nixos/duosec: Add an option to allow TCP forwarding
Signed-off-by: Austin Seipp <aseipp@pobox.com>
parent
010833c634
commit
e31f212f6b
|
@ -165,6 +165,17 @@ in
|
||||||
whitelist.
|
whitelist.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
allowTcpForwarding = mkOption {
|
||||||
|
type = types.bool;
|
||||||
|
default = false;
|
||||||
|
description = ''
|
||||||
|
By default, when SSH forwarding, enabling Duo Security will
|
||||||
|
disable TCP forwarding. By enabling this, you potentially
|
||||||
|
undermine some of the SSH based login security. Note this is
|
||||||
|
not needed if you use PAM.
|
||||||
|
'';
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -192,7 +203,9 @@ in
|
||||||
# Duo Security configuration
|
# Duo Security configuration
|
||||||
ForceCommand ${config.security.wrapperDir}/login_duo
|
ForceCommand ${config.security.wrapperDir}/login_duo
|
||||||
PermitTunnel no
|
PermitTunnel no
|
||||||
AllowTcpForwarding no
|
${optionalString (!cfg.allowTcpForwarding) ''
|
||||||
|
AllowTcpForwarding no
|
||||||
|
''}
|
||||||
'');
|
'');
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
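Review bot: The description of `allowTcpForwarding` in the first hunk does not say what is given up when the option is set. In the second hunk `AllowTcpForwarding no` is simply omitted, so unless it is set elsewhere sshd falls back to its own default, which permits forwarding, while `ForceCommand login_duo` only runs for connections that start a shell or command. A forwarding-only connection would therefore not go through the Duo prompt, which is presumably why the block also carries `PermitTunnel no`. I would reword the description along the lines of `Do not force sshd's AllowTcpForwarding to "no". Port forwards are not subject to ForceCommand, so they are not covered by the Duo second factor.`, and replace the garbled "when SSH forwarding" with "when SSH integration is enabled" if that is what is meant. Both enclosing attribute sets start outside the hunks, so whether this block is itself conditional on the SSH integration being enabled is not visible here.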