diff --git a/nixops/desktop.nix b/nixops/desktop.nix
index 04760eb..0429ed8 100644
--- a/nixops/desktop.nix
+++ b/nixops/desktop.nix
@@ -8,9 +8,11 @@ in
{
deployment.targetHost = host;
+ disabledModules = [ "security/pam.nix" ];
imports =
[
(./. + "/${host}-hardware-configuration.nix")
+ ./pam_p11
];
networking.hostName = host;
@@ -21,6 +23,7 @@ in
# $ nix search wget
nixpkgs.config.allowUnfree = true;
environment.systemPackages = with pkgs; [
+ opensc yubikey-manager yubikey-manager-qt
wget vim gitAndTools.gitFull firefox thunderbird hexchat usbutils pciutils file lm_sensors audacious acpi
gimp imagemagick
(python3.withPackages(ps: with ps; [ numpy scipy matplotlib qtconsole regex ]))
@@ -52,6 +55,7 @@ in
programs.ssh.startAgent = true;
services.gnome3.gnome-keyring.enable = pkgs.lib.mkForce false;
programs.ssh.agentPKCS11Whitelist = "${pkgs.opensc}/lib/opensc-pkcs11.so";
+ security.pam.p11.enable = true;
# Enable CUPS to print documents.
services.printing = {
diff --git a/nixops/light.nix b/nixops/light.nix
index 266f2bd..39fb23a 100644
--- a/nixops/light.nix
+++ b/nixops/light.nix
@@ -4,9 +4,11 @@
{
deployment.targetHost = host;
+ disabledModules = [ "security/pam.nix" ];
imports =
[
(./. + "/${host}-hardware-configuration.nix")
+ ./pam_p11
];
networking.hostName = host;
@@ -18,6 +20,7 @@
documentation.enable = false;
nixpkgs.config.allowUnfree = true;
environment.systemPackages = with pkgs; [
+ opensc
wget vim git firefox usbutils pciutils file lm_sensors acpi
gimp imagemagick
(python3.withPackages(ps: with ps; [ numpy scipy ]))
@@ -40,6 +43,7 @@
'';
programs.ssh.startAgent = true;
programs.ssh.agentPKCS11Whitelist = "${pkgs.opensc}/lib/opensc-pkcs11.so";
+ security.pam.p11.enable = true;
# Enable CUPS to print documents.
services.printing = {
diff --git a/nixops/pam_p11/default.nix b/nixops/pam_p11/default.nix
new file mode 100644
index 0000000..5945535
--- /dev/null
+++ b/nixops/pam_p11/default.nix
@@ -0,0 +1,843 @@
+# This module provides configuration for the PAM (Pluggable
+# Authentication Modules) system.
+
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+let
+ pam_p11 = pkgs.callPackage ./pam_p11.nix {};
+
+ parentConfig = config;
+
+ pamOpts = { config, name, ... }: let cfg = config; in let config = parentConfig; in {
+
+ options = {
+
+ name = mkOption {
+ example = "sshd";
+ type = types.str;
+ description = "Name of the PAM service.";
+ };
+
+ unixAuth = mkOption {
+ default = true;
+ type = types.bool;
+ description = ''
+ Whether users can log in with passwords defined in
+ /etc/shadow.
+ '';
+ };
+
+ rootOK = mkOption {
+ default = false;
+ type = types.bool;
+ description = ''
+ If set, root doesn't need to authenticate (e.g. for the
+ useradd service).
+ '';
+ };
+
+ p11Auth = mkOption {
+ default = config.security.pam.p11.enable;
+ type = types.bool;
+ description = ''
+ If set, keys listed in
+ ~/.ssh/authorized_keys and
+ ~/.eid/authorized_certificates
+ can be used to log in with the associated PKCS#11 tokens.
+ '';
+ };
+
+ u2fAuth = mkOption {
+ default = config.security.pam.u2f.enable;
+ type = types.bool;
+ description = ''
+ If set, users listed in
+ $XDG_CONFIG_HOME/Yubico/u2f_keys (or
+ $HOME/.config/Yubico/u2f_keys if XDG variable is
+ not set) are able to log in with the associated U2F key. Path can be
+ changed using option.
+ '';
+ };
+
+ yubicoAuth = mkOption {
+ default = config.security.pam.yubico.enable;
+ type = types.bool;
+ description = ''
+ If set, users listed in
+ ~/.yubico/authorized_yubikeys
+ are able to log in with the associated Yubikey tokens.
+ '';
+ };
+
+ googleAuthenticator = {
+ enable = mkOption {
+ default = false;
+ type = types.bool;
+ description = ''
+ If set, users with enabled Google Authenticator (created
+ ~/.google_authenticator) will be required
+ to provide Google Authenticator token to log in.
+ '';
+ };
+ };
+
+ usbAuth = mkOption {
+ default = config.security.pam.usb.enable;
+ type = types.bool;
+ description = ''
+ If set, users listed in
+ /etc/pamusb.conf are able to log in
+ with the associated USB key.
+ '';
+ };
+
+ otpwAuth = mkOption {
+ default = config.security.pam.enableOTPW;
+ type = types.bool;
+ description = ''
+ If set, the OTPW system will be used (if
+ ~/.otpw exists).
+ '';
+ };
+
+ googleOsLoginAccountVerification = mkOption {
+ default = false;
+ type = types.bool;
+ description = ''
+ If set, will use the Google OS Login PAM modules
+ (pam_oslogin_login,
+ pam_oslogin_admin) to verify possible OS Login
+ users and set sudoers configuration accordingly.
+ This only makes sense to enable for the sshd PAM
+ service.
+ '';
+ };
+
+ googleOsLoginAuthentication = mkOption {
+ default = false;
+ type = types.bool;
+ description = ''
+ If set, will use the pam_oslogin_login's user
+ authentication methods to authenticate users using 2FA.
+ This only makes sense to enable for the sshd PAM
+ service.
+ '';
+ };
+
+ fprintAuth = mkOption {
+ default = config.services.fprintd.enable;
+ type = types.bool;
+ description = ''
+ If set, fingerprint reader will be used (if exists and
+ your fingerprints are enrolled).
+ '';
+ };
+
+ oathAuth = mkOption {
+ default = config.security.pam.oath.enable;
+ type = types.bool;
+ description = ''
+ If set, the OATH Toolkit will be used.
+ '';
+ };
+
+ sshAgentAuth = mkOption {
+ default = false;
+ type = types.bool;
+ description = ''
+ If set, the calling user's SSH agent is used to authenticate
+ against the keys in the calling user's
+ ~/.ssh/authorized_keys. This is useful
+ for sudo on password-less remote systems.
+ '';
+ };
+
+ duoSecurity = {
+ enable = mkOption {
+ default = false;
+ type = types.bool;
+ description = ''
+ If set, use the Duo Security pam module
+ pam_duo for authentication. Requires
+ configuration of options.
+ '';
+ };
+ };
+
+ startSession = mkOption {
+ default = false;
+ type = types.bool;
+ description = ''
+ If set, the service will register a new session with
+ systemd's login manager. For local sessions, this will give
+ the user access to audio devices, CD-ROM drives. In the
+ default PolicyKit configuration, it also allows the user to
+ reboot the system.
+ '';
+ };
+
+ setEnvironment = mkOption {
+ type = types.bool;
+ default = true;
+ description = ''
+ Whether the service should set the environment variables
+ listed in
+ using pam_env.so.
+ '';
+ };
+
+ setLoginUid = mkOption {
+ type = types.bool;
+ description = ''
+ Set the login uid of the process
+ (/proc/self/loginuid) for auditing
+ purposes. The login uid is only set by ‘entry points’ like
+ login and sshd, not by
+ commands like sudo.
+ '';
+ };
+
+ forwardXAuth = mkOption {
+ default = false;
+ type = types.bool;
+ description = ''
+ Whether X authentication keys should be passed from the
+ calling user to the target user (e.g. for
+ su)
+ '';
+ };
+
+ pamMount = mkOption {
+ default = config.security.pam.mount.enable;
+ type = types.bool;
+ description = ''
+ Enable PAM mount (pam_mount) system to mount fileystems on user login.
+ '';
+ };
+
+ allowNullPassword = mkOption {
+ default = false;
+ type = types.bool;
+ description = ''
+ Whether to allow logging into accounts that have no password
+ set (i.e., have an empty password field in
+ /etc/passwd or
+ /etc/group). This does not enable
+ logging into disabled accounts (i.e., that have the password
+ field set to !). Note that regardless of
+ what the pam_unix documentation says, accounts with hashed
+ empty passwords are always allowed to log in.
+ '';
+ };
+
+ nodelay = mkOption {
+ default = false;
+ type = types.bool;
+ description = ''
+ Wheather the delay after typing a wrong password should be disabled.
+ '';
+ };
+
+ requireWheel = mkOption {
+ default = false;
+ type = types.bool;
+ description = ''
+ Whether to permit root access only to members of group wheel.
+ '';
+ };
+
+ limits = mkOption {
+ description = ''
+ Attribute set describing resource limits. Defaults to the
+ value of .
+ '';
+ };
+
+ showMotd = mkOption {
+ default = false;
+ type = types.bool;
+ description = "Whether to show the message of the day.";
+ };
+
+ makeHomeDir = mkOption {
+ default = false;
+ type = types.bool;
+ description = ''
+ Whether to try to create home directories for users
+ with $HOMEs pointing to nonexistent
+ locations on session login.
+ '';
+ };
+
+ updateWtmp = mkOption {
+ default = false;
+ type = types.bool;
+ description = "Whether to update /var/log/wtmp.";
+ };
+
+ logFailures = mkOption {
+ default = false;
+ type = types.bool;
+ description = "Whether to log authentication failures in /var/log/faillog.";
+ };
+
+ enableAppArmor = mkOption {
+ default = false;
+ type = types.bool;
+ description = ''
+ Enable support for attaching AppArmor profiles at the
+ user/group level, e.g., as part of a role based access
+ control scheme.
+ '';
+ };
+
+ enableKwallet = mkOption {
+ default = false;
+ type = types.bool;
+ description = ''
+ If enabled, pam_wallet will attempt to automatically unlock the
+ user's default KDE wallet upon login. If the user has no wallet named
+ "kdewallet", or the login password does not match their wallet
+ password, KDE will prompt separately after login.
+ '';
+ };
+ sssdStrictAccess = mkOption {
+ default = false;
+ type = types.bool;
+ description = "enforce sssd access control";
+ };
+
+ enableGnomeKeyring = mkOption {
+ default = false;
+ type = types.bool;
+ description = ''
+ If enabled, pam_gnome_keyring will attempt to automatically unlock the
+ user's default Gnome keyring upon login. If the user login password does
+ not match their keyring password, Gnome Keyring will prompt separately
+ after login.
+ '';
+ };
+
+ text = mkOption {
+ type = types.nullOr types.lines;
+ description = "Contents of the PAM service file.";
+ };
+
+ };
+
+ config = {
+ name = mkDefault name;
+ setLoginUid = mkDefault cfg.startSession;
+ limits = mkDefault config.security.pam.loginLimits;
+
+ # !!! TODO: move the LDAP stuff to the LDAP module, and the
+ # Samba stuff to the Samba module. This requires that the PAM
+ # module provides the right hooks.
+ text = mkDefault
+ (''
+ # Account management.
+ account required pam_unix.so
+ ${optionalString use_ldap
+ "account sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
+ ${optionalString (config.services.sssd.enable && cfg.sssdStrictAccess==false)
+ "account sufficient ${pkgs.sssd}/lib/security/pam_sss.so"}
+ ${optionalString (config.services.sssd.enable && cfg.sssdStrictAccess)
+ "account [default=bad success=ok user_unknown=ignore] ${pkgs.sssd}/lib/security/pam_sss.so"}
+ ${optionalString config.krb5.enable
+ "account sufficient ${pam_krb5}/lib/security/pam_krb5.so"}
+ ${optionalString cfg.googleOsLoginAccountVerification ''
+ account [success=ok ignore=ignore default=die] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so
+ account [success=ok default=ignore] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_admin.so
+ ''}
+
+ # Authentication management.
+ ${optionalString cfg.googleOsLoginAuthentication
+ "auth [success=done perm_denied=bad default=ignore] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so"}
+ ${optionalString cfg.rootOK
+ "auth sufficient pam_rootok.so"}
+ ${optionalString cfg.requireWheel
+ "auth required pam_wheel.so use_uid"}
+ ${optionalString cfg.logFailures
+ "auth required pam_tally.so"}
+ ${optionalString (config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth)
+ "auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys:~/.ssh/authorized_keys2:/etc/ssh/authorized_keys.d/%u"}
+ ${optionalString cfg.fprintAuth
+ "auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so"}
+ ${let p11 = config.security.pam.p11; in optionalString cfg.p11Auth
+ "auth ${p11.control} ${pam_p11}/lib/security/pam_p11.so ${pkgs.opensc}/lib/opensc-pkcs11.so"}
+ ${let u2f = config.security.pam.u2f; in optionalString cfg.u2fAuth
+ "auth ${u2f.control} ${pkgs.pam_u2f}/lib/security/pam_u2f.so ${optionalString u2f.debug "debug"} ${optionalString (u2f.authFile != null) "authfile=${u2f.authFile}"} ${optionalString u2f.interactive "interactive"} ${optionalString u2f.cue "cue"}"}
+ ${optionalString cfg.usbAuth
+ "auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so"}
+ ${let oath = config.security.pam.oath; in optionalString cfg.oathAuth
+ "auth requisite ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}"}
+ ${let yubi = config.security.pam.yubico; in optionalString cfg.yubicoAuth
+ "auth ${yubi.control} ${pkgs.yubico-pam}/lib/security/pam_yubico.so mode=${toString yubi.mode} ${optionalString (yubi.mode == "client") "id=${toString yubi.id}"} ${optionalString yubi.debug "debug"}"}
+ '' +
+ # Modules in this block require having the password set in PAM_AUTHTOK.
+ # pam_unix is marked as 'sufficient' on NixOS which means nothing will run
+ # after it succeeds. Certain modules need to run after pam_unix
+ # prompts the user for password so we run it once with 'required' at an
+ # earlier point and it will run again with 'sufficient' further down.
+ # We use try_first_pass the second time to avoid prompting password twice
+ (optionalString (cfg.unixAuth &&
+ (config.security.pam.enableEcryptfs
+ || cfg.pamMount
+ || cfg.enableKwallet
+ || cfg.enableGnomeKeyring
+ || cfg.googleAuthenticator.enable
+ || cfg.duoSecurity.enable)) ''
+ auth required pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth
+ ${optionalString config.security.pam.enableEcryptfs
+ "auth optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"}
+ ${optionalString cfg.pamMount
+ "auth optional ${pkgs.pam_mount}/lib/security/pam_mount.so"}
+ ${optionalString cfg.enableKwallet
+ ("auth optional ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so" +
+ " kwalletd=${pkgs.libsForQt5.kwallet.bin}/bin/kwalletd5")}
+ ${optionalString cfg.enableGnomeKeyring
+ "auth optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so"}
+ ${optionalString cfg.googleAuthenticator.enable
+ "auth required ${pkgs.googleAuthenticator}/lib/security/pam_google_authenticator.so no_increment_hotp"}
+ ${optionalString cfg.duoSecurity.enable
+ "auth required ${pkgs.duo-unix}/lib/security/pam_duo.so"}
+ '') + ''
+ ${optionalString cfg.unixAuth
+ "auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth try_first_pass"}
+ ${optionalString cfg.otpwAuth
+ "auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"}
+ ${optionalString use_ldap
+ "auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass"}
+ ${optionalString config.services.sssd.enable
+ "auth sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_first_pass"}
+ ${optionalString config.krb5.enable ''
+ auth [default=ignore success=1 service_err=reset] ${pam_krb5}/lib/security/pam_krb5.so use_first_pass
+ auth [default=die success=done] ${pam_ccreds}/lib/security/pam_ccreds.so action=validate use_first_pass
+ auth sufficient ${pam_ccreds}/lib/security/pam_ccreds.so action=store use_first_pass
+ ''}
+ auth required pam_deny.so
+
+ # Password management.
+ password sufficient pam_unix.so nullok sha512
+ ${optionalString config.security.pam.enableEcryptfs
+ "password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}
+ ${optionalString cfg.pamMount
+ "password optional ${pkgs.pam_mount}/lib/security/pam_mount.so"}
+ ${optionalString use_ldap
+ "password sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
+ ${optionalString config.services.sssd.enable
+ "password sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_authtok"}
+ ${optionalString config.krb5.enable
+ "password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass"}
+ ${optionalString config.services.samba.syncPasswordsByPam
+ "password optional ${pkgs.samba}/lib/security/pam_smbpass.so nullok use_authtok try_first_pass"}
+ ${optionalString cfg.enableGnomeKeyring
+ "password optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so use_authtok"}
+
+ # Session management.
+ ${optionalString cfg.setEnvironment ''
+ session required pam_env.so conffile=${config.system.build.pamEnvironment} readenv=0
+ ''}
+ session required pam_unix.so
+ ${optionalString cfg.setLoginUid
+ "session ${
+ if config.boot.isContainer then "optional" else "required"
+ } pam_loginuid.so"}
+ ${optionalString cfg.makeHomeDir
+ "session required ${pkgs.pam}/lib/security/pam_mkhomedir.so silent skel=${config.security.pam.makeHomeDir.skelDirectory} umask=0022"}
+ ${optionalString cfg.updateWtmp
+ "session required ${pkgs.pam}/lib/security/pam_lastlog.so silent"}
+ ${optionalString config.security.pam.enableEcryptfs
+ "session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"}
+ ${optionalString use_ldap
+ "session optional ${pam_ldap}/lib/security/pam_ldap.so"}
+ ${optionalString config.services.sssd.enable
+ "session optional ${pkgs.sssd}/lib/security/pam_sss.so"}
+ ${optionalString config.krb5.enable
+ "session optional ${pam_krb5}/lib/security/pam_krb5.so"}
+ ${optionalString cfg.otpwAuth
+ "session optional ${pkgs.otpw}/lib/security/pam_otpw.so"}
+ ${optionalString cfg.startSession
+ "session optional ${pkgs.systemd}/lib/security/pam_systemd.so"}
+ ${optionalString cfg.forwardXAuth
+ "session optional pam_xauth.so xauthpath=${pkgs.xorg.xauth}/bin/xauth systemuser=99"}
+ ${optionalString (cfg.limits != [])
+ "session required ${pkgs.pam}/lib/security/pam_limits.so conf=${makeLimitsConf cfg.limits}"}
+ ${optionalString (cfg.showMotd && config.users.motd != null)
+ "session optional ${pkgs.pam}/lib/security/pam_motd.so motd=${motd}"}
+ ${optionalString cfg.pamMount
+ "session optional ${pkgs.pam_mount}/lib/security/pam_mount.so"}
+ ${optionalString (cfg.enableAppArmor && config.security.apparmor.enable)
+ "session optional ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so order=user,group,default debug"}
+ ${optionalString (cfg.enableKwallet)
+ ("session optional ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so" +
+ " kwalletd=${pkgs.libsForQt5.kwallet.bin}/bin/kwalletd5")}
+ ${optionalString (cfg.enableGnomeKeyring)
+ "session optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start"}
+ ${optionalString (config.virtualisation.lxc.lxcfs.enable)
+ "session optional ${pkgs.lxc}/lib/security/pam_cgfs.so -c all"}
+ '');
+ };
+
+ };
+
+
+ inherit (pkgs) pam_krb5 pam_ccreds;
+
+ use_ldap = (config.users.ldap.enable && config.users.ldap.loginPam);
+ pam_ldap = if config.users.ldap.daemon.enable then pkgs.nss_pam_ldapd else pkgs.pam_ldap;
+
+ # Create a limits.conf(5) file.
+ makeLimitsConf = limits:
+ pkgs.writeText "limits.conf"
+ (concatMapStrings ({ domain, type, item, value }:
+ "${domain} ${type} ${item} ${toString value}\n")
+ limits);
+
+ motd = pkgs.writeText "motd" config.users.motd;
+
+ makePAMService = name: service:
+ { name = "pam.d/${name}";
+ value.source = pkgs.writeText "${name}.pam" service.text;
+ };
+
+in
+
+{
+
+ imports = [
+ (mkRenamedOptionModule [ "security" "pam" "enableU2F" ] [ "security" "pam" "u2f" "enable" ])
+ ];
+
+ ###### interface
+
+ options = {
+
+ security.pam.loginLimits = mkOption {
+ default = [];
+ example =
+ [ { domain = "ftp";
+ type = "hard";
+ item = "nproc";
+ value = "0";
+ }
+ { domain = "@student";
+ type = "-";
+ item = "maxlogins";
+ value = "4";
+ }
+ ];
+
+ description =
+ '' Define resource limits that should apply to users or groups.
+ Each item in the list should be an attribute set with a
+ domain, type,
+ item, and value
+ attribute. The syntax and semantics of these attributes
+ must be that described in the limits.conf(5) man page.
+
+ Note that these limits do not apply to systemd services,
+ whose limits can be changed via
+ instead.
+ '';
+ };
+
+ security.pam.services = mkOption {
+ default = [];
+ type = with types; loaOf (submodule pamOpts);
+ description =
+ ''
+ This option defines the PAM services. A service typically
+ corresponds to a program that uses PAM,
+ e.g. login or passwd.
+ Each attribute of this set defines a PAM service, with the attribute name
+ defining the name of the service.
+ '';
+ };
+
+ security.pam.makeHomeDir.skelDirectory = mkOption {
+ type = types.str;
+ default = "/var/empty";
+ example = "/etc/skel";
+ description = ''
+ Path to skeleton directory whose contents are copied to home
+ directories newly created by pam_mkhomedir.
+ '';
+ };
+
+ security.pam.enableSSHAgentAuth = mkOption {
+ type = types.bool;
+ default = false;
+ description =
+ ''
+ Enable sudo logins if the user's SSH agent provides a key
+ present in ~/.ssh/authorized_keys.
+ This allows machines to exclusively use SSH keys instead of
+ passwords.
+ '';
+ };
+
+ security.pam.enableOTPW = mkEnableOption "the OTPW (one-time password) PAM module";
+
+ security.pam.p11 = {
+ enable = mkOption {
+ default = false;
+ type = types.bool;
+ description = ''
+ Enables P11 PAM (pam_p11) module.
+
+ If set, users can log in with SSH keys and PKCS#11 tokens.
+
+ More information can be found here.
+ '';
+ };
+
+ control = mkOption {
+ default = "sufficient";
+ type = types.enum [ "required" "requisite" "sufficient" "optional" ];
+ description = ''
+ This option sets pam "control".
+ If you want to have multi factor authentication, use "required".
+ If you want to use the PKCS#11 device instead of the regular password,
+ use "sufficient".
+
+ Read
+
+ pam.conf
+ 5
+
+ for better understanding of this option.
+ '';
+ };
+ };
+
+ security.pam.u2f = {
+ enable = mkOption {
+ default = false;
+ type = types.bool;
+ description = ''
+ Enables U2F PAM (pam-u2f) module.
+
+ If set, users listed in
+ $XDG_CONFIG_HOME/Yubico/u2f_keys (or
+ $HOME/.config/Yubico/u2f_keys if XDG variable is
+ not set) are able to log in with the associated U2F key. The path can
+ be changed using option.
+
+ File format is:
+ username:first_keyHandle,first_public_key: second_keyHandle,second_public_key
+ This file can be generated using pamu2fcfg command.
+
+ More information can be found here.
+ '';
+ };
+
+ authFile = mkOption {
+ default = null;
+ type = with types; nullOr path;
+ description = ''
+ By default pam-u2f module reads the keys from
+ $XDG_CONFIG_HOME/Yubico/u2f_keys (or
+ $HOME/.config/Yubico/u2f_keys if XDG variable is
+ not set).
+
+ If you want to change auth file locations or centralize database (for
+ example use /etc/u2f-mappings) you can set this
+ option.
+
+ File format is:
+ username:first_keyHandle,first_public_key: second_keyHandle,second_public_key
+ This file can be generated using pamu2fcfg command.
+
+ More information can be found here.
+ '';
+ };
+
+ control = mkOption {
+ default = "sufficient";
+ type = types.enum [ "required" "requisite" "sufficient" "optional" ];
+ description = ''
+ This option sets pam "control".
+ If you want to have multi factor authentication, use "required".
+ If you want to use U2F device instead of regular password, use "sufficient".
+
+ Read
+
+ pam.conf
+ 5
+
+ for better understanding of this option.
+ '';
+ };
+
+ debug = mkOption {
+ default = false;
+ type = types.bool;
+ description = ''
+ Debug output to stderr.
+ '';
+ };
+
+ interactive = mkOption {
+ default = false;
+ type = types.bool;
+ description = ''
+ Set to prompt a message and wait before testing the presence of a U2F device.
+ Recommended if your device doesn’t have a tactile trigger.
+ '';
+ };
+
+ cue = mkOption {
+ default = false;
+ type = types.bool;
+ description = ''
+ By default pam-u2f module does not inform user
+ that he needs to use the u2f device, it just waits without a prompt.
+
+ If you set this option to true,
+ cue option is added to pam-u2f
+ module and reminder message will be displayed.
+ '';
+ };
+ };
+
+ security.pam.yubico = {
+ enable = mkOption {
+ default = false;
+ type = types.bool;
+ description = ''
+ Enables Yubico PAM (yubico-pam) module.
+
+ If set, users listed in
+ ~/.yubico/authorized_yubikeys
+ are able to log in with the associated Yubikey tokens.
+
+ The file must have only one line:
+ username:yubikey_token_id1:yubikey_token_id2
+ More information can be found here.
+ '';
+ };
+ control = mkOption {
+ default = "sufficient";
+ type = types.enum [ "required" "requisite" "sufficient" "optional" ];
+ description = ''
+ This option sets pam "control".
+ If you want to have multi factor authentication, use "required".
+ If you want to use Yubikey instead of regular password, use "sufficient".
+
+ Read
+
+ pam.conf
+ 5
+
+ for better understanding of this option.
+ '';
+ };
+ id = mkOption {
+ example = "42";
+ type = types.str;
+ description = "client id";
+ };
+
+ debug = mkOption {
+ default = false;
+ type = types.bool;
+ description = ''
+ Debug output to stderr.
+ '';
+ };
+ mode = mkOption {
+ default = "client";
+ type = types.enum [ "client" "challenge-response" ];
+ description = ''
+ Mode of operation.
+
+ Use "client" for online validation with a YubiKey validation service such as
+ the YubiCloud.
+
+ Use "challenge-response" for offline validation using YubiKeys with HMAC-SHA-1
+ Challenge-Response configurations. See the man-page ykpamcfg(1) for further
+ details on how to configure offline Challenge-Response validation.
+
+ More information can be found here.
+ '';
+ };
+ };
+
+ security.pam.enableEcryptfs = mkEnableOption "eCryptfs PAM module (mounting ecryptfs home directory on login)";
+
+ users.motd = mkOption {
+ default = null;
+ example = "Today is Sweetmorn, the 4th day of The Aftermath in the YOLD 3178.";
+ type = types.nullOr types.lines;
+ description = "Message of the day shown to users when they log in.";
+ };
+
+ };
+
+
+ ###### implementation
+
+ config = {
+
+ environment.systemPackages =
+ # Include the PAM modules in the system path mostly for the manpages.
+ [ pkgs.pam ]
+ ++ optional config.users.ldap.enable pam_ldap
+ ++ optional config.services.sssd.enable pkgs.sssd
+ ++ optionals config.krb5.enable [pam_krb5 pam_ccreds]
+ ++ optionals config.security.pam.enableOTPW [ pkgs.otpw ]
+ ++ optionals config.security.pam.oath.enable [ pkgs.oathToolkit ]
+ ++ optionals config.security.pam.p11.enable [ pam_p11 ]
+ ++ optionals config.security.pam.u2f.enable [ pkgs.pam_u2f ];
+
+ boot.supportedFilesystems = optionals config.security.pam.enableEcryptfs [ "ecryptfs" ];
+
+ security.wrappers = {
+ unix_chkpwd = {
+ source = "${pkgs.pam}/sbin/unix_chkpwd.orig";
+ owner = "root";
+ setuid = true;
+ };
+ };
+
+ environment.etc = mapAttrs' makePAMService config.security.pam.services;
+
+ security.pam.services =
+ { other.text =
+ ''
+ auth required pam_warn.so
+ auth required pam_deny.so
+ account required pam_warn.so
+ account required pam_deny.so
+ password required pam_warn.so
+ password required pam_deny.so
+ session required pam_warn.so
+ session required pam_deny.so
+ '';
+
+ # Most of these should be moved to specific modules.
+ i3lock = {};
+ i3lock-color = {};
+ vlock = {};
+ xlock = {};
+ xscreensaver = {};
+
+ runuser = { rootOK = true; unixAuth = false; setEnvironment = false; };
+
+ /* FIXME: should runuser -l start a systemd session? Currently
+ it complains "Cannot create session: Already running in a
+ session". */
+ runuser-l = { rootOK = true; unixAuth = false; };
+ };
+
+ };
+
+}
diff --git a/nixops/pam_p11/pam_p11.nix b/nixops/pam_p11/pam_p11.nix
new file mode 100644
index 0000000..2257bd5
--- /dev/null
+++ b/nixops/pam_p11/pam_p11.nix
@@ -0,0 +1,23 @@
+{ stdenv, fetchFromGitHub, autoreconfHook, pkg-config, openssl, libp11, pam }:
+
+stdenv.mkDerivation rec {
+ pname = "pam_p11";
+ version = "0.3.1";
+
+ src = fetchFromGitHub {
+ owner = "OpenSC";
+ repo = "pam_p11";
+ rev = "pam_p11-${version}";
+ sha256 = "1caidy18rq5zk82d51x8vwidmkhwmanf3qm25x1yrdlbhxv6m7lk";
+ };
+
+ patchPhase =
+ ''
+ substituteInPlace src/match_openssh.c --replace \
+ '"%s/.ssh/authorized_keys", pw->pw_dir)' \
+ '"/etc/ssh/authorized_keys.d/%s", pw->pw_name)'
+ '';
+
+ nativeBuildInputs = [ autoreconfHook pkg-config ];
+ buildInputs = [ pam openssl libp11 ];
+}