authorSilvan Mosberger <infinisil@icloud.com>2019-02-25 01:38:51 +0100
committerGitHub <noreply@github.com>2019-02-25 01:38:51 +0100
commit02db11d3692622c2c2202ac733c0d4054eb9dc37 (patch)
treed283e4451f8d5dc2636aaaaeb5595f067de1a753 /nixos/modules/security
parent59338fb99d257df49ebb885d164224793f79d727 (diff)
parenta11ad16bd7f1bd648ddad3bd5b9507b909472451 (diff)
Merge pull request #55792 from sdier/fix/pam-update
Allow Duo Security (duosec) to be used in NixOS as a PAM module.
Diffstat (limited to 'nixos/modules/security')
-rw-r--r--nixos/modules/security/duosec.nix19
-rw-r--r--nixos/modules/security/pam.nix21
2 files changed, 26 insertions, 14 deletions
diff --git a/nixos/modules/security/duosec.nix b/nixos/modules/security/duosec.nix
index df6108dede7c..14bf118f2d84 100644
--- a/nixos/modules/security/duosec.nix
+++ b/nixos/modules/security/duosec.nix
@@ -7,7 +7,7 @@ let
boolToStr = b: if b then "yes" else "no";
- configFile = ''
+ configFilePam = ''
[duo]
ikey=${cfg.ikey}
skey=${cfg.skey}
@@ -16,21 +16,24 @@ let
failmode=${cfg.failmode}
pushinfo=${boolToStr cfg.pushinfo}
autopush=${boolToStr cfg.autopush}
- motd=${boolToStr cfg.motd}
prompts=${toString cfg.prompts}
- accept_env_factor=${boolToStr cfg.acceptEnvFactor}
fallback_local_ip=${boolToStr cfg.fallbackLocalIP}
'';
+ configFileLogin = configFilePam + ''
+ motd=${boolToStr cfg.motd}
+ accept_env_factor=${boolToStr cfg.acceptEnvFactor}
+ '';
+
loginCfgFile = optional cfg.ssh.enable
- { source = pkgs.writeText "login_duo.conf" configFile;
+ { source = pkgs.writeText "login_duo.conf" configFileLogin;
mode = "0600";
user = "sshd";
target = "duo/login_duo.conf";
};
pamCfgFile = optional cfg.pam.enable
- { source = pkgs.writeText "pam_duo.conf" configFile;
+ { source = pkgs.writeText "pam_duo.conf" configFilePam;
mode = "0600";
user = "sshd";
target = "duo/pam_duo.conf";
@@ -180,12 +183,6 @@ in
};
config = mkIf (cfg.ssh.enable || cfg.pam.enable) {
- assertions =
- [ { assertion = !cfg.pam.enable;
- message = "PAM support is currently not implemented.";
- }
- ];
-
environment.systemPackages = [ pkgs.duo-unix ];
security.wrappers.login_duo.source = "${pkgs.duo-unix.out}/bin/login_duo";
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index 206b529ed680..03d2f899f2ab 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -131,6 +131,18 @@ let
'';
};
+ duoSecurity = {
+ enable = mkOption {
+ default = false;
+ type = types.bool;
+ description = ''
+ If set, use the Duo Security pam module
+ <literal>pam_duo</literal> for authentication. Requires
+ configuration of <option>security.duosec</option> options.
+ '';
+ };
+ };
+
startSession = mkOption {
default = false;
type = types.bool;
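Review bot: The new `duoSecurity.enable` description should warn that sshd does not run the PAM `auth` stack for public-key authentication, so setting this on the sshd service does not enforce Duo for key-based logins unless sshd is also configured with `AuthenticationMethods publickey,keyboard-interactive` (or `security.duosec.ssh.enable` is used for login_duo instead). It should also say explicitly that `security.duosec.pam.enable` must be set, since that is what generates /etc/duo/pam_duo.conf, and that behaviour during a Duo outage is governed by `security.duosec.failmode`. Suggested addition to the description: `Note that sshd skips the PAM auth stack for public-key logins; use AuthenticationMethods or security.duosec.ssh.enable to cover those. Set security.duosec.pam.enable so that pam_duo.conf is generated, and review security.duosec.failmode for fail-open vs. fail-closed behaviour.`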
@@ -340,7 +352,8 @@ let
|| cfg.pamMount
|| cfg.enableKwallet
|| cfg.enableGnomeKeyring
- || cfg.googleAuthenticator.enable)) ''
+ || cfg.googleAuthenticator.enable
+ || cfg.duoSecurity.enable)) ''
auth required pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth
${optionalString config.security.pam.enableEcryptfs
"auth optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"}
@@ -350,9 +363,11 @@ let
("auth optional ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so" +
" kwalletd=${pkgs.libsForQt5.kwallet.bin}/bin/kwalletd5")}
${optionalString cfg.enableGnomeKeyring
- ("auth optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so")}
+ "auth optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so"}
${optionalString cfg.googleAuthenticator.enable
- "auth required ${pkgs.googleAuthenticator}/lib/security/pam_google_authenticator.so no_increment_hotp"}
+ "auth required ${pkgs.googleAuthenticator}/lib/security/pam_google_authenticator.so no_increment_hotp"}
+ ${optionalString cfg.duoSecurity.enable
+ "auth required ${pkgs.duo-unix}/lib/security/pam_duo.so"}
'') + ''
${optionalString cfg.unixAuth
"auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth try_first_pass"}
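Review bot: Nothing ties the new `auth required ${pkgs.duo-unix}/lib/security/pam_duo.so` line to `security.duosec.pam.enable`, which per duosec.nix is the only thing that writes /etc/duo/pam_duo.conf; a service that sets `duoSecurity.enable` without it gets a required module with no config file, which presumably fails every login rather than silently bypassing Duo, but will surprise operators at the next login attempt. A build-time assertion would catch this, e.g. `assertion = !cfg.duoSecurity.enable || config.security.duosec.pam.enable;` with a message naming both options; the per-service assertion would live in the module's `config` section, which is outside this hunk. Also consider a short comment next to the new line noting that, because the module is `required`, its outage behaviour is entirely determined by `security.duosec.failmode`. The enclosing string-building expression starts before this hunk.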