diff options
| -rw-r--r-- | nixos/modules/security/pam.nix | 19 | ||||
| -rw-r--r-- | pkgs/development/libraries/yubico-pam/default.nix | 6 |
2 files changed, 21 insertions, 4 deletions
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index a3eb12b06940..11227354ad3b 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -351,7 +351,7 @@ let ${let oath = config.security.pam.oath; in optionalString cfg.oathAuth "auth requisite ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}"} ${let yubi = config.security.pam.yubico; in optionalString cfg.yubicoAuth - "auth ${yubi.control} ${pkgs.yubico-pam}/lib/security/pam_yubico.so id=${toString yubi.id} ${optionalString yubi.debug "debug"}"} + "auth ${yubi.control} ${pkgs.yubico-pam}/lib/security/pam_yubico.so mode=${toString yubi.mode} ${optionalString (yubi.mode == "client") "id=${toString yubi.id}"} ${optionalString yubi.debug "debug"}"} '' + # Modules in this block require having the password set in PAM_AUTHTOK. # pam_unix is marked as 'sufficient' on NixOS which means nothing will run @@ -696,6 +696,23 @@ in Debug output to stderr. ''; }; + mode = mkOption { + default = "client"; + type = types.enum [ "client" "challenge-response" ]; + description = '' + Mode of operation. + + Use "client" for online validation with a YubiKey validation service such as + the YubiCloud. + + Use "challenge-response" for offline validation using YubiKeys with HMAC-SHA-1 + Challenge-Response configurations. See the man-page ykpamcfg(1) for further + details on how to configure offline Challenge-Response validation. + + More information can be found <link + xlink:href="https://developers.yubico.com/yubico-pam/Authentication_Using_Challenge-Response.html">here</link>. + ''; + }; }; security.pam.enableEcryptfs = mkOption { diff --git a/pkgs/development/libraries/yubico-pam/default.nix b/pkgs/development/libraries/yubico-pam/default.nix index 5d7d0e664c64..e6a3fa9fbe14 100644 --- a/pkgs/development/libraries/yubico-pam/default.nix +++ b/pkgs/development/libraries/yubico-pam/default.nix @@ -4,12 +4,12 @@ stdenv.mkDerivation rec { pname = "yubico-pam"; - version = "unstable-2019-03-19"; + version = "unstable-2019-07-01"; src = fetchFromGitHub { owner = "Yubico"; repo = pname; - rev = "1c6fa66825e77b3ad8df46513d0125bed9bde704"; - sha256 = "1g41wdwa1wbp391w1crbis4hwz60m3y06rd6j59m003zx40sk9s4"; + rev = "b5bd00db81e0e0e0ecced65c684080bb56ddc35b"; + sha256 = "10dq8dqi3jldllj6p8r9hldx9sank9n82c44w8akxrs1vli6nj3m"; }; nativeBuildInputs = [ autoreconfHook pkgconfig asciidoc libxslt docbook_xsl ]; |