ma 2fa: init and enable for gum

This commit is contained in:
makefu 2017-06-30 23:49:05 +02:00
parent d9cc50653d
commit 7cd2ff2679
No known key found for this signature in database
GPG Key ID: 36F7711F3FC0F225
2 changed files with 21 additions and 0 deletions

View File

@ -26,6 +26,9 @@ in {
../2configs/tinc/retiolum.nix ../2configs/tinc/retiolum.nix
../2configs/urlwatch.nix ../2configs/urlwatch.nix
# Security
../2configs/sshd-totp.nix
# Tools # Tools
../2configs/tools/core.nix ../2configs/tools/core.nix
../2configs/tools/dev.nix ../2configs/tools/dev.nix

View File

@ -0,0 +1,18 @@
{ pkgs, ... }:
# Enables second factor for ssh password login
## Usage:
# gen-oath-safe <username> totp
## scan the qrcode with google authenticator (or FreeOTP)
## copy last line into secrets/<host>/users.oath (chmod 700)
{
security.pam.oath = {
# enabling it will make it a requisite of `all` services
# enable = true;
digits = 6;
# TODO assert existing
usersFile = (toString <secrets>) + "/users.oath";
};
# I want TFA only active for sshd with password-auth
security.pam.services.sshd.oathAuth = true;
}