Merge pull request #55792 from sdier/fix/pam-update
Allow duosec to be used in nixos as a pam module.
This commit is contained in:
commit
02db11d369
3 changed files with 43 additions and 14 deletions
|
@ -106,6 +106,23 @@
|
|||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>
|
||||
<literal>./security/duosec.nix</literal>
|
||||
</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>
|
||||
The <link xlink:href="https://duo.com/docs/duounix">PAM module for Duo
|
||||
Security</link> has been enabled for use. One can configure it using
|
||||
the <option>security.duosec</option> options along with the
|
||||
corresponding PAM option in
|
||||
<option>security.pam.services.<name?>.duoSecurity.enable</option>.
|
||||
</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
|
||||
<section xmlns="http://docbook.org/ns/docbook"
|
||||
|
|
|
@ -7,7 +7,7 @@ let
|
|||
|
||||
boolToStr = b: if b then "yes" else "no";
|
||||
|
||||
configFile = ''
|
||||
configFilePam = ''
|
||||
[duo]
|
||||
ikey=${cfg.ikey}
|
||||
skey=${cfg.skey}
|
||||
|
@ -16,21 +16,24 @@ let
|
|||
failmode=${cfg.failmode}
|
||||
pushinfo=${boolToStr cfg.pushinfo}
|
||||
autopush=${boolToStr cfg.autopush}
|
||||
motd=${boolToStr cfg.motd}
|
||||
prompts=${toString cfg.prompts}
|
||||
accept_env_factor=${boolToStr cfg.acceptEnvFactor}
|
||||
fallback_local_ip=${boolToStr cfg.fallbackLocalIP}
|
||||
'';
|
||||
|
||||
configFileLogin = configFilePam + ''
|
||||
motd=${boolToStr cfg.motd}
|
||||
accept_env_factor=${boolToStr cfg.acceptEnvFactor}
|
||||
'';
|
||||
|
||||
loginCfgFile = optional cfg.ssh.enable
|
||||
{ source = pkgs.writeText "login_duo.conf" configFile;
|
||||
{ source = pkgs.writeText "login_duo.conf" configFileLogin;
|
||||
mode = "0600";
|
||||
user = "sshd";
|
||||
target = "duo/login_duo.conf";
|
||||
};
|
||||
|
||||
pamCfgFile = optional cfg.pam.enable
|
||||
{ source = pkgs.writeText "pam_duo.conf" configFile;
|
||||
{ source = pkgs.writeText "pam_duo.conf" configFilePam;
|
||||
mode = "0600";
|
||||
user = "sshd";
|
||||
target = "duo/pam_duo.conf";
|
||||
|
@ -180,12 +183,6 @@ in
|
|||
};
|
||||
|
||||
config = mkIf (cfg.ssh.enable || cfg.pam.enable) {
|
||||
assertions =
|
||||
[ { assertion = !cfg.pam.enable;
|
||||
message = "PAM support is currently not implemented.";
|
||||
}
|
||||
];
|
||||
|
||||
environment.systemPackages = [ pkgs.duo-unix ];
|
||||
|
||||
security.wrappers.login_duo.source = "${pkgs.duo-unix.out}/bin/login_duo";
|
||||
|
|
|
@ -131,6 +131,18 @@ let
|
|||
'';
|
||||
};
|
||||
|
||||
duoSecurity = {
|
||||
enable = mkOption {
|
||||
default = false;
|
||||
type = types.bool;
|
||||
description = ''
|
||||
If set, use the Duo Security pam module
|
||||
<literal>pam_duo</literal> for authentication. Requires
|
||||
configuration of <option>security.duosec</option> options.
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
startSession = mkOption {
|
||||
default = false;
|
||||
type = types.bool;
|
||||
|
@ -340,7 +352,8 @@ let
|
|||
|| cfg.pamMount
|
||||
|| cfg.enableKwallet
|
||||
|| cfg.enableGnomeKeyring
|
||||
|| cfg.googleAuthenticator.enable)) ''
|
||||
|| cfg.googleAuthenticator.enable
|
||||
|| cfg.duoSecurity.enable)) ''
|
||||
auth required pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth
|
||||
${optionalString config.security.pam.enableEcryptfs
|
||||
"auth optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"}
|
||||
|
@ -350,9 +363,11 @@ let
|
|||
("auth optional ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so" +
|
||||
" kwalletd=${pkgs.libsForQt5.kwallet.bin}/bin/kwalletd5")}
|
||||
${optionalString cfg.enableGnomeKeyring
|
||||
("auth optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so")}
|
||||
"auth optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so"}
|
||||
${optionalString cfg.googleAuthenticator.enable
|
||||
"auth required ${pkgs.googleAuthenticator}/lib/security/pam_google_authenticator.so no_increment_hotp"}
|
||||
"auth required ${pkgs.googleAuthenticator}/lib/security/pam_google_authenticator.so no_increment_hotp"}
|
||||
${optionalString cfg.duoSecurity.enable
|
||||
"auth required ${pkgs.duo-unix}/lib/security/pam_duo.so"}
|
||||
'') + ''
|
||||
${optionalString cfg.unixAuth
|
||||
"auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth try_first_pass"}
|
||||
|
|
Loading…
Reference in a new issue