summaryrefslogtreecommitdiffstats
path: root/lass
diff options
context:
space:
mode:
Diffstat (limited to 'lass')
-rw-r--r--lass/1systems/mors/config.nix1
-rw-r--r--lass/2configs/otp-ssh.nix18
2 files changed, 19 insertions, 0 deletions
diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix
index b93ead6db..29dacf8dc 100644
--- a/lass/1systems/mors/config.nix
+++ b/lass/1systems/mors/config.nix
@@ -24,6 +24,7 @@ with import <stockholm/lib>;
<stockholm/lass/2configs/ircd.nix>
<stockholm/lass/2configs/logf.nix>
<stockholm/lass/2configs/syncthing.nix>
+ <stockholm/lass/2configs/otp-ssh.nix>
{
#risk of rain port
krebs.iptables.tables.filter.INPUT.rules = [
diff --git a/lass/2configs/otp-ssh.nix b/lass/2configs/otp-ssh.nix
new file mode 100644
index 000000000..f9984e245
--- /dev/null
+++ b/lass/2configs/otp-ssh.nix
@@ -0,0 +1,18 @@
+{ pkgs, ... }:
+# Enables second factor for ssh password login
+
+## Usage:
+# gen-oath-safe <username> totp
+## scan the qrcode with google authenticator (or FreeOTP)
+## copy last line into secrets/<host>/users.oath (chmod 700)
+{
+ security.pam.oath = {
+ # enabling it will make it a requisite of `all` services
+ # enable = true;
+ digits = 6;
+ # TODO assert existing
+ usersFile = (toString <secrets>) + "/users.oath";
+ };
+ # I want TFA only active for sshd with password-auth
+ security.pam.services.sshd.oathAuth = true;
+}