diff options
author | Aaron Andersen <aaron@fosslib.net> | 2020-01-30 21:18:43 -0500 |
---|---|---|
committer | Aaron Andersen <aaron@fosslib.net> | 2020-03-22 20:23:55 -0400 |
commit | b9dca769f150483b2e5e01c41c7df1e44f48f996 (patch) | |
tree | 3198c4c5bb2a97ced8264bf8b165b2ab1ee5a60d /nixos | |
parent | 4f9cea70bd75b812ccd7edc4e23e95da08eb3d9b (diff) | |
download | nixlib-b9dca769f150483b2e5e01c41c7df1e44f48f996.tar nixlib-b9dca769f150483b2e5e01c41c7df1e44f48f996.tar.gz nixlib-b9dca769f150483b2e5e01c41c7df1e44f48f996.tar.bz2 nixlib-b9dca769f150483b2e5e01c41c7df1e44f48f996.tar.lz nixlib-b9dca769f150483b2e5e01c41c7df1e44f48f996.tar.xz nixlib-b9dca769f150483b2e5e01c41c7df1e44f48f996.tar.zst nixlib-b9dca769f150483b2e5e01c41c7df1e44f48f996.zip |
nixos/duosec: replace insecure skey option with secure secretKeyFile option
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/release-notes/rl-2009.xml | 8 | ||||
-rw-r--r-- | nixos/modules/security/duosec.nix | 61 |
2 files changed, 48 insertions, 21 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2009.xml b/nixos/doc/manual/release-notes/rl-2009.xml index 2f61ee5ae2ed..1ca172c99f13 100644 --- a/nixos/doc/manual/release-notes/rl-2009.xml +++ b/nixos/doc/manual/release-notes/rl-2009.xml @@ -96,6 +96,14 @@ <option>systemd.services.supybot.serviceConfig</option>. </para> </listitem> + <listitem> + <para> + The <literal>security.duosec.skey</literal> option, which stored a secret in the + nix store, has been replaced by a new + <link linkend="opt-security.duosec.secretKeyFile">security.duosec.secretKeyFile</link> + option for better security. + </para> + </listitem> </itemizedlist> </section> diff --git a/nixos/modules/security/duosec.nix b/nixos/modules/security/duosec.nix index 2d5596738ce5..38169706463d 100644 --- a/nixos/modules/security/duosec.nix +++ b/nixos/modules/security/duosec.nix @@ -10,7 +10,6 @@ let configFilePam = '' [duo] ikey=${cfg.ikey} - skey=${cfg.skey} host=${cfg.host} ${optionalString (cfg.groups != "") ("groups="+cfg.groups)} failmode=${cfg.failmode} @@ -24,26 +23,11 @@ let motd=${boolToStr cfg.motd} accept_env_factor=${boolToStr cfg.acceptEnvFactor} ''; - - loginCfgFile = optionalAttrs cfg.ssh.enable { - "duo/login_duo.conf" = - { source = pkgs.writeText "login_duo.conf" configFileLogin; - mode = "0600"; - user = "sshd"; - }; - }; - - pamCfgFile = optional cfg.pam.enable { - "duo/pam_duo.conf" = - { source = pkgs.writeText "pam_duo.conf" configFilePam; - mode = "0600"; - user = "sshd"; - }; - }; in { imports = [ (mkRenamedOptionModule [ "security" "duosec" "group" ] [ "security" "duosec" "groups" ]) + (mkRemovedOptionModule [ "security" "duosec" "skey" ] "The insecure security.duosec.skey option has been replaced by a new security.duosec.secretKeyFile option. Use this new option to store a secure copy of your key instead.") ]; options = { @@ -65,9 +49,13 @@ in description = "Integration key."; }; - skey = mkOption { - type = types.str; - description = "Secret key."; + secretKeyFile = mkOption { + type = types.path; + default = null; + description = '' + A file containing your secret key. The security of your Duo application is tied to the security of your secret key. + ''; + example = "/run/keys/duo-skey"; }; host = mkOption { @@ -198,7 +186,38 @@ in environment.systemPackages = [ pkgs.duo-unix ]; security.wrappers.login_duo.source = "${pkgs.duo-unix.out}/bin/login_duo"; - environment.etc = loginCfgFile // pamCfgFile; + + system.activationScripts = { + login_duo = mkIf cfg.ssh.enable '' + if test -f "${cfg.secretKeyFile}"; then + mkdir -m 0755 -p /etc/duo + + umask 0077 + conf="$(mktemp)" + { + cat ${pkgs.writeText "login_duo.conf" configFileLogin} + printf 'skey = %s\n' "$(cat ${cfg.secretKeyFile})" + } >"$conf" + + chown sshd "$conf" + mv -fT "$conf" /etc/duo/login_duo.conf + fi + ''; + pam_duo = mkIf cfg.pam.enable '' + if test -f "${cfg.secretKeyFile}"; then + mkdir -m 0755 -p /etc/duo + + umask 0077 + conf="$(mktemp)" + { + cat ${pkgs.writeText "login_duo.conf" configFilePam} + printf 'skey = %s\n' "$(cat ${cfg.secretKeyFile})" + } >"$conf" + + mv -fT "$conf" /etc/duo/pam_duo.conf + fi + ''; + }; /* If PAM *and* SSH are enabled, then don't do anything special. If PAM isn't used, set the default SSH-only options. */ |