author | Bobby Rong <rjl931189261@126.com> | 2022-11-07 19:54:57 +0800 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-11-07 19:54:57 +0800 |
commit | 03e68946a043010495b2891b051c04d9282f16c5 (patch) | |
tree | 1a1559008c9d73ed62b5b8b81fde25fe310b928c /nixos/modules/security | |
parent | 590a40e13423cf7f575fc140a54cebeaff9819cd (diff) | |
parent | ab0ae8f5e11bacdf249c27c49f1fe30a3bf8b77f (diff) |
Merge pull request #186628 from ocfox/pam_faildelay
nixos/pam: add option failDelay
Diffstat (limited to 'nixos/modules/security')
-rw-r--r-- | nixos/modules/security/pam.nix | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index dc145d8585154..412c5a433601d 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -392,6 +392,24 @@ let ''; }; + failDelay = { + enable = mkOption { + type = types.bool; + default = false; + description = lib.mdDoc '' + If enabled, this will replace the `FAIL_DELAY` setting from `login.defs`. + Change the delay on failure per-application. + ''; + }; + + delay = mkOption { + default = 3000000; + type = types.int; + example = 1000000; + description = lib.mdDoc "The delay time (in microseconds) on failure."; + }; + }; + gnupg = { enable = mkOption { type = types.bool; @@ -531,6 +549,7 @@ let || cfg.enableGnomeKeyring || cfg.googleAuthenticator.enable || cfg.gnupg.enable + || cfg.failDelay.enable || cfg.duoSecurity.enable)) ( '' @@ -551,6 +570,9 @@ let optionalString cfg.gnupg.enable '' auth optional ${pkgs.pam_gnupg}/lib/security/pam_gnupg.so ${optionalString cfg.gnupg.storeOnly " store-only"} '' + + optionalString cfg.failDelay.enable '' + auth optional ${pkgs.pam}/lib/security/pam_faildelay.so delay=${toString cfg.failDelay.delay} + '' + optionalString cfg.googleAuthenticator.enable '' auth required ${pkgs.google-authenticator}/lib/security/pam_google_authenticator.so no_increment_hotp '' + |
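Review bot: `delay` in the new `failDelay` option set is declared as `types.int`, so a negative value passes evaluation and is written verbatim into the PAM rule added in the last hunk through `delay=${toString cfg.failDelay.delay}`. An unsigned type would reject that at build time: `type = types.ints.unsigned;`. The description could also state the security trade-off, for example `The delay time (in microseconds) on failure; smaller values weaken throttling of repeated failed logins.`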
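Review bot: The `pam_faildelay.so` rule is emitted only inside the block whose guard gains `|| cfg.failDelay.enable`, and both the start of that guard and the start of the guarded body lie outside these hunks. If the guard has further conjuncts or the block emits other `auth` rules, enabling `failDelay` on its own would either produce no rule or change the auth stack beyond adding a delay; this needs checking against the full file. The rule is also appended after the earlier entries of the concatenation, so a module that ends the stack before it is reached would presumably leave the delay unset. A comment above `optionalString cfg.failDelay.enable` such as `# keep before any module that can terminate the auth stack, otherwise the delay is never set` would record that ordering requirement.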