Merge pull request #55792 from sdier/fix/pam-update

Allow duosec to be used in nixos as a pam module.
2024-11-01 07:01:54 +00:00 · 2019-02-25 01:38:51 +01:00 · 2019-02-25 01:38:51 +01:00 · 02db11d369
commit 02db11d369
parent 59338fb99d a11ad16bd7
3 changed files with 43 additions and 14 deletions
--- a/nixos/doc/manual/release-notes/rl-1903.xml
+++ b/nixos/doc/manual/release-notes/rl-1903.xml
@ -106,6 +106,23 @@
    </para>
   </listitem>
  </itemizedlist>
+
+  <itemizedlist>
+   <listitem>
+    <para>
+      <literal>./security/duosec.nix</literal>
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <link xlink:href="https://duo.com/docs/duounix">PAM module for Duo
+     Security</link> has been enabled for use.  One can configure it using
+     the <option>security.duosec</option> options along with the
+     corresponding PAM option in
+     <option>security.pam.services.&lt;name?&gt;.duoSecurity.enable</option>.
+    </para>
+   </listitem>
+  </itemizedlist>
 </section>

 <section xmlns="http://docbook.org/ns/docbook"
--- a/nixos/modules/security/duosec.nix
+++ b/nixos/modules/security/duosec.nix
@ -7,7 +7,7 @@ let

  boolToStr = b: if b then "yes" else "no";

-  configFile = ''
+  configFilePam = ''
    [duo]
    ikey=${cfg.ikey}
    skey=${cfg.skey}
@ -16,21 +16,24 @@ let
    failmode=${cfg.failmode}
    pushinfo=${boolToStr cfg.pushinfo}
    autopush=${boolToStr cfg.autopush}
-    motd=${boolToStr cfg.motd}
    prompts=${toString cfg.prompts}
-    accept_env_factor=${boolToStr cfg.acceptEnvFactor}
    fallback_local_ip=${boolToStr cfg.fallbackLocalIP}
  '';

+  configFileLogin = configFilePam + ''
+    motd=${boolToStr cfg.motd}
+    accept_env_factor=${boolToStr cfg.acceptEnvFactor}
+  '';
+
  loginCfgFile = optional cfg.ssh.enable
-    { source = pkgs.writeText "login_duo.conf" configFile;
+    { source = pkgs.writeText "login_duo.conf" configFileLogin;
      mode   = "0600";
      user   = "sshd";
      target = "duo/login_duo.conf";
    };

  pamCfgFile = optional cfg.pam.enable
-    { source = pkgs.writeText "pam_duo.conf" configFile;
+    { source = pkgs.writeText "pam_duo.conf" configFilePam;
      mode   = "0600";
      user   = "sshd";
      target = "duo/pam_duo.conf";
@ -180,12 +183,6 @@ in
  };

  config = mkIf (cfg.ssh.enable || cfg.pam.enable) {
-    assertions =
-      [ { assertion = !cfg.pam.enable;
-          message   = "PAM support is currently not implemented.";
-        }
-      ];
-
     environment.systemPackages = [ pkgs.duo-unix ];

     security.wrappers.login_duo.source = "${pkgs.duo-unix.out}/bin/login_duo";
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@ -131,6 +131,18 @@ let
        '';
      };

+      duoSecurity = {
+        enable = mkOption {
+          default = false;
+          type = types.bool;
+          description = ''
+            If set, use the Duo Security pam module
+            <literal>pam_duo</literal> for authentication.  Requires
+            configuration of <option>security.duosec</option> options.
+          '';
+        };
+      };
+
      startSession = mkOption {
        default = false;
        type = types.bool;
@ -340,7 +352,8 @@ let
            || cfg.pamMount
            || cfg.enableKwallet
            || cfg.enableGnomeKeyring
-            || cfg.googleAuthenticator.enable)) ''
+            || cfg.googleAuthenticator.enable
+            || cfg.duoSecurity.enable)) ''
              auth required pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth
              ${optionalString config.security.pam.enableEcryptfs
                "auth optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"}
@ -350,9 +363,11 @@ let
                ("auth optional ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so" +
                 " kwalletd=${pkgs.libsForQt5.kwallet.bin}/bin/kwalletd5")}
              ${optionalString cfg.enableGnomeKeyring
-                ("auth optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so")}
+                "auth optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so"}
              ${optionalString cfg.googleAuthenticator.enable
-                  "auth required ${pkgs.googleAuthenticator}/lib/security/pam_google_authenticator.so no_increment_hotp"}
+                "auth required ${pkgs.googleAuthenticator}/lib/security/pam_google_authenticator.so no_increment_hotp"}
+              ${optionalString cfg.duoSecurity.enable
+                "auth required ${pkgs.duo-unix}/lib/security/pam_duo.so"}
            '') + ''
          ${optionalString cfg.unixAuth
              "auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth try_first_pass"}