From 70c6a212e231887b9c46c7603d0a1c9c79ba26da Mon Sep 17 00:00:00 2001 From: Sebastien Bourdeauducq Date: Sun, 14 Jun 2020 22:52:17 +0800 Subject: [PATCH] nixops: yubikey piv auth --- nixops/desktop.nix | 4 + nixops/light.nix | 4 + nixops/pam_p11/default.nix | 843 +++++++++++++++++++++++++++++++++++++ nixops/pam_p11/pam_p11.nix | 23 + 4 files changed, 874 insertions(+) create mode 100644 nixops/pam_p11/default.nix create mode 100644 nixops/pam_p11/pam_p11.nix diff --git a/nixops/desktop.nix b/nixops/desktop.nix index 04760eb..0429ed8 100644 --- a/nixops/desktop.nix +++ b/nixops/desktop.nix @@ -8,9 +8,11 @@ in { deployment.targetHost = host; + disabledModules = [ "security/pam.nix" ]; imports = [ (./. + "/${host}-hardware-configuration.nix") + ./pam_p11 ]; networking.hostName = host; @@ -21,6 +23,7 @@ in # $ nix search wget nixpkgs.config.allowUnfree = true; environment.systemPackages = with pkgs; [ + opensc yubikey-manager yubikey-manager-qt wget vim gitAndTools.gitFull firefox thunderbird hexchat usbutils pciutils file lm_sensors audacious acpi gimp imagemagick (python3.withPackages(ps: with ps; [ numpy scipy matplotlib qtconsole regex ])) @@ -52,6 +55,7 @@ in programs.ssh.startAgent = true; services.gnome3.gnome-keyring.enable = pkgs.lib.mkForce false; programs.ssh.agentPKCS11Whitelist = "${pkgs.opensc}/lib/opensc-pkcs11.so"; + security.pam.p11.enable = true; # Enable CUPS to print documents. services.printing = { diff --git a/nixops/light.nix b/nixops/light.nix index 266f2bd..39fb23a 100644 --- a/nixops/light.nix +++ b/nixops/light.nix @@ -4,9 +4,11 @@ { deployment.targetHost = host; + disabledModules = [ "security/pam.nix" ]; imports = [ (./. + "/${host}-hardware-configuration.nix") + ./pam_p11 ]; networking.hostName = host; @@ -18,6 +20,7 @@ documentation.enable = false; nixpkgs.config.allowUnfree = true; environment.systemPackages = with pkgs; [ + opensc wget vim git firefox usbutils pciutils file lm_sensors acpi gimp imagemagick (python3.withPackages(ps: with ps; [ numpy scipy ])) @@ -40,6 +43,7 @@ ''; programs.ssh.startAgent = true; programs.ssh.agentPKCS11Whitelist = "${pkgs.opensc}/lib/opensc-pkcs11.so"; + security.pam.p11.enable = true; # Enable CUPS to print documents. services.printing = { diff --git a/nixops/pam_p11/default.nix b/nixops/pam_p11/default.nix new file mode 100644 index 0000000..5945535 --- /dev/null +++ b/nixops/pam_p11/default.nix @@ -0,0 +1,843 @@ +# This module provides configuration for the PAM (Pluggable +# Authentication Modules) system. + +{ config, lib, pkgs, ... }: + +with lib; + +let + pam_p11 = pkgs.callPackage ./pam_p11.nix {}; + + parentConfig = config; + + pamOpts = { config, name, ... }: let cfg = config; in let config = parentConfig; in { + + options = { + + name = mkOption { + example = "sshd"; + type = types.str; + description = "Name of the PAM service."; + }; + + unixAuth = mkOption { + default = true; + type = types.bool; + description = '' + Whether users can log in with passwords defined in + /etc/shadow. + ''; + }; + + rootOK = mkOption { + default = false; + type = types.bool; + description = '' + If set, root doesn't need to authenticate (e.g. for the + useradd service). + ''; + }; + + p11Auth = mkOption { + default = config.security.pam.p11.enable; + type = types.bool; + description = '' + If set, keys listed in + ~/.ssh/authorized_keys and + ~/.eid/authorized_certificates + can be used to log in with the associated PKCS#11 tokens. + ''; + }; + + u2fAuth = mkOption { + default = config.security.pam.u2f.enable; + type = types.bool; + description = '' + If set, users listed in + $XDG_CONFIG_HOME/Yubico/u2f_keys (or + $HOME/.config/Yubico/u2f_keys if XDG variable is + not set) are able to log in with the associated U2F key. Path can be + changed using option. + ''; + }; + + yubicoAuth = mkOption { + default = config.security.pam.yubico.enable; + type = types.bool; + description = '' + If set, users listed in + ~/.yubico/authorized_yubikeys + are able to log in with the associated Yubikey tokens. + ''; + }; + + googleAuthenticator = { + enable = mkOption { + default = false; + type = types.bool; + description = '' + If set, users with enabled Google Authenticator (created + ~/.google_authenticator) will be required + to provide Google Authenticator token to log in. + ''; + }; + }; + + usbAuth = mkOption { + default = config.security.pam.usb.enable; + type = types.bool; + description = '' + If set, users listed in + /etc/pamusb.conf are able to log in + with the associated USB key. + ''; + }; + + otpwAuth = mkOption { + default = config.security.pam.enableOTPW; + type = types.bool; + description = '' + If set, the OTPW system will be used (if + ~/.otpw exists). + ''; + }; + + googleOsLoginAccountVerification = mkOption { + default = false; + type = types.bool; + description = '' + If set, will use the Google OS Login PAM modules + (pam_oslogin_login, + pam_oslogin_admin) to verify possible OS Login + users and set sudoers configuration accordingly. + This only makes sense to enable for the sshd PAM + service. + ''; + }; + + googleOsLoginAuthentication = mkOption { + default = false; + type = types.bool; + description = '' + If set, will use the pam_oslogin_login's user + authentication methods to authenticate users using 2FA. + This only makes sense to enable for the sshd PAM + service. + ''; + }; + + fprintAuth = mkOption { + default = config.services.fprintd.enable; + type = types.bool; + description = '' + If set, fingerprint reader will be used (if exists and + your fingerprints are enrolled). + ''; + }; + + oathAuth = mkOption { + default = config.security.pam.oath.enable; + type = types.bool; + description = '' + If set, the OATH Toolkit will be used. + ''; + }; + + sshAgentAuth = mkOption { + default = false; + type = types.bool; + description = '' + If set, the calling user's SSH agent is used to authenticate + against the keys in the calling user's + ~/.ssh/authorized_keys. This is useful + for sudo on password-less remote systems. + ''; + }; + + duoSecurity = { + enable = mkOption { + default = false; + type = types.bool; + description = '' + If set, use the Duo Security pam module + pam_duo for authentication. Requires + configuration of options. + ''; + }; + }; + + startSession = mkOption { + default = false; + type = types.bool; + description = '' + If set, the service will register a new session with + systemd's login manager. For local sessions, this will give + the user access to audio devices, CD-ROM drives. In the + default PolicyKit configuration, it also allows the user to + reboot the system. + ''; + }; + + setEnvironment = mkOption { + type = types.bool; + default = true; + description = '' + Whether the service should set the environment variables + listed in + using pam_env.so. + ''; + }; + + setLoginUid = mkOption { + type = types.bool; + description = '' + Set the login uid of the process + (/proc/self/loginuid) for auditing + purposes. The login uid is only set by ‘entry points’ like + login and sshd, not by + commands like sudo. + ''; + }; + + forwardXAuth = mkOption { + default = false; + type = types.bool; + description = '' + Whether X authentication keys should be passed from the + calling user to the target user (e.g. for + su) + ''; + }; + + pamMount = mkOption { + default = config.security.pam.mount.enable; + type = types.bool; + description = '' + Enable PAM mount (pam_mount) system to mount fileystems on user login. + ''; + }; + + allowNullPassword = mkOption { + default = false; + type = types.bool; + description = '' + Whether to allow logging into accounts that have no password + set (i.e., have an empty password field in + /etc/passwd or + /etc/group). This does not enable + logging into disabled accounts (i.e., that have the password + field set to !). Note that regardless of + what the pam_unix documentation says, accounts with hashed + empty passwords are always allowed to log in. + ''; + }; + + nodelay = mkOption { + default = false; + type = types.bool; + description = '' + Wheather the delay after typing a wrong password should be disabled. + ''; + }; + + requireWheel = mkOption { + default = false; + type = types.bool; + description = '' + Whether to permit root access only to members of group wheel. + ''; + }; + + limits = mkOption { + description = '' + Attribute set describing resource limits. Defaults to the + value of . + ''; + }; + + showMotd = mkOption { + default = false; + type = types.bool; + description = "Whether to show the message of the day."; + }; + + makeHomeDir = mkOption { + default = false; + type = types.bool; + description = '' + Whether to try to create home directories for users + with $HOMEs pointing to nonexistent + locations on session login. + ''; + }; + + updateWtmp = mkOption { + default = false; + type = types.bool; + description = "Whether to update /var/log/wtmp."; + }; + + logFailures = mkOption { + default = false; + type = types.bool; + description = "Whether to log authentication failures in /var/log/faillog."; + }; + + enableAppArmor = mkOption { + default = false; + type = types.bool; + description = '' + Enable support for attaching AppArmor profiles at the + user/group level, e.g., as part of a role based access + control scheme. + ''; + }; + + enableKwallet = mkOption { + default = false; + type = types.bool; + description = '' + If enabled, pam_wallet will attempt to automatically unlock the + user's default KDE wallet upon login. If the user has no wallet named + "kdewallet", or the login password does not match their wallet + password, KDE will prompt separately after login. + ''; + }; + sssdStrictAccess = mkOption { + default = false; + type = types.bool; + description = "enforce sssd access control"; + }; + + enableGnomeKeyring = mkOption { + default = false; + type = types.bool; + description = '' + If enabled, pam_gnome_keyring will attempt to automatically unlock the + user's default Gnome keyring upon login. If the user login password does + not match their keyring password, Gnome Keyring will prompt separately + after login. + ''; + }; + + text = mkOption { + type = types.nullOr types.lines; + description = "Contents of the PAM service file."; + }; + + }; + + config = { + name = mkDefault name; + setLoginUid = mkDefault cfg.startSession; + limits = mkDefault config.security.pam.loginLimits; + + # !!! TODO: move the LDAP stuff to the LDAP module, and the + # Samba stuff to the Samba module. This requires that the PAM + # module provides the right hooks. + text = mkDefault + ('' + # Account management. + account required pam_unix.so + ${optionalString use_ldap + "account sufficient ${pam_ldap}/lib/security/pam_ldap.so"} + ${optionalString (config.services.sssd.enable && cfg.sssdStrictAccess==false) + "account sufficient ${pkgs.sssd}/lib/security/pam_sss.so"} + ${optionalString (config.services.sssd.enable && cfg.sssdStrictAccess) + "account [default=bad success=ok user_unknown=ignore] ${pkgs.sssd}/lib/security/pam_sss.so"} + ${optionalString config.krb5.enable + "account sufficient ${pam_krb5}/lib/security/pam_krb5.so"} + ${optionalString cfg.googleOsLoginAccountVerification '' + account [success=ok ignore=ignore default=die] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so + account [success=ok default=ignore] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_admin.so + ''} + + # Authentication management. + ${optionalString cfg.googleOsLoginAuthentication + "auth [success=done perm_denied=bad default=ignore] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so"} + ${optionalString cfg.rootOK + "auth sufficient pam_rootok.so"} + ${optionalString cfg.requireWheel + "auth required pam_wheel.so use_uid"} + ${optionalString cfg.logFailures + "auth required pam_tally.so"} + ${optionalString (config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth) + "auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys:~/.ssh/authorized_keys2:/etc/ssh/authorized_keys.d/%u"} + ${optionalString cfg.fprintAuth + "auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so"} + ${let p11 = config.security.pam.p11; in optionalString cfg.p11Auth + "auth ${p11.control} ${pam_p11}/lib/security/pam_p11.so ${pkgs.opensc}/lib/opensc-pkcs11.so"} + ${let u2f = config.security.pam.u2f; in optionalString cfg.u2fAuth + "auth ${u2f.control} ${pkgs.pam_u2f}/lib/security/pam_u2f.so ${optionalString u2f.debug "debug"} ${optionalString (u2f.authFile != null) "authfile=${u2f.authFile}"} ${optionalString u2f.interactive "interactive"} ${optionalString u2f.cue "cue"}"} + ${optionalString cfg.usbAuth + "auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so"} + ${let oath = config.security.pam.oath; in optionalString cfg.oathAuth + "auth requisite ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}"} + ${let yubi = config.security.pam.yubico; in optionalString cfg.yubicoAuth + "auth ${yubi.control} ${pkgs.yubico-pam}/lib/security/pam_yubico.so mode=${toString yubi.mode} ${optionalString (yubi.mode == "client") "id=${toString yubi.id}"} ${optionalString yubi.debug "debug"}"} + '' + + # Modules in this block require having the password set in PAM_AUTHTOK. + # pam_unix is marked as 'sufficient' on NixOS which means nothing will run + # after it succeeds. Certain modules need to run after pam_unix + # prompts the user for password so we run it once with 'required' at an + # earlier point and it will run again with 'sufficient' further down. + # We use try_first_pass the second time to avoid prompting password twice + (optionalString (cfg.unixAuth && + (config.security.pam.enableEcryptfs + || cfg.pamMount + || cfg.enableKwallet + || cfg.enableGnomeKeyring + || cfg.googleAuthenticator.enable + || cfg.duoSecurity.enable)) '' + auth required pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth + ${optionalString config.security.pam.enableEcryptfs + "auth optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"} + ${optionalString cfg.pamMount + "auth optional ${pkgs.pam_mount}/lib/security/pam_mount.so"} + ${optionalString cfg.enableKwallet + ("auth optional ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so" + + " kwalletd=${pkgs.libsForQt5.kwallet.bin}/bin/kwalletd5")} + ${optionalString cfg.enableGnomeKeyring + "auth optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so"} + ${optionalString cfg.googleAuthenticator.enable + "auth required ${pkgs.googleAuthenticator}/lib/security/pam_google_authenticator.so no_increment_hotp"} + ${optionalString cfg.duoSecurity.enable + "auth required ${pkgs.duo-unix}/lib/security/pam_duo.so"} + '') + '' + ${optionalString cfg.unixAuth + "auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth try_first_pass"} + ${optionalString cfg.otpwAuth + "auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"} + ${optionalString use_ldap + "auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass"} + ${optionalString config.services.sssd.enable + "auth sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_first_pass"} + ${optionalString config.krb5.enable '' + auth [default=ignore success=1 service_err=reset] ${pam_krb5}/lib/security/pam_krb5.so use_first_pass + auth [default=die success=done] ${pam_ccreds}/lib/security/pam_ccreds.so action=validate use_first_pass + auth sufficient ${pam_ccreds}/lib/security/pam_ccreds.so action=store use_first_pass + ''} + auth required pam_deny.so + + # Password management. + password sufficient pam_unix.so nullok sha512 + ${optionalString config.security.pam.enableEcryptfs + "password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"} + ${optionalString cfg.pamMount + "password optional ${pkgs.pam_mount}/lib/security/pam_mount.so"} + ${optionalString use_ldap + "password sufficient ${pam_ldap}/lib/security/pam_ldap.so"} + ${optionalString config.services.sssd.enable + "password sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_authtok"} + ${optionalString config.krb5.enable + "password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass"} + ${optionalString config.services.samba.syncPasswordsByPam + "password optional ${pkgs.samba}/lib/security/pam_smbpass.so nullok use_authtok try_first_pass"} + ${optionalString cfg.enableGnomeKeyring + "password optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so use_authtok"} + + # Session management. + ${optionalString cfg.setEnvironment '' + session required pam_env.so conffile=${config.system.build.pamEnvironment} readenv=0 + ''} + session required pam_unix.so + ${optionalString cfg.setLoginUid + "session ${ + if config.boot.isContainer then "optional" else "required" + } pam_loginuid.so"} + ${optionalString cfg.makeHomeDir + "session required ${pkgs.pam}/lib/security/pam_mkhomedir.so silent skel=${config.security.pam.makeHomeDir.skelDirectory} umask=0022"} + ${optionalString cfg.updateWtmp + "session required ${pkgs.pam}/lib/security/pam_lastlog.so silent"} + ${optionalString config.security.pam.enableEcryptfs + "session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"} + ${optionalString use_ldap + "session optional ${pam_ldap}/lib/security/pam_ldap.so"} + ${optionalString config.services.sssd.enable + "session optional ${pkgs.sssd}/lib/security/pam_sss.so"} + ${optionalString config.krb5.enable + "session optional ${pam_krb5}/lib/security/pam_krb5.so"} + ${optionalString cfg.otpwAuth + "session optional ${pkgs.otpw}/lib/security/pam_otpw.so"} + ${optionalString cfg.startSession + "session optional ${pkgs.systemd}/lib/security/pam_systemd.so"} + ${optionalString cfg.forwardXAuth + "session optional pam_xauth.so xauthpath=${pkgs.xorg.xauth}/bin/xauth systemuser=99"} + ${optionalString (cfg.limits != []) + "session required ${pkgs.pam}/lib/security/pam_limits.so conf=${makeLimitsConf cfg.limits}"} + ${optionalString (cfg.showMotd && config.users.motd != null) + "session optional ${pkgs.pam}/lib/security/pam_motd.so motd=${motd}"} + ${optionalString cfg.pamMount + "session optional ${pkgs.pam_mount}/lib/security/pam_mount.so"} + ${optionalString (cfg.enableAppArmor && config.security.apparmor.enable) + "session optional ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so order=user,group,default debug"} + ${optionalString (cfg.enableKwallet) + ("session optional ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so" + + " kwalletd=${pkgs.libsForQt5.kwallet.bin}/bin/kwalletd5")} + ${optionalString (cfg.enableGnomeKeyring) + "session optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start"} + ${optionalString (config.virtualisation.lxc.lxcfs.enable) + "session optional ${pkgs.lxc}/lib/security/pam_cgfs.so -c all"} + ''); + }; + + }; + + + inherit (pkgs) pam_krb5 pam_ccreds; + + use_ldap = (config.users.ldap.enable && config.users.ldap.loginPam); + pam_ldap = if config.users.ldap.daemon.enable then pkgs.nss_pam_ldapd else pkgs.pam_ldap; + + # Create a limits.conf(5) file. + makeLimitsConf = limits: + pkgs.writeText "limits.conf" + (concatMapStrings ({ domain, type, item, value }: + "${domain} ${type} ${item} ${toString value}\n") + limits); + + motd = pkgs.writeText "motd" config.users.motd; + + makePAMService = name: service: + { name = "pam.d/${name}"; + value.source = pkgs.writeText "${name}.pam" service.text; + }; + +in + +{ + + imports = [ + (mkRenamedOptionModule [ "security" "pam" "enableU2F" ] [ "security" "pam" "u2f" "enable" ]) + ]; + + ###### interface + + options = { + + security.pam.loginLimits = mkOption { + default = []; + example = + [ { domain = "ftp"; + type = "hard"; + item = "nproc"; + value = "0"; + } + { domain = "@student"; + type = "-"; + item = "maxlogins"; + value = "4"; + } + ]; + + description = + '' Define resource limits that should apply to users or groups. + Each item in the list should be an attribute set with a + domain, type, + item, and value + attribute. The syntax and semantics of these attributes + must be that described in the limits.conf(5) man page. + + Note that these limits do not apply to systemd services, + whose limits can be changed via + instead. + ''; + }; + + security.pam.services = mkOption { + default = []; + type = with types; loaOf (submodule pamOpts); + description = + '' + This option defines the PAM services. A service typically + corresponds to a program that uses PAM, + e.g. login or passwd. + Each attribute of this set defines a PAM service, with the attribute name + defining the name of the service. + ''; + }; + + security.pam.makeHomeDir.skelDirectory = mkOption { + type = types.str; + default = "/var/empty"; + example = "/etc/skel"; + description = '' + Path to skeleton directory whose contents are copied to home + directories newly created by pam_mkhomedir. + ''; + }; + + security.pam.enableSSHAgentAuth = mkOption { + type = types.bool; + default = false; + description = + '' + Enable sudo logins if the user's SSH agent provides a key + present in ~/.ssh/authorized_keys. + This allows machines to exclusively use SSH keys instead of + passwords. + ''; + }; + + security.pam.enableOTPW = mkEnableOption "the OTPW (one-time password) PAM module"; + + security.pam.p11 = { + enable = mkOption { + default = false; + type = types.bool; + description = '' + Enables P11 PAM (pam_p11) module. + + If set, users can log in with SSH keys and PKCS#11 tokens. + + More information can be found here. + ''; + }; + + control = mkOption { + default = "sufficient"; + type = types.enum [ "required" "requisite" "sufficient" "optional" ]; + description = '' + This option sets pam "control". + If you want to have multi factor authentication, use "required". + If you want to use the PKCS#11 device instead of the regular password, + use "sufficient". + + Read + + pam.conf + 5 + + for better understanding of this option. + ''; + }; + }; + + security.pam.u2f = { + enable = mkOption { + default = false; + type = types.bool; + description = '' + Enables U2F PAM (pam-u2f) module. + + If set, users listed in + $XDG_CONFIG_HOME/Yubico/u2f_keys (or + $HOME/.config/Yubico/u2f_keys if XDG variable is + not set) are able to log in with the associated U2F key. The path can + be changed using option. + + File format is: + username:first_keyHandle,first_public_key: second_keyHandle,second_public_key + This file can be generated using pamu2fcfg command. + + More information can be found here. + ''; + }; + + authFile = mkOption { + default = null; + type = with types; nullOr path; + description = '' + By default pam-u2f module reads the keys from + $XDG_CONFIG_HOME/Yubico/u2f_keys (or + $HOME/.config/Yubico/u2f_keys if XDG variable is + not set). + + If you want to change auth file locations or centralize database (for + example use /etc/u2f-mappings) you can set this + option. + + File format is: + username:first_keyHandle,first_public_key: second_keyHandle,second_public_key + This file can be generated using pamu2fcfg command. + + More information can be found here. + ''; + }; + + control = mkOption { + default = "sufficient"; + type = types.enum [ "required" "requisite" "sufficient" "optional" ]; + description = '' + This option sets pam "control". + If you want to have multi factor authentication, use "required". + If you want to use U2F device instead of regular password, use "sufficient". + + Read + + pam.conf + 5 + + for better understanding of this option. + ''; + }; + + debug = mkOption { + default = false; + type = types.bool; + description = '' + Debug output to stderr. + ''; + }; + + interactive = mkOption { + default = false; + type = types.bool; + description = '' + Set to prompt a message and wait before testing the presence of a U2F device. + Recommended if your device doesn’t have a tactile trigger. + ''; + }; + + cue = mkOption { + default = false; + type = types.bool; + description = '' + By default pam-u2f module does not inform user + that he needs to use the u2f device, it just waits without a prompt. + + If you set this option to true, + cue option is added to pam-u2f + module and reminder message will be displayed. + ''; + }; + }; + + security.pam.yubico = { + enable = mkOption { + default = false; + type = types.bool; + description = '' + Enables Yubico PAM (yubico-pam) module. + + If set, users listed in + ~/.yubico/authorized_yubikeys + are able to log in with the associated Yubikey tokens. + + The file must have only one line: + username:yubikey_token_id1:yubikey_token_id2 + More information can be found here. + ''; + }; + control = mkOption { + default = "sufficient"; + type = types.enum [ "required" "requisite" "sufficient" "optional" ]; + description = '' + This option sets pam "control". + If you want to have multi factor authentication, use "required". + If you want to use Yubikey instead of regular password, use "sufficient". + + Read + + pam.conf + 5 + + for better understanding of this option. + ''; + }; + id = mkOption { + example = "42"; + type = types.str; + description = "client id"; + }; + + debug = mkOption { + default = false; + type = types.bool; + description = '' + Debug output to stderr. + ''; + }; + mode = mkOption { + default = "client"; + type = types.enum [ "client" "challenge-response" ]; + description = '' + Mode of operation. + + Use "client" for online validation with a YubiKey validation service such as + the YubiCloud. + + Use "challenge-response" for offline validation using YubiKeys with HMAC-SHA-1 + Challenge-Response configurations. See the man-page ykpamcfg(1) for further + details on how to configure offline Challenge-Response validation. + + More information can be found here. + ''; + }; + }; + + security.pam.enableEcryptfs = mkEnableOption "eCryptfs PAM module (mounting ecryptfs home directory on login)"; + + users.motd = mkOption { + default = null; + example = "Today is Sweetmorn, the 4th day of The Aftermath in the YOLD 3178."; + type = types.nullOr types.lines; + description = "Message of the day shown to users when they log in."; + }; + + }; + + + ###### implementation + + config = { + + environment.systemPackages = + # Include the PAM modules in the system path mostly for the manpages. + [ pkgs.pam ] + ++ optional config.users.ldap.enable pam_ldap + ++ optional config.services.sssd.enable pkgs.sssd + ++ optionals config.krb5.enable [pam_krb5 pam_ccreds] + ++ optionals config.security.pam.enableOTPW [ pkgs.otpw ] + ++ optionals config.security.pam.oath.enable [ pkgs.oathToolkit ] + ++ optionals config.security.pam.p11.enable [ pam_p11 ] + ++ optionals config.security.pam.u2f.enable [ pkgs.pam_u2f ]; + + boot.supportedFilesystems = optionals config.security.pam.enableEcryptfs [ "ecryptfs" ]; + + security.wrappers = { + unix_chkpwd = { + source = "${pkgs.pam}/sbin/unix_chkpwd.orig"; + owner = "root"; + setuid = true; + }; + }; + + environment.etc = mapAttrs' makePAMService config.security.pam.services; + + security.pam.services = + { other.text = + '' + auth required pam_warn.so + auth required pam_deny.so + account required pam_warn.so + account required pam_deny.so + password required pam_warn.so + password required pam_deny.so + session required pam_warn.so + session required pam_deny.so + ''; + + # Most of these should be moved to specific modules. + i3lock = {}; + i3lock-color = {}; + vlock = {}; + xlock = {}; + xscreensaver = {}; + + runuser = { rootOK = true; unixAuth = false; setEnvironment = false; }; + + /* FIXME: should runuser -l start a systemd session? Currently + it complains "Cannot create session: Already running in a + session". */ + runuser-l = { rootOK = true; unixAuth = false; }; + }; + + }; + +} diff --git a/nixops/pam_p11/pam_p11.nix b/nixops/pam_p11/pam_p11.nix new file mode 100644 index 0000000..2257bd5 --- /dev/null +++ b/nixops/pam_p11/pam_p11.nix @@ -0,0 +1,23 @@ +{ stdenv, fetchFromGitHub, autoreconfHook, pkg-config, openssl, libp11, pam }: + +stdenv.mkDerivation rec { + pname = "pam_p11"; + version = "0.3.1"; + + src = fetchFromGitHub { + owner = "OpenSC"; + repo = "pam_p11"; + rev = "pam_p11-${version}"; + sha256 = "1caidy18rq5zk82d51x8vwidmkhwmanf3qm25x1yrdlbhxv6m7lk"; + }; + + patchPhase = + '' + substituteInPlace src/match_openssh.c --replace \ + '"%s/.ssh/authorized_keys", pw->pw_dir)' \ + '"/etc/ssh/authorized_keys.d/%s", pw->pw_name)' + ''; + + nativeBuildInputs = [ autoreconfHook pkg-config ]; + buildInputs = [ pam openssl libp11 ]; +}