{ pkgs, ... }: # Enables second factor for ssh password login ## Usage: # gen-oath-safe <username> totp ## scan the qrcode with google authenticator (or FreeOTP) ## copy last line into secrets/<host>/users.oath (chmod 700) { security.pam.oath = { # enabling it will make it a requisite of `all` services # enable = true; digits = 6; # TODO assert existing usersFile = (toString <secrets>) + "/users.oath"; }; # I want TFA only active for sshd with password-auth security.pam.services.sshd.oathAuth = true; }