pam: add pam_reattach support

LnL7 · Feb 20, 2025 · 4052178 · 4052178
1 parent b6b7804
commit 4052178
Showing 1 changed file with 18 additions and 1 deletion.
diff --git a/modules/security/pam.nix b/modules/security/pam.nix
@@ -20,13 +20,30 @@ in
           your Apple Watch.
         '';
       };
+
+      enableSudoPamReattach = lib.mkEnableOption "" // {
+        description = ''
+          Whether to enable reattaching a program to the user's bootstrap session.
+
+          This fixes Touch ID for sudo not working inside tmux and screen.
+
+          This allows programs like tmux and screen that run in the background to
+          survive across user sessions to work with PAM services that are tied to the
+          bootstrap session.
+        '';
+        default = cfg.enableSudoTouchIdAuth;
+        example = false;
+      };
     };
   };
 
   config = {
     environment.etc."pam.d/sudo_local" = {
       inherit (cfg) enable;
-      text = lib.optionalString cfg.enableSudoTouchIdAuth "auth       sufficient     pam_tid.so";
+      text = lib.concatLines (
+        (lib.optional cfg.enableSudoPamReattach "auth       optional       ${pkgs.pam-reattach}/lib/pam/pam_reattach.so")
+        ++ (lib.optional cfg.enableSudoTouchIdAuth "auth       sufficient     pam_tid.so")
+      );
     };
 
     system.activationScripts.pam.text =