author | Arian van Putten <arian.vanputten@gmail.com> | 2022-07-16 10:56:26 +0200 |
committer | GitHub <noreply@github.com> | 2022-07-16 10:56:26 +0200 |
commit | 55bd7706622c05ca3f535e5b972b6605536bb4af (patch) | |
tree | ea06323192c4a89863f647d0db90fe39949adadc | |
parent | 385a38d1f6623797ba912c1e3d0dcfd2f965c09b (diff) | |
parent | 327d99c0caceb3e6fed76347c53d9ff8c667bc59 (diff) |
Merge pull request #167514 from shimunn/pam_u2f_module
nixos/security/pam: added `origin` option to pamu2f
-rw-r--r-- | nixos/modules/security/pam.nix | 21 | ||||
-rw-r--r-- | nixos/tests/pam/pam-u2f.nix | 3 |
2 files changed, 22 insertions, 2 deletions
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index 23d1344a57ac5..ce18af9fbc951 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -483,7 +483,8 @@ let
 auth ${p11.control} ${pkgs.pam_p11}/lib/security/pam_p11.so ${pkgs.opensc}/lib/opensc-pkcs11.so
 '') +
 (let u2f = config.security.pam.u2f; in optionalString cfg.u2fAuth ''
- auth ${u2f.control} ${pkgs.pam_u2f}/lib/security/pam_u2f.so ${optionalString u2f.debug "debug"} ${optionalString (u2f.authFile != null) "authfile=${u2f.authFile}"} ${optionalString u2f.interactive "interactive"} ${optionalString u2f.cue "cue"} ${optionalString (u2f.appId != null) "appid=${u2f.appId}"}
+ auth ${u2f.control} ${pkgs.pam_u2f}/lib/security/pam_u2f.so ${optionalString u2f.debug "debug"} ${optionalString (u2f.authFile != null) "authfile=${u2f.authFile}"} '' +
+ ''${optionalString u2f.interactive "interactive"} ${optionalString u2f.cue "cue"} ${optionalString (u2f.appId != null) "appid=${u2f.appId}"} ${optionalString (u2f.origin != null) "origin=${u2f.origin}"}
 '') +
 optionalString cfg.usbAuth ''
 auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so
@@ -895,6 +896,24 @@ in
 '';
 };
+ origin = mkOption {
+ default = null;
+ type = with types; nullOr str;
+ description = ''
+ By default <literal>pam-u2f</literal> module sets the origin
+ to <literal>pam://$HOSTNAME</literal>.
+ Setting origin to an host independent value will allow you to
+ reuse credentials across machines
+ When using <command>pamu2fcfg</command>, you can specify your
+ application ID with the <literal>-o</literal> flag.
+ More information can be found <link
+ xlink:href="https://developers.yubico.com/pam-u2f/Manuals/pam_u2f.8.html">
+ here</link>
+ '';
+ };
 control = mkOption {
 default = "sufficient";
 type = types.enum [ "required" "requisite" "sufficient" "optional" ];
diff --git a/nixos/tests/pam/pam-u2f.nix b/nixos/tests/pam/pam-u2f.nix
index d7c540982cfa0..07408dea797e4 100644
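Review bot: The new `origin=${u2f.origin}` argument in the first hunk is spliced into a whitespace-separated pam_u2f argument list while the option in the second hunk is declared as `type = with types; nullOr str;`, so a value containing a space or newline would be split into extra module arguments (or start a new PAM line) rather than fail evaluation; constraining it, e.g. `type = with types; nullOr (strMatching "[^[:space:]]+");`, rejects such values at build time. The description should also say that the configured origin has to match the one the keys were registered with, since credentials enrolled under the default `pam://$HOSTNAME` are not expected to verify against a different origin — the current text only mentions reuse across machines. Its sentence "you can specify your application ID with the -o flag" appears to describe the wrong parameter: in pamu2fcfg `-o` sets the origin and the application ID has a separate flag, so it should read "you can specify the matching origin with the `-o` flag" (worth confirming against the pamu2fcfg manual). Minor wording: "an host independent" → "a host-independent", and that sentence lacks a terminating period. Both hunks sit inside definitions that begin and end outside the hunk.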
--- a/nixos/tests/pam/pam-u2f.nix
+++ b/nixos/tests/pam/pam-u2f.nix
@@ -12,6 +12,7 @@ import ../make-test-python.nix ({ ... }:
 debug = true;
 enable = true;
 interactive = true;
+ origin = "nixos-test";
 };
 };
@@ -19,7 +20,7 @@ import ../make-test-python.nix ({ ... }:
 ''
 machine.wait_for_unit("multi-user.target")
 machine.succeed(
- 'egrep "auth required .*/lib/security/pam_u2f.so.*debug.*interactive.*cue" /etc/pam.d/ -R'
+ 'egrep "auth required .*/lib/security/pam_u2f.so.*debug.*interactive.*cue.*origin=nixos-test" /etc/pam.d/ -R'
 )
 '';
 }) |