From 09702822d6c7c682f9eae767a2c7136f636ed20d Mon Sep 17 00:00:00 2001
From: Will Dietz
Date: Sat, 30 Mar 2019 19:43:14 -0500
Subject: [PATCH 1/3] libykclient: init at 2019-03-18

---
 .../libraries/libykclient/default.nix | 22 +++++++++++++++++++
 pkgs/top-level/all-packages.nix | 2 ++
 2 files changed, 24 insertions(+)
 create mode 100644 pkgs/development/libraries/libykclient/default.nix

diff --git a/pkgs/development/libraries/libykclient/default.nix b/pkgs/development/libraries/libykclient/default.nix
new file mode 100644
index 00000000000..9aa189586f0
--- /dev/null
+++ b/pkgs/development/libraries/libykclient/default.nix
@@ -0,0 +1,22 @@
+{ stdenv, fetchFromGitHub, autoreconfHook, pkgconfig, help2man, curl }:
+
+stdenv.mkDerivation rec {
+  pname = "libykclient";
+  version = "unstable-2019-03-18";
+  src = fetchFromGitHub {
+    owner = "Yubico";
+    repo = "yubico-c-client";
+    rev = "ad9eda6aac4c3f81784607c30b971f4a050b5c2e";
+    sha256 = "01b19jgv2lypih6lhw9yjjsfl8q1ahl955vhr2ai8ccshh0050yj";
+  };
+
+  nativeBuildInputs = [ autoreconfHook pkgconfig help2man ];
+  buildInputs = [ curl ];
+
+  meta = with stdenv.lib; {
+    description = "Yubikey C client library";
+    homepage = https://developers.yubico.com/yubico-c-client;
+    license = licenses.bsd2;
+    maintainers = with maintainers; [ dtzWill ];
+  };
+}
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index a9bef3a3c8f..b6e72faa589 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -11731,6 +11731,8 @@ in
     };
   });
 
+  libykclient = callPackage ../development/libraries/libykclient { };
+
   libykneomgr = callPackage ../development/libraries/libykneomgr { };
 
   libytnef = callPackage ../development/libraries/libytnef { };
From faedd9d5277d602a255edee4c76fa097f20ced5d Mon Sep 17 00:00:00 2001
From: Will Dietz
Date: Sat, 30 Mar 2019 19:49:02 -0500
Subject: [PATCH 2/3] yubico-pam: init at 2019-03-19

---
 .../libraries/yubico-pam/default.nix | 24 +++++++++++++++++++
 pkgs/top-level/all-packages.nix | 2 ++
 2 files changed, 26 insertions(+)
 create mode 100644 pkgs/development/libraries/yubico-pam/default.nix

diff --git a/pkgs/development/libraries/yubico-pam/default.nix b/pkgs/development/libraries/yubico-pam/default.nix
new file mode 100644
index 00000000000..5d7d0e664c6
--- /dev/null
+++ b/pkgs/development/libraries/yubico-pam/default.nix
@@ -0,0 +1,24 @@
+{ stdenv, fetchFromGitHub, autoreconfHook, pkgconfig
+, asciidoc, libxslt, docbook_xsl
+, pam, yubikey-personalization, libyubikey, libykclient }:
+
+stdenv.mkDerivation rec {
+  pname = "yubico-pam";
+  version = "unstable-2019-03-19";
+  src = fetchFromGitHub {
+    owner = "Yubico";
+    repo = pname;
+    rev = "1c6fa66825e77b3ad8df46513d0125bed9bde704";
+    sha256 = "1g41wdwa1wbp391w1crbis4hwz60m3y06rd6j59m003zx40sk9s4";
+  };
+
+  nativeBuildInputs = [ autoreconfHook pkgconfig asciidoc libxslt docbook_xsl ];
+  buildInputs = [ pam yubikey-personalization libyubikey libykclient ];
+
+  meta = with stdenv.lib; {
+    description = "Yubico PAM module";
+    homepage = https://developers.yubico.com/yubico-pam;
+    license = licenses.bsd2;
+    maintainers = with maintainers; [ dtzWill ];
+  };
+}
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index b6e72faa589..4b60bc90da6 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -13318,6 +13318,8 @@ in
 
   yubioath-desktop = libsForQt5.callPackage ../applications/misc/yubioath-desktop { };
 
+  yubico-pam = callPackage ../development/libraries/yubico-pam { };
+
   yubico-piv-tool = callPackage ../tools/misc/yubico-piv-tool { };
 
   yubikey-manager = callPackage ../tools/misc/yubikey-manager { };
From c8a9c1c2b834cb014aa45f944966874587f0100c Mon Sep 17 00:00:00 2001
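Review bot: The yubico-pam derivation leaves `doCheck` unset, so whatever upstream's `make check` covers is never exercised, even though this is the module that will sit in the PAM auth stack. If I recall correctly yubico-pam ships a small test program under `tests/` that needs no network or hardware; if it builds in the sandbox, add `doCheck = true;` after `buildInputs`, and if it cannot, a one-line comment saying why tests are skipped would help the next updater.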
From: Will Dietz
Date: Sat, 30 Mar 2019 20:07:16 -0500
Subject: [PATCH 3/3] yubico-pam: add nixos integration

---
 nixos/modules/security/pam.nix | 60 ++++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)

diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index 03d2f899f2a..46ce274a2a9 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -48,6 +48,16 @@ let
         '';
       };
 
+      yubicoAuth = mkOption {
+        default = config.security.pam.yubico.enable;
+        type = types.bool;
+        description = ''
+          If set, users listed in
+          ~/.yubico/authorized_yubikeys
+          are able to log in with the asociated Yubikey tokens.
+        '';
+      };
+
       googleAuthenticator = {
         enable = mkOption {
           default = false;
@@ -340,6 +350,8 @@ let
               "auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so"}
           ${let oath = config.security.pam.oath; in optionalString cfg.oathAuth
               "auth requisite ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}"}
+          ${let yubi = config.security.pam.yubico; in optionalString cfg.yubicoAuth
+              "auth ${yubi.control} ${pkgs.yubico-pam}/lib/security/pam_yubico.so id=${toString yubi.id} ${optionalString yubi.debug "debug"}"}
       '' +
       # Modules in this block require having the password set in PAM_AUTHTOK.
       # pam_unix is marked as 'sufficient' on NixOS which means nothing will run
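Review bot: The description of the new per-service `yubicoAuth` option misspells "associated" as "asociated"; the same sentence in the `security.pam.yubico.enable` description in the `@@ -636` hunk spells it correctly, so only this copy needs fixing: `are able to log in with the associated Yubikey tokens.`. It would also help to state in one sentence that this is the per-service switch and that the global `security.pam.yubico.enable` only sets its default, mirroring how the neighbouring `oathAuth` option is documented.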
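Review bot: The generated `auth` line in the `@@ -340` hunk hands pam_yubico.so only `id=` (and optionally `debug`), so there is no way to pass the module's `key=` option, which, as far as I recall, is what makes libykclient HMAC-sign the validation request and verify the server's signed response; without it the accept/reject verdict rests on TLS to the default YubiCloud endpoint alone, and there is likewise no way to select a self-hosted validation server. Consider a `key` option (default `null`) next to `id` in the `security.pam.yubico` block and appending `${optionalString (yubi.key != null) "key=${yubi.key}"}` to this line, with the description noting that the value will land in the world-readable Nix store and `/etc/pam.d`, so operators must decide whether that exposure is acceptable for their client key. The string builder this line sits in starts and ends outside the hunk.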
@@ -636,6 +648,54 @@ in
       };
     };
 
+    security.pam.yubico = {
+      enable = mkOption {
+        default = false;
+        type = types.bool;
+        description = ''
+          Enables Yubico PAM (yubico-pam) module.
+
+          If set, users listed in
+          ~/.yubico/authorized_yubikeys
+          are able to log in with the associated Yubikey tokens.
+
+          The file must have only one line:
+          username:yubikey_token_id1:yubikey_token_id2
+          More information can be found here.
+        '';
+      };
+      control = mkOption {
+        default = "sufficient";
+        type = types.enum [ "required" "requisite" "sufficient" "optional" ];
+        description = ''
+          This option sets pam "control".
+          If you want to have multi factor authentication, use "required".
+          If you want to use Yubikey instead of regular password, use "sufficient".
+
+          Read
+
+          pam.conf
+          5
+
+          for better understanding of this option.
+        '';
+      };
+      id = mkOption {
+        example = "42";
+        type = types.string;
+        description = "client id";
+      };
+
+      debug = mkOption {
+        default = false;
+        type = types.bool;
+        description = ''
+          Debug output to stderr.
+        '';
+      };
+    };
+
     security.pam.enableEcryptfs = mkOption {
       default = false;
       description = ''
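Review bot: `id` is declared with `type = types.string;`, the deprecated concatenating string type: if two modules both define `security.pam.yubico.id`, the module system joins the two values instead of reporting a conflict, and for a value that decides which validation-API client the OTPs are checked under, a silent merge is the wrong failure mode; use `type = types.str;` so conflicting definitions are an evaluation error. The `description = "client id";` is also too thin to act on; something like `description = "Client ID issued by the OTP validation service (YubiCloud API client id) that pam_yubico validates OTPs under.";` tells the reader where the value comes from. Leaving `id` without a default is fine, since enabling the module without one then fails at evaluation rather than producing a broken auth line.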