pyrox.dev / nixpkgs
lol
fork atom

config.security.oath: new module

Add a module to make options to pam_oath module configurable.
These are:
- enable - enable the OATH pam module
- window - number of OTPs to check
- digits - length of the OTP (adds support for two-factor auth)
- usersFile - filename to store OATH credentials in

Michael Raitza d09c7986 bd9f128c

options
unified split
Changed files
+55 -13
nixos
modules
module-list.nix
security
oath.nix
pam.nix
+1
nixos/modules/module-list.nix 
···

       
93

       
 

       
  ./security/ca.nix


     

       
94

       
 

       
  ./security/duosec.nix


     

       
95

       
 

       
  ./security/grsecurity.nix


     

       

       

       
     

       
96

       
 

       
  ./security/pam.nix


     

       
97

       
 

       
  ./security/pam_usb.nix


     

       
98

       
 

       
  ./security/pam_mount.nix


     
···

       
93

       
 

       
  ./security/ca.nix


     

       
94

       
 

       
  ./security/duosec.nix


     

       
95

       
 

       
  ./security/grsecurity.nix


     

       
96

       
+

       
  ./security/oath.nix


     

       
97

       
 

       
  ./security/pam.nix


     

       
98

       
 

       
  ./security/pam_usb.nix


     

       
99

       
 

       
  ./security/pam_mount.nix
+50
nixos/modules/security/oath.nix 
···

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     
···

       
1

       
+

       
# This module provides configuration for the OATH PAM modules.


     

       
2

       
+

       



     

       
3

       
+

       
{ config, lib, pkgs, ... }:


     

       
4

       
+

       



     

       
5

       
+

       
with lib;


     

       
6

       
+

       



     

       
7

       
+

       
{


     

       
8

       
+

       
  options = {


     

       
9

       
+

       



     

       
10

       
+

       
    security.pam.oath = {


     

       
11

       
+

       
      enable = mkOption {


     

       
12

       
+

       
        type = types.bool;


     

       
13

       
+

       
        default = false;


     

       
14

       
+

       
        description = ''


     

       
15

       
+

       
          Enable the OATH (one-time password) PAM module.


     

       
16

       
+

       
        '';


     

       
17

       
+

       
      };


     

       
18

       
+

       



     

       
19

       
+

       
      digits = mkOption {


     

       
20

       
+

       
        type = types.enum [ 6 7 8 ];


     

       
21

       
+

       
        default = 6;


     

       
22

       
+

       
        description = ''


     

       
23

       
+

       
          Specify the length of the one-time password in number of


     

       
24

       
+

       
          digits.


     

       
25

       
+

       
        '';


     

       
26

       
+

       
      };


     

       
27

       
+

       



     

       
28

       
+

       
      window = mkOption {


     

       
29

       
+

       
        type = types.int;


     

       
30

       
+

       
        default = 5;


     

       
31

       
+

       
        description = ''


     

       
32

       
+

       
          Specify the number of one-time passwords to check in order


     

       
33

       
+

       
          to accommodate for situations where the system and the


     

       
34

       
+

       
          client are slightly out of sync (iteration for HOTP or time


     

       
35

       
+

       
          steps for TOTP).


     

       
36

       
+

       
        '';


     

       
37

       
+

       
      };


     

       
38

       
+

       



     

       
39

       
+

       
      usersFile = mkOption {


     

       
40

       
+

       
        type = types.path;


     

       
41

       
+

       
        default = "/etc/users.oath";


     

       
42

       
+

       
        description = ''


     

       
43

       
+

       
          Set the path to file where the user's credentials are


     

       
44

       
+

       
          stored. This file must not be world readable!


     

       
45

       
+

       
        '';


     

       
46

       
+

       
      };


     

       
47

       
+

       
    };


     

       
48

       
+

       



     

       
49

       
+

       
  };


     

       
50

       
+

       
}
+4 -13
nixos/modules/security/pam.nix 
···

       
75

       
 

       
      };


     

       
76

       
 

       



     

       
77

       
 

       
      oathAuth = mkOption {


     

       
78

       
-

       
        default = config.security.pam.enableOATH;


     

       
79

       
 

       
        type = types.bool;


     

       
80

       
 

       
        description = ''


     

       
81

       
 

       
          If set, the OATH Toolkit will be used.


     
···

       
259

       
 

       
              "auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth try_first_pass"}


     

       
260

       
 

       
          ${optionalString cfg.otpwAuth


     

       
261

       
 

       
              "auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"}


     

       
262

       
-

       
          ${optionalString cfg.oathAuth


     

       
263

       
-

       
              "auth sufficient ${pkgs.oathToolkit}/lib/security/pam_oath.so window=5 usersfile=/etc/users.oath"}


     

       
264

       
 

       
          ${optionalString config.users.ldap.enable


     

       
265

       
 

       
              "auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass"}


     

       
266

       
 

       
          ${optionalString config.krb5.enable ''


     
···

       
302

       
 

       
              "session optional ${pam_krb5}/lib/security/pam_krb5.so"}


     

       
303

       
 

       
          ${optionalString cfg.otpwAuth


     

       
304

       
 

       
              "session optional ${pkgs.otpw}/lib/security/pam_otpw.so"}


     

       
305

       
-

       
          ${optionalString cfg.oathAuth


     

       
306

       
-

       
              "session optional ${pkgs.oathToolkit}/lib/security/pam_oath.so window=5 usersfile=/etc/users.oath"}


     

       
307

       
 

       
          ${optionalString cfg.startSession


     

       
308

       
 

       
              "session optional ${pkgs.systemd}/lib/security/pam_systemd.so"}


     

       
309

       
 

       
          ${optionalString cfg.forwardXAuth


     
···

       
405

       
 

       
      '';


     

       
406

       
 

       
    };


     

       
407

       
 

       



     

       
408

       
-

       
    security.pam.enableOATH = mkOption {


     

       
409

       
-

       
      default = false;


     

       
410

       
-

       
      description = ''


     

       
411

       
-

       
        Enable the OATH (one-time password) PAM module.


     

       
412

       
-

       
      '';


     

       
413

       
-

       
    };


     

       
414

       
-

       



     

       
415

       
 

       
    security.pam.enableU2F = mkOption {


     

       
416

       
 

       
      default = false;


     

       
417

       
 

       
      description = ''


     
···

       
446

       
 

       
      ++ optional config.users.ldap.enable pam_ldap


     

       
447

       
 

       
      ++ optionals config.krb5.enable [pam_krb5 pam_ccreds]


     

       
448

       
 

       
      ++ optionals config.security.pam.enableOTPW [ pkgs.otpw ]


     

       
449

       
-

       
      ++ optionals config.security.pam.enableOATH [ pkgs.oathToolkit ]


     

       
450

       
 

       
      ++ optionals config.security.pam.enableU2F [ pkgs.pam_u2f ]


     

       
451

       
 

       
      ++ optionals config.security.pam.enableEcryptfs [ pkgs.ecryptfs ];


     

       
452

       
 

       



     
···

       
75

       
 

       
      };


     

       
76

       
 

       



     

       
77

       
 

       
      oathAuth = mkOption {


     

       
78

       
+

       
        default = config.security.pam.oath.enable;


     

       
79

       
 

       
        type = types.bool;


     

       
80

       
 

       
        description = ''


     

       
81

       
 

       
          If set, the OATH Toolkit will be used.


     
···

       
259

       
 

       
              "auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth try_first_pass"}


     

       
260

       
 

       
          ${optionalString cfg.otpwAuth


     

       
261

       
 

       
              "auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"}


     

       
262

       
+

       
          ${let oath = config.security.pam.oath; in optionalString cfg.oathAuth


     

       
263

       
+

       
              "auth sufficient ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}"}


     

       
264

       
 

       
          ${optionalString config.users.ldap.enable


     

       
265

       
 

       
              "auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass"}


     

       
266

       
 

       
          ${optionalString config.krb5.enable ''


     
···

       
302

       
 

       
              "session optional ${pam_krb5}/lib/security/pam_krb5.so"}


     

       
303

       
 

       
          ${optionalString cfg.otpwAuth


     

       
304

       
 

       
              "session optional ${pkgs.otpw}/lib/security/pam_otpw.so"}


     

       

       

       
     

       

       

       
     

       
305

       
 

       
          ${optionalString cfg.startSession


     

       
306

       
 

       
              "session optional ${pkgs.systemd}/lib/security/pam_systemd.so"}


     

       
307

       
 

       
          ${optionalString cfg.forwardXAuth


     
···

       
403

       
 

       
      '';


     

       
404

       
 

       
    };


     

       
405

       
 

       



     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       

       

       
     

       
406

       
 

       
    security.pam.enableU2F = mkOption {


     

       
407

       
 

       
      default = false;


     

       
408

       
 

       
      description = ''


     
···

       
437

       
 

       
      ++ optional config.users.ldap.enable pam_ldap


     

       
438

       
 

       
      ++ optionals config.krb5.enable [pam_krb5 pam_ccreds]


     

       
439

       
 

       
      ++ optionals config.security.pam.enableOTPW [ pkgs.otpw ]


     

       
440

       
+

       
      ++ optionals config.security.pam.oath.enable [ pkgs.oathToolkit ]


     

       
441

       
 

       
      ++ optionals config.security.pam.enableU2F [ pkgs.pam_u2f ]


     

       
442

       
 

       
      ++ optionals config.security.pam.enableEcryptfs [ pkgs.ecryptfs ];


     

       
443