security.pam.services.<name?>.: add googleOsLogin(AccountVerification|Authentication)

2018-12-12 13:53:51 +01:00 · 2018-12-12 13:53:51 +01:00 · be5ad774bf
commit be5ad774bf
parent fb41136208
1 changed files with 30 additions and 0 deletions
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@ -77,6 +77,30 @@ let
        '';
      };
      googleOsLoginAccountVerification = mkOption {
        default = false;
        type = types.bool;
        description = ''
          If set, will use the Google OS Login PAM modules
          (<literal>pam_oslogin_login</literal>,
          <literal>pam_oslogin_admin</literal>) to verify possible OS Login
          users and set sudoers configuration accordingly.
          This only makes sense to enable for the <literal>sshd</literal> PAM
          service.
        '';
      };
      googleOsLoginAuthentication = mkOption {
        default = false;
        type = types.bool;
        description = ''
          If set, will use the <literal>pam_oslogin_login</literal>'s user
          authentication methods to authenticate users using 2FA.
          This only makes sense to enable for the <literal>sshd</literal> PAM
          service.
        '';
      };
      fprintAuth = mkOption {
        default = config.services.fprintd.enable;
        type = types.bool;
@ -278,8 +302,14 @@ let
              "account [default=bad success=ok user_unknown=ignore] ${pkgs.sssd}/lib/security/pam_sss.so"}
          ${optionalString config.krb5.enable
              "account sufficient ${pam_krb5}/lib/security/pam_krb5.so"}
          ${optionalString cfg.googleOsLoginAccountVerification ''
            account [success=ok ignore=ignore default=die] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so
            account [success=ok default=ignore] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_admin.so
          ''}
          # Authentication management.
          ${optionalString cfg.googleOsLoginAuthentication
              "auth [success=done perm_denied=bad default=ignore] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so"}
          ${optionalString cfg.rootOK
              "auth sufficient pam_rootok.so"}
          ${optionalString cfg.requireWheel