config.security.oath: new module
Add a module to make options to pam_oath module configurable. These are: - enable - enable the OATH pam module - window - number of OTPs to check - digits - length of the OTP (adds support for two-factor auth) - usersFile - filename to store OATH credentials in
This commit is contained in:
parent
bd9f128cc2
commit
d09c7986de
3 changed files with 55 additions and 13 deletions
|
@ -93,6 +93,7 @@
|
|||
./security/ca.nix
|
||||
./security/duosec.nix
|
||||
./security/grsecurity.nix
|
||||
./security/oath.nix
|
||||
./security/pam.nix
|
||||
./security/pam_usb.nix
|
||||
./security/pam_mount.nix
|
||||
|
|
50
nixos/modules/security/oath.nix
Normal file
50
nixos/modules/security/oath.nix
Normal file
|
@ -0,0 +1,50 @@
|
|||
# This module provides configuration for the OATH PAM modules.
|
||||
|
||||
{ config, lib, pkgs, ... }:
|
||||
|
||||
with lib;
|
||||
|
||||
{
|
||||
options = {
|
||||
|
||||
security.pam.oath = {
|
||||
enable = mkOption {
|
||||
type = types.bool;
|
||||
default = false;
|
||||
description = ''
|
||||
Enable the OATH (one-time password) PAM module.
|
||||
'';
|
||||
};
|
||||
|
||||
digits = mkOption {
|
||||
type = types.enum [ 6 7 8 ];
|
||||
default = 6;
|
||||
description = ''
|
||||
Specify the length of the one-time password in number of
|
||||
digits.
|
||||
'';
|
||||
};
|
||||
|
||||
window = mkOption {
|
||||
type = types.int;
|
||||
default = 5;
|
||||
description = ''
|
||||
Specify the number of one-time passwords to check in order
|
||||
to accommodate for situations where the system and the
|
||||
client are slightly out of sync (iteration for HOTP or time
|
||||
steps for TOTP).
|
||||
'';
|
||||
};
|
||||
|
||||
usersFile = mkOption {
|
||||
type = types.path;
|
||||
default = "/etc/users.oath";
|
||||
description = ''
|
||||
Set the path to file where the user's credentials are
|
||||
stored. This file must not be world readable!
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
}
|
|
@ -75,7 +75,7 @@ let
|
|||
};
|
||||
|
||||
oathAuth = mkOption {
|
||||
default = config.security.pam.enableOATH;
|
||||
default = config.security.pam.oath.enable;
|
||||
type = types.bool;
|
||||
description = ''
|
||||
If set, the OATH Toolkit will be used.
|
||||
|
@ -259,8 +259,8 @@ let
|
|||
"auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth try_first_pass"}
|
||||
${optionalString cfg.otpwAuth
|
||||
"auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"}
|
||||
${optionalString cfg.oathAuth
|
||||
"auth sufficient ${pkgs.oathToolkit}/lib/security/pam_oath.so window=5 usersfile=/etc/users.oath"}
|
||||
${let oath = config.security.pam.oath; in optionalString cfg.oathAuth
|
||||
"auth sufficient ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}"}
|
||||
${optionalString config.users.ldap.enable
|
||||
"auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass"}
|
||||
${optionalString config.krb5.enable ''
|
||||
|
@ -302,8 +302,6 @@ let
|
|||
"session optional ${pam_krb5}/lib/security/pam_krb5.so"}
|
||||
${optionalString cfg.otpwAuth
|
||||
"session optional ${pkgs.otpw}/lib/security/pam_otpw.so"}
|
||||
${optionalString cfg.oathAuth
|
||||
"session optional ${pkgs.oathToolkit}/lib/security/pam_oath.so window=5 usersfile=/etc/users.oath"}
|
||||
${optionalString cfg.startSession
|
||||
"session optional ${pkgs.systemd}/lib/security/pam_systemd.so"}
|
||||
${optionalString cfg.forwardXAuth
|
||||
|
@ -405,13 +403,6 @@ in
|
|||
'';
|
||||
};
|
||||
|
||||
security.pam.enableOATH = mkOption {
|
||||
default = false;
|
||||
description = ''
|
||||
Enable the OATH (one-time password) PAM module.
|
||||
'';
|
||||
};
|
||||
|
||||
security.pam.enableU2F = mkOption {
|
||||
default = false;
|
||||
description = ''
|
||||
|
@ -446,7 +437,7 @@ in
|
|||
++ optional config.users.ldap.enable pam_ldap
|
||||
++ optionals config.krb5.enable [pam_krb5 pam_ccreds]
|
||||
++ optionals config.security.pam.enableOTPW [ pkgs.otpw ]
|
||||
++ optionals config.security.pam.enableOATH [ pkgs.oathToolkit ]
|
||||
++ optionals config.security.pam.oath.enable [ pkgs.oathToolkit ]
|
||||
++ optionals config.security.pam.enableU2F [ pkgs.pam_u2f ]
|
||||
++ optionals config.security.pam.enableEcryptfs [ pkgs.ecryptfs ];
|
||||
|
||||
|
|
Loading…
Reference in a new issue