PAM, e.g. login or passwd. Each attribute of this set defines a PAM service, with the attribute name defining the name of the service.

Type: attribute set of (submodule)

Default

{ }

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.services.<name>.allowNullPassword

Whether to allow logging into accounts that have no password set (i.e., have an empty password field in /etc/passwd or /etc/group). This does not enable logging into disabled accounts (i.e., that have the password field set to !). Note that regardless of what the pam_unix documentation says, accounts with hashed empty passwords are always allowed to log in.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.services.<name>.duoSecurity.enable

If set, use the Duo Security PAM module pam_duo for authentication. Requires configuration of the security.duosec options.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.services.<name>.enableAppArmor

Enable support for attaching AppArmor profiles at the user/group level, e.g., as part of a role based access control scheme.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.services.<name>.enableGnomeKeyring

If enabled, pam_gnome_keyring will attempt to automatically unlock the user's default Gnome keyring upon login. If the user login password does not match their keyring password, Gnome Keyring will prompt separately after login.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.services.<name>.failDelay.delay

The delay time (in microseconds) on failure.

Type: signed integer

Default

3000000

Example

1000000

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.services.<name>.failDelay.enable

If enabled, this will replace the FAIL_DELAY setting from login.defs. Change the delay on failure per-application.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.services.<name>.forwardXAuth

Whether X authentication keys should be passed from the calling user to the target user (e.g. for su).

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.services.<name>.fprintAuth

If set, the fingerprint reader will be used (if one exists and your fingerprints are enrolled).

Type: boolean

Default

config.services.fprintd.enable

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.services.<name>.gnupg.enable

If enabled, pam_gnupg will attempt to automatically unlock the user's GPG keys with the login password via gpg-agent. The keygrips of all keys to be unlocked should be written to ~/.pam-gnupg, and can be queried with gpg -K --with-keygrip. Presetting passphrases must be enabled by adding allow-preset-passphrase in ~/.gnupg/gpg-agent.conf.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.services.<name>.gnupg.noAutostart

Don't start gpg-agent if it is not running. Useful in conjunction with starting gpg-agent as a systemd user service.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.services.<name>.gnupg.storeOnly

Don't send the password immediately after login, but store for PAM session.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.services.<name>.googleAuthenticator.enable

If set, users with Google Authenticator enabled (i.e. with a ~/.google_authenticator file created) will be required to provide a Google Authenticator token to log in.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.services.<name>.googleOsLoginAccountVerification

If set, will use the Google OS Login PAM modules (pam_oslogin_login, pam_oslogin_admin) to verify possible OS Login users and set sudoers configuration accordingly. This only makes sense to enable for the sshd PAM service.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.services.<name>.googleOsLoginAuthentication

If set, will use the pam_oslogin_login's user authentication methods to authenticate users using 2FA. This only makes sense to enable for the sshd PAM service.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.services.<name>.kwallet.enable

If enabled, pam_wallet will attempt to automatically unlock the user's default KDE wallet upon login. If the user has no wallet named "kdewallet", or the login password does not match their wallet password, KDE will prompt separately after login.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.services.<name>.kwallet.package

The kwallet-pam package to use.

Type: package

Default

pkgs.plasma5Packages.kwallet-pam

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.services.<name>.limits

Attribute set describing resource limits. Defaults to the value of security.pam.loginLimits. The meaning of the values is explained in limits.conf(5).

Type: list of (submodule)

Default

[ ]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.services.<name>.limits.*.domain

Username, groupname, or wildcard this limit applies to.

Type: string

Example

"@wheel"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.services.<name>.limits.*.item

Item this limit applies to.

Type: one of "core", "data", "fsize", "memlock", "nofile", "rss", "stack", "cpu", "nproc", "as", "maxlogins", "maxsyslogins", "priority", "locks", "sigpending", "msgqueue", "nice", "rtprio"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.services.<name>.limits.*.type

Type of this limit.

Type: one of "-", "hard", "soft"

Default

"-"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.services.<name>.limits.*.value

Value of this limit.

Type: string or signed integer

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.services.<name>.logFailures

Whether to log authentication failures in /var/log/faillog.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.services.<name>.makeHomeDir

Whether to try to create home directories for users with $HOMEs pointing to nonexistent locations on session login.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.services.<name>.mysqlAuth

If set, the pam_mysql module will be used to authenticate users against a MySQL/MariaDB database.

Type: boolean

Default

config.users.mysql.enable

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.services.<name>.name

Name of the PAM service.

Type: string

Example

"sshd"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.services.<name>.nodelay

Whether the delay after typing a wrong password should be disabled.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.services.<name>.oathAuth

If set, the OATH Toolkit will be used.

Type: boolean

Default

config.security.pam.oath.enable

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.services.<name>.otpwAuth

If set, the OTPW system will be used (if ~/.otpw exists).

Type: boolean

Default

config.security.pam.enableOTPW

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.services.<name>.p11Auth

If set, keys listed in ~/.ssh/authorized_keys and ~/.eid/authorized_certificates can be used to log in with the associated PKCS#11 tokens.

Type: boolean

Default

config.security.pam.p11.enable

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.services.<name>.pamMount

Enable PAM mount (pam_mount) system to mount filesystems on user login.

Type: boolean

Default

config.security.pam.mount.enable

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.services.<name>.requireWheel

Whether to permit root access only to members of group wheel.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.services.<name>.rootOK

If set, root doesn't need to authenticate (e.g. for the useradd service).

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.services.<name>.setEnvironment

Whether the service should set the environment variables listed in environment.sessionVariables using pam_env.so.

Type: boolean

Default

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.services.<name>.setLoginUid

Set the login uid of the process (/proc/self/loginuid) for auditing purposes. The login uid is only set by "entry points" like login and sshd, not by commands like sudo.

Type: boolean

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.services.<name>.showMotd

Whether to show the message of the day.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.services.<name>.sshAgentAuth

If set, the calling user's SSH agent is used to authenticate against the keys in the calling user's ~/.ssh/authorized_keys. This is useful for sudo on password-less remote systems.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.services.<name>.sssdStrictAccess

Enforce sssd access control.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.services.<name>.startSession

If set, the service will register a new session with systemd's login manager. For local sessions, this will give the user access to audio devices and CD-ROM drives. In the default PolicyKit configuration, it also allows the user to reboot the system.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.services.<name>.text

Contents of the PAM service file.

Type: null or strings concatenated with "\n"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.services.<name>.ttyAudit.disablePattern

For each user matching one of the comma-separated glob patterns, disable TTY auditing.

Type: null or string

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.services.<name>.ttyAudit.enable

Enable or disable TTY auditing for the specified users.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.services.<name>.ttyAudit.enablePattern

For each user matching one of the comma-separated glob patterns, enable TTY auditing.

Type: null or string

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.services.<name>.ttyAudit.openOnly

Set the TTY audit flag when opening the session, but do not restore it when closing the session. Using this option is necessary for some services that don't fork() to run the authenticated session, such as sudo.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.services.<name>.u2fAuth

If set, users listed in $XDG_CONFIG_HOME/Yubico/u2f_keys (or $HOME/.config/Yubico/u2f_keys if the XDG variable is not set) are able to log in with the associated U2F key. The path can be changed using the security.pam.u2f.authFile option.

Type: boolean

Default

config.security.pam.u2f.enable

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.services.<name>.unixAuth

Whether users can log in with passwords defined in /etc/shadow.

Type: boolean

Default

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.services.<name>.updateWtmp

Whether to update /var/log/wtmp.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.services.<name>.usshAuth

If set, users with an SSH certificate containing an authorized principal in their SSH agent are able to log in. Specific options are controlled using the security.pam.ussh options.

Note that security.pam.ussh.enable must also be set for this option to take effect.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.services.<name>.yubicoAuth

If set, users listed in ~/.yubico/authorized_yubikeys are able to log in with the associated Yubikey tokens.

Type: boolean

Default

config.security.pam.yubico.enable

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.services.<name>.zfs

Enable unlocking and mounting of encrypted ZFS home dataset at login.

Type: boolean

Default

config.security.pam.zfs.enable

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.sshAgentAuth.authorizedKeysFiles

A list of paths to files in OpenSSH's authorized_keys format, containing the keys that will be trusted by the pam_ssh_agent_auth module.

The following patterns are expanded when interpreting the path:

- %f and %H respectively expand to the fully-qualified and short hostname;
- %u expands to the username;
- ~ or %h expands to the user's home directory.

Note that specifying user-writeable files here results in an insecure configuration: a malicious process can then edit such an authorized_keys file and bypass the ssh-agent-based authentication. See issue #31611.

Type: list of string

Default

["/etc/ssh/authorized_keys.d/%u"]

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.sshAgentAuth.enable

Whether to enable authenticating using a signature performed by the ssh-agent. This allows using SSH keys exclusively, instead of passwords, for instance on remote machines.

Type: boolean

Default

false

Example

true

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.u2f.control

This option sets the PAM "control". If you want to have multi-factor authentication, use "required". If you want to use a U2F device instead of the regular password, use "sufficient".

Read pam.conf(5) for a better understanding of this option.

Type: one of "required", "requisite", "sufficient", "optional"

Default

"sufficient"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.u2f.enable

Enables U2F PAM (pam-u2f) module.

If set, users listed in $XDG_CONFIG_HOME/Yubico/u2f_keys (or $HOME/.config/Yubico/u2f_keys if the XDG variable is not set) are able to log in with the associated U2F key. The path can be changed using the security.pam.u2f.authFile option.

File format is:

username:first_keyHandle,first_public_key: second_keyHandle,second_public_key

This file can be generated using the pamu2fcfg command.

More information can be found here.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.u2f.settings

Options to pass to the PAM module.

Boolean values render just the key if true, and nothing if false. Null values are ignored. All other values are rendered as key-value pairs.

Type: attribute set of (null or boolean or string or signed integer or path in the Nix store)

Default

{ }

Example

{
  authfile = "/etc/u2f_keys";
  authpending_file = "";
  pinverification = 1;
  userpresence = 0;
}

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.u2f.settings.appid

By default pam-u2f module sets the application ID to pam://$HOSTNAME.

When using pamu2fcfg, you can specify your application ID with the -i flag.

More information can be found here.

Type: null or string

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.u2f.settings.authfile

By default the pam-u2f module reads the keys from $XDG_CONFIG_HOME/Yubico/u2f_keys (or $HOME/.config/Yubico/u2f_keys if the XDG variable is not set).

If you want to change the auth file location or centralize the database (for example, use /etc/u2f-mappings), you can set this option.

File format is:

username:first_keyHandle,first_public_key: second_keyHandle,second_public_key

This file can be generated using the pamu2fcfg command.

More information can be found here.

Type: null or path

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.u2f.settings.cue

By default the pam-u2f module does not inform the user that the U2F device needs to be used; it just waits without a prompt.

If you set this option to true, the cue option is added to the pam-u2f module and a reminder message is displayed.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.u2f.settings.debug

Debug output to stderr.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.u2f.settings.interactive

Set to prompt a message and wait before testing for the presence of a U2F device. Recommended if your device doesn't have a tactile trigger.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.u2f.settings.origin

By default the pam-u2f module sets the origin to pam://$HOSTNAME. Setting the origin to a host-independent value will allow you to reuse credentials across machines.

When using pamu2fcfg, you can specify your application ID with the -o flag.

More information can be found here.

Type: null or string

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.ussh.authorizedPrincipals

Comma-separated list of authorized principals to permit; if the user presents a certificate with one of these principals, then they will be authorized.

Note that pam-ussh also requires that the certificate contain a principal matching the user's username. The principals from this list are in addition to those principals.

Mutually exclusive with authorizedPrincipalsFile.

Type: null or strings concatenated with ","

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.ussh.authorizedPrincipalsFile

Path to a list of principals; if the user presents a certificate with one of these principals, then they will be authorized.

Note that pam-ussh also requires that the certificate contain a principal matching the user's username. The principals from this file are in addition to those principals.

Mutually exclusive with authorizedPrincipals.

Type: null or path

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.ussh.caFile

By default pam-ussh reads the trusted user CA keys from /etc/ssh/trusted_user_ca.

This should be set the same as your TrustedUserCAKeys option for sshd.

Type: null or path

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.ussh.control

This option sets the PAM "control". If you want to have multi-factor authentication, use "required". If you want to use the SSH certificate instead of the regular password, use "sufficient".

Read pam.conf(5) for a better understanding of this option.

Type: one of "required", "requisite", "sufficient", "optional"

Default

"sufficient"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.ussh.enable

Enables Uber's USSH PAM (pam-ussh) module.

This is similar to pam-ssh-agent, except that the presence of a CA-signed SSH key with a valid principal is checked instead.

Note that this module must both be enabled using this option and on a per-PAM-service level as well (using usshAuth).

More information can be found here.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.ussh.group

If set, then the authenticating user must be a member of this group to use this module.

Type: null or string

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.yubico.challengeResponsePath

If not null, sets the path used by the yubico PAM module to store the expected challenge response.

More information can be found here.

Type: null or path

Default

null

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.yubico.control

This option sets the PAM "control". If you want to have multi-factor authentication, use "required". If you want to use a Yubikey instead of the regular password, use "sufficient".

Read pam.conf(5) for a better understanding of this option.

Type: one of "required", "requisite", "sufficient", "optional"

Default

"sufficient"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.yubico.debug

Debug output to stderr.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.yubico.enable

Enables Yubico PAM (yubico-pam) module.

If set, users listed in ~/.yubico/authorized_yubikeys are able to log in with the associated Yubikey tokens.

The file must have only one line:

username:yubikey_token_id1:yubikey_token_id2

More information can be found here.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.yubico.id

Client ID.

Type: string

Example

"42"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.yubico.mode

Mode of operation.

Use "client" for online validation with a YubiKey validation service such as the YubiCloud.

Use "challenge-response" for offline validation using YubiKeys with HMAC-SHA-1 Challenge-Response configurations. See the man-page ykpamcfg(1) for further details on how to configure offline Challenge-Response validation.

More information can be found here.

Type: one of "client", "challenge-response"

Default

"client"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.zfs.enable

Enable unlocking and mounting of encrypted ZFS home dataset at login.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.zfs.homes

Prefix of home datasets. This value will be concatenated with "/" + <username> in order to determine the home dataset to unlock.

Type: string

Default

"rpool/home"

Example

"rpool/home"

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix

security.pam.zfs.noUnmount

Do not unmount home dataset on logout.

Type: boolean

Default

false

Declared by: https://github.com/nixos/nixpkgs/blob/master/nixos/modules/security/pam.nix