diff options
-rw-r--r-- | lass/1systems/mors/config.nix | 1 | ||||
-rw-r--r-- | lass/2configs/otp-ssh.nix | 18 |
2 files changed, 19 insertions, 0 deletions
diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix index b93ead6db..29dacf8dc 100644 --- a/lass/1systems/mors/config.nix +++ b/lass/1systems/mors/config.nix @@ -24,6 +24,7 @@ with import <stockholm/lib>; <stockholm/lass/2configs/ircd.nix> <stockholm/lass/2configs/logf.nix> <stockholm/lass/2configs/syncthing.nix> + <stockholm/lass/2configs/otp-ssh.nix> { #risk of rain port krebs.iptables.tables.filter.INPUT.rules = [ diff --git a/lass/2configs/otp-ssh.nix b/lass/2configs/otp-ssh.nix new file mode 100644 index 000000000..f9984e245 --- /dev/null +++ b/lass/2configs/otp-ssh.nix @@ -0,0 +1,18 @@ +{ pkgs, ... }: +# Enables second factor for ssh password login + +## Usage: +# gen-oath-safe <username> totp +## scan the qrcode with google authenticator (or FreeOTP) +## copy last line into secrets/<host>/users.oath (chmod 700) +{ + security.pam.oath = { + # enabling it will make it a requisite of `all` services + # enable = true; + digits = 6; + # TODO assert existing + usersFile = (toString <secrets>) + "/users.oath"; + }; + # I want TFA only active for sshd with password-auth + security.pam.services.sshd.oathAuth = true; +} |