From be704047e7819ead4bd0e40d51ef7cc0bf3aa4a4 Mon Sep 17 00:00:00 2001 From: Sebastien Bourdeauducq Date: Fri, 6 Nov 2020 14:32:54 +0800 Subject: [PATCH] nixops: nixos 20.09 --- nixops/desktop.nix | 21 +- nixops/light.nix | 12 +- nixops/pam_p11/default.nix | 843 ------------------------------------- nixops/pam_p11/pam_p11.nix | 23 - 4 files changed, 22 insertions(+), 877 deletions(-) delete mode 100644 nixops/pam_p11/default.nix delete mode 100644 nixops/pam_p11/pam_p11.nix diff --git a/nixops/desktop.nix b/nixops/desktop.nix index cee216b8..87bac5c3 100644 --- a/nixops/desktop.nix +++ b/nixops/desktop.nix @@ -3,17 +3,23 @@ { config, pkgs, ... }: let m-labs = import (fetchTarball https://nixbld.m-labs.hk/channel/custom/artiq/full/artiq-full/nixexprs.tar.xz) { inherit pkgs; }; - pkgs-unstable = import (fetchTarball https://github.com/NixOS/nixpkgs/archive/nixos-20.09.tar.gz) {}; in { deployment.targetHost = host; - disabledModules = [ "security/pam.nix" ]; imports = [ (./. + "/${host}-hardware-configuration.nix") - ./pam_p11 ]; + nixpkgs.config.packageOverrides = super: let self = super.pkgs; in { + pam_p11 = super.pam_p11.overrideAttrs(oa: { + patchPhase = oa.patchPhase or "" + '' + substituteInPlace src/match_openssh.c --replace \ + '"%s/.ssh/authorized_keys", pw->pw_dir)' \ + '"/etc/ssh/authorized_keys.d/%s", pw->pw_name)' + ''; + }); + }; networking.hostName = host; networking.firewall.allowedTCPPorts = [ 1883 ]; @@ -35,11 +41,11 @@ in jq sublime3 rink qemu_kvm tmux xc3sprog m-labs.openocd screen gdb minicom picocom tigervnc emacs bat ripgrep - pkgs-unstable.xpra - pkgs-unstable.rust-analyzer - (pkgs-unstable.vscode-with-extensions.override { + xpra + rust-analyzer + (vscode-with-extensions.override { vscodeExtensions = [ - pkgs-unstable.vscode-extensions.matklad.rust-analyzer + vscode-extensions.matklad.rust-analyzer ]; }) (import ./fish-nix-shell) @@ -56,7 +62,6 @@ in ''; programs.mosh.enable = true; - hardware.u2f.enable = true; services.pcscd.enable = true; programs.ssh.extraConfig = '' diff --git a/nixops/light.nix b/nixops/light.nix index 635fbfe0..7fa394b4 100644 --- a/nixops/light.nix +++ b/nixops/light.nix @@ -4,12 +4,19 @@ { deployment.targetHost = host; - disabledModules = [ "security/pam.nix" ]; imports = [ (./. + "/${host}-hardware-configuration.nix") - ./pam_p11 ]; + nixpkgs.config.packageOverrides = super: let self = super.pkgs; in { + pam_p11 = super.pam_p11.overrideAttrs(oa: { + patchPhase = oa.patchPhase or "" + '' + substituteInPlace src/match_openssh.c --replace \ + '"%s/.ssh/authorized_keys", pw->pw_dir)' \ + '"/etc/ssh/authorized_keys.d/%s", pw->pw_name)' + ''; + }); + }; networking.hostName = host; @@ -41,7 +48,6 @@ ''; programs.mosh.enable = true; - hardware.u2f.enable = true; services.pcscd.enable = true; programs.ssh.extraConfig = '' diff --git a/nixops/pam_p11/default.nix b/nixops/pam_p11/default.nix deleted file mode 100644 index 5945535e..00000000 --- a/nixops/pam_p11/default.nix +++ /dev/null @@ -1,843 +0,0 @@ -# This module provides configuration for the PAM (Pluggable -# Authentication Modules) system. - -{ config, lib, pkgs, ... }: - -with lib; - -let - pam_p11 = pkgs.callPackage ./pam_p11.nix {}; - - parentConfig = config; - - pamOpts = { config, name, ... }: let cfg = config; in let config = parentConfig; in { - - options = { - - name = mkOption { - example = "sshd"; - type = types.str; - description = "Name of the PAM service."; - }; - - unixAuth = mkOption { - default = true; - type = types.bool; - description = '' - Whether users can log in with passwords defined in - /etc/shadow. - ''; - }; - - rootOK = mkOption { - default = false; - type = types.bool; - description = '' - If set, root doesn't need to authenticate (e.g. for the - useradd service). - ''; - }; - - p11Auth = mkOption { - default = config.security.pam.p11.enable; - type = types.bool; - description = '' - If set, keys listed in - ~/.ssh/authorized_keys and - ~/.eid/authorized_certificates - can be used to log in with the associated PKCS#11 tokens. - ''; - }; - - u2fAuth = mkOption { - default = config.security.pam.u2f.enable; - type = types.bool; - description = '' - If set, users listed in - $XDG_CONFIG_HOME/Yubico/u2f_keys (or - $HOME/.config/Yubico/u2f_keys if XDG variable is - not set) are able to log in with the associated U2F key. Path can be - changed using option. - ''; - }; - - yubicoAuth = mkOption { - default = config.security.pam.yubico.enable; - type = types.bool; - description = '' - If set, users listed in - ~/.yubico/authorized_yubikeys - are able to log in with the associated Yubikey tokens. - ''; - }; - - googleAuthenticator = { - enable = mkOption { - default = false; - type = types.bool; - description = '' - If set, users with enabled Google Authenticator (created - ~/.google_authenticator) will be required - to provide Google Authenticator token to log in. - ''; - }; - }; - - usbAuth = mkOption { - default = config.security.pam.usb.enable; - type = types.bool; - description = '' - If set, users listed in - /etc/pamusb.conf are able to log in - with the associated USB key. - ''; - }; - - otpwAuth = mkOption { - default = config.security.pam.enableOTPW; - type = types.bool; - description = '' - If set, the OTPW system will be used (if - ~/.otpw exists). - ''; - }; - - googleOsLoginAccountVerification = mkOption { - default = false; - type = types.bool; - description = '' - If set, will use the Google OS Login PAM modules - (pam_oslogin_login, - pam_oslogin_admin) to verify possible OS Login - users and set sudoers configuration accordingly. - This only makes sense to enable for the sshd PAM - service. - ''; - }; - - googleOsLoginAuthentication = mkOption { - default = false; - type = types.bool; - description = '' - If set, will use the pam_oslogin_login's user - authentication methods to authenticate users using 2FA. - This only makes sense to enable for the sshd PAM - service. - ''; - }; - - fprintAuth = mkOption { - default = config.services.fprintd.enable; - type = types.bool; - description = '' - If set, fingerprint reader will be used (if exists and - your fingerprints are enrolled). - ''; - }; - - oathAuth = mkOption { - default = config.security.pam.oath.enable; - type = types.bool; - description = '' - If set, the OATH Toolkit will be used. - ''; - }; - - sshAgentAuth = mkOption { - default = false; - type = types.bool; - description = '' - If set, the calling user's SSH agent is used to authenticate - against the keys in the calling user's - ~/.ssh/authorized_keys. This is useful - for sudo on password-less remote systems. - ''; - }; - - duoSecurity = { - enable = mkOption { - default = false; - type = types.bool; - description = '' - If set, use the Duo Security pam module - pam_duo for authentication. Requires - configuration of options. - ''; - }; - }; - - startSession = mkOption { - default = false; - type = types.bool; - description = '' - If set, the service will register a new session with - systemd's login manager. For local sessions, this will give - the user access to audio devices, CD-ROM drives. In the - default PolicyKit configuration, it also allows the user to - reboot the system. - ''; - }; - - setEnvironment = mkOption { - type = types.bool; - default = true; - description = '' - Whether the service should set the environment variables - listed in - using pam_env.so. - ''; - }; - - setLoginUid = mkOption { - type = types.bool; - description = '' - Set the login uid of the process - (/proc/self/loginuid) for auditing - purposes. The login uid is only set by ‘entry points’ like - login and sshd, not by - commands like sudo. - ''; - }; - - forwardXAuth = mkOption { - default = false; - type = types.bool; - description = '' - Whether X authentication keys should be passed from the - calling user to the target user (e.g. for - su) - ''; - }; - - pamMount = mkOption { - default = config.security.pam.mount.enable; - type = types.bool; - description = '' - Enable PAM mount (pam_mount) system to mount fileystems on user login. - ''; - }; - - allowNullPassword = mkOption { - default = false; - type = types.bool; - description = '' - Whether to allow logging into accounts that have no password - set (i.e., have an empty password field in - /etc/passwd or - /etc/group). This does not enable - logging into disabled accounts (i.e., that have the password - field set to !). Note that regardless of - what the pam_unix documentation says, accounts with hashed - empty passwords are always allowed to log in. - ''; - }; - - nodelay = mkOption { - default = false; - type = types.bool; - description = '' - Wheather the delay after typing a wrong password should be disabled. - ''; - }; - - requireWheel = mkOption { - default = false; - type = types.bool; - description = '' - Whether to permit root access only to members of group wheel. - ''; - }; - - limits = mkOption { - description = '' - Attribute set describing resource limits. Defaults to the - value of . - ''; - }; - - showMotd = mkOption { - default = false; - type = types.bool; - description = "Whether to show the message of the day."; - }; - - makeHomeDir = mkOption { - default = false; - type = types.bool; - description = '' - Whether to try to create home directories for users - with $HOMEs pointing to nonexistent - locations on session login. - ''; - }; - - updateWtmp = mkOption { - default = false; - type = types.bool; - description = "Whether to update /var/log/wtmp."; - }; - - logFailures = mkOption { - default = false; - type = types.bool; - description = "Whether to log authentication failures in /var/log/faillog."; - }; - - enableAppArmor = mkOption { - default = false; - type = types.bool; - description = '' - Enable support for attaching AppArmor profiles at the - user/group level, e.g., as part of a role based access - control scheme. - ''; - }; - - enableKwallet = mkOption { - default = false; - type = types.bool; - description = '' - If enabled, pam_wallet will attempt to automatically unlock the - user's default KDE wallet upon login. If the user has no wallet named - "kdewallet", or the login password does not match their wallet - password, KDE will prompt separately after login. - ''; - }; - sssdStrictAccess = mkOption { - default = false; - type = types.bool; - description = "enforce sssd access control"; - }; - - enableGnomeKeyring = mkOption { - default = false; - type = types.bool; - description = '' - If enabled, pam_gnome_keyring will attempt to automatically unlock the - user's default Gnome keyring upon login. If the user login password does - not match their keyring password, Gnome Keyring will prompt separately - after login. - ''; - }; - - text = mkOption { - type = types.nullOr types.lines; - description = "Contents of the PAM service file."; - }; - - }; - - config = { - name = mkDefault name; - setLoginUid = mkDefault cfg.startSession; - limits = mkDefault config.security.pam.loginLimits; - - # !!! TODO: move the LDAP stuff to the LDAP module, and the - # Samba stuff to the Samba module. This requires that the PAM - # module provides the right hooks. - text = mkDefault - ('' - # Account management. - account required pam_unix.so - ${optionalString use_ldap - "account sufficient ${pam_ldap}/lib/security/pam_ldap.so"} - ${optionalString (config.services.sssd.enable && cfg.sssdStrictAccess==false) - "account sufficient ${pkgs.sssd}/lib/security/pam_sss.so"} - ${optionalString (config.services.sssd.enable && cfg.sssdStrictAccess) - "account [default=bad success=ok user_unknown=ignore] ${pkgs.sssd}/lib/security/pam_sss.so"} - ${optionalString config.krb5.enable - "account sufficient ${pam_krb5}/lib/security/pam_krb5.so"} - ${optionalString cfg.googleOsLoginAccountVerification '' - account [success=ok ignore=ignore default=die] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so - account [success=ok default=ignore] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_admin.so - ''} - - # Authentication management. - ${optionalString cfg.googleOsLoginAuthentication - "auth [success=done perm_denied=bad default=ignore] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so"} - ${optionalString cfg.rootOK - "auth sufficient pam_rootok.so"} - ${optionalString cfg.requireWheel - "auth required pam_wheel.so use_uid"} - ${optionalString cfg.logFailures - "auth required pam_tally.so"} - ${optionalString (config.security.pam.enableSSHAgentAuth && cfg.sshAgentAuth) - "auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys:~/.ssh/authorized_keys2:/etc/ssh/authorized_keys.d/%u"} - ${optionalString cfg.fprintAuth - "auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so"} - ${let p11 = config.security.pam.p11; in optionalString cfg.p11Auth - "auth ${p11.control} ${pam_p11}/lib/security/pam_p11.so ${pkgs.opensc}/lib/opensc-pkcs11.so"} - ${let u2f = config.security.pam.u2f; in optionalString cfg.u2fAuth - "auth ${u2f.control} ${pkgs.pam_u2f}/lib/security/pam_u2f.so ${optionalString u2f.debug "debug"} ${optionalString (u2f.authFile != null) "authfile=${u2f.authFile}"} ${optionalString u2f.interactive "interactive"} ${optionalString u2f.cue "cue"}"} - ${optionalString cfg.usbAuth - "auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so"} - ${let oath = config.security.pam.oath; in optionalString cfg.oathAuth - "auth requisite ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}"} - ${let yubi = config.security.pam.yubico; in optionalString cfg.yubicoAuth - "auth ${yubi.control} ${pkgs.yubico-pam}/lib/security/pam_yubico.so mode=${toString yubi.mode} ${optionalString (yubi.mode == "client") "id=${toString yubi.id}"} ${optionalString yubi.debug "debug"}"} - '' + - # Modules in this block require having the password set in PAM_AUTHTOK. - # pam_unix is marked as 'sufficient' on NixOS which means nothing will run - # after it succeeds. Certain modules need to run after pam_unix - # prompts the user for password so we run it once with 'required' at an - # earlier point and it will run again with 'sufficient' further down. - # We use try_first_pass the second time to avoid prompting password twice - (optionalString (cfg.unixAuth && - (config.security.pam.enableEcryptfs - || cfg.pamMount - || cfg.enableKwallet - || cfg.enableGnomeKeyring - || cfg.googleAuthenticator.enable - || cfg.duoSecurity.enable)) '' - auth required pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth - ${optionalString config.security.pam.enableEcryptfs - "auth optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"} - ${optionalString cfg.pamMount - "auth optional ${pkgs.pam_mount}/lib/security/pam_mount.so"} - ${optionalString cfg.enableKwallet - ("auth optional ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so" + - " kwalletd=${pkgs.libsForQt5.kwallet.bin}/bin/kwalletd5")} - ${optionalString cfg.enableGnomeKeyring - "auth optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so"} - ${optionalString cfg.googleAuthenticator.enable - "auth required ${pkgs.googleAuthenticator}/lib/security/pam_google_authenticator.so no_increment_hotp"} - ${optionalString cfg.duoSecurity.enable - "auth required ${pkgs.duo-unix}/lib/security/pam_duo.so"} - '') + '' - ${optionalString cfg.unixAuth - "auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} ${optionalString cfg.nodelay "nodelay"} likeauth try_first_pass"} - ${optionalString cfg.otpwAuth - "auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"} - ${optionalString use_ldap - "auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass"} - ${optionalString config.services.sssd.enable - "auth sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_first_pass"} - ${optionalString config.krb5.enable '' - auth [default=ignore success=1 service_err=reset] ${pam_krb5}/lib/security/pam_krb5.so use_first_pass - auth [default=die success=done] ${pam_ccreds}/lib/security/pam_ccreds.so action=validate use_first_pass - auth sufficient ${pam_ccreds}/lib/security/pam_ccreds.so action=store use_first_pass - ''} - auth required pam_deny.so - - # Password management. - password sufficient pam_unix.so nullok sha512 - ${optionalString config.security.pam.enableEcryptfs - "password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"} - ${optionalString cfg.pamMount - "password optional ${pkgs.pam_mount}/lib/security/pam_mount.so"} - ${optionalString use_ldap - "password sufficient ${pam_ldap}/lib/security/pam_ldap.so"} - ${optionalString config.services.sssd.enable - "password sufficient ${pkgs.sssd}/lib/security/pam_sss.so use_authtok"} - ${optionalString config.krb5.enable - "password sufficient ${pam_krb5}/lib/security/pam_krb5.so use_first_pass"} - ${optionalString config.services.samba.syncPasswordsByPam - "password optional ${pkgs.samba}/lib/security/pam_smbpass.so nullok use_authtok try_first_pass"} - ${optionalString cfg.enableGnomeKeyring - "password optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so use_authtok"} - - # Session management. - ${optionalString cfg.setEnvironment '' - session required pam_env.so conffile=${config.system.build.pamEnvironment} readenv=0 - ''} - session required pam_unix.so - ${optionalString cfg.setLoginUid - "session ${ - if config.boot.isContainer then "optional" else "required" - } pam_loginuid.so"} - ${optionalString cfg.makeHomeDir - "session required ${pkgs.pam}/lib/security/pam_mkhomedir.so silent skel=${config.security.pam.makeHomeDir.skelDirectory} umask=0022"} - ${optionalString cfg.updateWtmp - "session required ${pkgs.pam}/lib/security/pam_lastlog.so silent"} - ${optionalString config.security.pam.enableEcryptfs - "session optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so"} - ${optionalString use_ldap - "session optional ${pam_ldap}/lib/security/pam_ldap.so"} - ${optionalString config.services.sssd.enable - "session optional ${pkgs.sssd}/lib/security/pam_sss.so"} - ${optionalString config.krb5.enable - "session optional ${pam_krb5}/lib/security/pam_krb5.so"} - ${optionalString cfg.otpwAuth - "session optional ${pkgs.otpw}/lib/security/pam_otpw.so"} - ${optionalString cfg.startSession - "session optional ${pkgs.systemd}/lib/security/pam_systemd.so"} - ${optionalString cfg.forwardXAuth - "session optional pam_xauth.so xauthpath=${pkgs.xorg.xauth}/bin/xauth systemuser=99"} - ${optionalString (cfg.limits != []) - "session required ${pkgs.pam}/lib/security/pam_limits.so conf=${makeLimitsConf cfg.limits}"} - ${optionalString (cfg.showMotd && config.users.motd != null) - "session optional ${pkgs.pam}/lib/security/pam_motd.so motd=${motd}"} - ${optionalString cfg.pamMount - "session optional ${pkgs.pam_mount}/lib/security/pam_mount.so"} - ${optionalString (cfg.enableAppArmor && config.security.apparmor.enable) - "session optional ${pkgs.apparmor-pam}/lib/security/pam_apparmor.so order=user,group,default debug"} - ${optionalString (cfg.enableKwallet) - ("session optional ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so" + - " kwalletd=${pkgs.libsForQt5.kwallet.bin}/bin/kwalletd5")} - ${optionalString (cfg.enableGnomeKeyring) - "session optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start"} - ${optionalString (config.virtualisation.lxc.lxcfs.enable) - "session optional ${pkgs.lxc}/lib/security/pam_cgfs.so -c all"} - ''); - }; - - }; - - - inherit (pkgs) pam_krb5 pam_ccreds; - - use_ldap = (config.users.ldap.enable && config.users.ldap.loginPam); - pam_ldap = if config.users.ldap.daemon.enable then pkgs.nss_pam_ldapd else pkgs.pam_ldap; - - # Create a limits.conf(5) file. - makeLimitsConf = limits: - pkgs.writeText "limits.conf" - (concatMapStrings ({ domain, type, item, value }: - "${domain} ${type} ${item} ${toString value}\n") - limits); - - motd = pkgs.writeText "motd" config.users.motd; - - makePAMService = name: service: - { name = "pam.d/${name}"; - value.source = pkgs.writeText "${name}.pam" service.text; - }; - -in - -{ - - imports = [ - (mkRenamedOptionModule [ "security" "pam" "enableU2F" ] [ "security" "pam" "u2f" "enable" ]) - ]; - - ###### interface - - options = { - - security.pam.loginLimits = mkOption { - default = []; - example = - [ { domain = "ftp"; - type = "hard"; - item = "nproc"; - value = "0"; - } - { domain = "@student"; - type = "-"; - item = "maxlogins"; - value = "4"; - } - ]; - - description = - '' Define resource limits that should apply to users or groups. - Each item in the list should be an attribute set with a - domain, type, - item, and value - attribute. The syntax and semantics of these attributes - must be that described in the limits.conf(5) man page. - - Note that these limits do not apply to systemd services, - whose limits can be changed via - instead. - ''; - }; - - security.pam.services = mkOption { - default = []; - type = with types; loaOf (submodule pamOpts); - description = - '' - This option defines the PAM services. A service typically - corresponds to a program that uses PAM, - e.g. login or passwd. - Each attribute of this set defines a PAM service, with the attribute name - defining the name of the service. - ''; - }; - - security.pam.makeHomeDir.skelDirectory = mkOption { - type = types.str; - default = "/var/empty"; - example = "/etc/skel"; - description = '' - Path to skeleton directory whose contents are copied to home - directories newly created by pam_mkhomedir. - ''; - }; - - security.pam.enableSSHAgentAuth = mkOption { - type = types.bool; - default = false; - description = - '' - Enable sudo logins if the user's SSH agent provides a key - present in ~/.ssh/authorized_keys. - This allows machines to exclusively use SSH keys instead of - passwords. - ''; - }; - - security.pam.enableOTPW = mkEnableOption "the OTPW (one-time password) PAM module"; - - security.pam.p11 = { - enable = mkOption { - default = false; - type = types.bool; - description = '' - Enables P11 PAM (pam_p11) module. - - If set, users can log in with SSH keys and PKCS#11 tokens. - - More information can be found here. - ''; - }; - - control = mkOption { - default = "sufficient"; - type = types.enum [ "required" "requisite" "sufficient" "optional" ]; - description = '' - This option sets pam "control". - If you want to have multi factor authentication, use "required". - If you want to use the PKCS#11 device instead of the regular password, - use "sufficient". - - Read - - pam.conf - 5 - - for better understanding of this option. - ''; - }; - }; - - security.pam.u2f = { - enable = mkOption { - default = false; - type = types.bool; - description = '' - Enables U2F PAM (pam-u2f) module. - - If set, users listed in - $XDG_CONFIG_HOME/Yubico/u2f_keys (or - $HOME/.config/Yubico/u2f_keys if XDG variable is - not set) are able to log in with the associated U2F key. The path can - be changed using option. - - File format is: - username:first_keyHandle,first_public_key: second_keyHandle,second_public_key - This file can be generated using pamu2fcfg command. - - More information can be found here. - ''; - }; - - authFile = mkOption { - default = null; - type = with types; nullOr path; - description = '' - By default pam-u2f module reads the keys from - $XDG_CONFIG_HOME/Yubico/u2f_keys (or - $HOME/.config/Yubico/u2f_keys if XDG variable is - not set). - - If you want to change auth file locations or centralize database (for - example use /etc/u2f-mappings) you can set this - option. - - File format is: - username:first_keyHandle,first_public_key: second_keyHandle,second_public_key - This file can be generated using pamu2fcfg command. - - More information can be found here. - ''; - }; - - control = mkOption { - default = "sufficient"; - type = types.enum [ "required" "requisite" "sufficient" "optional" ]; - description = '' - This option sets pam "control". - If you want to have multi factor authentication, use "required". - If you want to use U2F device instead of regular password, use "sufficient". - - Read - - pam.conf - 5 - - for better understanding of this option. - ''; - }; - - debug = mkOption { - default = false; - type = types.bool; - description = '' - Debug output to stderr. - ''; - }; - - interactive = mkOption { - default = false; - type = types.bool; - description = '' - Set to prompt a message and wait before testing the presence of a U2F device. - Recommended if your device doesn’t have a tactile trigger. - ''; - }; - - cue = mkOption { - default = false; - type = types.bool; - description = '' - By default pam-u2f module does not inform user - that he needs to use the u2f device, it just waits without a prompt. - - If you set this option to true, - cue option is added to pam-u2f - module and reminder message will be displayed. - ''; - }; - }; - - security.pam.yubico = { - enable = mkOption { - default = false; - type = types.bool; - description = '' - Enables Yubico PAM (yubico-pam) module. - - If set, users listed in - ~/.yubico/authorized_yubikeys - are able to log in with the associated Yubikey tokens. - - The file must have only one line: - username:yubikey_token_id1:yubikey_token_id2 - More information can be found here. - ''; - }; - control = mkOption { - default = "sufficient"; - type = types.enum [ "required" "requisite" "sufficient" "optional" ]; - description = '' - This option sets pam "control". - If you want to have multi factor authentication, use "required". - If you want to use Yubikey instead of regular password, use "sufficient". - - Read - - pam.conf - 5 - - for better understanding of this option. - ''; - }; - id = mkOption { - example = "42"; - type = types.str; - description = "client id"; - }; - - debug = mkOption { - default = false; - type = types.bool; - description = '' - Debug output to stderr. - ''; - }; - mode = mkOption { - default = "client"; - type = types.enum [ "client" "challenge-response" ]; - description = '' - Mode of operation. - - Use "client" for online validation with a YubiKey validation service such as - the YubiCloud. - - Use "challenge-response" for offline validation using YubiKeys with HMAC-SHA-1 - Challenge-Response configurations. See the man-page ykpamcfg(1) for further - details on how to configure offline Challenge-Response validation. - - More information can be found here. - ''; - }; - }; - - security.pam.enableEcryptfs = mkEnableOption "eCryptfs PAM module (mounting ecryptfs home directory on login)"; - - users.motd = mkOption { - default = null; - example = "Today is Sweetmorn, the 4th day of The Aftermath in the YOLD 3178."; - type = types.nullOr types.lines; - description = "Message of the day shown to users when they log in."; - }; - - }; - - - ###### implementation - - config = { - - environment.systemPackages = - # Include the PAM modules in the system path mostly for the manpages. - [ pkgs.pam ] - ++ optional config.users.ldap.enable pam_ldap - ++ optional config.services.sssd.enable pkgs.sssd - ++ optionals config.krb5.enable [pam_krb5 pam_ccreds] - ++ optionals config.security.pam.enableOTPW [ pkgs.otpw ] - ++ optionals config.security.pam.oath.enable [ pkgs.oathToolkit ] - ++ optionals config.security.pam.p11.enable [ pam_p11 ] - ++ optionals config.security.pam.u2f.enable [ pkgs.pam_u2f ]; - - boot.supportedFilesystems = optionals config.security.pam.enableEcryptfs [ "ecryptfs" ]; - - security.wrappers = { - unix_chkpwd = { - source = "${pkgs.pam}/sbin/unix_chkpwd.orig"; - owner = "root"; - setuid = true; - }; - }; - - environment.etc = mapAttrs' makePAMService config.security.pam.services; - - security.pam.services = - { other.text = - '' - auth required pam_warn.so - auth required pam_deny.so - account required pam_warn.so - account required pam_deny.so - password required pam_warn.so - password required pam_deny.so - session required pam_warn.so - session required pam_deny.so - ''; - - # Most of these should be moved to specific modules. - i3lock = {}; - i3lock-color = {}; - vlock = {}; - xlock = {}; - xscreensaver = {}; - - runuser = { rootOK = true; unixAuth = false; setEnvironment = false; }; - - /* FIXME: should runuser -l start a systemd session? Currently - it complains "Cannot create session: Already running in a - session". */ - runuser-l = { rootOK = true; unixAuth = false; }; - }; - - }; - -} diff --git a/nixops/pam_p11/pam_p11.nix b/nixops/pam_p11/pam_p11.nix deleted file mode 100644 index 2257bd51..00000000 --- a/nixops/pam_p11/pam_p11.nix +++ /dev/null @@ -1,23 +0,0 @@ -{ stdenv, fetchFromGitHub, autoreconfHook, pkg-config, openssl, libp11, pam }: - -stdenv.mkDerivation rec { - pname = "pam_p11"; - version = "0.3.1"; - - src = fetchFromGitHub { - owner = "OpenSC"; - repo = "pam_p11"; - rev = "pam_p11-${version}"; - sha256 = "1caidy18rq5zk82d51x8vwidmkhwmanf3qm25x1yrdlbhxv6m7lk"; - }; - - patchPhase = - '' - substituteInPlace src/match_openssh.c --replace \ - '"%s/.ssh/authorized_keys", pw->pw_dir)' \ - '"/etc/ssh/authorized_keys.d/%s", pw->pw_name)' - ''; - - nativeBuildInputs = [ autoreconfHook pkg-config ]; - buildInputs = [ pam openssl libp11 ]; -}