Diffstat (limited to 'lass/3modules/usershadow.nix')
-rw-r--r--lass/3modules/usershadow.nix38
1 files changed, 24 insertions, 14 deletions
diff --git a/lass/3modules/usershadow.nix b/lass/3modules/usershadow.nix
index cb289096..c3d4de84 100644
--- a/lass/3modules/usershadow.nix
+++ b/lass/3modules/usershadow.nix
@@ -22,22 +22,30 @@
environment.systemPackages = [ usershadow ];
lass.usershadow.path = "${usershadow}";
security.pam.services.sshd.text = ''
- account required pam_permit.so
- auth required pam_env.so envfile=${config.system.build.pamEnvironment}
- auth sufficient pam_exec.so quiet expose_authtok ${usershadow}/bin/verify_pam ${cfg.pattern}
- auth sufficient pam_unix.so likeauth try_first_pass
- session required pam_env.so envfile=${config.system.build.pamEnvironment}
- session required pam_permit.so
- session required pam_loginuid.so
- '';
-
- security.pam.services.dovecot2.text = ''
- auth required pam_exec.so expose_authtok ${usershadow}/bin/verify_pam ${cfg.pattern}
+ auth required pam_exec.so expose_authtok /run/wrappers/bin/shadow_verify_pam ${cfg.pattern}
auth required pam_permit.so
account required pam_permit.so
session required pam_permit.so
- session required pam_env.so envfile=${config.system.build.pamEnvironment}
'';
+
+ security.pam.services.dovecot2 = {
+ text = ''
+ auth required pam_exec.so expose_authtok /run/wrappers/bin/shadow_verify_pam ${cfg.pattern}
+ auth required pam_permit.so
+ account required pam_permit.so
+ session required pam_permit.so
+ session required pam_env.so envfile=${config.system.build.pamEnvironment}
+ '';
+ };
+
+ security.wrappers.shadow_verify_pam = {
+ source = "${usershadow}/bin/verify_pam";
+ owner = "root";
+ };
+ security.wrappers.shadow_verify_arg = {
+ source = "${usershadow}/bin/verify_arg";
+ owner = "root";
+ };
};
usershadow = let {
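Review bot: The two `security.wrappers` entries added at the end of this hunk set only `source` and `owner = "root"`, so whether the wrapped binaries become setuid, and who may execute them, is left to the defaults of the NixOS release in use rather than stated in this file. Spell the intent out, e.g. `setuid = true; group = "root";` plus a `permissions` value that limits execution to the services that actually call the wrapper, if those do not need it to be world-executable. `shadow_verify_arg` deserves a second look: judging by its name and the `getArgs` import further down, it takes the password as a command-line argument, which exposes it in the process list and, if the wrapper is world-executable, lets any local account check guesses against the shadow store. The sshd stack in this hunk also no longer has `session required pam_loginuid.so`, which presumably leaves SSH sessions without an audit login UID; confirm that is intended.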
@@ -46,10 +54,13 @@
"bytestring"
];
body = pkgs.writeHaskellPackage "passwords" {
+ ghc-options = [
+ "-rtsopts"
+ "-Wall"
+ ];
executables.verify_pam = {
extra-depends = deps;
text = ''
- import Data.Monoid
import System.IO
import Data.Char (chr)
import System.Environment (getEnv, getArgs)
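Review bot: `"-rtsopts"` in the new `ghc-options` enables the full set of GHC runtime-system options, while the same commit installs these executables through `security.wrappers` as root-owned wrappers. GHC restricts RTS options by default precisely because they can make a program write logging output to caller-chosen files under the program's own privileges, so a privileged binary should not be built with them fully enabled. Drop the flag or replace it with `"-rtsopts=none"` and keep `"-Wall"`; if runtime tuning is needed, fix the values at build time with `-with-rtsopts`. The `writeHaskellPackage` call continues outside this hunk, so it is assumed from the placement that these options apply to both `verify_pam` and `verify_arg`.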
@@ -72,7 +83,6 @@
executables.verify_arg = {
extra-depends = deps;
text = ''
- import Data.Monoid
import System.Environment (getArgs)
import Crypto.PasswordStore (verifyPasswordWith, pbkdf2)
import qualified Data.ByteString.Char8 as BS8