diff --git a/nixops/desktop.nix b/nixops/desktop.nix
index cee216b8..87bac5c3 100644
--- a/nixops/desktop.nix
+++ b/nixops/desktop.nix
@@ -3,17 +3,23 @@
{ config, pkgs, ... }:
let
m-labs = import (fetchTarball https://nixbld.m-labs.hk/channel/custom/artiq/full/artiq-full/nixexprs.tar.xz) { inherit pkgs; };
- pkgs-unstable = import (fetchTarball https://github.com/NixOS/nixpkgs/archive/nixos-20.09.tar.gz) {};
in
{
deployment.targetHost = host;
- disabledModules = [ "security/pam.nix" ];
imports =
[
(./. + "/${host}-hardware-configuration.nix")
- ./pam_p11
];
+ nixpkgs.config.packageOverrides = super: let self = super.pkgs; in {
+ pam_p11 = super.pam_p11.overrideAttrs(oa: {
+ patchPhase = oa.patchPhase or "" + ''
+ substituteInPlace src/match_openssh.c --replace \
+ '"%s/.ssh/authorized_keys", pw->pw_dir)' \
+ '"/etc/ssh/authorized_keys.d/%s", pw->pw_name)'
+ '';
+ });
+ };
networking.hostName = host;
networking.firewall.allowedTCPPorts = [ 1883 ];
@@ -35,11 +41,11 @@ in
jq sublime3 rink qemu_kvm
tmux xc3sprog m-labs.openocd screen gdb minicom picocom tigervnc
emacs bat ripgrep
- pkgs-unstable.xpra
- pkgs-unstable.rust-analyzer
- (pkgs-unstable.vscode-with-extensions.override {
+ xpra
+ rust-analyzer
+ (vscode-with-extensions.override {
vscodeExtensions = [
- pkgs-unstable.vscode-extensions.matklad.rust-analyzer
+ vscode-extensions.matklad.rust-analyzer
];
})
(import ./fish-nix-shell)
@@ -56,7 +62,6 @@ in
'';
programs.mosh.enable = true;
- hardware.u2f.enable = true;
services.pcscd.enable = true;
programs.ssh.extraConfig =
''
diff --git a/nixops/light.nix b/nixops/light.nix
index 635fbfe0..7fa394b4 100644
--- a/nixops/light.nix
+++ b/nixops/light.nix
@@ -4,12 +4,19 @@
{
deployment.targetHost = host;
- disabledModules = [ "security/pam.nix" ];
imports =
[
(./. + "/${host}-hardware-configuration.nix")
- ./pam_p11
];
+ nixpkgs.config.packageOverrides = super: let self = super.pkgs; in {
+ pam_p11 = super.pam_p11.overrideAttrs(oa: {
+ patchPhase = oa.patchPhase or "" + ''
+ substituteInPlace src/match_openssh.c --replace \
+ '"%s/.ssh/authorized_keys", pw->pw_dir)' \
+ '"/etc/ssh/authorized_keys.d/%s", pw->pw_name)'
+ '';
+ });
+ };
networking.hostName = host;
@@ -41,7 +48,6 @@
'';
programs.mosh.enable = true;
- hardware.u2f.enable = true;
services.pcscd.enable = true;
programs.ssh.extraConfig =
''
diff --git a/nixops/pam_p11/default.nix b/nixops/pam_p11/default.nix
deleted file mode 100644
index 5945535e..00000000
--- a/nixops/pam_p11/default.nix
+++ /dev/null
@@ -1,843 +0,0 @@
-# This module provides configuration for the PAM (Pluggable
-# Authentication Modules) system.
-
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
- pam_p11 = pkgs.callPackage ./pam_p11.nix {};
-
- parentConfig = config;
-
- pamOpts = { config, name, ... }: let cfg = config; in let config = parentConfig; in {
-
- options = {
-
- name = mkOption {
- example = "sshd";
- type = types.str;
- description = "Name of the PAM service.";
- };
-
- unixAuth = mkOption {
- default = true;
- type = types.bool;
- description = ''
- Whether users can log in with passwords defined in
- /etc/shadow.
- '';
- };
-
- rootOK = mkOption {
- default = false;
- type = types.bool;
- description = ''
- If set, root doesn't need to authenticate (e.g. for the
- useradd service).
- '';
- };
-
- p11Auth = mkOption {
- default = config.security.pam.p11.enable;
- type = types.bool;
- description = ''
- If set, keys listed in
- ~/.ssh/authorized_keys and
- ~/.eid/authorized_certificates
- can be used to log in with the associated PKCS#11 tokens.
- '';
- };
-
- u2fAuth = mkOption {
- default = config.security.pam.u2f.enable;
- type = types.bool;
- description = ''
- If set, users listed in
- $XDG_CONFIG_HOME/Yubico/u2f_keys (or
- $HOME/.config/Yubico/u2f_keys if XDG variable is
- not set) are able to log in with the associated U2F key. Path can be
- changed using option.
- '';
- };
-
- yubicoAuth = mkOption {
- default = config.security.pam.yubico.enable;
- type = types.bool;
- description = ''
- If set, users listed in
- ~/.yubico/authorized_yubikeys
- are able to log in with the associated Yubikey tokens.
- '';
- };
-
- googleAuthenticator = {
- enable = mkOption {
- default = false;
- type = types.bool;
- description = ''
- If set, users with enabled Google Authenticator (created
- ~/.google_authenticator) will be required
- to provide Google Authenticator token to log in.
- '';
- };
- };
-
- usbAuth = mkOption {
- default = config.security.pam.usb.enable;
- type = types.bool;
- description = ''
- If set, users listed in
- /etc/pamusb.conf are able to log in
- with the associated USB key.
- '';
- };
-
- otpwAuth = mkOption {
- default = config.security.pam.enableOTPW;
- type = types.bool;
- description = ''
- If set, the OTPW system will be used (if
- ~/.otpw exists).
- '';
- };
-
- googleOsLoginAccountVerification = mkOption {
- default = false;
- type = types.bool;
- description = ''
- If set, will use the Google OS Login PAM modules
- (pam_oslogin_login,
- pam_oslogin_admin) to verify possible OS Login
- users and set sudoers configuration accordingly.
- This only makes sense to enable for the sshd PAM
- service.
- '';
- };
-
- googleOsLoginAuthentication = mkOption {
- default = false;
- type = types.bool;
- description = ''
- If set, will use the pam_oslogin_login's user
- authentication methods to authenticate users using 2FA.
- This only makes sense to enable for the sshd PAM
- service.
- '';
- };
-
- fprintAuth = mkOption {
- default = config.services.fprintd.enable;
- type = types.bool;
- description = ''
- If set, fingerprint reader will be used (if exists and
- your fingerprints are enrolled).
- '';
- };
-
- oathAuth = mkOption {
- default = config.security.pam.oath.enable;
- type = types.bool;
- description = ''
- If set, the OATH Toolkit will be used.
- '';
- };
-
- sshAgentAuth = mkOption {
- default = false;
- type = types.bool;
- description = ''
- If set, the calling user's SSH agent is used to authenticate
- against the keys in the calling user's
- ~/.ssh/authorized_keys. This is useful
- for sudo on password-less remote systems.
- '';
- };
-
- duoSecurity = {
- enable = mkOption {
- default = false;
- type = types.bool;
- description = ''
- If set, use the Duo Security pam module
- pam_duo for authentication. Requires
- configuration of options.
- '';
- };
- };
-
- startSession = mkOption {
- default = false;
- type = types.bool;
- description = ''
- If set, the service will register a new session with
- systemd's login manager. For local sessions, this will give
- the user access to audio devices, CD-ROM drives. In the
- default PolicyKit configuration, it also allows the user to
- reboot the system.
- '';
- };
-
- setEnvironment = mkOption {
- type = types.bool;
- default = true;
- description = ''
- Whether the service should set the environment variables
- listed in
- using pam_env.so.
- '';
- };
-
- setLoginUid = mkOption {
- type = types.bool;
- description = ''
- Set the login uid of the process
- (/proc/self/loginuid) for auditing
- purposes. The login uid is only set by ‘entry points’ like
- login and sshd, not by
- commands like sudo.
- '';
- };
-
- forwardXAuth = mkOption {
- default = false;
- type = types.bool;
- description = ''
- Whether X authentication keys should be passed from the
- calling user to the target user (e.g. for
- su)
- '';
- };
-
- pamMount = mkOption {
- default = config.security.pam.mount.enable;
- type = types.bool;
- description = ''
- Enable PAM mount (pam_mount) system to mount fileystems on user login.
- '';
- };
-
- allowNullPassword = mkOption {
- default = false;
- type = types.bool;
- description = ''
- Whether to allow logging into accounts that have no password
- set (i.e., have an empty password field in
- /etc/passwd or
- /etc/group). This does not enable
- logging into disabled accounts (i.e., that have the password
- field set to !). Note that regardless of
- what the pam_unix documentation says, accounts with hashed
- empty passwords are always allowed to log in.
- '';
- };
-
- nodelay = mkOption {
- default = false;
- type = types.bool;
- description = ''
- Wheather the delay after typing a wrong password should be disabled.
- '';
- };
-
- requireWheel = mkOption {
- default = false;
- type = types.bool;
- description = ''
- Whether to permit root access only to members of group wheel.
- '';
- };
-
- limits = mkOption {
- description = ''
- Attribute set describing resource limits. Defaults to the
- value of .
- '';
- };
-
- showMotd = mkOption {
- default = false;
- type = types.bool;
- description = "Whether to show the message of the day.";
- };
-
- makeHomeDir = mkOption {
- default = false;
- type = types.bool;
- description = ''
- Whether to try to create home directories for users
- with $HOMEs pointing to nonexistent
- locations on session login.
- '';
- };
-
- updateWtmp = mkOption {
- default = false;
- type = types.bool;
- description = "Whether to update /var/log/wtmp.";
- };
-
- logFailures = mkOption {
- default = false;
- type = types.bool;
- description = "Whether to log authentication failures in /var/log/faillog.";
- };
-
- enableAppArmor = mkOption {
- default = false;
- type = types.bool;
- description = ''
- Enable support for attaching AppArmor profiles at the
- user/group level, e.g., as part of a role based access
- control scheme.
- '';
- };
-
- enableKwallet = mkOption {
- default = false;
- type = types.bool;
- description = ''
- If enabled, pam_wallet will attempt to automatically unlock the
- user's default KDE wallet upon login. If the user has no wallet named
- "kdewallet", or the login password does not match their wallet
- password, KDE will prompt separately after login.
- '';
- };
- sssdStrictAccess = mkOption {
- default = false;
- type = types.bool;
- description = "enforce sssd access control";
- };
-
- enableGnomeKeyring = mkOption {
- default = false;
- type = types.bool;
- description = ''
- If enabled, pam_gnome_keyring will attempt to automatically unlock the
- user's default Gnome keyring upon login. If the user login password does
- not match their keyring password, Gnome Keyring will prompt separately
- after login.
- '';
- };
-
- text = mkOption {
- type = types.nullOr types.lines;
- description = "Contents of the PAM service file.";
- };
-
- };
-
- config = {
- name = mkDefault name;
- setLoginUid = mkDefault cfg.startSession;
- limits = mkDefault config.security.pam.loginLimits;
-
- # !!! TODO: move the LDAP stuff to the LDAP module, and the
- # Samba stuff to the Samba module. This requires that the PAM
- # module provides the right hooks.
- text = mkDefault
- (''
- # Account management.
- account required pam_unix.so
- ${optionalString use_ldap
- "account sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
- ${optionalString (config.services.sssd.enable && cfg.sssdStrictAccess==false)
- "account sufficient ${pkgs.sssd}/lib/security/pam_sss.so"}
- ${optionalString (config.services.sssd.enable && cfg.sssdStrictAccess)
- "account [default=bad success=ok user_unknown=ignore] ${pkgs.sssd}/lib/security/pam_sss.so"}
- ${optionalString config.krb5.enable
- "account sufficient ${pam_krb5}/lib/security/pam_krb5.so"}
- ${optionalString cfg.googleOsLoginAccountVerification ''
- account [success=ok ignore=ignore default=die] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so
- account [success=ok default=ignore] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_admin.so
- ''}
-
- # Authentication management.
- ${optionalString cfg.googleOsLoginAuthentication
- "auth [success=done perm_denied=bad default=ignore] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so"}
- ${optionalString cfg.rootOK
- "auth sufficient pam_rootok.so"}
- ${optionalString cfg.requireWheel
- "auth required pam_wheel.so use_uid"}
- ${optionalString cfg.logFailures
- "auth required pam_tally.so"}
- ${optionalString (config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth)
- "auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys:~/.ssh/authorized_keys2:/etc/ssh/authorized_keys.d/%u"}
- ${optionalString cfg.fprintAuth
- "auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so"}
- ${let p11 = config.security.pam.p11; in optionalString cfg.p11Auth
- "auth ${p11.control} ${pam_p11}/lib/security/pam_p11.so ${pkgs.opensc}/lib/opensc-pkcs11.so"}
- ${let u2f = config.security.pam.u2f; in optionalString cfg.u2fAuth
- "auth ${u2f.control} ${pkgs.pam_u2f}/lib/security/pam_u2f.so ${optionalString u2f.debug "debug"} ${optionalString (u2f.authFile != null) "authfile=${u2f.authFile}"} ${optionalString u2f.interactive "interactive"} ${optionalString u2f.cue "cue"}"}
- ${optionalString cfg.usbAuth
- "auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so"}
- ${let oath = config.security.pam.oath; in optionalString cfg.oathAuth
- "auth requisite ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}"}
- ${let yubi = config.security.pam.yubico; in optionalString cfg.yubicoAuth
- "auth ${yubi.control} ${pkgs.yubico-pam}/lib/security/pam_yubico.so mode=${toString yubi.mode} ${optionalString (yubi.mode == "client") "id=${toString yubi.id}"} ${optionalString yubi.debug "debug"}"}
- '' +
- # Modules in this block require having the password set in PAM_AUTHTOK.
- # pam_unix is marked as 'sufficient' on NixOS which means nothing will run
- # after it succeeds. Certain modules need to run after pam_unix
- # prompts the user for password so we run it once with 'required' at an
- # earlier point and it will run again with 'sufficient' further down.
- # We use try_first_pass the second time to avoid prompting password twice
- (optionalString (cfg.unixAuth &&
- (config.security.pam.enableEcryptfs
- || cfg.pamMount
- || cfg.enableKwallet
- || cfg.enableGnomeKeyring
- || cfg.googleAuthenticator.enable
- || cfg.duoSecurity.enable)) ''
- auth required pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth
- ${optionalString config.security.pam.enableEcryptfs
- "auth optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"}
- ${optionalString cfg.pamMount
- "auth optional ${pkgs.pam_mount}/lib/security/pam_mount.so"}
- ${optionalString cfg.enableKwallet
- ("auth optional ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so" +
- " kwalletd=${pkgs.libsForQt5.kwallet.bin}/bin/kwalletd5")}
- ${optionalString cfg.enableGnomeKeyring
- "auth optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so"}
- ${optionalString cfg.googleAuthenticator.enable
- "auth required ${pkgs.googleAuthenticator}/lib/security/pam_google_authenticator.so no_increment_hotp"}
- ${optionalString cfg.duoSecurity.enable
- "auth required ${pkgs.duo-unix}/lib/security/pam_duo.so"}
- '') + ''
- ${optionalString cfg.unixAuth
- "auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth try_first_pass"}
- ${optionalString cfg.otpwAuth
- "auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"}
- ${optionalString use_ldap
- "auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass"}
- ${optionalString config.services.sssd.enable
- "auth sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_first_pass"}
- ${optionalString config.krb5.enable ''
- auth [default=ignore success=1 service_err=reset] ${pam_krb5}/lib/security/pam_krb5.so use_first_pass
- auth [default=die success=done] ${pam_ccreds}/lib/security/pam_ccreds.so action=validate use_first_pass
- auth sufficient ${pam_ccreds}/lib/security/pam_ccreds.so action=store use_first_pass
- ''}
- auth required pam_deny.so
-
- # Password management.
- password sufficient pam_unix.so nullok sha512
- ${optionalString config.security.pam.enableEcryptfs
- "password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}
- ${optionalString cfg.pamMount
- "password optional ${pkgs.pam_mount}/lib/security/pam_mount.so"}
- ${optionalString use_ldap
- "password sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
- ${optionalString config.services.sssd.enable
- "password sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_authtok"}
- ${optionalString config.krb5.enable
- "password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass"}
- ${optionalString config.services.samba.syncPasswordsByPam
- "password optional ${pkgs.samba}/lib/security/pam_smbpass.so nullok use_authtok try_first_pass"}
- ${optionalString cfg.enableGnomeKeyring
- "password optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so use_authtok"}
-
- # Session management.
- ${optionalString cfg.setEnvironment ''
- session required pam_env.so conffile=${config.system.build.pamEnvironment} readenv=0
- ''}
- session required pam_unix.so
- ${optionalString cfg.setLoginUid
- "session ${
- if config.boot.isContainer then "optional" else "required"
- } pam_loginuid.so"}
- ${optionalString cfg.makeHomeDir
- "session required ${pkgs.pam}/lib/security/pam_mkhomedir.so silent skel=${config.security.pam.makeHomeDir.skelDirectory} umask=0022"}
- ${optionalString cfg.updateWtmp
- "session required ${pkgs.pam}/lib/security/pam_lastlog.so silent"}
- ${optionalString config.security.pam.enableEcryptfs
- "session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}
- ${optionalString use_ldap
- "session optional ${pam_ldap}/lib/security/pam_ldap.so"}
- ${optionalString config.services.sssd.enable
- "session optional ${pkgs.sssd}/lib/security/pam_sss.so"}
- ${optionalString config.krb5.enable
- "session optional ${pam_krb5}/lib/security/pam_krb5.so"}
- ${optionalString cfg.otpwAuth
- "session optional ${pkgs.otpw}/lib/security/pam_otpw.so"}
- ${optionalString cfg.startSession
- "session optional ${pkgs.systemd}/lib/security/pam_systemd.so"}
- ${optionalString cfg.forwardXAuth
- "session optional pam_xauth.so xauthpath=${pkgs.xorg.xauth}/bin/xauth systemuser=99"}
- ${optionalString (cfg.limits != [])
- "session required ${pkgs.pam}/lib/security/pam_limits.so conf=${makeLimitsConf cfg.limits}"}
- ${optionalString (cfg.showMotd && config.users.motd != null)
- "session optional ${pkgs.pam}/lib/security/pam_motd.so motd=${motd}"}
- ${optionalString cfg.pamMount
- "session optional ${pkgs.pam_mount}/lib/security/pam_mount.so"}
- ${optionalString (cfg.enableAppArmor && config.security.apparmor.enable)
- "session optional ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so order=user,group,default debug"}
- ${optionalString (cfg.enableKwallet)
- ("session optional ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so" +
- " kwalletd=${pkgs.libsForQt5.kwallet.bin}/bin/kwalletd5")}
- ${optionalString (cfg.enableGnomeKeyring)
- "session optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start"}
- ${optionalString (config.virtualisation.lxc.lxcfs.enable)
- "session optional ${pkgs.lxc}/lib/security/pam_cgfs.so -c all"}
- '');
- };
-
- };
-
-
- inherit (pkgs) pam_krb5 pam_ccreds;
-
- use_ldap = (config.users.ldap.enable && config.users.ldap.loginPam);
- pam_ldap = if config.users.ldap.daemon.enable then pkgs.nss_pam_ldapd else pkgs.pam_ldap;
-
- # Create a limits.conf(5) file.
- makeLimitsConf = limits:
- pkgs.writeText "limits.conf"
- (concatMapStrings ({ domain, type, item, value }:
- "${domain} ${type} ${item} ${toString value}\n")
- limits);
-
- motd = pkgs.writeText "motd" config.users.motd;
-
- makePAMService = name: service:
- { name = "pam.d/${name}";
- value.source = pkgs.writeText "${name}.pam" service.text;
- };
-
-in
-
-{
-
- imports = [
- (mkRenamedOptionModule [ "security" "pam" "enableU2F" ] [ "security" "pam" "u2f" "enable" ])
- ];
-
- ###### interface
-
- options = {
-
- security.pam.loginLimits = mkOption {
- default = [];
- example =
- [ { domain = "ftp";
- type = "hard";
- item = "nproc";
- value = "0";
- }
- { domain = "@student";
- type = "-";
- item = "maxlogins";
- value = "4";
- }
- ];
-
- description =
- '' Define resource limits that should apply to users or groups.
- Each item in the list should be an attribute set with a
- domain, type,
- item, and value
- attribute. The syntax and semantics of these attributes
- must be that described in the limits.conf(5) man page.
-
- Note that these limits do not apply to systemd services,
- whose limits can be changed via
- instead.
- '';
- };
-
- security.pam.services = mkOption {
- default = [];
- type = with types; loaOf (submodule pamOpts);
- description =
- ''
- This option defines the PAM services. A service typically
- corresponds to a program that uses PAM,
- e.g. login or passwd.
- Each attribute of this set defines a PAM service, with the attribute name
- defining the name of the service.
- '';
- };
-
- security.pam.makeHomeDir.skelDirectory = mkOption {
- type = types.str;
- default = "/var/empty";
- example = "/etc/skel";
- description = ''
- Path to skeleton directory whose contents are copied to home
- directories newly created by pam_mkhomedir.
- '';
- };
-
- security.pam.enableSSHAgentAuth = mkOption {
- type = types.bool;
- default = false;
- description =
- ''
- Enable sudo logins if the user's SSH agent provides a key
- present in ~/.ssh/authorized_keys.
- This allows machines to exclusively use SSH keys instead of
- passwords.
- '';
- };
-
- security.pam.enableOTPW = mkEnableOption "the OTPW (one-time password) PAM module";
-
- security.pam.p11 = {
- enable = mkOption {
- default = false;
- type = types.bool;
- description = ''
- Enables P11 PAM (pam_p11) module.
-
- If set, users can log in with SSH keys and PKCS#11 tokens.
-
- More information can be found here.
- '';
- };
-
- control = mkOption {
- default = "sufficient";
- type = types.enum [ "required" "requisite" "sufficient" "optional" ];
- description = ''
- This option sets pam "control".
- If you want to have multi factor authentication, use "required".
- If you want to use the PKCS#11 device instead of the regular password,
- use "sufficient".
-
- Read
-
- pam.conf
- 5
-
- for better understanding of this option.
- '';
- };
- };
-
- security.pam.u2f = {
- enable = mkOption {
- default = false;
- type = types.bool;
- description = ''
- Enables U2F PAM (pam-u2f) module.
-
- If set, users listed in
- $XDG_CONFIG_HOME/Yubico/u2f_keys (or
- $HOME/.config/Yubico/u2f_keys if XDG variable is
- not set) are able to log in with the associated U2F key. The path can
- be changed using option.
-
- File format is:
- username:first_keyHandle,first_public_key: second_keyHandle,second_public_key
- This file can be generated using pamu2fcfg command.
-
- More information can be found here.
- '';
- };
-
- authFile = mkOption {
- default = null;
- type = with types; nullOr path;
- description = ''
- By default pam-u2f module reads the keys from
- $XDG_CONFIG_HOME/Yubico/u2f_keys (or
- $HOME/.config/Yubico/u2f_keys if XDG variable is
- not set).
-
- If you want to change auth file locations or centralize database (for
- example use /etc/u2f-mappings) you can set this
- option.
-
- File format is:
- username:first_keyHandle,first_public_key: second_keyHandle,second_public_key
- This file can be generated using pamu2fcfg command.
-
- More information can be found here.
- '';
- };
-
- control = mkOption {
- default = "sufficient";
- type = types.enum [ "required" "requisite" "sufficient" "optional" ];
- description = ''
- This option sets pam "control".
- If you want to have multi factor authentication, use "required".
- If you want to use U2F device instead of regular password, use "sufficient".
-
- Read
-
- pam.conf
- 5
-
- for better understanding of this option.
- '';
- };
-
- debug = mkOption {
- default = false;
- type = types.bool;
- description = ''
- Debug output to stderr.
- '';
- };
-
- interactive = mkOption {
- default = false;
- type = types.bool;
- description = ''
- Set to prompt a message and wait before testing the presence of a U2F device.
- Recommended if your device doesn’t have a tactile trigger.
- '';
- };
-
- cue = mkOption {
- default = false;
- type = types.bool;
- description = ''
- By default pam-u2f module does not inform user
- that he needs to use the u2f device, it just waits without a prompt.
-
- If you set this option to true,
- cue option is added to pam-u2f
- module and reminder message will be displayed.
- '';
- };
- };
-
- security.pam.yubico = {
- enable = mkOption {
- default = false;
- type = types.bool;
- description = ''
- Enables Yubico PAM (yubico-pam) module.
-
- If set, users listed in
- ~/.yubico/authorized_yubikeys
- are able to log in with the associated Yubikey tokens.
-
- The file must have only one line:
- username:yubikey_token_id1:yubikey_token_id2
- More information can be found here.
- '';
- };
- control = mkOption {
- default = "sufficient";
- type = types.enum [ "required" "requisite" "sufficient" "optional" ];
- description = ''
- This option sets pam "control".
- If you want to have multi factor authentication, use "required".
- If you want to use Yubikey instead of regular password, use "sufficient".
-
- Read
-
- pam.conf
- 5
-
- for better understanding of this option.
- '';
- };
- id = mkOption {
- example = "42";
- type = types.str;
- description = "client id";
- };
-
- debug = mkOption {
- default = false;
- type = types.bool;
- description = ''
- Debug output to stderr.
- '';
- };
- mode = mkOption {
- default = "client";
- type = types.enum [ "client" "challenge-response" ];
- description = ''
- Mode of operation.
-
- Use "client" for online validation with a YubiKey validation service such as
- the YubiCloud.
-
- Use "challenge-response" for offline validation using YubiKeys with HMAC-SHA-1
- Challenge-Response configurations. See the man-page ykpamcfg(1) for further
- details on how to configure offline Challenge-Response validation.
-
- More information can be found here.
- '';
- };
- };
-
- security.pam.enableEcryptfs = mkEnableOption "eCryptfs PAM module (mounting ecryptfs home directory on login)";
-
- users.motd = mkOption {
- default = null;
- example = "Today is Sweetmorn, the 4th day of The Aftermath in the YOLD 3178.";
- type = types.nullOr types.lines;
- description = "Message of the day shown to users when they log in.";
- };
-
- };
-
-
- ###### implementation
-
- config = {
-
- environment.systemPackages =
- # Include the PAM modules in the system path mostly for the manpages.
- [ pkgs.pam ]
- ++ optional config.users.ldap.enable pam_ldap
- ++ optional config.services.sssd.enable pkgs.sssd
- ++ optionals config.krb5.enable [pam_krb5 pam_ccreds]
- ++ optionals config.security.pam.enableOTPW [ pkgs.otpw ]
- ++ optionals config.security.pam.oath.enable [ pkgs.oathToolkit ]
- ++ optionals config.security.pam.p11.enable [ pam_p11 ]
- ++ optionals config.security.pam.u2f.enable [ pkgs.pam_u2f ];
-
- boot.supportedFilesystems = optionals config.security.pam.enableEcryptfs [ "ecryptfs" ];
-
- security.wrappers = {
- unix_chkpwd = {
- source = "${pkgs.pam}/sbin/unix_chkpwd.orig";
- owner = "root";
- setuid = true;
- };
- };
-
- environment.etc = mapAttrs' makePAMService config.security.pam.services;
-
- security.pam.services =
- { other.text =
- ''
- auth required pam_warn.so
- auth required pam_deny.so
- account required pam_warn.so
- account required pam_deny.so
- password required pam_warn.so
- password required pam_deny.so
- session required pam_warn.so
- session required pam_deny.so
- '';
-
- # Most of these should be moved to specific modules.
- i3lock = {};
- i3lock-color = {};
- vlock = {};
- xlock = {};
- xscreensaver = {};
-
- runuser = { rootOK = true; unixAuth = false; setEnvironment = false; };
-
- /* FIXME: should runuser -l start a systemd session? Currently
- it complains "Cannot create session: Already running in a
- session". */
- runuser-l = { rootOK = true; unixAuth = false; };
- };
-
- };
-
-}
diff --git a/nixops/pam_p11/pam_p11.nix b/nixops/pam_p11/pam_p11.nix
deleted file mode 100644
index 2257bd51..00000000
--- a/nixops/pam_p11/pam_p11.nix
+++ /dev/null
@@ -1,23 +0,0 @@
-{ stdenv, fetchFromGitHub, autoreconfHook, pkg-config, openssl, libp11, pam }:
-
-stdenv.mkDerivation rec {
- pname = "pam_p11";
- version = "0.3.1";
-
- src = fetchFromGitHub {
- owner = "OpenSC";
- repo = "pam_p11";
- rev = "pam_p11-${version}";
- sha256 = "1caidy18rq5zk82d51x8vwidmkhwmanf3qm25x1yrdlbhxv6m7lk";
- };
-
- patchPhase =
- ''
- substituteInPlace src/match_openssh.c --replace \
- '"%s/.ssh/authorized_keys", pw->pw_dir)' \
- '"/etc/ssh/authorized_keys.d/%s", pw->pw_name)'
- '';
-
- nativeBuildInputs = [ autoreconfHook pkg-config ];
- buildInputs = [ pam openssl libp11 ];
-}