author | zimbatm <zimbatm@zimbatm.com> | 2016-02-26 18:06:28 +0000 |
---|---|---|
committer | zimbatm <zimbatm@zimbatm.com> | 2016-02-26 18:06:28 +0000 |
commit | 2c7e5a6d8eba8b18269c452e84b9241f9aa4eefd (patch) | |
tree | 4cd0eac736954a5adb1a33f7eb59f2a73b9cc9d8 /nixos/modules | |
parent | c183117aee18e2864033fdb2f0d15d9a51e7fa97 (diff) | |
parent | d09c7986de7d0d4ece340838b9e40eb496486b9f (diff) | |
Merge pull request #13434 from spacefrogg/oath-module
config.security.oath: new module
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/module-list.nix | 1 | ||||
-rw-r--r-- | nixos/modules/security/oath.nix | 50 | ||||
-rw-r--r-- | nixos/modules/security/pam.nix | 17 |
3 files changed, 55 insertions, 13 deletions
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index c2bcc361c447..f41e17189a42 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -93,6 +93,7 @@
 ./security/ca.nix
 ./security/duosec.nix
 ./security/grsecurity.nix
+ ./security/oath.nix
 ./security/pam.nix
 ./security/pam_usb.nix
 ./security/pam_mount.nix
diff --git a/nixos/modules/security/oath.nix b/nixos/modules/security/oath.nix
new file mode 100644
index 000000000000..20f3e2dd9f83
--- /dev/null
+++ b/nixos/modules/security/oath.nix
@@ -0,0 +1,50 @@
+# This module provides configuration for the OATH PAM modules.
+
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+ options = {
+
+ security.pam.oath = {
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ Enable the OATH (one-time password) PAM module.
+ '';
+ };
+
+ digits = mkOption {
+ type = types.enum [ 6 7 8 ];
+ default = 6;
+ description = ''
+ Specify the length of the one-time password in number of
+ digits.
+ '';
+ };
+
+ window = mkOption {
+ type = types.int;
+ default = 5;
+ description = ''
+ Specify the number of one-time passwords to check in order
+ to accommodate for situations where the system and the
+ client are slightly out of sync (iteration for HOTP or time
+ steps for TOTP).
+ '';
+ };
+
+ usersFile = mkOption {
+ type = types.path;
+ default = "/etc/users.oath";
+ description = ''
+ Set the path to file where the user's credentials are
+ stored. This file must not be world readable!
+ '';
+ };
+ };
+
+ };
+}
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index 2ee8a803d2fe..021c561af759 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -75,7 +75,7 @@ let
 };
 oathAuth = mkOption {
- default = config.security.pam.enableOATH;
+ default = config.security.pam.oath.enable;
 type = types.bool;
 description = ''
 If set, the OATH Toolkit will be used.
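Review bot: `usersFile` is declared as `types.path`, so a Nix store path is accepted, and the description's warning that the file must not be world readable is the only thing standing between a user and `usersFile = pkgs.writeText "users.oath" …`, which would publish every shared secret in the world-readable store; nothing in the module checks or enforces permissions on the configured path. I would extend the description with `Never point this at a path in the Nix store (e.g. one produced by writeText): the store is world readable. The file also has to stay writable by root, because pam_oath rewrites it with the last used counter.` — the last sentence reflects pam_oath's documented behaviour rather than anything in this hunk, so confirm it against the packaged oath-toolkit. `window` is typed `types.int`, which lets negative or very large values through evaluation; `type = types.addCheck types.int (w: w >= 0);` rejects the former, and the description could say that every extra step widens the set of codes accepted at any one moment.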
@@ -259,8 +259,8 @@ let
 "auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth try_first_pass"}
 ${optionalString cfg.otpwAuth
 "auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"}
- ${optionalString cfg.oathAuth
- "auth sufficient ${pkgs.oathToolkit}/lib/security/pam_oath.so window=5 usersfile=/etc/users.oath"}
+ ${let oath = config.security.pam.oath; in optionalString cfg.oathAuth
+ "auth sufficient ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}"}
 ${optionalString config.users.ldap.enable
 "auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass"}
 ${optionalString config.krb5.enable ''
@@ -302,8 +302,6 @@ let
 "session optional ${pam_krb5}/lib/security/pam_krb5.so"}
 ${optionalString cfg.otpwAuth
 "session optional ${pkgs.otpw}/lib/security/pam_otpw.so"}
- ${optionalString cfg.oathAuth
- "session optional ${pkgs.oathToolkit}/lib/security/pam_oath.so window=5 usersfile=/etc/users.oath"}
 ${optionalString cfg.startSession
 "session optional ${pkgs.systemd}/lib/security/pam_systemd.so"}
 ${optionalString cfg.forwardXAuth
@@ -405,13 +403,6 @@ in
 '';
 };
- security.pam.enableOATH = mkOption {
- default = false;
- description = ''
- Enable the OATH (one-time password) PAM module.
- '';
- };
-
 security.pam.enableU2F = mkOption {
 default = false;
 description = ''
@@ -446,7 +437,7 @@ in
 ++ optional config.users.ldap.enable pam_ldap
 ++ optionals config.krb5.enable [pam_krb5 pam_ccreds]
 ++ optionals config.security.pam.enableOTPW [ pkgs.otpw ]
- ++ optionals config.security.pam.enableOATH [ pkgs.oathToolkit ]
+ ++ optionals config.security.pam.oath.enable [ pkgs.oathToolkit ]
 ++ optionals config.security.pam.enableU2F [ pkgs.pam_u2f ]
 ++ optionals config.security.pam.enableEcryptfs [ pkgs.ecryptfs ]; |
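Review bot: The rewritten pam_oath line still carries `auth sufficient` and sits after the `auth sufficient pam_unix.so` line at the top of the hunk, so a correct password authenticates without any one-time password and a correct OTP authenticates without the password: enabling `security.pam.oath` gives a password-or-OTP stack, not a second factor. That ordering predates this commit, but the new options are where users will now look, and neither `oathAuth` nor `security.pam.oath.enable` says so; I would add to the `enable` description: `Note: pam_oath is added as a 'sufficient' auth module alongside pam_unix, so a one-time password is an alternative to the account password, not an additional factor.` Separately, `usersfile=${toString oath.usersFile}` is spliced into a whitespace-separated PAM argument list, so a path containing a space is silently split into two arguments; a sentence in the `usersFile` description or an assertion on `oath.usersFile` would catch that. The `let` binding this hunk sits in starts and ends outside it.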