commit e31f212f6b6a46e28b8d0d77d22767432f4a2b44 · pyrox.dev/nixpkgs

+14 -1
nixos/modules/security/duosec.nix
···

       165
       165
        
                 whitelist.

     

       166
       166
        
               '';

     

       167
       167
        
             };

     

       168
       168
       +
       

     

       169
       169
       +
             allowTcpForwarding = mkOption {

     

       170
       170
       +
               type = types.bool;

     

       171
       171
       +
               default = false;

     

       172
       172
       +
               description = ''

     

       173
       173
       +
                 By default, when SSH forwarding, enabling Duo Security will

     

       174
       174
       +
                 disable TCP forwarding. By enabling this, you potentially

     

       175
       175
       +
                 undermine some of the SSH based login security. Note this is

     

       176
       176
       +
                 not needed if you use PAM.

     

       177
       177
       +
               '';

     

       178
       178
       +
             };

     

       168
       179
        
           };

     

       169
       180
        
         };

     

       170
       181
        
       

     
···

       192
       203
        
              # Duo Security configuration

     

       193
       204
        
              ForceCommand ${config.security.wrapperDir}/login_duo

     

       194
       205
        
              PermitTunnel no

     

       195
       195
       -
              AllowTcpForwarding no

     

       206
       206
       +
              ${optionalString (!cfg.allowTcpForwarding) ''

     

       207
       207
       +
                AllowTcpForwarding no

     

       208
       208
       +
              ''}

     

       196
       209
        
            '');

     

       197
       210
        
         };

     

       198
       211
        
       }