From ab0ae8f5e11bacdf249c27c49f1fe30a3bf8b77f Mon Sep 17 00:00:00 2001 From: ocfox Date: Mon, 7 Nov 2022 19:16:35 +0800 Subject: [PATCH] nixos/pam: add option failDelay Co-authored-by: Bobby Rong --- nixos/modules/security/pam.nix | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index 9a1acba00d0e..3980ffab7c12 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -383,6 +383,24 @@ let ''; }; + failDelay = { + enable = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + If enabled, this will replace the `FAIL_DELAY` setting from `login.defs`. + Change the delay on failure per-application. + ''; + }; + + delay = mkOption { + default = 3000000; + type = types.int; + example = 1000000; + description = lib.mdDoc "The delay time (in microseconds) on failure."; + }; + }; + gnupg = { enable = mkOption { type = types.bool; @@ -513,6 +531,7 @@ let || cfg.enableGnomeKeyring || cfg.googleAuthenticator.enable || cfg.gnupg.enable + || cfg.failDelay.enable || cfg.duoSecurity.enable)) ( '' @@ -533,6 +552,9 @@ let optionalString cfg.gnupg.enable '' auth optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so ${optionalString cfg.gnupg.storeOnly " store-only"} '' + + optionalString cfg.failDelay.enable '' + auth optional ${pkgs.pam}/lib/security/pam_faildelay.so delay=${toString cfg.failDelay.delay} + '' + optionalString cfg.googleAuthenticator.enable '' auth required ${pkgs.google-authenticator}/lib/security/pam_google_authenticator.so no_increment_hotp '' +
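Review bot: `delay` is declared as `types.int`, which accepts negative numbers, and the last hunk writes the value straight into the PAM line with `toString cfg.failDelay.delay`. Using `type = types.ints.unsigned;` would reject such a value at evaluation time instead of leaving it to the module at login. The `enable` description gives the `login.defs` detail before the purpose; I would lead with `Set the delay after a failed authentication for this service.` and then say that it takes the place of `FAIL_DELAY`. The `delay` description could also state that a shorter delay weakens the throttling of repeated password guesses.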
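Review bot: The added `|| cfg.failDelay.enable` sits inside a larger condition that opens outside this hunk, so whether the `pam_faildelay.so` line from the next hunk is emitted depends on terms not visible here. If that outer part is false for a service, `failDelay.enable = true` would presumably have no effect and nothing would report it, which is easy to miss on an authentication path. Either document the dependency in the option description or emit the `pam_faildelay.so` line outside this conditional block.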
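Review bot: Nothing here tells the reader that `delay=` is a request rather than an override. As far as I know, Linux-PAM waits for the longest delay any module in the stack asked for, and pam_unix asks for about two seconds unless it is given `nodelay`. With the `example = 1000000` from the first hunk, the configured value would therefore likely not shorten the wait on its own. A comment above the new `optionalString`, such as `# PAM uses the longest requested delay; values below pam_unix's own need nodelay`, or a sentence in the option description, would spare users that surprise. The surrounding string concatenation starts and ends outside the hunk.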