pam: add yubico option
Write YubiKey token IDs in the format yubico_pam expects. See https://developers.yubico.com/yubico-pam/ for details. Also refer to the NixOS option security.pam.services.<name>.yubicoAuth. Closes #2502
This commit is contained in:
parent
78aa7cceff
commit
d8f9dcfbd3
@ -4,10 +4,10 @@ with lib;
|
||||||
|
|
||||||
let
|
let
|
||||||
|
|
||||||
vars = config.pam.sessionVariables;
|
cfg = config.pam;
|
||||||
|
|
||||||
in {
|
in {
|
||||||
meta.maintainers = [ maintainers.rycee ];
|
meta.maintainers = with maintainers; [ rycee veehaitch ];
|
||||||
|
|
||||||
options = {
|
options = {
|
||||||
pam.sessionVariables = mkOption {
|
pam.sessionVariables = mkOption {
|
||||||
|
@ -26,10 +26,46 @@ in {
|
||||||
therefore discouraged.
|
therefore discouraged.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
pam.yubico.authorizedYubiKeys = {
|
||||||
|
ids = mkOption {
|
||||||
|
type = with types;
|
||||||
|
let
|
||||||
|
yubiKeyId = addCheck str (s: stringLength s == 12) // {
|
||||||
|
name = "yubiKeyId";
|
||||||
|
description = "string of length 12";
|
||||||
|
};
|
||||||
|
in listOf yubiKeyId;
|
||||||
|
default = [ ];
|
||||||
|
description = ''
|
||||||
|
List of authorized YubiKey token IDs. Refer to
|
||||||
|
<link xlink:href="https://developers.yubico.com/yubico-pam"/>
|
||||||
|
for details on how to obtain the token ID of a YubiKey.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
path = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = ".yubico/authorized_yubikeys";
|
||||||
|
description = ''
|
||||||
|
File path to write the authorized YubiKeys,
|
||||||
|
relative to <envar>HOME</envar>.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = mkIf (vars != { }) {
|
config = mkMerge [
|
||||||
home.file.".pam_environment".text = concatStringsSep "\n"
|
(mkIf (cfg.sessionVariables != { }) {
|
||||||
(mapAttrsToList (n: v: ''${n} OVERRIDE="${toString v}"'') vars) + "\n";
|
home.file.".pam_environment".text = concatStringsSep "\n"
|
||||||
};
|
(mapAttrsToList (n: v: ''${n} OVERRIDE="${toString v}"'')
|
||||||
|
cfg.sessionVariables) + "\n";
|
||||||
|
})
|
||||||
|
|
||||||
|
(mkIf (cfg.yubico.authorizedYubiKeys.ids != [ ]) {
|
||||||
|
home.file.${cfg.yubico.authorizedYubiKeys.path}.text =
|
||||||
|
concatStringsSep ":"
|
||||||
|
([ config.home.username ] ++ cfg.yubico.authorizedYubiKeys.ids);
|
||||||
|
})
|
||||||
|
];
|
||||||
}
|
}
|
||||||
|
|
|
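Review bot: The `yubiKeyId` type in hunk `@ -26,10 +26,46` only checks `stringLength s == 12`, so any 12-character string is accepted, including one containing `:`, which is the separator `concatStringsSep ":"` later uses and would corrupt the `username:id:id` line pam_yubico parses. A YubiKey token ID is the 12-character modhex public ID of the OTP, so the check can be tightened to `yubiKeyId = addCheck str (s: builtins.match "[cbdefghijklnrtuv]{12}" s != null) // {` with `description = "12-character modhex string";`, rejecting typos and bad copies at evaluation time instead of installing a key that can never match. The fixtures in tests/modules/misc/pam/yubico-with-ids.nix (`"abcdefghijkl"`, `"012345678912"`) would then need modhex values, e.g. a constructed `"cccccccccccc"`. Separately, `home.file` materialises the file as a symlink into the Nix store and pam_yubico, as far as I recall, opens it through the user's home directory at login, so it is worth confirming that a store symlink is accepted there rather than rejected as a non-regular file. The module's function header lies before the first hunk.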
@ -1 +1,5 @@
|
||||||
{ pam-session-variables = ./session-variables.nix; }
|
{
|
||||||
|
pam-session-variables = ./session-variables.nix;
|
||||||
|
pam-yubico-with-ids = ./yubico-with-ids.nix;
|
||||||
|
pam-yubico-no-ids = ./yubico-with-ids.nix;
|
||||||
|
}
|
||||||
|
|
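Review bot: `pam-yubico-no-ids` points at `./yubico-with-ids.nix`, so the new tests/modules/misc/pam/yubico-no-ids.nix file added in this commit is never registered and the with-ids test simply runs twice. The entry should be `pam-yubico-no-ids = ./yubico-no-ids.nix;`. As written, the `assertPathNotExists` check for the empty `ids` case produces no signal.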
7
tests/modules/misc/pam/yubico-no-ids.nix
Normal file
7
tests/modules/misc/pam/yubico-no-ids.nix
Normal file
|
@ -0,0 +1,7 @@
|
||||||
|
{
|
||||||
|
config = {
|
||||||
|
nmt.script = ''
|
||||||
|
assertPathNotExists home-files/.yubico/authorized_yubikeys
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
}
|
15
tests/modules/misc/pam/yubico-with-ids.nix
Normal file
15
tests/modules/misc/pam/yubico-with-ids.nix
Normal file
|
@ -0,0 +1,15 @@
|
||||||
|
{
|
||||||
|
config = {
|
||||||
|
pam.yubico.authorizedYubiKeys.ids = [ "abcdefghijkl" "012345678912" ];
|
||||||
|
|
||||||
|
nmt.script = ''
|
||||||
|
assertFileExists home-files/.yubico/authorized_yubikeys
|
||||||
|
assertFileContent \
|
||||||
|
home-files/.yubico/authorized_yubikeys \
|
||||||
|
${
|
||||||
|
builtins.toFile "yubico-with-ids-expected.txt"
|
||||||
|
"hm-user:abcdefghijkl:012345678912"
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
}
|