movefasta/nixpkgs
0
0
Fork 0
mirror of https://github.com/NixOS/nixpkgs.git synced 2025-07-13 21:50:33 +03:00
Code Activity

nixos/pam/u2f: implement RFC0042

Browse source 
This module has a lot of options, so it's a good candidate for freeform
settings.
This commit is contained in:
novenary 2023-12-22 19:02:46 +02:00
parent da06c32a5f
commit fcccfb9e48
3 changed files with 124 additions and 88 deletions
Download patch file Download diff file Expand all files Collapse all files

3
nixos/doc/manual/release-notes/rl-2411.section.md
View file

@ -197,6 +197,9 @@
The derivation now installs "impl" headers selectively instead of by a wildcard.
Use `imgui.src` if you just want to access the unpacked sources.
- `security.pam.u2f` now follows RFC42.
All module options are now settable through the freeform `.settings`.
- Cinnamon has been updated to 6.2.
- Following Mint 22 defaults, the Cinnamon module no longer ships geary and hexchat by default.
- Nemo is now built with gtk-layer-shell support, note that for now it will be expected to see nemo-desktop

75
nixos/modules/security/pam.nix
View file

@ -7,6 +7,13 @@ with lib;
let
moduleSettingsType = with types; attrsOf (nullOr (oneOf [ bool str int pathInStore ]));
moduleSettingsDescription = ''
Boolean values render just the key if true, and nothing if false.
Null values are ignored.
All other values are rendered as key-value pairs.
'';
mkRulesTypeOption = type: mkOption {
# These options are experimental and subject to breaking changes without notice.
description = ''
@ -71,12 +78,12 @@ let
'';
};
settings = mkOption {
type = with types; attrsOf (nullOr (oneOf [ bool str int pathInStore ]));
type = moduleSettingsType;
default = {};
description = ''
Settings to add as `module-arguments`.
Boolean values render just the key if true, and nothing if false. Null values are ignored. All other values are rendered as key-value pairs.
${moduleSettingsDescription}
'';
};
};
@ -660,11 +667,7 @@ let
(let p11 = config.security.pam.p11; in { name = "p11"; enable = cfg.p11Auth; control = p11.control; modulePath = "${pkgs.pam_p11}/lib/security/pam_p11.so"; args = [
"${pkgs.opensc}/lib/opensc-pkcs11.so"
]; })
(let u2f = config.security.pam.u2f; in { name = "u2f"; enable = cfg.u2fAuth; control = u2f.control; modulePath = "${pkgs.pam_u2f}/lib/security/pam_u2f.so"; settings = {
inherit (u2f) debug interactive cue origin;
authfile = u2f.authFile;
appid = u2f.appId;
}; })
(let u2f = config.security.pam.u2f; in { name = "u2f"; enable = cfg.u2fAuth; control = u2f.control; modulePath = "${pkgs.pam_u2f}/lib/security/pam_u2f.so"; inherit (u2f) settings; })
(let ussh = config.security.pam.ussh; in { name = "ussh"; enable = config.security.pam.ussh.enable && cfg.usshAuth; control = ussh.control; modulePath = "${pkgs.pam_ussh}/lib/security/pam_ussh.so"; settings = {
ca_file = ussh.caFile;
authorized_principals = ussh.authorizedPrincipals;
@ -952,6 +955,12 @@ in
imports = [
(mkRenamedOptionModule [ "security" "pam" "enableU2F" ] [ "security" "pam" "u2f" "enable" ])
(mkRenamedOptionModule [ "security" "pam" "enableSSHAgentAuth" ] [ "security" "pam" "sshAgentAuth" "enable" ])
(mkRenamedOptionModule [ "security" "pam" "u2f" "authFile" ] [ "security" "pam" "u2f" "settings" "authfile" ])
(mkRenamedOptionModule [ "security" "pam" "u2f" "appId" ] [ "security" "pam" "u2f" "settings" "appid" ])
(mkRenamedOptionModule [ "security" "pam" "u2f" "origin" ] [ "security" "pam" "u2f" "settings" "origin" ])
(mkRenamedOptionModule [ "security" "pam" "u2f" "debug" ] [ "security" "pam" "u2f" "settings" "debug" ])
(mkRenamedOptionModule [ "security" "pam" "u2f" "interactive" ] [ "security" "pam" "u2f" "settings" "interactive" ])
(mkRenamedOptionModule [ "security" "pam" "u2f" "cue" ] [ "security" "pam" "u2f" "settings" "cue" ])
];
###### interface
@ -1144,7 +1153,26 @@ in
'';
};
authFile = mkOption {
control = mkOption {
default = "sufficient";
type = types.enum [ "required" "requisite" "sufficient" "optional" ];
description = ''
This option sets pam "control".
If you want to have multi factor authentication, use "required".
If you want to use U2F device instead of regular password, use "sufficient".
Read
{manpage}`pam.conf(5)`
for better understanding of this option.
'';
};
settings = mkOption {
type = types.submodule {
freeformType = moduleSettingsType;
options = {
authfile = mkOption {
default = null;
type = with types; nullOr path;
description = ''
@ -1165,7 +1193,7 @@ in
'';
};
appId = mkOption {
appid = mkOption {
default = null;
type = with types; nullOr str;
description = ''
@ -1195,20 +1223,6 @@ in
'';
};
control = mkOption {
default = "sufficient";
type = types.enum [ "required" "requisite" "sufficient" "optional" ];
description = ''
This option sets pam "control".
If you want to have multi factor authentication, use "required".
If you want to use U2F device instead of regular password, use "sufficient".
Read
{manpage}`pam.conf(5)`
for better understanding of this option.
'';
};
debug = mkOption {
default = false;
type = types.bool;
@ -1239,6 +1253,21 @@ in
'';
};
};
};
default = { };
example = {
authfile = "/etc/u2f_keys";
authpending_file = "";
userpresence = 0;
pinverification = 1;
};
description = ''
Options to pass to the PAM module.
${moduleSettingsDescription}
'';
};
};
security.pam.ussh = {
enable = mkOption {

8
nixos/tests/pam/pam-u2f.nix
View file

@ -7,12 +7,16 @@ import ../make-test-python.nix ({ ... }:
{ ... }:
{
security.pam.u2f = {
enable = true;
control = "required";
settings = {
cue = true;
debug = true;
enable = true;
interactive = true;
origin = "nixos-test";
# Freeform option
userpresence = 1;
};
};
};
@ -20,7 +24,7 @@ import ../make-test-python.nix ({ ... }:
''
machine.wait_for_unit("multi-user.target")
machine.succeed(
'egrep "auth required .*/lib/security/pam_u2f.so.*cue.*debug.*interactive.*origin=nixos-test" /etc/pam.d/ -R'
'egrep "auth required .*/lib/security/pam_u2f.so.*cue.*debug.*interactive.*origin=nixos-test.*userpresence=1" /etc/pam.d/ -R'
)
'';
})