nordic-dev.net/nixpkgs
nordic-dev.net/nixpkgs
2
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2024-11-01 07:01:54 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #55792 from sdier/fix/pam-update

Browse Source 
Allow duosec to be used in nixos as a pam module.
This commit is contained in:
Silvan Mosberger 2019-02-25 01:38:51 +01:00 committed by GitHub
commit 02db11d369
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 43 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
nixos/doc/manual/release-notes/rl-1903.xml
View File

@ -106,6 +106,23 @@
</para> </para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<itemizedlist>
<listitem>
<para>
<literal>./security/duosec.nix</literal>
</para>
</listitem>
<listitem>
<para>
The <link xlink:href="https://duo.com/docs/duounix">PAM module for Duo
Security</link> has been enabled for use. One can configure it using
the <option>security.duosec</option> options along with the
corresponding PAM option in
<option>security.pam.services.&lt;name?&gt;.duoSecurity.enable</option>.
</para>
</listitem>
</itemizedlist>
</section> </section>
<section xmlns="http://docbook.org/ns/docbook" <section xmlns="http://docbook.org/ns/docbook"

19
nixos/modules/security/duosec.nix
View File

@ -7,7 +7,7 @@ let
boolToStr = b: if b then "yes" else "no"; boolToStr = b: if b then "yes" else "no";
configFile = '' configFilePam = ''
[duo] [duo]
ikey=${cfg.ikey} ikey=${cfg.ikey}
skey=${cfg.skey} skey=${cfg.skey}
@ -16,21 +16,24 @@ let
failmode=${cfg.failmode} failmode=${cfg.failmode}
pushinfo=${boolToStr cfg.pushinfo} pushinfo=${boolToStr cfg.pushinfo}
autopush=${boolToStr cfg.autopush} autopush=${boolToStr cfg.autopush}
motd=${boolToStr cfg.motd}
prompts=${toString cfg.prompts} prompts=${toString cfg.prompts}
accept_env_factor=${boolToStr cfg.acceptEnvFactor}
fallback_local_ip=${boolToStr cfg.fallbackLocalIP} fallback_local_ip=${boolToStr cfg.fallbackLocalIP}
''; '';
configFileLogin = configFilePam + ''
motd=${boolToStr cfg.motd}
accept_env_factor=${boolToStr cfg.acceptEnvFactor}
'';
loginCfgFile = optional cfg.ssh.enable loginCfgFile = optional cfg.ssh.enable
{ source = pkgs.writeText "login_duo.conf" configFile; { source = pkgs.writeText "login_duo.conf" configFileLogin;
mode = "0600"; mode = "0600";
user = "sshd"; user = "sshd";
target = "duo/login_duo.conf"; target = "duo/login_duo.conf";
}; };
pamCfgFile = optional cfg.pam.enable pamCfgFile = optional cfg.pam.enable
{ source = pkgs.writeText "pam_duo.conf" configFile; { source = pkgs.writeText "pam_duo.conf" configFilePam;
mode = "0600"; mode = "0600";
user = "sshd"; user = "sshd";
target = "duo/pam_duo.conf"; target = "duo/pam_duo.conf";
@ -180,12 +183,6 @@ in
}; };
config = mkIf (cfg.ssh.enable || cfg.pam.enable) { config = mkIf (cfg.ssh.enable || cfg.pam.enable) {
assertions =
[ { assertion = !cfg.pam.enable;
message = "PAM support is currently not implemented.";
}
];
environment.systemPackages = [ pkgs.duo-unix ]; environment.systemPackages = [ pkgs.duo-unix ];
security.wrappers.login_duo.source = "${pkgs.duo-unix.out}/bin/login_duo"; security.wrappers.login_duo.source = "${pkgs.duo-unix.out}/bin/login_duo";

21
nixos/modules/security/pam.nix
View File

@ -131,6 +131,18 @@ let
''; '';
}; };
duoSecurity = {
enable = mkOption {
default = false;
type = types.bool;
description = ''
If set, use the Duo Security pam module
<literal>pam_duo</literal> for authentication. Requires
configuration of <option>security.duosec</option> options.
'';
};
};
startSession = mkOption { startSession = mkOption {
default = false; default = false;
type = types.bool; type = types.bool;
@ -340,7 +352,8 @@ let
|| cfg.pamMount || cfg.pamMount
|| cfg.enableKwallet || cfg.enableKwallet
|| cfg.enableGnomeKeyring || cfg.enableGnomeKeyring
|| cfg.googleAuthenticator.enable)) '' || cfg.googleAuthenticator.enable
|| cfg.duoSecurity.enable)) ''
auth required pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth auth required pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth
${optionalString config.security.pam.enableEcryptfs ${optionalString config.security.pam.enableEcryptfs
"auth optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"} "auth optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"}
@ -350,9 +363,11 @@ let
("auth optional ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so" + ("auth optional ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so" +
" kwalletd=${pkgs.libsForQt5.kwallet.bin}/bin/kwalletd5")} " kwalletd=${pkgs.libsForQt5.kwallet.bin}/bin/kwalletd5")}
${optionalString cfg.enableGnomeKeyring ${optionalString cfg.enableGnomeKeyring
("auth optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so")} "auth optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so"}
${optionalString cfg.googleAuthenticator.enable ${optionalString cfg.googleAuthenticator.enable
"auth required ${pkgs.googleAuthenticator}/lib/security/pam_google_authenticator.so no_increment_hotp"} "auth required ${pkgs.googleAuthenticator}/lib/security/pam_google_authenticator.so no_increment_hotp"}
${optionalString cfg.duoSecurity.enable
"auth required ${pkgs.duo-unix}/lib/security/pam_duo.so"}
'') + '' '') + ''
${optionalString cfg.unixAuth ${optionalString cfg.unixAuth
"auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth try_first_pass"} "auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth try_first_pass"}