2 files changed, 86 insertions, 0 deletions

diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix
index 60370b230..6e1e20dd3 100644
--- a/lass/3modules/default.nix
+++ b/lass/3modules/default.nix
@@ -6,6 +6,7 @@ _:
     ./mysql-backup.nix
     ./umts.nix
     ./urxvtd.nix
+    ./usershadow.nix
     ./wordpress_nginx.nix
     ./xresources.nix
   ];
diff --git a/lass/3modules/usershadow.nix b/lass/3modules/usershadow.nix
new file mode 100644
index 000000000..0e7e718a4
--- /dev/null
+++ b/lass/3modules/usershadow.nix
@@ -0,0 +1,85 @@
+{ config, lib, pkgs, ... }@args: with config.krebs.lib; let
+
+  cfg = config.lass.usershadow;
+
+  out = {
+    options.lass.usershadow = api;
+    config = lib.mkIf cfg.enable imp;
+  };
+
+  api = {
+    enable = mkEnableOption "usershadow";
+    pattern = mkOption {
+      type = types.str;
+      default = "/home/%/.shadow";
+    };
+  };
+
+  imp = {
+    environment.systemPackages = [ usershadow ];
+    security.pam.services.sshd.text = ''
+      auth required pam_exec.so expose_authtok ${usershadow}/bin/verify ${cfg.pattern}
+      auth required pam_permit.so
+      account required pam_permit.so
+      session required pam_permit.so
+    '';
+
+    security.pam.services.exim.text = ''
+      auth required pam_exec.so expose_authtok ${usershadow}/bin/verify ${cfg.pattern}
+      auth required pam_permit.so
+      account required pam_permit.so
+      session required pam_permit.so
+    '';
+  };
+
+  usershadow = let {
+    deps = [
+      "pwstore-fast"
+      "bytestring"
+    ];
+    body = pkgs.writeHaskell "passwords" {
+      executables.verify = {
+        extra-depends = deps;
+        text = ''
+          import Data.Monoid
+          import System.IO
+          import Data.Char (chr)
+          import System.Environment (getEnv, getArgs)
+          import Crypto.PasswordStore (verifyPasswordWith, pbkdf2)
+          import qualified Data.ByteString.Char8 as BS8
+          import System.Exit (exitFailure, exitSuccess)
+
+          main :: IO ()
+          main = do
+            user <- getEnv "PAM_USER"
+            shadowFilePattern <- head <$> getArgs
+            let shadowFile = lhs <> user <> tail rhs
+                (lhs, rhs) = span (/= '%') shadowFilePattern
+            hash <- readFile shadowFile
+            password <- takeWhile (/= (chr 0)) <$> hGetLine stdin
+            let res = verifyPasswordWith pbkdf2 (2^) (BS8.pack password) (BS8.pack hash)
+            if res then exitSuccess else exitFailure
+        '';
+      };
+      executables.passwd = {
+        extra-depends = deps;
+        text = ''
+          import System.Environment (getEnv)
+          import Crypto.PasswordStore (makePasswordWith, pbkdf2)
+          import qualified Data.ByteString.Char8 as BS8
+          import System.IO (stdin, hSetEcho, putStr)
+
+          main :: IO ()
+          main = do
+            home <- getEnv "HOME"
+            putStr "password:"
+            hSetEcho stdin False
+            password <- BS8.hGetLine stdin
+            hash <- makePasswordWith pbkdf2 password 10
+            BS8.writeFile (home ++ "/.shadow") hash
+        '';
+      };
+    };
+  };
+
+in out