commit 79315b632efb9131f6b37ebe634e38217c9e4fdc · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs

lol

fork atom

Merge pull request #34728 from dpc/master

Add pam option to enable Google Authenticator

authored by Jörg Thalheim and committed by GitHub 8 years ago 79315b63 603952d8

+20 -1

1 changed file

expand all

unified split

nixos

modules

security

pam.nix

+20 -1

nixos/modules/security/pam.nix

··· 46 ''; 47 }; 48 49 usbAuth = mkOption { 50 default = config.security.pam.usb.enable; 51 type = types.bool; ··· 284 # prompts the user for password so we run it once with 'required' at an 285 # earlier point and it will run again with 'sufficient' further down. 286 # We use try_first_pass the second time to avoid prompting password twice 287 - (optionalString (cfg.unixAuth && (config.security.pam.enableEcryptfs || cfg.pamMount || cfg.enableKwallet || cfg.enableGnomeKeyring)) '' 288 auth required pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth 289 ${optionalString config.security.pam.enableEcryptfs 290 "auth optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"} ··· 295 " kwalletd=${pkgs.libsForQt5.kwallet.bin}/bin/kwalletd5")} 296 ${optionalString cfg.enableGnomeKeyring 297 ("auth optional ${pkgs.gnome3.gnome_keyring}/lib/security/pam_gnome_keyring.so")} 298 '') + '' 299 ${optionalString cfg.unixAuth 300 "auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth try_first_pass"}

··· 46 ''; 47 }; 48 49 + googleAuthenticator = { 50 + enable = mkOption { 51 + default = false; 52 + type = types.bool; 53 + description = '' 54 + If set, users with enabled Google Authenticator (created 55 + <filename>~/.google_authenticator</filename>) will be required 56 + to provide Google Authenticator token to log in. 57 + ''; 58 + }; 59 + }; 60 + 61 usbAuth = mkOption { 62 default = config.security.pam.usb.enable; 63 type = types.bool; ··· 296 # prompts the user for password so we run it once with 'required' at an 297 # earlier point and it will run again with 'sufficient' further down. 298 # We use try_first_pass the second time to avoid prompting password twice 299 + (optionalString (cfg.unixAuth && 300 + (config.security.pam.enableEcryptfs 301 + || cfg.pamMount 302 + || cfg.enableKwallet 303 + || cfg.enableGnomeKeyring 304 + || cfg.googleAuthenticator.enable)) '' 305 auth required pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth 306 ${optionalString config.security.pam.enableEcryptfs 307 "auth optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"} ··· 312 " kwalletd=${pkgs.libsForQt5.kwallet.bin}/bin/kwalletd5")} 313 ${optionalString cfg.enableGnomeKeyring 314 ("auth optional ${pkgs.gnome3.gnome_keyring}/lib/security/pam_gnome_keyring.so")} 315 + ${optionalString cfg.googleAuthenticator.enable 316 + "auth required ${pkgs.googleAuthenticator}/lib/security/pam_google_authenticator.so no_increment_hotp"} 317 '') + '' 318 ${optionalString cfg.unixAuth 319 "auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth try_first_pass"}