Merge pull request #55792 from sdier/fix/pam-update

Allow duosec to be used in nixos as a pam module.
Silvan Mosberger 2019-02-25 01:38:51 +01:00 committed by GitHub
commit 02db11d369
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 43 additions and 14 deletions


@ -106,6 +106,23 @@
</para>
</listitem>
</itemizedlist>
<itemizedlist>
<listitem>
<para>
<literal>./security/duosec.nix</literal>
</para>
</listitem>
<listitem>
<para>
The <link xlink:href="https://duo.com/docs/duounix">PAM module for Duo
Security</link> has been enabled for use. One can configure it using
the <option>security.duosec</option> options along with the
corresponding PAM option in
<option>security.pam.services.&lt;name?&gt;.duoSecurity.enable</option>.
</para>
</listitem>
</itemizedlist>
</section>
<section xmlns="http://docbook.org/ns/docbook"


@ -7,7 +7,7 @@ let
boolToStr = b: if b then "yes" else "no";
configFile = ''
configFilePam = ''
[duo]
ikey=${cfg.ikey}
skey=${cfg.skey}
@ -16,21 +16,24 @@ let
failmode=${cfg.failmode}
pushinfo=${boolToStr cfg.pushinfo}
autopush=${boolToStr cfg.autopush}
motd=${boolToStr cfg.motd}
prompts=${toString cfg.prompts}
accept_env_factor=${boolToStr cfg.acceptEnvFactor}
fallback_local_ip=${boolToStr cfg.fallbackLocalIP}
'';
configFileLogin = configFilePam + ''
motd=${boolToStr cfg.motd}
accept_env_factor=${boolToStr cfg.acceptEnvFactor}
'';
loginCfgFile = optional cfg.ssh.enable
{ source = pkgs.writeText "login_duo.conf" configFile;
{ source = pkgs.writeText "login_duo.conf" configFileLogin;
mode = "0600";
user = "sshd";
target = "duo/login_duo.conf";
};
pamCfgFile = optional cfg.pam.enable
{ source = pkgs.writeText "pam_duo.conf" configFile;
{ source = pkgs.writeText "pam_duo.conf" configFilePam;
mode = "0600";
user = "sshd";
target = "duo/pam_duo.conf";
@ -180,12 +183,6 @@ in
};
config = mkIf (cfg.ssh.enable || cfg.pam.enable) {
assertions =
[ { assertion = !cfg.pam.enable;
message = "PAM support is currently not implemented.";
}
];
environment.systemPackages = [ pkgs.duo-unix ];
security.wrappers.login_duo.source = "${pkgs.duo-unix.out}/bin/login_duo";
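Review bot: Removing the `!cfg.pam.enable` assertion (last hunk) makes the PAM path live, but `pamCfgFile` still renders `pam_duo.conf` with `pkgs.writeText` (second hunk), which places the file, including `skey=${cfg.skey}`, in the Nix store; the store is world-readable, so the `mode = "0600"` on the `duo/pam_duo.conf` target does not keep the secret key private. `login_duo.conf` has the same property and predates this change. Until the module can read the key from a path outside the store, I would document this on the option behind `cfg.skey` with a sentence such as `The value is written to the world-readable Nix store; treat it as exposed to local users.` The `duo/pam_duo.conf` target is also owned by `sshd` with mode 0600, which presumably only works for PAM clients running as root or as `sshd` — worth confirming for the non-sshd services the new `duoSecurity.enable` switch in pam.nix allows.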


@ -131,6 +131,18 @@ let
'';
};
duoSecurity = {
enable = mkOption {
default = false;
type = types.bool;
description = ''
If set, use the Duo Security pam module
<literal>pam_duo</literal> for authentication. Requires
configuration of <option>security.duosec</option> options.
'';
};
};
startSession = mkOption {
default = false;
type = types.bool;
@ -340,7 +352,8 @@ let
|| cfg.pamMount
|| cfg.enableKwallet
|| cfg.enableGnomeKeyring
|| cfg.googleAuthenticator.enable)) ''
|| cfg.googleAuthenticator.enable
|| cfg.duoSecurity.enable)) ''
auth required pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth
${optionalString config.security.pam.enableEcryptfs
"auth optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"}
@ -350,9 +363,11 @@ let
("auth optional ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so" +
" kwalletd=${pkgs.libsForQt5.kwallet.bin}/bin/kwalletd5")}
${optionalString cfg.enableGnomeKeyring
("auth optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so")}
"auth optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so"}
${optionalString cfg.googleAuthenticator.enable
"auth required ${pkgs.googleAuthenticator}/lib/security/pam_google_authenticator.so no_increment_hotp"}
"auth required ${pkgs.googleAuthenticator}/lib/security/pam_google_authenticator.so no_increment_hotp"}
${optionalString cfg.duoSecurity.enable
"auth required ${pkgs.duo-unix}/lib/security/pam_duo.so"}
'') + ''
${optionalString cfg.unixAuth
"auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth try_first_pass"}