author | Jörg Thalheim <Mic92@users.noreply.github.com> | 2019-09-24 03:31:39 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-09-24 03:31:39 +0100 |
commit | c5bc77d15112421289a07bdbbc5990f96348deaa (patch) | |
tree | 56b94847e6ae92b7d876a3d4d2d503d6af3fcc56 | |
parent | 9f35287e8e7028d90868ce5542c145b66852a40d (diff) | |
parent | edf538f7b9da60b318a0b1881881e90cf7884d67 (diff) | |
Merge pull request #67748 from typetetris/yubico-local-auth
Yubico local auth
-rw-r--r-- | nixos/modules/security/pam.nix | 19 | ||||
-rw-r--r-- | pkgs/development/libraries/yubico-pam/default.nix | 6 |
2 files changed, 21 insertions, 4 deletions
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index a3eb12b06940..11227354ad3b 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -351,7 +351,7 @@ let ${let oath = config.security.pam.oath; in optionalString cfg.oathAuth "auth requisite ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}"} ${let yubi = config.security.pam.yubico; in optionalString cfg.yubicoAuth - "auth ${yubi.control} ${pkgs.yubico-pam}/lib/security/pam_yubico.so id=${toString yubi.id} ${optionalString yubi.debug "debug"}"} + "auth ${yubi.control} ${pkgs.yubico-pam}/lib/security/pam_yubico.so mode=${toString yubi.mode} ${optionalString (yubi.mode == "client") "id=${toString yubi.id}"} ${optionalString yubi.debug "debug"}"} '' + # Modules in this block require having the password set in PAM_AUTHTOK. # pam_unix is marked as 'sufficient' on NixOS which means nothing will run @@ -696,6 +696,23 @@ in Debug output to stderr. ''; }; + mode = mkOption { + default = "client"; + type = types.enum [ "client" "challenge-response" ]; + description = '' + Mode of operation. + + Use "client" for online validation with a YubiKey validation service such as + the YubiCloud. + + Use "challenge-response" for offline validation using YubiKeys with HMAC-SHA-1 + Challenge-Response configurations. See the man-page ykpamcfg(1) for further + details on how to configure offline Challenge-Response validation. + + More information can be found <link + xlink:href="https://developers.yubico.com/yubico-pam/Authentication_Using_Challenge-Response.html">here</link>. + ''; + }; }; security.pam.enableEcryptfs = mkOption { diff --git a/pkgs/development/libraries/yubico-pam/default.nix b/pkgs/development/libraries/yubico-pam/default.nix index 5d7d0e664c64..e6a3fa9fbe14 100644 --- a/pkgs/development/libraries/yubico-pam/default.nix 
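Review bot: In the `-351` hunk of pam.nix, the pam_yubico line generated for `mode=challenge-response` carries no `chalresp_path`, so per the pam_yubico documentation the module will look for each user's challenge file under that user's own home directory. That leaves the expected-response state in a location the user can write to, and makes authentication depend on the home directory being available at login time, which matters on hosts with encrypted homes. Consider a nullable option such as `challengeResponsePath` and appending `${optionalString (yubi.challengeResponsePath != null) "chalresp_path=${yubi.challengeResponsePath}"}` to the line, pointing at a root-owned directory. The enclosing `let` block and the multi-line string both start and end outside this hunk.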
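Review bot: The `mode` description added in the `-696` hunk does not mention that `security.pam.yubico.id` is no longer passed to the module in "challenge-response" mode, nor that every account needs an initial challenge file created with ykpamcfg before the mode is switched on. If `control` is set to a value that makes the module mandatory, a user without that file would presumably fail authentication; `control` is defined outside this hunk, so that is worth confirming. I would add a sentence such as `In "challenge-response" mode the id option is ignored and each user must first create a challenge file with ykpamcfg.` It would also help to say that offline validation has no validation service to revoke a lost key, so the local challenge file has to be removed instead.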
+++ b/pkgs/development/libraries/yubico-pam/default.nix @@ -4,12 +4,12 @@ stdenv.mkDerivation rec { pname = "yubico-pam"; - version = "unstable-2019-03-19"; + version = "unstable-2019-07-01"; src = fetchFromGitHub { owner = "Yubico"; repo = pname; - rev = "1c6fa66825e77b3ad8df46513d0125bed9bde704"; - sha256 = "1g41wdwa1wbp391w1crbis4hwz60m3y06rd6j59m003zx40sk9s4"; + rev = "b5bd00db81e0e0e0ecced65c684080bb56ddc35b"; + sha256 = "10dq8dqi3jldllj6p8r9hldx9sank9n82c44w8akxrs1vli6nj3m"; }; nativeBuildInputs = [ autoreconfHook pkgconfig asciidoc libxslt docbook_xsl ]; |