authorScott Dier <scott@dier.name>2019-02-13 01:12:51 +0000
committerScott Dier <scott@dier.name>2019-02-24 22:48:56 +0000
commit096e66a8ad3989d230a7dfcc4aad7297d028d769 (patch)
tree86cee12836fe180e3b93768f712899335fe0c6b0 /nixos/modules/security
parent98419a0f6453a99e9f57da7edcc53d662561a4f2 (diff)
nixos/security: Add duo-unix support to pam.
Also whitespace cleanup of surrounding code.
Diffstat (limited to 'nixos/modules/security')
-rw-r--r--nixos/modules/security/pam.nix21
1 files changed, 18 insertions, 3 deletions
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index 206b529ed680..03d2f899f2ab 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -131,6 +131,18 @@ let
'';
};
+ duoSecurity = {
+ enable = mkOption {
+ default = false;
+ type = types.bool;
+ description = ''
+ If set, use the Duo Security pam module
+ <literal>pam_duo</literal> for authentication. Requires
+ configuration of <option>security.duosec</option> options.
+ '';
+ };
+ };
+
startSession = mkOption {
default = false;
type = types.bool;
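Review bot: The description of `duoSecurity.enable` does not say where `pam_duo` lands in the auth stack or what happens if the Duo side is not configured. The later hunks add it as `auth required` after the `pam_unix.so` line, so the text could read `If set, require Duo Security two-factor authentication via <literal>pam_duo</literal> after the password check for this service.` It would also help to state that enabling this without a working `security.duosec` configuration may either fail logins for the service or, depending on Duo's `failmode` setting, let them through without the second factor. No assertion tying the two together is visible in this hunk, and the enclosing `let` block starts and ends outside it.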
@@ -340,7 +352,8 @@ let
|| cfg.pamMount
|| cfg.enableKwallet
|| cfg.enableGnomeKeyring
- || cfg.googleAuthenticator.enable)) ''
+ || cfg.googleAuthenticator.enable
+ || cfg.duoSecurity.enable)) ''
auth required pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth
${optionalString config.security.pam.enableEcryptfs
"auth optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"}
@@ -350,9 +363,11 @@ let
("auth optional ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so" +
" kwalletd=${pkgs.libsForQt5.kwallet.bin}/bin/kwalletd5")}
${optionalString cfg.enableGnomeKeyring
- ("auth optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so")}
+ "auth optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so"}
${optionalString cfg.googleAuthenticator.enable
- "auth required ${pkgs.googleAuthenticator}/lib/security/pam_google_authenticator.so no_increment_hotp"}
+ "auth required ${pkgs.googleAuthenticator}/lib/security/pam_google_authenticator.so no_increment_hotp"}
+ ${optionalString cfg.duoSecurity.enable
+ "auth required ${pkgs.duo-unix}/lib/security/pam_duo.so"}
'') + ''
${optionalString cfg.unixAuth
"auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth try_first_pass"}
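Review bot: The `pam_duo.so` line is emitted only inside the string guarded by the condition extended in the previous hunk, and the start of that condition lies outside the visible lines. A service for which the guard is false would therefore get no Duo prompt even with `duoSecurity.enable = true`, and nothing here warns about it. Any `auth sufficient` rule placed earlier in the generated stack (not visible in this hunk) would likewise return success before `pam_duo` runs, so it is worth confirming which login paths are meant to bypass the second factor and saying so in the option description. Because the line is `required`, an unreachable Duo service allows or denies the login according to pam_duo's `failmode`; a sentence pointing administrators at that setting would make the fail-open or fail-closed choice explicit.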