summaryrefslogtreecommitdiffstats
path: root/lass/3modules/usershadow.nix
diff options
context:
space:
mode:
authorlassulus <lass@aidsballs.de>2016-09-09 09:43:00 +0200
committerlassulus <lass@aidsballs.de>2016-09-09 09:43:00 +0200
commitaaf595998e94aa5d0a46333326fcd5e327b58ae6 (patch)
tree4df80f405d8799399fe5689aa8b7813c423d9b5c /lass/3modules/usershadow.nix
parentc298a6769dbb05ecb760049836e73c55703c23ee (diff)
l 3: add usershadow
Diffstat (limited to 'lass/3modules/usershadow.nix')
-rw-r--r--lass/3modules/usershadow.nix85
1 files changed, 85 insertions, 0 deletions
diff --git a/lass/3modules/usershadow.nix b/lass/3modules/usershadow.nix
new file mode 100644
index 000000000..0e7e718a4
--- /dev/null
+++ b/lass/3modules/usershadow.nix
@@ -0,0 +1,85 @@
+{ config, lib, pkgs, ... }@args: with config.krebs.lib; let
+
+ cfg = config.lass.usershadow;
+
+ out = {
+ options.lass.usershadow = api;
+ config = lib.mkIf cfg.enable imp;
+ };
+
+ api = {
+ enable = mkEnableOption "usershadow";
+ pattern = mkOption {
+ type = types.str;
+ default = "/home/%/.shadow";
+ };
+ };
+
+ imp = {
+ environment.systemPackages = [ usershadow ];
+ security.pam.services.sshd.text = ''
+ auth required pam_exec.so expose_authtok ${usershadow}/bin/verify ${cfg.pattern}
+ auth required pam_permit.so
+ account required pam_permit.so
+ session required pam_permit.so
+ '';
+
+ security.pam.services.exim.text = ''
+ auth required pam_exec.so expose_authtok ${usershadow}/bin/verify ${cfg.pattern}
+ auth required pam_permit.so
+ account required pam_permit.so
+ session required pam_permit.so
+ '';
+ };
+
+ usershadow = let {
+ deps = [
+ "pwstore-fast"
+ "bytestring"
+ ];
+ body = pkgs.writeHaskell "passwords" {
+ executables.verify = {
+ extra-depends = deps;
+ text = ''
+ import Data.Monoid
+ import System.IO
+ import Data.Char (chr)
+ import System.Environment (getEnv, getArgs)
+ import Crypto.PasswordStore (verifyPasswordWith, pbkdf2)
+ import qualified Data.ByteString.Char8 as BS8
+ import System.Exit (exitFailure, exitSuccess)
+
+ main :: IO ()
+ main = do
+ user <- getEnv "PAM_USER"
+ shadowFilePattern <- head <$> getArgs
+ let shadowFile = lhs <> user <> tail rhs
+ (lhs, rhs) = span (/= '%') shadowFilePattern
+ hash <- readFile shadowFile
+ password <- takeWhile (/= (chr 0)) <$> hGetLine stdin
+ let res = verifyPasswordWith pbkdf2 (2^) (BS8.pack password) (BS8.pack hash)
+ if res then exitSuccess else exitFailure
+ '';
+ };
+ executables.passwd = {
+ extra-depends = deps;
+ text = ''
+ import System.Environment (getEnv)
+ import Crypto.PasswordStore (makePasswordWith, pbkdf2)
+ import qualified Data.ByteString.Char8 as BS8
+ import System.IO (stdin, hSetEcho, putStr)
+
+ main :: IO ()
+ main = do
+ home <- getEnv "HOME"
+ putStr "password:"
+ hSetEcho stdin False
+ password <- BS8.hGetLine stdin
+ hash <- makePasswordWith pbkdf2 password 10
+ BS8.writeFile (home ++ "/.shadow") hash
+ '';
+ };
+ };
+ };
+
+in out