summaryrefslogtreecommitdiffstats
path: root/makefu/2configs/sshd-totp.nix
diff options
context:
space:
mode:
authormakefu <github@syntax-fehler.de>2017-06-30 23:49:05 +0200
committermakefu <github@syntax-fehler.de>2017-06-30 23:49:05 +0200
commit7cd2ff2679b688e8fa0c98bc9ecf1d99602c0421 (patch)
treeed545eb1c08d53bad29fa08ea66369494d3c1f1e /makefu/2configs/sshd-totp.nix
parentd9cc50653d0c7998052284cfb66b2229e0ce849b (diff)
ma 2fa: init and enable for gum
Diffstat (limited to 'makefu/2configs/sshd-totp.nix')
-rw-r--r--makefu/2configs/sshd-totp.nix18
1 files changed, 18 insertions, 0 deletions
diff --git a/makefu/2configs/sshd-totp.nix b/makefu/2configs/sshd-totp.nix
new file mode 100644
index 000000000..f9984e245
--- /dev/null
+++ b/makefu/2configs/sshd-totp.nix
@@ -0,0 +1,18 @@
+{ pkgs, ... }:
+# Enables second factor for ssh password login
+
+## Usage:
+# gen-oath-safe <username> totp
+## scan the qrcode with google authenticator (or FreeOTP)
+## copy last line into secrets/<host>/users.oath (chmod 700)
+{
+ security.pam.oath = {
+ # enabling it will make it a requisite of `all` services
+ # enable = true;
+ digits = 6;
+ # TODO assert existing
+ usersFile = (toString <secrets>) + "/users.oath";
+ };
+ # I want TFA only active for sshd with password-auth
+ security.pam.services.sshd.oathAuth = true;
+}