Setting pam otpw *after* pam_unix, for dovecot failed auth messages.

I think it's nice that it first asks the usual password, and then offers the otpw one if enabled. That enables dovecot to show the last pam prompt. I also add the dovecot option for that.
2013-03-30 22:25:19 +01:00 · 2013-03-30 22:25:19 +01:00 · 86c1e10a43
commit 86c1e10a43
parent c53bd1b279
2 changed files with 6 additions and 2 deletions
--- a/modules/security/pam.nix
+++ b/modules/security/pam.nix
@ -87,9 +87,9 @@ let
              "auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys:~/.ssh/authorized_keys2:/etc/ssh/authorized_keys.d/%u"}
          ${optionalString usbAuth
              "auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so"}
+          auth sufficient pam_unix.so ${optionalString allowNullPassword "nullok"} likeauth
          ${optionalString otpwAuth
              "auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"}
-          auth sufficient pam_unix.so ${optionalString allowNullPassword "nullok"} likeauth
          ${optionalString config.users.ldap.enable
              "auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass"}
          ${optionalString config.krb5.enable ''
--- a/modules/services/mail/dovecot.nix
+++ b/modules/services/mail/dovecot.nix
@ -39,7 +39,7 @@ let
      }
      passdb {
        driver = pam
-        args = dovecot2
+        args = ${optionalString cfg.showPAMFailure "failure_show_msg=yes"} dovecot2
      }

      pop3_uidl_format = %08Xv%08Xu
@ -111,6 +111,10 @@ in
        description = "Server key.";
      };

+      showPAMFailure = mkOption {
+        default = false;
+        description = "Show the PAM failure message on authentication error (useful for OTPW).";
+      };
    };

  };