ma 2fa: init and enable for gum
This commit is contained in:
parent
d9cc50653d
commit
7cd2ff2679
@ -26,6 +26,9 @@ in {
|
|||||||
../2configs/tinc/retiolum.nix
|
../2configs/tinc/retiolum.nix
|
||||||
../2configs/urlwatch.nix
|
../2configs/urlwatch.nix
|
||||||
|
|
||||||
|
# Security
|
||||||
|
../2configs/sshd-totp.nix
|
||||||
|
|
||||||
# Tools
|
# Tools
|
||||||
../2configs/tools/core.nix
|
../2configs/tools/core.nix
|
||||||
../2configs/tools/dev.nix
|
../2configs/tools/dev.nix
|
||||||
|
18
makefu/2configs/sshd-totp.nix
Normal file
18
makefu/2configs/sshd-totp.nix
Normal file
@ -0,0 +1,18 @@
|
|||||||
|
{ pkgs, ... }:
|
||||||
|
# Enables second factor for ssh password login
|
||||||
|
|
||||||
|
## Usage:
|
||||||
|
# gen-oath-safe <username> totp
|
||||||
|
## scan the qrcode with google authenticator (or FreeOTP)
|
||||||
|
## copy last line into secrets/<host>/users.oath (chmod 700)
|
||||||
|
{
|
||||||
|
security.pam.oath = {
|
||||||
|
# enabling it will make it a requisite of `all` services
|
||||||
|
# enable = true;
|
||||||
|
digits = 6;
|
||||||
|
# TODO assert existing
|
||||||
|
usersFile = (toString <secrets>) + "/users.oath";
|
||||||
|
};
|
||||||
|
# I want TFA only active for sshd with password-auth
|
||||||
|
security.pam.services.sshd.oathAuth = true;
|
||||||
|
}
|
Loading…
Reference in New Issue
Block a user