authorPhilip Potter <philip.g.potter@gmail.com>2015-05-03 15:29:42 +0100
committerPhilip Potter <philip.g.potter@gmail.com>2015-05-03 19:22:00 +0100
commit22167289794c080c50f092274de808543c7978c4 (patch)
tree990249295189b7e6ef0a2b215fbd0e2b4c15ae61 /nixos
parent0f8203d120dc0bd88b205b5f6ed5409d6b1e06ac (diff)
add support for pam_u2f to nixos pam module
This adds support for authenticating using a U2F device such as a
YubiKey NEO.
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/security/pam.nix20
1 files changed, 20 insertions, 0 deletions
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index 631e8317cb4c..35622b12ea33 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -36,6 +36,16 @@ let
         '';
       };
 
+      u2fAuth = mkOption {
+        default = config.security.pam.enableU2F;
+        type = types.bool;
+        description = ''
+          If set, users listed in
+          <filename>~/.yubico/u2f_keys</filename> are able to log in
+          with the associated U2F key.
+        '';
+      };
+
       usbAuth = mkOption {
         default = config.security.pam.usb.enable;
         type = types.bool;
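Review bot: The `u2fAuth` description names `~/.yubico/u2f_keys`, but the PAM line added later in this commit passes no `authfile=` argument, so pam_u2f reads its built-in default location. As far as I know that default is `Yubico/u2f_keys` under the user's XDG config directory (`~/.config/Yubico/u2f_keys`), so the documented path should be checked against the packaged version. The text also does not say that the key replaces the password for the service. Suggested wording: `If set, a U2F key registered in the user's pam_u2f key file is sufficient to log in to this service, without a password.` Since the mapping file lives in the user's home, it is worth adding that anyone who can write that file can register a key for the account.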
@@ -209,6 +219,8 @@ let
               "auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys:~/.ssh/authorized_keys2:/etc/ssh/authorized_keys.d/%u"}
           ${optionalString cfg.fprintAuth
               "auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so"}
+          ${optionalString cfg.u2fAuth
+              "auth sufficient ${pkgs.pam_u2f}/lib/security/pam_u2f.so"}
           ${optionalString cfg.usbAuth
               "auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so"}
           ${optionalString cfg.unixAuth
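Review bot: The new pam_u2f line uses control `sufficient` and sits ahead of the `cfg.unixAuth` entry, so a successful token check ends the auth stack and the password is never requested. The U2F device therefore acts as a single possession factor, not as a second factor, which is not what most readers expect from "U2F support". If that is the intent, state it in the option descriptions. A follow-up could expose the control flag as an option, so that a two-factor setup with `required` is possible without editing the generated PAM text. The surrounding multi-line string starts and ends outside this hunk, so how the remaining `auth` entries are ordered cannot be checked from here.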
@@ -364,6 +376,13 @@ in
       '';
     };
 
+    security.pam.enableU2F = mkOption {
+      default = false;
+      description = ''
+        Enable the U2F PAM module.
+      '';
+    };
+
     security.pam.enableEcryptfs = mkOption {
       default = false;
       description = ''
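Review bot: `Enable the U2F PAM module.` understates the effect of `security.pam.enableU2F`. It is the default for `u2fAuth` (first hunk), which appears to be a per-service option, so setting it adds the `auth sufficient` pam_u2f line to every PAM service that does not override `u2fAuth`. I would declare the type and spell out the scope: `type = types.bool;` and a description such as `Enable pam_u2f for all PAM services by default; a registered U2F key then authenticates without a password. Override per service with u2fAuth.` An administrator who enables this for desktop login should be able to see from the docs that services such as sudo are presumably affected too.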
@@ -392,6 +411,7 @@ in
       ++ optionals config.krb5.enable [pam_krb5 pam_ccreds]
       ++ optionals config.security.pam.enableOTPW [ pkgs.otpw ]
       ++ optionals config.security.pam.enableOATH [ pkgs.oathToolkit ]
+      ++ optionals config.security.pam.enableU2F [ pkgs.pam_u2f ]
       ++ optionals config.security.pam.enableEcryptfs [ pkgs.ecryptfs ];
 
     security.setuidPrograms =