stockholm/lass/3modules/usershadow.nix

{ config, lib, pkgs, ... }@args: with import <stockholm/lib>; let

  cfg = config.lass.usershadow;

  out = {
    options.lass.usershadow = api;
    config = lib.mkIf cfg.enable imp;
  };

  api = {
    enable = mkEnableOption "usershadow";
    pattern = mkOption {
      type = types.str;
      default = "/home/%/.shadow";
    };
    path = mkOption {
      type = types.str;
    };
  };

  imp = {
    environment.systemPackages = [ usershadow ];
    lass.usershadow.path = "${usershadow}";
    security.pam.services.sshd.text = ''
      account required pam_permit.so
      auth required pam_env.so envfile=${config.system.build.pamEnvironment}
      auth sufficient pam_exec.so quiet expose_authtok ${usershadow}/bin/verify_pam ${cfg.pattern}
      auth sufficient pam_unix.so likeauth try_first_pass
      session required pam_env.so envfile=${config.system.build.pamEnvironment}
      session required pam_permit.so
      session required pam_loginuid.so
    '';

    security.pam.services.dovecot2.text = ''
      auth required pam_exec.so expose_authtok ${usershadow}/bin/verify_pam ${cfg.pattern}
      auth required pam_permit.so
      account required pam_permit.so
      session required pam_permit.so
      session required pam_env.so envfile=${config.system.build.pamEnvironment}
    '';
  };

  usershadow = let {
    deps = [
      "pwstore-fast"
      "bytestring"
    ];
    body = pkgs.writeHaskellPackage "passwords" {
      executables.verify_pam = {
        extra-depends = deps;
        text = ''
          import Data.Monoid
          import System.IO
          import Data.Char (chr)
          import System.Environment (getEnv, getArgs)
          import Crypto.PasswordStore (verifyPasswordWith, pbkdf2)
          import qualified Data.ByteString.Char8 as BS8
          import System.Exit (exitFailure, exitSuccess)

          main :: IO ()
          main = do
            user <- getEnv "PAM_USER"
            shadowFilePattern <- head <$> getArgs
            let shadowFile = lhs <> user <> tail rhs
                (lhs, rhs) = span (/= '%') shadowFilePattern
            hash <- readFile shadowFile
            password <- takeWhile (/= (chr 0)) <$> hGetLine stdin
            let res = verifyPasswordWith pbkdf2 (2^) (BS8.pack password) (BS8.pack hash)
            if res then exitSuccess else exitFailure
        '';
      };
      executables.verify_arg = {
        extra-depends = deps;
        text = ''
          import Data.Monoid
          import System.Environment (getArgs)
          import Crypto.PasswordStore (verifyPasswordWith, pbkdf2)
          import qualified Data.ByteString.Char8 as BS8
          import System.Exit (exitFailure, exitSuccess)

          main :: IO ()
          main = do
            argsList <- getArgs
            let shadowFilePattern = argsList !! 0
            let user = argsList !! 1
            let password = argsList !! 2
            let shadowFile = lhs <> user <> tail rhs
                (lhs, rhs) = span (/= '%') shadowFilePattern
            hash <- readFile shadowFile
            let res = verifyPasswordWith pbkdf2 (2^) (BS8.pack password) (BS8.pack hash)
            if res then do (putStr "yes") else exitFailure
        '';
      };
      executables.passwd = {
        extra-depends = deps;
        text = ''
          import System.Environment (getEnv)
          import Crypto.PasswordStore (makePasswordWith, pbkdf2)
          import qualified Data.ByteString.Char8 as BS8
          import System.IO (stdin, stdout, hSetEcho, hFlush, putStr, putStrLn)
          import Control.Exception (bracket_)

          main :: IO ()
          main = do
            home <- getEnv "HOME"
            mb_password <- bracket_ (hSetEcho stdin False) (hSetEcho stdin True) $ do
              putStr "Enter new UNIX password: "
              hFlush stdout
              password <- BS8.hGetLine stdin
              putStrLn ""
              putStr "Retype new UNIX password: "
              hFlush stdout
              password2 <- BS8.hGetLine stdin
              return $ if password == password2
                then Just password
                else Nothing
            case mb_password of
              Just password -> do
                hash <- makePasswordWith pbkdf2 password 10
                BS8.writeFile (home ++ "/.shadow") hash
                putStrLn "passwd: all authentication tokens updated successfully."
              Nothing -> putStrLn "Sorry, passwords do not match"
        '';
      };
    };
  };

in out
drop config.krebs.lib 2016-10-20 18:54:38 +00:00			`{ config, lib, pkgs, ... }@args: with import <stockholm/lib>; let`
l 3: add usershadow 2016-09-09 07:43:00 +00:00
			`cfg = config.lass.usershadow;`

			`out = {`
			`options.lass.usershadow = api;`
			`config = lib.mkIf cfg.enable imp;`
			`};`

			`api = {`
			`enable = mkEnableOption "usershadow";`
			`pattern = mkOption {`
			`type = types.str;`
			`default = "/home/%/.shadow";`
			`};`
l 3 usershadow: more validators, expose path 2016-10-27 11:29:03 +00:00			`path = mkOption {`
			`type = types.str;`
			`};`
l 3: add usershadow 2016-09-09 07:43:00 +00:00			`};`

			`imp = {`
			`environment.systemPackages = [ usershadow ];`
l 3 usershadow: more validators, expose path 2016-10-27 11:29:03 +00:00			`lass.usershadow.path = "${usershadow}";`
l 3: add usershadow 2016-09-09 07:43:00 +00:00			`security.pam.services.sshd.text = ''`
			`account required pam_permit.so`
l 3 usershadow: user passwd passwords for sshd 2017-01-22 16:48:27 +00:00			`auth required pam_env.so envfile=${config.system.build.pamEnvironment}`
			`auth sufficient pam_exec.so quiet expose_authtok ${usershadow}/bin/verify_pam ${cfg.pattern}`
			`auth sufficient pam_unix.so likeauth try_first_pass`
			`session required pam_env.so envfile=${config.system.build.pamEnvironment}`
l 3: add usershadow 2016-09-09 07:43:00 +00:00			`session required pam_permit.so`
l 3 usershadow: user passwd passwords for sshd 2017-01-22 16:48:27 +00:00			`session required pam_loginuid.so`
l 3: add usershadow 2016-09-09 07:43:00 +00:00			`'';`

l 3 usershadow: more validators, expose path 2016-10-27 11:29:03 +00:00			`security.pam.services.dovecot2.text = ''`
			`auth required pam_exec.so expose_authtok ${usershadow}/bin/verify_pam ${cfg.pattern}`
l 3: add usershadow 2016-09-09 07:43:00 +00:00			`auth required pam_permit.so`
			`account required pam_permit.so`
			`session required pam_permit.so`
l 3 usershadow: more validators, expose path 2016-10-27 11:29:03 +00:00			`session required pam_env.so envfile=${config.system.build.pamEnvironment}`
l 3: add usershadow 2016-09-09 07:43:00 +00:00			`'';`
			`};`

			`usershadow = let {`
			`deps = [`
			`"pwstore-fast"`
			`"bytestring"`
			`];`
nix-writers: init submodule 2018-06-19 19:23:35 +00:00			`body = pkgs.writeHaskellPackage "passwords" {`
l 3 usershadow: more validators, expose path 2016-10-27 11:29:03 +00:00			`executables.verify_pam = {`
l 3: add usershadow 2016-09-09 07:43:00 +00:00			`extra-depends = deps;`
			`text = ''`
			`import Data.Monoid`
			`import System.IO`
			`import Data.Char (chr)`
			`import System.Environment (getEnv, getArgs)`
			`import Crypto.PasswordStore (verifyPasswordWith, pbkdf2)`
			`import qualified Data.ByteString.Char8 as BS8`
			`import System.Exit (exitFailure, exitSuccess)`

			`main :: IO ()`
			`main = do`
			`user <- getEnv "PAM_USER"`
			`shadowFilePattern <- head <$> getArgs`
			`let shadowFile = lhs <> user <> tail rhs`
			`(lhs, rhs) = span (/= '%') shadowFilePattern`
			`hash <- readFile shadowFile`
			`password <- takeWhile (/= (chr 0)) <$> hGetLine stdin`
			`let res = verifyPasswordWith pbkdf2 (2^) (BS8.pack password) (BS8.pack hash)`
			`if res then exitSuccess else exitFailure`
			`'';`
			`};`
l 3 usershadow: more validators, expose path 2016-10-27 11:29:03 +00:00			`executables.verify_arg = {`
			`extra-depends = deps;`
			`text = ''`
			`import Data.Monoid`
l 3 usershadow: update passwd to behave correctly 2016-11-24 23:07:55 +00:00			`import System.Environment (getArgs)`
l 3 usershadow: more validators, expose path 2016-10-27 11:29:03 +00:00			`import Crypto.PasswordStore (verifyPasswordWith, pbkdf2)`
			`import qualified Data.ByteString.Char8 as BS8`
			`import System.Exit (exitFailure, exitSuccess)`

			`main :: IO ()`
			`main = do`
			`argsList <- getArgs`
			`let shadowFilePattern = argsList !! 0`
			`let user = argsList !! 1`
			`let password = argsList !! 2`
			`let shadowFile = lhs <> user <> tail rhs`
			`(lhs, rhs) = span (/= '%') shadowFilePattern`
			`hash <- readFile shadowFile`
			`let res = verifyPasswordWith pbkdf2 (2^) (BS8.pack password) (BS8.pack hash)`
			`if res then do (putStr "yes") else exitFailure`
			`'';`
			`};`
l 3: add usershadow 2016-09-09 07:43:00 +00:00			`executables.passwd = {`
			`extra-depends = deps;`
			`text = ''`
			`import System.Environment (getEnv)`
			`import Crypto.PasswordStore (makePasswordWith, pbkdf2)`
			`import qualified Data.ByteString.Char8 as BS8`
l 3 usershadow: update passwd to behave correctly 2016-11-24 23:07:55 +00:00			`import System.IO (stdin, stdout, hSetEcho, hFlush, putStr, putStrLn)`
			`import Control.Exception (bracket_)`
l 3: add usershadow 2016-09-09 07:43:00 +00:00
			`main :: IO ()`
			`main = do`
			`home <- getEnv "HOME"`
l 3 usershadow: update passwd to behave correctly 2016-11-24 23:07:55 +00:00			`mb_password <- bracket_ (hSetEcho stdin False) (hSetEcho stdin True) $ do`
			`putStr "Enter new UNIX password: "`
			`hFlush stdout`
			`password <- BS8.hGetLine stdin`
			`putStrLn ""`
			`putStr "Retype new UNIX password: "`
			`hFlush stdout`
			`password2 <- BS8.hGetLine stdin`
			`return $ if password == password2`
			`then Just password`
			`else Nothing`
			`case mb_password of`
			`Just password -> do`
			`hash <- makePasswordWith pbkdf2 password 10`
			`BS8.writeFile (home ++ "/.shadow") hash`
			`putStrLn "passwd: all authentication tokens updated successfully."`
			`Nothing -> putStrLn "Sorry, passwords do not match"`
l 3: add usershadow 2016-09-09 07:43:00 +00:00			`'';`
			`};`
			`};`
			`};`

			`in out`