pam: add yubico option

Write YubiKey token IDs in the format yubico_pam expects. See https://developers.yubico.com/yubico-pam/ for details. Also refer to the NixOS option security.pam.services.<name>.yubicoAuth. Closes #2502
2021-11-22 12:10:11 +01:00 · 2021-11-22 12:10:11 +01:00 · d8f9dcfbd3
parent 78aa7cceff
commit d8f9dcfbd3
4 changed files with 69 additions and 7 deletions
--- a/modules/misc/pam.nix
+++ b/modules/misc/pam.nix
@ -4,10 +4,10 @@ with lib;

 let

-  vars = config.pam.sessionVariables;
+  cfg = config.pam;

 in {
-  meta.maintainers = [ maintainers.rycee ];
+  meta.maintainers = with maintainers; [ rycee veehaitch ];

  options = {
    pam.sessionVariables = mkOption {
@ -26,10 +26,46 @@ in {
        therefore discouraged.
      '';
    };
+
+    pam.yubico.authorizedYubiKeys = {
+      ids = mkOption {
+        type = with types;
+          let
+            yubiKeyId = addCheck str (s: stringLength s == 12) // {
+              name = "yubiKeyId";
+              description = "string of length 12";
+            };
+          in listOf yubiKeyId;
+        default = [ ];
+        description = ''
+          List of authorized YubiKey token IDs. Refer to
+          <link xlink:href="https://developers.yubico.com/yubico-pam"/>
+          for details on how to obtain the token ID of a YubiKey.
+        '';
+      };
+
+      path = mkOption {
+        type = types.str;
+        default = ".yubico/authorized_yubikeys";
+        description = ''
+          File path to write the authorized YubiKeys,
+          relative to <envar>HOME</envar>.
+        '';
+      };
+    };
  };

-  config = mkIf (vars != { }) {
-    home.file.".pam_environment".text = concatStringsSep "\n"
-      (mapAttrsToList (n: v: ''${n} OVERRIDE="${toString v}"'') vars) + "\n";
-  };
+  config = mkMerge [
+    (mkIf (cfg.sessionVariables != { }) {
+      home.file.".pam_environment".text = concatStringsSep "\n"
+        (mapAttrsToList (n: v: ''${n} OVERRIDE="${toString v}"'')
+          cfg.sessionVariables) + "\n";
+    })
+
+    (mkIf (cfg.yubico.authorizedYubiKeys.ids != [ ]) {
+      home.file.${cfg.yubico.authorizedYubiKeys.path}.text =
+        concatStringsSep ":"
+        ([ config.home.username ] ++ cfg.yubico.authorizedYubiKeys.ids);
+    })
+  ];
 }
--- a/tests/modules/misc/pam/default.nix
+++ b/tests/modules/misc/pam/default.nix
@ -1 +1,5 @@
-{ pam-session-variables = ./session-variables.nix; }
+{
+  pam-session-variables = ./session-variables.nix;
+  pam-yubico-with-ids = ./yubico-with-ids.nix;
+  pam-yubico-no-ids = ./yubico-with-ids.nix;
+}
--- a/tests/modules/misc/pam/yubico-no-ids.nix
+++ b/tests/modules/misc/pam/yubico-no-ids.nix
@ -0,0 +1,7 @@
+{
+  config = {
+    nmt.script = ''
+      assertPathNotExists home-files/.yubico/authorized_yubikeys
+    '';
+  };
+}
--- a/tests/modules/misc/pam/yubico-with-ids.nix
+++ b/tests/modules/misc/pam/yubico-with-ids.nix
@ -0,0 +1,15 @@
+{
+  config = {
+    pam.yubico.authorizedYubiKeys.ids = [ "abcdefghijkl" "012345678912" ];
+
+    nmt.script = ''
+      assertFileExists home-files/.yubico/authorized_yubikeys
+      assertFileContent \
+        home-files/.yubico/authorized_yubikeys \
+        ${
+          builtins.toFile "yubico-with-ids-expected.txt"
+          "hm-user:abcdefghijkl:012345678912"
+        }
+    '';
+  };
+}