diff options
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/release-notes/rl-1903.xml | 17 | ||||
-rw-r--r-- | nixos/modules/security/duosec.nix | 19 | ||||
-rw-r--r-- | nixos/modules/security/pam.nix | 21 |
3 files changed, 43 insertions, 14 deletions
diff --git a/nixos/doc/manual/release-notes/rl-1903.xml b/nixos/doc/manual/release-notes/rl-1903.xml index a8e4807f238..0a5fe858f07 100644 --- a/nixos/doc/manual/release-notes/rl-1903.xml +++ b/nixos/doc/manual/release-notes/rl-1903.xml @@ -106,6 +106,23 @@ </para> </listitem> </itemizedlist> + + <itemizedlist> + <listitem> + <para> + <literal>./security/duosec.nix</literal> + </para> + </listitem> + <listitem> + <para> + The <link xlink:href="https://duo.com/docs/duounix">PAM module for Duo + Security</link> has been enabled for use. One can configure it using + the <option>security.duosec</option> options along with the + corresponding PAM option in + <option>security.pam.services.<name?>.duoSecurity.enable</option>. + </para> + </listitem> + </itemizedlist> </section> <section xmlns="http://docbook.org/ns/docbook" diff --git a/nixos/modules/security/duosec.nix b/nixos/modules/security/duosec.nix index df6108dede7..14bf118f2d8 100644 --- a/nixos/modules/security/duosec.nix +++ b/nixos/modules/security/duosec.nix @@ -7,7 +7,7 @@ let boolToStr = b: if b then "yes" else "no"; - configFile = '' + configFilePam = '' [duo] ikey=${cfg.ikey} skey=${cfg.skey} @@ -16,21 +16,24 @@ let failmode=${cfg.failmode} pushinfo=${boolToStr cfg.pushinfo} autopush=${boolToStr cfg.autopush} - motd=${boolToStr cfg.motd} prompts=${toString cfg.prompts} - accept_env_factor=${boolToStr cfg.acceptEnvFactor} fallback_local_ip=${boolToStr cfg.fallbackLocalIP} ''; + configFileLogin = configFilePam + '' + motd=${boolToStr cfg.motd} + accept_env_factor=${boolToStr cfg.acceptEnvFactor} + ''; + loginCfgFile = optional cfg.ssh.enable - { source = pkgs.writeText "login_duo.conf" configFile; + { source = pkgs.writeText "login_duo.conf" configFileLogin; mode = "0600"; user = "sshd"; target = "duo/login_duo.conf"; }; pamCfgFile = optional cfg.pam.enable - { source = pkgs.writeText "pam_duo.conf" configFile; + { source = pkgs.writeText "pam_duo.conf" configFilePam; mode = "0600"; user = "sshd"; target = "duo/pam_duo.conf"; @@ -180,12 +183,6 @@ in }; config = mkIf (cfg.ssh.enable || cfg.pam.enable) { - assertions = - [ { assertion = !cfg.pam.enable; - message = "PAM support is currently not implemented."; - } - ]; - environment.systemPackages = [ pkgs.duo-unix ]; security.wrappers.login_duo.source = "${pkgs.duo-unix.out}/bin/login_duo"; diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index 206b529ed68..03d2f899f2a 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -131,6 +131,18 @@ let ''; }; + duoSecurity = { + enable = mkOption { + default = false; + type = types.bool; + description = '' + If set, use the Duo Security pam module + <literal>pam_duo</literal> for authentication. Requires + configuration of <option>security.duosec</option> options. + ''; + }; + }; + startSession = mkOption { default = false; type = types.bool; @@ -340,7 +352,8 @@ let || cfg.pamMount || cfg.enableKwallet || cfg.enableGnomeKeyring - || cfg.googleAuthenticator.enable)) '' + || cfg.googleAuthenticator.enable + || cfg.duoSecurity.enable)) '' auth required pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth ${optionalString config.security.pam.enableEcryptfs "auth optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so unwrap"} @@ -350,9 +363,11 @@ let ("auth optional ${pkgs.plasma5.kwallet-pam}/lib/security/pam_kwallet5.so" + " kwalletd=${pkgs.libsForQt5.kwallet.bin}/bin/kwalletd5")} ${optionalString cfg.enableGnomeKeyring - ("auth optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so")} + "auth optional ${pkgs.gnome3.gnome-keyring}/lib/security/pam_gnome_keyring.so"} ${optionalString cfg.googleAuthenticator.enable - "auth required ${pkgs.googleAuthenticator}/lib/security/pam_google_authenticator.so no_increment_hotp"} + "auth required ${pkgs.googleAuthenticator}/lib/security/pam_google_authenticator.so no_increment_hotp"} + ${optionalString cfg.duoSecurity.enable + "auth required ${pkgs.duo-unix}/lib/security/pam_duo.so"} '') + '' ${optionalString cfg.unixAuth "auth sufficient pam_unix.so ${optionalString cfg.allowNullPassword "nullok"} likeauth try_first_pass"} |