authorAustin Seipp <aseipp@pobox.com>2014-05-20 02:42:31 -0500
committerAustin Seipp <aseipp@pobox.com>2014-05-20 02:42:38 -0500
commite31f212f6b6a46e28b8d0d77d22767432f4a2b44 (patch)
tree9c37e21f288c541b4a606f60313d42af49984542 /nixos/modules/security/duosec.nix
parent010833c6341998c72407a59763f6f2bfeac40f43 (diff)
nixos/duosec: Add an option to allow TCP forwarding
Signed-off-by: Austin Seipp <aseipp@pobox.com>
Diffstat (limited to 'nixos/modules/security/duosec.nix')
-rw-r--r--nixos/modules/security/duosec.nix15
1 files changed, 14 insertions, 1 deletions
diff --git a/nixos/modules/security/duosec.nix b/nixos/modules/security/duosec.nix
index bd9611384828..9893e63fb24f 100644
--- a/nixos/modules/security/duosec.nix
+++ b/nixos/modules/security/duosec.nix
@@ -165,6 +165,17 @@ in
           whitelist.
         '';
       };
+
+      allowTcpForwarding = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          By default, when SSH forwarding, enabling Duo Security will
+          disable TCP forwarding. By enabling this, you potentially
+          undermine some of the SSH based login security. Note this is
+          not needed if you use PAM.
+        '';
+      };
     };
   };
 
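Review bot: The description of `allowTcpForwarding` never says what is put at risk, and its opening clause ("when SSH forwarding, enabling Duo Security will disable TCP forwarding") does not parse. The second hunk shows the option decides whether `AllowTcpForwarding no` is written next to `ForceCommand ... login_duo`. Forwarding-only connections run no command, so with forwarding permitted they never reach the Duo prompt. I would state that directly, e.g. `When Duo is enforced through sshd's ForceCommand, TCP forwarding is disabled because forwarded connections do not run login_duo and so skip the second factor. Only enable this if that is acceptable.` The closing "not needed if you use PAM" sentence could also say why (presumably because the PAM module runs during authentication itself), if that is the intent.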
@@ -192,7 +203,9 @@ in
        # Duo Security configuration
        ForceCommand ${config.security.wrapperDir}/login_duo
        PermitTunnel no
-       AllowTcpForwarding no
+       ${optionalString (!cfg.allowTcpForwarding) ''
+         AllowTcpForwarding no
+       ''}
      '');
   };
 }
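Review bot: When `cfg.allowTcpForwarding` is true, the `optionalString` emits nothing, so the effective setting is whatever sshd resolves from the rest of its configuration (its built-in default is `yes`) rather than anything this module states. The generated file then carries no trace that the Duo hardening was relaxed on purpose. I would have the enabled case emit a comment line into the config instead of an empty string, e.g. `# AllowTcpForwarding not restricted (security.duosec.allowTcpForwarding); forwarded connections are not gated by login_duo`; the option path there is inferred from the file name and should be checked against the module. `PermitTunnel no` stays unconditional, which is the conservative choice and worth keeping that way. The config block these lines are appended to starts outside this hunk, so I cannot tell from here whether an earlier `AllowTcpForwarding` line in the same file could take precedence over this one.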