lass: init otp-ssh

2017-07-17 15:11:54 +02:00 · 2017-07-17 15:11:54 +02:00 · 5f743cbd32
commit 5f743cbd32
parent 53f8fa81e5
2 changed files with 19 additions and 0 deletions
--- a/lass/1systems/mors/config.nix
+++ b/lass/1systems/mors/config.nix
@ -24,6 +24,7 @@ with import <stockholm/lib>;
    <stockholm/lass/2configs/ircd.nix>
    <stockholm/lass/2configs/logf.nix>
    <stockholm/lass/2configs/syncthing.nix>
+    <stockholm/lass/2configs/otp-ssh.nix>
    {
      #risk of rain port
      krebs.iptables.tables.filter.INPUT.rules = [
--- a/lass/2configs/otp-ssh.nix
+++ b/lass/2configs/otp-ssh.nix
@ -0,0 +1,18 @@
+{ pkgs, ... }:
+# Enables second factor for ssh password login
+
+## Usage:
+#  gen-oath-safe <username> totp
+## scan the qrcode with google authenticator (or FreeOTP)
+## copy last line into secrets/<host>/users.oath (chmod 700)
+{
+  security.pam.oath = {
+    # enabling it will make it a requisite of `all` services
+    # enable = true;
+    digits = 6;
+    # TODO assert existing
+    usersFile = (toString <secrets>) + "/users.oath";
+  };
+  # I want TFA only active for sshd with password-auth
+  security.pam.services.sshd.oathAuth = true;
+}