nixos/pam: add Google Authenticator 2FA support over XRDP

(cherry picked from commit 8331187976)
2025-07-14 06:00:33 +03:00 · 2025-05-16 23:24:05 +02:00 · 2025-05-16 23:24:05 +02:00 · f0a47fd2a3
commit f0a47fd2a3
parent 7548b2f7ee
1 changed files with 19 additions and 0 deletions
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@ -249,6 +249,23 @@ let
              to provide Google Authenticator token to log in.
            '';
          };
+          allowNullOTP = lib.mkOption {
+            type = lib.types.bool;
+            default = false;
+            description = ''
+              Whether to allow login for accounts that have no OTP set
+              (i.e., accounts with no OTP configured or no existing
+              {file}`~/.google_authenticator`).
+            '';
+          };
+          forwardPass = lib.mkOption {
+            type = lib.types.bool;
+            default = false;
+            description = ''
+              The authentication provides a single field requiring
+              the user's password followed by the one-time password (OTP).
+            '';
+          };
        };

        otpwAuth = lib.mkOption {
@ -1048,6 +1065,8 @@ let
                      modulePath = "${pkgs.google-authenticator}/lib/security/pam_google_authenticator.so";
                      settings = {
                        no_increment_hotp = true;
+                        forward_pass = cfg.googleAuthenticator.forwardPass;
+                        nullok = cfg.googleAuthenticator.allowNullOTP;
                      };
                    }
                    {