author | nin <nineinchnade@gmail.com> | 2017-07-06 20:36:05 +0200 |
---|---|---|
committer | nin <nineinchnade@gmail.com> | 2017-07-06 20:36:05 +0200 |
commit | de8baa21bf122242c4ad6a4c17405259037149c8 (patch) | |
tree | 85e34f8040799313fa73a23eddb41ab5eec1d9e9 /makefu/2configs/sshd-totp.nix | |
parent | 060ae725c32e6490d47bc3153de076ace26b59fd (diff) | |
parent | 438fdd2bd8e363567f544966e49d00f728921301 (diff) |
Merge branch 'master' of prism:stockholm
Diffstat (limited to 'makefu/2configs/sshd-totp.nix')
-rw-r--r-- | makefu/2configs/sshd-totp.nix | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/makefu/2configs/sshd-totp.nix b/makefu/2configs/sshd-totp.nix
new file mode 100644
index 000000000..f9984e245
--- /dev/null
+++ b/makefu/2configs/sshd-totp.nix
@@ -0,0 +1,18 @@
+{ pkgs, ... }:
+# Enables second factor for ssh password login
+
+## Usage:
+# gen-oath-safe <username> totp
+## scan the qrcode with google authenticator (or FreeOTP)
+## copy last line into secrets/<host>/users.oath (chmod 700)
+{
+ security.pam.oath = {
+ # enabling it will make it a requisite of `all` services
+ # enable = true;
+ digits = 6;
+ # TODO assert existing
+ usersFile = (toString <secrets>) + "/users.oath";
+ };
+ # I want TFA only active for sshd with password-auth
+ security.pam.services.sshd.oathAuth = true;
+}
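Review bot: The `(chmod 700)` hint in the usage comment is looser than the seed file needs; users.oath holds the per-user TOTP secrets and is read by root only, so `## copy last line into secrets/<host>/users.oath (chmod 600, owner root)` states the intent without the stray execute bit (if 700 was meant for the directory, the comment should say so). Using `toString <secrets>` keeps the file out of the world-readable Nix store, which is the right choice, but pam_oath also rewrites the users file after each successful login to record the last OTP accepted, so the resolved path must be on writable storage at runtime or replay protection silently degrades; the `# TODO assert existing` line is the place to note that. Because `<secrets>` is resolved from NIX_PATH on the evaluating host, an assertion such as `assert builtins.pathExists (toString <secrets> + "/users.oath");` would fail evaluation early instead of deploying a host whose password login cannot complete, provided the secrets tree is present when the configuration is evaluated. `pkgs` is bound in the module arguments but never used.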