l 3 usershadow: more validators, expose path

author: lassulus <lass@aidsballs.de> 2016-10-27 13:29:03 +0200
committer: lassulus <lass@aidsballs.de> 2016-10-27 13:29:03 +0200
commit: d0198ecd07ac825ebb6841619c4d3039aa476c54 (patch)
tree: 6d1325d65eacc2b41ed117bc6513588f6884fefc /lass/3modules/usershadow.nix
parent: 809a42339d2fa3e52d69a5d6966e60ae45968be5 (diff)
1 files changed, 35 insertions, 6 deletions
diff --git a/lass/3modules/usershadow.nix b/lass/3modules/usershadow.nix
index 1ee01e8d..a8ab1c52 100644
--- a/lass/3modules/usershadow.nix
+++ b/lass/3modules/usershadow.nix
@@ -13,22 +13,27 @@
       type = types.str;
       default = "/home/%/.shadow";
     };
+    path = mkOption {
+      type = types.str;
+    };
   };
 
   imp = {
     environment.systemPackages = [ usershadow ];
+    lass.usershadow.path = "${usershadow}";
     security.pam.services.sshd.text = ''
-      auth required pam_exec.so expose_authtok ${usershadow}/bin/verify ${cfg.pattern}
+      auth required pam_exec.so expose_authtok ${usershadow}/bin/verify_pam ${cfg.pattern}
       auth required pam_permit.so
       account required pam_permit.so
       session required pam_permit.so
     '';
 
-    security.pam.services.exim.text = ''
-      auth required pam_exec.so expose_authtok ${usershadow}/bin/verify ${cfg.pattern}
+    security.pam.services.dovecot2.text = ''
+      auth required pam_exec.so expose_authtok ${usershadow}/bin/verify_pam ${cfg.pattern}
       auth required pam_permit.so
       account required pam_permit.so
       session required pam_permit.so
+      session required pam_env.so envfile=${config.system.build.pamEnvironment}
     '';
   };
 
@@ -38,7 +43,7 @@
       "bytestring"
     ];
     body = pkgs.writeHaskell "passwords" {
-      executables.verify = {
+      executables.verify_pam = {
         extra-depends = deps;
         text = ''
           import Data.Monoid
@@ -61,18 +66,42 @@
             if res then exitSuccess else exitFailure
         '';
       };
+      executables.verify_arg = {
+        extra-depends = deps;
+        text = ''
+          import Data.Monoid
+          import System.IO
+          import Data.Char (chr)
+          import System.Environment (getEnv, getArgs)
+          import Crypto.PasswordStore (verifyPasswordWith, pbkdf2)
+          import qualified Data.ByteString.Char8 as BS8
+          import System.Exit (exitFailure, exitSuccess)
+
+          main :: IO ()
+          main = do
+            argsList <- getArgs
+            let shadowFilePattern = argsList !! 0
+            let user = argsList !! 1
+            let password = argsList !! 2
+            let shadowFile = lhs <> user <> tail rhs
+                (lhs, rhs) = span (/= '%') shadowFilePattern
+            hash <- readFile shadowFile
+            let res = verifyPasswordWith pbkdf2 (2^) (BS8.pack password) (BS8.pack hash)
+            if res then do (putStr "yes") else exitFailure
+        '';
+      };
       executables.passwd = {
         extra-depends = deps;
         text = ''
           import System.Environment (getEnv)
           import Crypto.PasswordStore (makePasswordWith, pbkdf2)
           import qualified Data.ByteString.Char8 as BS8
-          import System.IO (stdin, hSetEcho, putStr)
+          import System.IO (stdin, hSetEcho, putStrLn)
 
           main :: IO ()
           main = do
             home <- getEnv "HOME"
-            putStr "password:"
+            putStrLn "password:"
             hSetEcho stdin False
             password <- BS8.hGetLine stdin
             hash <- makePasswordWith pbkdf2 password 10
author	lassulus <lass@aidsballs.de>	2016-10-27 13:29:03 +0200
committer	lassulus <lass@aidsballs.de>	2016-10-27 13:29:03 +0200
commit	d0198ecd07ac825ebb6841619c4d3039aa476c54 (patch)
tree	6d1325d65eacc2b41ed117bc6513588f6884fefc /lass/3modules/usershadow.nix
parent	809a42339d2fa3e52d69a5d6966e60ae45968be5 (diff)