lass: init otp-ssh
This commit is contained in:
parent
53f8fa81e5
commit
5f743cbd32
@ -24,6 +24,7 @@ with import <stockholm/lib>;
|
||||
<stockholm/lass/2configs/ircd.nix>
|
||||
<stockholm/lass/2configs/logf.nix>
|
||||
<stockholm/lass/2configs/syncthing.nix>
|
||||
<stockholm/lass/2configs/otp-ssh.nix>
|
||||
{
|
||||
#risk of rain port
|
||||
krebs.iptables.tables.filter.INPUT.rules = [
|
||||
|
18
lass/2configs/otp-ssh.nix
Normal file
18
lass/2configs/otp-ssh.nix
Normal file
@ -0,0 +1,18 @@
|
||||
{ pkgs, ... }:
|
||||
# Enables second factor for ssh password login
|
||||
|
||||
## Usage:
|
||||
# gen-oath-safe <username> totp
|
||||
## scan the qrcode with google authenticator (or FreeOTP)
|
||||
## copy last line into secrets/<host>/users.oath (chmod 700)
|
||||
{
|
||||
security.pam.oath = {
|
||||
# enabling it will make it a requisite of `all` services
|
||||
# enable = true;
|
||||
digits = 6;
|
||||
# TODO assert existing
|
||||
usersFile = (toString <secrets>) + "/users.oath";
|
||||
};
|
||||
# I want TFA only active for sshd with password-auth
|
||||
security.pam.services.sshd.oathAuth = true;
|
||||
}
|
Loading…
Reference in New Issue
Block a user