From 7cd2ff2679b688e8fa0c98bc9ecf1d99602c0421 Mon Sep 17 00:00:00 2001 From: makefu Date: Fri, 30 Jun 2017 23:49:05 +0200 Subject: ma 2fa: init and enable for gum --- makefu/1systems/gum.nix | 3 +++ makefu/2configs/sshd-totp.nix | 18 ++++++++++++++++++ 2 files changed, 21 insertions(+) create mode 100644 makefu/2configs/sshd-totp.nix diff --git a/makefu/1systems/gum.nix b/makefu/1systems/gum.nix index 519313f57..6e57d1404 100644 --- a/makefu/1systems/gum.nix +++ b/makefu/1systems/gum.nix @@ -26,6 +26,9 @@ in { ../2configs/tinc/retiolum.nix ../2configs/urlwatch.nix + # Security + ../2configs/sshd-totp.nix + # Tools ../2configs/tools/core.nix ../2configs/tools/dev.nix diff --git a/makefu/2configs/sshd-totp.nix b/makefu/2configs/sshd-totp.nix new file mode 100644 index 000000000..f9984e245 --- /dev/null +++ b/makefu/2configs/sshd-totp.nix @@ -0,0 +1,18 @@ +{ pkgs, ... }: +# Enables second factor for ssh password login + +## Usage: +# gen-oath-safe totp +## scan the qrcode with google authenticator (or FreeOTP) +## copy last line into secrets//users.oath (chmod 700) +{ + security.pam.oath = { + # enabling it will make it a requisite of `all` services + # enable = true; + digits = 6; + # TODO assert existing + usersFile = (toString ) + "/users.oath"; + }; + # I want TFA only active for sshd with password-auth + security.pam.services.sshd.oathAuth = true; +} -- cgit v1.2.3