config.security.oath: new module

Add a module that makes the options of the pam_oath module configurable.
These are:
- enable - enable the OATH pam module
- window - number of OTPs to check
- digits - length of the OTP (adds support for two-factor auth)
- usersFile - filename to store OATH credentials in

+55 -13
+1
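--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -93,6 +93,7 @@
 ./security/ca.nix
 ./security/duosec.nix
 ./security/grsecurity.nix
+./security/oath.nix
 ./security/pam.nix
 ./security/pam_usb.nix
 ./security/pam_mount.nix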
+50
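--- a/nixos/modules/security/oath.nix
+++ b/nixos/modules/security/oath.nix
@@ -0,0 +1,50 @@
+# This module provides configuration for the OATH PAM modules.
+
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+options = {
+
+security.pam.oath = {
+enable = mkOption {
+type = types.bool;
+default = false;
+description = ''
+Enable the OATH (one-time password) PAM module.
+'';
+};
+
+digits = mkOption {
+type = types.enum [ 6 7 8 ];
+default = 6;
+description = ''
+Specify the length of the one-time password in number of
+digits.
+'';
+};
+
+window = mkOption {
+type = types.int;
+default = 5;
+description = ''
+Specify the number of one-time passwords to check in order
+to accommodate for situations where the system and the
+client are slightly out of sync (iteration for HOTP or time
+steps for TOTP).
+'';
+};
+
+usersFile = mkOption {
+type = types.path;
+default = "/etc/users.oath";
+description = ''
+Set the path to file where the user's credentials are
+stored. This file must not be world readable!
+'';
+};
+};
+
+};
+}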
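Review bot: `usersFile` is declared with `type = types.path;` (new line 40), which accepts a Nix path literal such as `./users.oath`; such a value is copied into the Nix store, where every file is world readable, so the secret file would end up exactly where the description on lines 43–44 says it must not be. Prefer `type = types.str;` so only a filesystem path string is accepted, and extend the description with a sentence saying the file must live outside the store (e.g. under /etc) with permissions readable by root only. `window` (line 29) is `types.int` and so admits 0 and negative values that pam_oath cannot use; `type = types.addCheck types.int (n: n > 0);` rejects them at evaluation time. The commit title names `config.security.oath`, while the options are declared under `security.pam.oath`; one of the two should be aligned so the namespace is discoverable.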
+4 -13
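--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -75,7 +75,7 @@
 };
 
 oathAuth = mkOption {
-default = config.security.pam.enableOATH;
+default = config.security.pam.oath.enable;
 type = types.bool;
 description = ''
 If set, the OATH Toolkit will be used.
@@ -259,8 +259,8 @@
 "auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth try_first_pass"}
 ${optionalString cfg.otpwAuth
 "auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"}
-${optionalString cfg.oathAuth
-"auth sufficient ${pkgs.oathToolkit}/lib/security/pam_oath.so window=5 usersfile=/etc/users.oath"}
+${let oath = config.security.pam.oath; in optionalString cfg.oathAuth
+"auth sufficient ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}"}
 ${optionalString config.users.ldap.enable
 "auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass"}
 ${optionalString config.krb5.enable ''
@@ -302,8 +302,6 @@
 "session optional ${pam_krb5}/lib/security/pam_krb5.so"}
 ${optionalString cfg.otpwAuth
 "session optional ${pkgs.otpw}/lib/security/pam_otpw.so"}
-${optionalString cfg.oathAuth
-"session optional ${pkgs.oathToolkit}/lib/security/pam_oath.so window=5 usersfile=/etc/users.oath"}
 ${optionalString cfg.startSession
 "session optional ${pkgs.systemd}/lib/security/pam_systemd.so"}
 ${optionalString cfg.forwardXAuth
@@ -405,13 +403,6 @@
 '';
 };
 
-security.pam.enableOATH = mkOption {
-default = false;
-description = ''
-Enable the OATH (one-time password) PAM module.
-'';
-};
-
 security.pam.enableU2F = mkOption {
 default = false;
 description = ''
@@ -446,7 +437,7 @@
 ++ optional config.users.ldap.enable pam_ldap
 ++ optionals config.krb5.enable [pam_krb5 pam_ccreds]
 ++ optionals config.security.pam.enableOTPW [ pkgs.otpw ]
-++ optionals config.security.pam.enableOATH [ pkgs.oathToolkit ]
+++ optionals config.security.pam.oath.enable [ pkgs.oathToolkit ]
 ++ optionals config.security.pam.enableU2F [ pkgs.pam_u2f ]
 ++ optionals config.security.pam.enableEcryptfs [ pkgs.ecryptfs ];
 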
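Review bot: The `security.pam.enableOATH` option is deleted outright (old lines 408–414) without a compatibility alias, so any existing configuration that sets it stops evaluating with an undefined-option error and, worse, a user who carried the setting over in a `mkIf` or similar would silently lose OTP enforcement. Add a rename so the old name keeps working, e.g. in oath.nix: `imports = [ (mkRenamedOptionModule [ "security" "pam" "enableOATH" ] [ "security" "pam" "oath" "enable" ]) ];`, assuming the `lib` in this tree provides `mkRenamedOptionModule`. In the auth hunk (new line 263) `oath.usersFile` is interpolated unquoted into the PAM argument list; a path containing whitespace would be split into separate arguments by PAM, which is worth a sentence in the option description or an assertion. The `oathAuth` option and the PAM string both begin and end outside these hunks.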