Loading nixos/modules/security/pam.nix +3 −4 Original line number Diff line number Diff line Loading @@ -1168,8 +1168,7 @@ in If set, users can authenticate with their Kerberos password. This requires a valid Kerberos configuration (`config.security.krb5.enable` should be set to `true`). (`security.krb5.enable` should be set to `true`). Note that the Kerberos PAM modules are not necessary when using SSS to handle Kerberos authentication. Loading Loading @@ -1587,8 +1586,8 @@ in warnings = lib.optional (with config.security.pam.sshAgentAuth; enable && lib.any (s: lib.hasPrefix "%h" s || lib.hasPrefix "~" s) authorizedKeysFiles) ''config.security.pam.sshAgentAuth.authorizedKeysFiles contains files in the user's home directory. enable && lib.any (s: lib.hasPrefix "%h" s || lib.hasPrefix "~" s) authorizedKeysFiles) '' security.pam.sshAgentAuth.authorizedKeysFiles contains files in the user's home directory. Specifying user-writeable files there result in an insecure configuration: a malicious process can then edit such an authorized_keys file and bypass the ssh-agent-based authentication. Loading Loading
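Review bot: In the first hunk (@@ -1168,8 +1168,7 @@), the description still names `security.krb5.enable` as a plain backtick literal, so the rendered manual gives the reader no link to the option they are told to set. Consider the option cross-reference form used in nixpkgs option documentation, `[](#opt-security.krb5.enable)`. The requirement itself ("should be set to `true`") appears only as prose in the visible lines; if the module does not already check it elsewhere, an assertion would turn a silently misconfigured Kerberos login into an evaluation error.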
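Review bot: In the second hunk (@@ -1587,8 +1586,8 @@), the `warnings` condition only tests `lib.hasPrefix "%h" s || lib.hasPrefix "~" s`, so an `authorizedKeysFiles` entry that points at a user-writable location by another spelling, for example an absolute path under a home directory, produces no warning even though the message describes exactly that risk. Either widen the check or state in the message that it covers only entries beginning with `%h` or `~`. While this string is being touched, the unchanged context line "Specifying user-writeable files there result in an insecure configuration" should read "results in".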