d09c7986de
Add a module to make options to pam_oath module configurable. These are: - enable - enable the OATH pam module - window - number of OTPs to check - digits - length of the OTP (adds support for two-factor auth) - usersFile - filename to store OATH credentials in
51 lines
1.1 KiB
Nix
51 lines
1.1 KiB
Nix
# This module provides configuration for the OATH PAM modules.
|
|
|
|
{ config, lib, pkgs, ... }:
|
|
|
|
with lib;
|
|
|
|
{
|
|
options = {
|
|
|
|
security.pam.oath = {
|
|
enable = mkOption {
|
|
type = types.bool;
|
|
default = false;
|
|
description = ''
|
|
Enable the OATH (one-time password) PAM module.
|
|
'';
|
|
};
|
|
|
|
digits = mkOption {
|
|
type = types.enum [ 6 7 8 ];
|
|
default = 6;
|
|
description = ''
|
|
Specify the length of the one-time password in number of
|
|
digits.
|
|
'';
|
|
};
|
|
|
|
window = mkOption {
|
|
type = types.int;
|
|
default = 5;
|
|
description = ''
|
|
Specify the number of one-time passwords to check in order
|
|
to accommodate for situations where the system and the
|
|
client are slightly out of sync (iteration for HOTP or time
|
|
steps for TOTP).
|
|
'';
|
|
};
|
|
|
|
usersFile = mkOption {
|
|
type = types.path;
|
|
default = "/etc/users.oath";
|
|
description = ''
|
|
Set the path to file where the user's credentials are
|
|
stored. This file must not be world readable!
|
|
'';
|
|
};
|
|
};
|
|
|
|
};
|
|
}
|