From 43ca464e37b6262516e1064408c280f9f141ab97 Mon Sep 17 00:00:00 2001 From: mlatus Date: Sat, 17 Jul 2021 14:56:55 +0800 Subject: nixos/pam: allow users to set the path to store challenge and expected responsed used by yubico_pam --- nixos/modules/security/pam.nix | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) (limited to 'nixos/modules/security/pam.nix') diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix index 5699025601f..9a6c7d17825 100644 --- a/nixos/modules/security/pam.nix +++ b/nixos/modules/security/pam.nix @@ -406,7 +406,7 @@ let ${let oath = config.security.pam.oath; in optionalString cfg.oathAuth "auth requisite ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}"} ${let yubi = config.security.pam.yubico; in optionalString cfg.yubicoAuth - "auth ${yubi.control} ${pkgs.yubico-pam}/lib/security/pam_yubico.so mode=${toString yubi.mode} ${optionalString (yubi.mode == "client") "id=${toString yubi.id}"} ${optionalString yubi.debug "debug"}"} + "auth ${yubi.control} ${pkgs.yubico-pam}/lib/security/pam_yubico.so mode=${toString yubi.mode} ${optionalString (yubi.challengeResponsePath != null) "chalresp_path=${yubi.challengeResponsePath}"} ${optionalString (yubi.mode == "client") "id=${toString yubi.id}"} ${optionalString yubi.debug "debug"}"} ${optionalString cfg.fprintAuth "auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so"} '' + @@ -822,6 +822,16 @@ in Challenge-Response configurations. See the man-page ykpamcfg(1) for further details on how to configure offline Challenge-Response validation. + More information can be found here. + ''; + }; + challengeResponsePath = mkOption { + default = null; + type = types.path; + description = '' + If not null, set the path used by yubico pam module where the challenge expected response is stored. + More information can be found here. ''; -- cgit 1.4.1
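Review bot: The new `chalresp_path=${yubi.challengeResponsePath}` fragment interpolates the option directly, while the `usersfile=${toString oath.usersFile}` argument a few lines above goes through `toString`. Because the option is declared as `types.path`, a user who passes a Nix path literal would have it copied into the Nix store on interpolation. The store is world-readable and read-only, which is a poor place for challenge and expected-response state and, as far as I know, would also stop pam_yubico from rewriting the challenge after a login. I would write `"chalresp_path=${toString yubi.challengeResponsePath}"` so the argument is always the plain absolute path. The surrounding PAM text block starts before this hunk and continues after it, so any quoting of the other arguments is not visible here.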
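Review bot: `challengeResponsePath` is declared with `default = null;` but `type = types.path;`, and `null` is not a value of that type. The PAM line in the first hunk reads the option whenever `cfg.yubicoAuth` is set, so enabling Yubico auth without setting the path will most likely fail the option type check during evaluation. The declaration should be `type = types.nullOr types.path;`. The description could also say that the path must be a persistent directory writable only by root, since it holds the expected responses, for example `The directory must not be readable or writable by unprivileged users.` The option's closing lines fall outside this hunk.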