From 5f743cbd32572a25e0df73b823cd866f1d80f01a Mon Sep 17 00:00:00 2001 From: lassulus Date: Mon, 17 Jul 2017 15:11:54 +0200 Subject: lass: init otp-ssh --- lass/1systems/mors/config.nix | 1 + lass/2configs/otp-ssh.nix | 18 ++++++++++++++++++ 2 files changed, 19 insertions(+) create mode 100644 lass/2configs/otp-ssh.nix (limited to 'lass') diff --git a/lass/1systems/mors/config.nix b/lass/1systems/mors/config.nix index b93ead6db..29dacf8dc 100644 --- a/lass/1systems/mors/config.nix +++ b/lass/1systems/mors/config.nix @@ -24,6 +24,7 @@ with import ; + { #risk of rain port krebs.iptables.tables.filter.INPUT.rules = [ diff --git a/lass/2configs/otp-ssh.nix b/lass/2configs/otp-ssh.nix new file mode 100644 index 000000000..f9984e245 --- /dev/null +++ b/lass/2configs/otp-ssh.nix @@ -0,0 +1,18 @@ +{ pkgs, ... }: +# Enables second factor for ssh password login + +## Usage: +# gen-oath-safe totp +## scan the qrcode with google authenticator (or FreeOTP) +## copy last line into secrets//users.oath (chmod 700) +{ + security.pam.oath = { + # enabling it will make it a requisite of `all` services + # enable = true; + digits = 6; + # TODO assert existing + usersFile = (toString ) + "/users.oath"; + }; + # I want TFA only active for sshd with password-auth + security.pam.services.sshd.oathAuth = true; +} -- cgit v1.2.3