nixos: Adding OATH in pam.

(cherry picked from commit cb3cba54a1b87c376d0801238cb827eadb18e39e)

Conflicts:
	nixos/modules/security/pam.nix
Lluís Batlle i Rossell 2015-02-14 23:52:22 +01:00
parent d44573e16f
commit 4e99901961


@ -63,6 +63,14 @@ let
''; '';
}; };
oathAuth = mkOption {
default = config.security.pam.enableOATH;
type = types.bool;
description = ''
If set, the OATH Toolkit will be used.
'';
};
sshAgentAuth = mkOption { sshAgentAuth = mkOption {
default = false; default = false;
type = types.bool; type = types.bool;
@ -206,6 +214,8 @@ let
"auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth"} "auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth"}
${optionalString cfg.otpwAuth ${optionalString cfg.otpwAuth
"auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"} "auth sufficient ${pkgs.otpw}/lib/security/pam_otpw.so"}
${optionalString cfg.oathAuth
"auth sufficient ${pkgs.oathToolkit}/lib/security/pam_oath.so"} window=5 usersfile=/etc/users.oath
${optionalString config.users.ldap.enable ${optionalString config.users.ldap.enable
"auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass"} "auth sufficient ${pam_ldap}/lib/security/pam_ldap.so use_first_pass"}
${optionalString config.krb5.enable '' ${optionalString config.krb5.enable ''
@ -241,6 +251,8 @@ let
"session optional ${pam_krb5}/lib/security/pam_krb5.so"} "session optional ${pam_krb5}/lib/security/pam_krb5.so"}
${optionalString cfg.otpwAuth ${optionalString cfg.otpwAuth
"session optional ${pkgs.otpw}/lib/security/pam_otpw.so"} "session optional ${pkgs.otpw}/lib/security/pam_otpw.so"}
${optionalString cfg.oathAuth
"session optional ${pkgs.oathToolkit}/lib/security/pam_oath.so"} window=5 usersfile=/etc/users.oath
${optionalString cfg.startSession ${optionalString cfg.startSession
"session optional ${pkgs.systemd}/lib/security/pam_systemd.so"} "session optional ${pkgs.systemd}/lib/security/pam_systemd.so"}
${optionalString cfg.forwardXAuth ${optionalString cfg.forwardXAuth
@ -338,6 +350,13 @@ in
''; '';
}; };
security.pam.enableOATH = mkOption {
default = false;
description = ''
Enable the OATH (one-time password) PAM module.
'';
};
users.motd = mkOption { users.motd = mkOption {
default = null; default = null;
example = "Today is Sweetmorn, the 4th day of The Aftermath in the YOLD 3178."; example = "Today is Sweetmorn, the 4th day of The Aftermath in the YOLD 3178.";
@ -357,7 +376,8 @@ in
[ pkgs.pam ] [ pkgs.pam ]
++ optional config.users.ldap.enable pam_ldap ++ optional config.users.ldap.enable pam_ldap
++ optionals config.krb5.enable [pam_krb5 pam_ccreds] ++ optionals config.krb5.enable [pam_krb5 pam_ccreds]
++ optionals config.security.pam.enableOTPW [ pkgs.otpw ]; ++ optionals config.security.pam.enableOTPW [ pkgs.otpw ]
++ optionals config.security.pam.enableOATH [ pkgs.oathToolkit ];
environment.etc = environment.etc =
mapAttrsToList (n: v: makePAMService v) config.security.pam.services; mapAttrsToList (n: v: makePAMService v) config.security.pam.services;
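Review bot: In the auth-stack hunk, and again in the session hunk, `window=5 usersfile=/etc/users.oath` sits after the closing `"}` of the `optionalString`, so it is written into every generated PAM service file even when `cfg.oathAuth` is false, leaving a malformed line in stacks that never enabled OATH. Move the arguments inside the string, `"auth sufficient ${pkgs.oathToolkit}/lib/security/pam_oath.so window=5 usersfile=/etc/users.oath"}`, and do the same for the `session optional` line. With `sufficient` placed after `pam_unix.so`, the one-time code is an alternative to the password rather than a second factor, and the `oathAuth` and `security.pam.enableOATH` descriptions should say so. `/etc/users.oath` holds the shared OATH secrets and nothing visible in these hunks creates it or checks its ownership and mode, so the option text should state that it must be root-owned and readable by root only. The surrounding PAM text template starts and ends outside the hunks, so how a stray line affects each service stack should be confirmed against the full file.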