summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--lass/3modules/default.nix1
-rw-r--r--lass/3modules/usershadow.nix85
2 files changed, 86 insertions, 0 deletions
diff --git a/lass/3modules/default.nix b/lass/3modules/default.nix
index 60370b230..6e1e20dd3 100644
--- a/lass/3modules/default.nix
+++ b/lass/3modules/default.nix
@@ -6,6 +6,7 @@ _:
./mysql-backup.nix
./umts.nix
./urxvtd.nix
+ ./usershadow.nix
./wordpress_nginx.nix
./xresources.nix
];
diff --git a/lass/3modules/usershadow.nix b/lass/3modules/usershadow.nix
new file mode 100644
index 000000000..0e7e718a4
--- /dev/null
+++ b/lass/3modules/usershadow.nix
@@ -0,0 +1,85 @@
+{ config, lib, pkgs, ... }@args: with config.krebs.lib; let
+
+ cfg = config.lass.usershadow;
+
+ out = {
+ options.lass.usershadow = api;
+ config = lib.mkIf cfg.enable imp;
+ };
+
+ api = {
+ enable = mkEnableOption "usershadow";
+ pattern = mkOption {
+ type = types.str;
+ default = "/home/%/.shadow";
+ };
+ };
+
+ imp = {
+ environment.systemPackages = [ usershadow ];
+ security.pam.services.sshd.text = ''
+ auth required pam_exec.so expose_authtok ${usershadow}/bin/verify ${cfg.pattern}
+ auth required pam_permit.so
+ account required pam_permit.so
+ session required pam_permit.so
+ '';
+
+ security.pam.services.exim.text = ''
+ auth required pam_exec.so expose_authtok ${usershadow}/bin/verify ${cfg.pattern}
+ auth required pam_permit.so
+ account required pam_permit.so
+ session required pam_permit.so
+ '';
+ };
+
+ usershadow = let {
+ deps = [
+ "pwstore-fast"
+ "bytestring"
+ ];
+ body = pkgs.writeHaskell "passwords" {
+ executables.verify = {
+ extra-depends = deps;
+ text = ''
+ import Data.Monoid
+ import System.IO
+ import Data.Char (chr)
+ import System.Environment (getEnv, getArgs)
+ import Crypto.PasswordStore (verifyPasswordWith, pbkdf2)
+ import qualified Data.ByteString.Char8 as BS8
+ import System.Exit (exitFailure, exitSuccess)
+
+ main :: IO ()
+ main = do
+ user <- getEnv "PAM_USER"
+ shadowFilePattern <- head <$> getArgs
+ let shadowFile = lhs <> user <> tail rhs
+ (lhs, rhs) = span (/= '%') shadowFilePattern
+ hash <- readFile shadowFile
+ password <- takeWhile (/= (chr 0)) <$> hGetLine stdin
+ let res = verifyPasswordWith pbkdf2 (2^) (BS8.pack password) (BS8.pack hash)
+ if res then exitSuccess else exitFailure
+ '';
+ };
+ executables.passwd = {
+ extra-depends = deps;
+ text = ''
+ import System.Environment (getEnv)
+ import Crypto.PasswordStore (makePasswordWith, pbkdf2)
+ import qualified Data.ByteString.Char8 as BS8
+ import System.IO (stdin, hSetEcho, putStr)
+
+ main :: IO ()
+ main = do
+ home <- getEnv "HOME"
+ putStr "password:"
+ hSetEcho stdin False
+ password <- BS8.hGetLine stdin
+ hash <- makePasswordWith pbkdf2 password 10
+ BS8.writeFile (home ++ "/.shadow") hash
+ '';
+ };
+ };
+ };
+
+in out