Merge pull request #13434 from spacefrogg/oath-module

pyrox.dev / nixpkgs

fork atom

lol

fork atom

config.security.oath: new module

zimbatm.tngl.sh 10 years ago 2c7e5a6d c183117a

+55 -13

3 changed files

expand all

unified split

nixos

modules

module-list.nix

security

oath.nix

pam.nix

nixos/modules/module-list.nix

··· 93 93 ./security/ca.nix 94 94 ./security/duosec.nix 95 95 ./security/grsecurity.nix 96 + ./security/oath.nix 96 97 ./security/pam.nix 97 98 ./security/pam_usb.nix 98 99 ./security/pam_mount.nix

+50

nixos/modules/security/oath.nix

··· 1 + # This module provides configuration for the OATH PAM modules. 2 + 3 + { config, lib, pkgs, ... }: 4 + 5 + with lib; 6 + 7 + { 8 + options = { 9 + 10 + security.pam.oath = { 11 + enable = mkOption { 12 + type = types.bool; 13 + default = false; 14 + description = '' 15 + Enable the OATH (one-time password) PAM module. 16 + ''; 17 + }; 18 + 19 + digits = mkOption { 20 + type = types.enum [ 6 7 8 ]; 21 + default = 6; 22 + description = '' 23 + Specify the length of the one-time password in number of 24 + digits. 25 + ''; 26 + }; 27 + 28 + window = mkOption { 29 + type = types.int; 30 + default = 5; 31 + description = '' 32 + Specify the number of one-time passwords to check in order 33 + to accommodate for situations where the system and the 34 + client are slightly out of sync (iteration for HOTP or time 35 + steps for TOTP). 36 + ''; 37 + }; 38 + 39 + usersFile = mkOption { 40 + type = types.path; 41 + default = "/etc/users.oath"; 42 + description = '' 43 + Set the path to file where the user's credentials are 44 + stored. This file must not be world readable! 45 + ''; 46 + }; 47 + }; 48 + 49 + }; 50 + }

+4 -13

nixos/modules/security/pam.nix

··· 75 75 }; 76 76 77 77 oathAuth = mkOption { 78 - default = config.security.pam.enableOATH; 78 + default = config.security.pam.oath.enable; 79 79 type = types.bool; 80 80 description = '' 81 81 If set, the OATH Toolkit will be used. ··· 259 259 "auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth try_first_pass"} 260 260 ${optionalString cfg.otpwAuth 261 261 "auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"} 262 - ${optionalString cfg.oathAuth 263 - "auth sufficient ${pkgs.oathToolkit}/lib/security/pam_oath.so window=5 usersfile=/etc/users.oath"} 262 + ${let oath = config.security.pam.oath; in optionalString cfg.oathAuth 263 + "auth sufficient ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}"} 264 264 ${optionalString config.users.ldap.enable 265 265 "auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass"} 266 266 ${optionalString config.krb5.enable '' ··· 302 302 "session optional ${pam_krb5}/lib/security/pam_krb5.so"} 303 303 ${optionalString cfg.otpwAuth 304 304 "session optional ${pkgs.otpw}/lib/security/pam_otpw.so"} 305 - ${optionalString cfg.oathAuth 306 - "session optional ${pkgs.oathToolkit}/lib/security/pam_oath.so window=5 usersfile=/etc/users.oath"} 307 305 ${optionalString cfg.startSession 308 306 "session optional ${pkgs.systemd}/lib/security/pam_systemd.so"} 309 307 ${optionalString cfg.forwardXAuth ··· 405 403 ''; 406 404 }; 407 405 408 - security.pam.enableOATH = mkOption { 409 - default = false; 410 - description = '' 411 - Enable the OATH (one-time password) PAM module. 412 - ''; 413 - }; 414 - 415 406 security.pam.enableU2F = mkOption { 416 407 default = false; 417 408 description = '' ··· 446 437 ++ optional config.users.ldap.enable pam_ldap 447 438 ++ optionals config.krb5.enable [pam_krb5 pam_ccreds] 448 439 ++ optionals config.security.pam.enableOTPW [ pkgs.otpw ] 449 - ++ optionals config.security.pam.enableOATH [ pkgs.oathToolkit ] 440 + ++ optionals config.security.pam.oath.enable [ pkgs.oathToolkit ] 450 441 ++ optionals config.security.pam.enableU2F [ pkgs.pam_u2f ] 451 442 ++ optionals config.security.pam.enableEcryptfs [ pkgs.ecryptfs ]; 452 443