diff options
author | Florian Klink <flokli@flokli.de> | 2018-12-12 13:53:51 +0100 |
---|---|---|
committer | Florian Klink <flokli@flokli.de> | 2018-12-21 17:52:37 +0100 |
commit | be5ad774bff3e8fe21010d606776672ae7b6ee55 (patch) | |
tree | c6187c2ec603852e29d9e0106a1008718d0aef8c /nixos | |
parent | fb41136208d24985df8c39cd69c491d5cb22bfe9 (diff) |
security.pam.services.<name?>.: add googleOsLogin(AccountVerification|Authentication)
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/security/pam.nix | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index 812a71c68a309..b1a0eff98c207 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -77,6 +77,30 @@ let ''; }; + googleOsLoginAccountVerification = mkOption { + default = false; + type = types.bool; + description = '' + If set, will use the Google OS Login PAM modules + (<literal>pam_oslogin_login</literal>, + <literal>pam_oslogin_admin</literal>) to verify possible OS Login + users and set sudoers configuration accordingly. + This only makes sense to enable for the <literal>sshd</literal> PAM + service. + ''; + }; + + googleOsLoginAuthentication = mkOption { + default = false; + type = types.bool; + description = '' + If set, will use the <literal>pam_oslogin_login</literal>'s user + authentication methods to authenticate users using 2FA. + This only makes sense to enable for the <literal>sshd</literal> PAM + service. + ''; + }; + fprintAuth = mkOption { default = config.services.fprintd.enable; type = types.bool; @@ -278,8 +302,14 @@ let "account [default=bad success=ok user_unknown=ignore] ${pkgs.sssd}/lib/security/pam_sss.so"} ${optionalString config.krb5.enable "account sufficient ${pam_krb5}/lib/security/pam_krb5.so"} + ${optionalString cfg.googleOsLoginAccountVerification '' + account [success=ok ignore=ignore default=die] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so + account [success=ok default=ignore] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_admin.so + ''} # Authentication management. + ${optionalString cfg.googleOsLoginAuthentication + "auth [success=done perm_denied=bad default=ignore] ${pkgs.google-compute-engine-oslogin}/lib/pam_oslogin_login.so"} ${optionalString cfg.rootOK "auth sufficient pam_rootok.so"} ${optionalString cfg.requireWheel |