authorJörg Thalheim <Mic92@users.noreply.github.com>2018-02-10 08:16:50 +0000
committerGitHub <noreply@github.com>2018-02-10 08:16:50 +0000
commit79315b632efb9131f6b37ebe634e38217c9e4fdc (patch)
tree7608e5657db82620289ddcc8378504c9c0ada540 /nixos
parent603952d86c2d9b218820ed29dd11e5ae54e310c0 (diff)
parent5c746a0a847d1ba9419094445bb55d6ab405a9ab (diff)
Merge pull request #34728 from dpc/master
Add pam option to enable Google Authenticator
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/security/pam.nix21
1 files changed, 20 insertions, 1 deletions
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index 3fff9e78aa19..f39f64033ca7 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -46,6 +46,18 @@ let
         '';
       };
 
+      googleAuthenticator = {
+        enable = mkOption {
+          default = false;
+          type = types.bool;
+          description = ''
+            If set, users with enabled Google Authenticator (created
+            <filename>~/.google_authenticator</filename>) will be required
+            to provide Google Authenticator token to log in.
+          '';
+        };
+      };
+
       usbAuth = mkOption {
         default = config.security.pam.usb.enable;
         type = types.bool;
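Review bot: The description says only users who have created `~/.google_authenticator` are asked for a token, but the PAM line added in the third hunk is `auth required … pam_google_authenticator.so no_increment_hotp`, without `nullok`. Without `nullok`, pam_google_authenticator fails for accounts that have no secret file, so enabling the option on a service rejects every user who has not enrolled, administrators included. Either correct the description, e.g. `If set, every user of this service must have a <filename>~/.google_authenticator</filename> file and provide a token to log in.`, or add a separate option that appends `nullok`. With `nullok` a user skips the second factor simply by not enrolling, so it should stay off by default.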
@@ -284,7 +296,12 @@ let
           # prompts the user for password so we run it once with 'required' at an
           # earlier point and it will run again with 'sufficient' further down.
           # We use try_first_pass the second time to avoid prompting password twice
-          (optionalString (cfg.unixAuth && (config.security.pam.enableEcryptfs || cfg.pamMount || cfg.enableKwallet || cfg.enableGnomeKeyring)) ''
+          (optionalString (cfg.unixAuth &&
+          (config.security.pam.enableEcryptfs
+            || cfg.pamMount
+            || cfg.enableKwallet
+            || cfg.enableGnomeKeyring
+            || cfg.googleAuthenticator.enable)) ''
               auth required pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth
               ${optionalString config.security.pam.enableEcryptfs
                 "auth optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"}
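Review bot: The new `cfg.googleAuthenticator.enable` term sits inside `cfg.unixAuth && (…)`, and the pam_google_authenticator line in the third hunk is emitted only within this same `optionalString`. On a service with `unixAuth = false` the option is therefore accepted but no second-factor line is generated, which fails open silently for anyone who believes the token is enforced. Consider emitting the module line outside the unixAuth-gated block, or at least stating in the option description that it only takes effect when `unixAuth` is enabled. The enclosing rule text starts and ends outside the hunk.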
@@ -295,6 +312,8 @@ let
                  " kwalletd=${pkgs.libsForQt5.kwallet.bin}/bin/kwalletd5")}
               ${optionalString cfg.enableGnomeKeyring
                 ("auth optional ${pkgs.gnome3.gnome_keyring}/lib/security/pam_gnome_keyring.so")}
+              ${optionalString cfg.googleAuthenticator.enable
+                  "auth required ${pkgs.googleAuthenticator}/lib/security/pam_google_authenticator.so no_increment_hotp"}
             '') + ''
           ${optionalString cfg.unixAuth
               "auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth try_first_pass"}