diff options
| author | lassulus <lassulus@lassul.us> | 2017-07-17 15:11:54 +0200 |
|---|---|---|
| committer | lassulus <lassulus@lassul.us> | 2017-07-17 15:11:54 +0200 |
| commit | 5f743cbd32572a25e0df73b823cd866f1d80f01a (patch) | |
| tree | 965ff88cdfbe0962ffeae0c687255b9dc43d86e5 /lass/2configs | |
| parent | 53f8fa81e58c426d2a88b1bba4bfc0524dcb9387 (diff) | |
lass: init otp-ssh
Diffstat (limited to 'lass/2configs')
| -rw-r--r-- | lass/2configs/otp-ssh.nix | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/lass/2configs/otp-ssh.nix b/lass/2configs/otp-ssh.nix new file mode 100644 index 000000000..f9984e245 --- /dev/null +++ b/lass/2configs/otp-ssh.nix @@ -0,0 +1,18 @@ +{ pkgs, ... }: +# Enables second factor for ssh password login + +## Usage: +# gen-oath-safe <username> totp +## scan the qrcode with google authenticator (or FreeOTP) +## copy last line into secrets/<host>/users.oath (chmod 700) +{ + security.pam.oath = { + # enabling it will make it a requisite of `all` services + # enable = true; + digits = 6; + # TODO assert existing + usersFile = (toString <secrets>) + "/users.oath"; + }; + # I want TFA only active for sshd with password-auth + security.pam.services.sshd.oathAuth = true; +} |