pyrox.dev / nixpkgs
lol
fork atom

Merge pull request #167514 from shimunn/pam_u2f_module

nixos/security/pam: added `origin` option to pamu2f

Arian van Putten 55bd7706 385a38d1

options
unified split
Changed files
+22 -2
nixos
modules
security
pam.nix
tests
pam
pam-u2f.nix
+20 -1
nixos/modules/security/pam.nix 
···

       
483

       
483

       
 

       
            auth ${p11.control} ${pkgs.pam_p11}/lib/security/pam_p11.so ${pkgs.opensc}/lib/opensc-pkcs11.so


     

       
484

       
484

       
 

       
          '') +


     

       
485

       
485

       
 

       
          (let u2f = config.security.pam.u2f; in optionalString cfg.u2fAuth ''


     

       
486

       

       
-

       
            auth ${u2f.control} ${pkgs.pam_u2f}/lib/security/pam_u2f.so ${optionalString u2f.debug "debug"} ${optionalString (u2f.authFile != null) "authfile=${u2f.authFile}"} ${optionalString u2f.interactive "interactive"} ${optionalString u2f.cue "cue"} ${optionalString (u2f.appId != null) "appid=${u2f.appId}"}


     

       

       
486

       
+

       
              auth ${u2f.control} ${pkgs.pam_u2f}/lib/security/pam_u2f.so ${optionalString u2f.debug "debug"} ${optionalString (u2f.authFile != null) "authfile=${u2f.authFile}"} ''


     

       

       
487

       
+

       
                + ''${optionalString u2f.interactive "interactive"} ${optionalString u2f.cue "cue"} ${optionalString (u2f.appId != null) "appid=${u2f.appId}"} ${optionalString (u2f.origin != null) "origin=${u2f.origin}"}


     

       
487

       
488

       
 

       
          '') +


     

       
488

       
489

       
 

       
          optionalString cfg.usbAuth ''


     

       
489

       
490

       
 

       
            auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so


     
···

       
888

       
889

       
 

       



     

       
889

       
890

       
 

       
            When using <command>pamu2fcfg</command>, you can specify your


     

       
890

       
891

       
 

       
            application ID with the <literal>-i</literal> flag.


     

       

       
892

       
+

       



     

       

       
893

       
+

       
            More information can be found <link


     

       

       
894

       
+

       
            xlink:href="https://developers.yubico.com/pam-u2f/Manuals/pam_u2f.8.html">


     

       

       
895

       
+

       
            here</link>


     

       

       
896

       
+

       
        '';


     

       

       
897

       
+

       
      };


     

       

       
898

       
+

       



     

       

       
899

       
+

       
      origin = mkOption {


     

       

       
900

       
+

       
        default = null;


     

       

       
901

       
+

       
        type = with types; nullOr str;


     

       

       
902

       
+

       
        description = ''


     

       

       
903

       
+

       
            By default <literal>pam-u2f</literal> module sets the origin


     

       

       
904

       
+

       
            to <literal>pam://$HOSTNAME</literal>.


     

       

       
905

       
+

       
            Setting origin to an host independent value will allow you to


     

       

       
906

       
+

       
            reuse credentials across machines


     

       

       
907

       
+

       



     

       

       
908

       
+

       
            When using <command>pamu2fcfg</command>, you can specify your


     

       

       
909

       
+

       
            application ID with the <literal>-o</literal> flag.


     

       
891

       
910

       
 

       



     

       
892

       
911

       
 

       
            More information can be found <link


     

       
893

       
912

       
 

       
            xlink:href="https://developers.yubico.com/pam-u2f/Manuals/pam_u2f.8.html">
+2 -1
nixos/tests/pam/pam-u2f.nix 
···

       
12

       
12

       
 

       
        debug = true;


     

       
13

       
13

       
 

       
        enable = true;


     

       
14

       
14

       
 

       
        interactive = true;


     

       

       
15

       
+

       
        origin = "nixos-test";


     

       
15

       
16

       
 

       
      };


     

       
16

       
17

       
 

       
    };


     

       
17

       
18

       
 

       



     
···

       
19

       
20

       
 

       
    ''


     

       
20

       
21

       
 

       
      machine.wait_for_unit("multi-user.target")


     

       
21

       
22

       
 

       
      machine.succeed(


     

       
22

       

       
-

       
          'egrep "auth required .*/lib/security/pam_u2f.so.*debug.*interactive.*cue" /etc/pam.d/ -R'


     

       

       
23

       
+

       
          'egrep "auth required .*/lib/security/pam_u2f.so.*debug.*interactive.*cue.*origin=nixos-test" /etc/pam.d/ -R'


     

       
23

       
24

       
 

       
      )


     

       
24

       
25

       
 

       
    '';


     

       
25

       
26

       
 

       
})