movefasta/nixpkgs
0
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-07-13 21:50:33 +03:00
Code Activity

Merge pull request #67748 from typetetris/yubico-local-auth

Browse source 
Yubico local auth
This commit is contained in:
Jörg Thalheim 2019-09-24 03:31:39 +01:00 committed by GitHub
commit c5bc77d151
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 21 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

19
nixos/modules/security/pam.nix
View file

@ -351,7 +351,7 @@ let
${let oath = config.security.pam.oath; in optionalString cfg.oathAuth ${let oath = config.security.pam.oath; in optionalString cfg.oathAuth
"auth requisite ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}"} "auth requisite ${pkgs.oathToolkit}/lib/security/pam_oath.so window=${toString oath.window} usersfile=${toString oath.usersFile} digits=${toString oath.digits}"}
${let yubi = config.security.pam.yubico; in optionalString cfg.yubicoAuth ${let yubi = config.security.pam.yubico; in optionalString cfg.yubicoAuth
"auth ${yubi.control} ${pkgs.yubico-pam}/lib/security/pam_yubico.so id=${toString yubi.id} ${optionalString yubi.debug "debug"}"} "auth ${yubi.control} ${pkgs.yubico-pam}/lib/security/pam_yubico.so mode=${toString yubi.mode} ${optionalString (yubi.mode == "client") "id=${toString yubi.id}"} ${optionalString yubi.debug "debug"}"}
'' + '' +
# Modules in this block require having the password set in PAM_AUTHTOK. # Modules in this block require having the password set in PAM_AUTHTOK.
# pam_unix is marked as 'sufficient' on NixOS which means nothing will run # pam_unix is marked as 'sufficient' on NixOS which means nothing will run
@ -696,6 +696,23 @@ in
Debug output to stderr. Debug output to stderr.
''; '';
}; };
mode = mkOption {
default = "client";
type = types.enum [ "client" "challenge-response" ];
description = ''
Mode of operation.
Use "client" for online validation with a YubiKey validation service such as
the YubiCloud.
Use "challenge-response" for offline validation using YubiKeys with HMAC-SHA-1
Challenge-Response configurations. See the man-page ykpamcfg(1) for further
details on how to configure offline Challenge-Response validation.
More information can be found <link
xlink:href="https://developers.yubico.com/yubico-pam/Authentication_Using_Challenge-Response.html">here</link>.
'';
};
}; };
security.pam.enableEcryptfs = mkOption { security.pam.enableEcryptfs = mkOption {

6
pkgs/development/libraries/yubico-pam/default.nix
View file

@ -4,12 +4,12 @@
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
pname = "yubico-pam"; pname = "yubico-pam";
version = "unstable-2019-03-19"; version = "unstable-2019-07-01";
src = fetchFromGitHub { src = fetchFromGitHub {
owner = "Yubico"; owner = "Yubico";
repo = pname; repo = pname;
rev = "1c6fa66825e77b3ad8df46513d0125bed9bde704"; rev = "b5bd00db81e0e0e0ecced65c684080bb56ddc35b";
sha256 = "1g41wdwa1wbp391w1crbis4hwz60m3y06rd6j59m003zx40sk9s4"; sha256 = "10dq8dqi3jldllj6p8r9hldx9sank9n82c44w8akxrs1vli6nj3m";
}; };
nativeBuildInputs = [ autoreconfHook pkgconfig asciidoc libxslt docbook_xsl ]; nativeBuildInputs = [ autoreconfHook pkgconfig asciidoc libxslt docbook_xsl ];