Diffstat (limited to 'lass/3modules')
-rw-r--r--lass/3modules/default.nix1
-rw-r--r--lass/3modules/umts.nix4
-rw-r--r--lass/3modules/usershadow.nix85
3 files changed, 86 insertions, 4 deletions
diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix
index 60370b230..6e1e20dd3 100644
--- a/lass/3modules/default.nix
+++ b/lass/3modules/default.nix
@@ -6,6 +6,7 @@ _:
./mysql-backup.nix
./umts.nix
./urxvtd.nix
+ ./usershadow.nix
./wordpress_nginx.nix
./xresources.nix
];
diff --git a/lass/3modules/umts.nix b/lass/3modules/umts.nix
index 01adc0409..7daaba89e 100644
--- a/lass/3modules/umts.nix
+++ b/lass/3modules/umts.nix
@@ -41,10 +41,6 @@ let
wvdial = nixpkgs-1509.wvdial; # https://github.com/NixOS/nixpkgs/issues/16113
- #modem-device = "/dev/serial/by-id/usb-Lenovo_F5521gw_38214921FBBBC7B0-if09";
- modem-device = "/dev/serial/by-id/usb-HUAWEI_Technologies_HUAWEI_Mobile-if00-port0";
-
- # TODO: currently it is only netzclub
umts-bin = pkgs.writeScriptBin "umts" ''
#!/bin/sh
set -euf
diff --git a/lass/3modules/usershadow.nix b/lass/3modules/usershadow.nix
new file mode 100644
index 000000000..0e7e718a4
--- /dev/null
+++ b/lass/3modules/usershadow.nix
@@ -0,0 +1,85 @@
+{ config, lib, pkgs, ... }@args: with config.krebs.lib; let
+
+ cfg = config.lass.usershadow;
+
+ out = {
+ options.lass.usershadow = api;
+ config = lib.mkIf cfg.enable imp;
+ };
+
+ api = {
+ enable = mkEnableOption "usershadow";
+ pattern = mkOption {
+ type = types.str;
+ default = "/home/%/.shadow";
+ };
+ };
+
+ imp = {
+ environment.systemPackages = [ usershadow ];
+ security.pam.services.sshd.text = ''
+ auth required pam_exec.so expose_authtok ${usershadow}/bin/verify ${cfg.pattern}
+ auth required pam_permit.so
+ account required pam_permit.so
+ session required pam_permit.so
+ '';
+
+ security.pam.services.exim.text = ''
+ auth required pam_exec.so expose_authtok ${usershadow}/bin/verify ${cfg.pattern}
+ auth required pam_permit.so
+ account required pam_permit.so
+ session required pam_permit.so
+ '';
+ };
+
+ usershadow = let {
+ deps = [
+ "pwstore-fast"
+ "bytestring"
+ ];
+ body = pkgs.writeHaskell "passwords" {
+ executables.verify = {
+ extra-depends = deps;
+ text = ''
+ import Data.Monoid
+ import System.IO
+ import Data.Char (chr)
+ import System.Environment (getEnv, getArgs)
+ import Crypto.PasswordStore (verifyPasswordWith, pbkdf2)
+ import qualified Data.ByteString.Char8 as BS8
+ import System.Exit (exitFailure, exitSuccess)
+
+ main :: IO ()
+ main = do
+ user <- getEnv "PAM_USER"
+ shadowFilePattern <- head <$> getArgs
+ let shadowFile = lhs <> user <> tail rhs
+ (lhs, rhs) = span (/= '%') shadowFilePattern
+ hash <- readFile shadowFile
+ password <- takeWhile (/= (chr 0)) <$> hGetLine stdin
+ let res = verifyPasswordWith pbkdf2 (2^) (BS8.pack password) (BS8.pack hash)
+ if res then exitSuccess else exitFailure
+ '';
+ };
+ executables.passwd = {
+ extra-depends = deps;
+ text = ''
+ import System.Environment (getEnv)
+ import Crypto.PasswordStore (makePasswordWith, pbkdf2)
+ import qualified Data.ByteString.Char8 as BS8
+ import System.IO (stdin, hSetEcho, putStr)
+
+ main :: IO ()
+ main = do
+ home <- getEnv "HOME"
+ putStr "password:"
+ hSetEcho stdin False
+ password <- BS8.hGetLine stdin
+ hash <- makePasswordWith pbkdf2 password 10
+ BS8.writeFile (home ++ "/.shadow") hash
+ '';
+ };
+ };
+ };
+
+in out
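Review bot: In the `verify` executable the login name from `PAM_USER` is spliced into the shadow path without any check (`let shadowFile = lhs <> user <> tail rhs`), so a name containing `/` or `..` makes the program read a file outside the intended `/home/<user>/.shadow`, and because this binary is wired into both the `sshd` and `exim` PAM stacks that name is supplied by the remote client. Reject such names before touching the filesystem, e.g. `when (elem '/' user || elem user ["", ".", ".."]) exitFailure` together with `import Control.Monad (when)`. Note also that `tail rhs` is partial when the configured `pattern` contains no `%` (the crash at least fails closed, since pam_exec treats a non-zero exit as failure), and that `passwd` writes `~/.shadow` with `BS8.writeFile`, whose mode depends on the caller's umask, so the stored hash is not guaranteed to be owner-readable only — set the file to 0600 after writing, or document that the tool must be run under `umask 077`. Finally, `hSetEcho stdin False` in `passwd` is never restored, so the terminal is left with echo disabled after the program exits.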