diff --git a/lib/maintainers.nix b/lib/maintainers.nix
index 8f148ba91c40..6f4a7be21f6e 100644
--- a/lib/maintainers.nix
+++ b/lib/maintainers.nix
@@ -153,6 +153,7 @@
 pakhfn = "Fedor Pakhomov ";
 pashev = "Igor Pashev ";
 phausmann = "Philipp Hausmann ";
+ philandstuff = "Philip Potter ";
 phreedom = "Evgeny Egorochkin ";
 pierron = "Nicolas B. Pierron ";
 piotr = "Piotr Pietraszkiewicz ";
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index 631e8317cb4c..35622b12ea33 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -36,6 +36,16 @@ let
 '';
 };
 
+ u2fAuth = mkOption {
+ default = config.security.pam.enableU2F;
+ type = types.bool;
+ description = ''
+ If set, users listed in
+ ~/.yubico/u2f_keys are able to log in
+ with the associated U2F key.
+ '';
+ };
+
 usbAuth = mkOption {
 default = config.security.pam.usb.enable;
 type = types.bool;
@@ -209,6 +219,8 @@ let
 "auth sufficient ${pkgs.pam_ssh_agent_auth}/libexec/pam_ssh_agent_auth.so file=~/.ssh/authorized_keys:~/.ssh/authorized_keys2:/etc/ssh/authorized_keys.d/%u"}
 ${optionalString cfg.fprintAuth
 "auth sufficient ${pkgs.fprintd}/lib/security/pam_fprintd.so"}
+ ${optionalString cfg.u2fAuth
+ "auth sufficient ${pkgs.pam_u2f}/lib/security/pam_u2f.so"}
 ${optionalString cfg.usbAuth
 "auth sufficient ${pkgs.pam_usb}/lib/security/pam_usb.so"}
 ${optionalString cfg.unixAuth
@@ -364,6 +376,13 @@ in
 '';
 };
 
+ security.pam.enableU2F = mkOption {
+ default = false;
+ description = ''
+ Enable the U2F PAM module.
+ '';
+ };
+
 security.pam.enableEcryptfs = mkOption {
 default = false;
 description = ''
@@ -392,6 +411,7 @@ in
 ++ optionals config.krb5.enable [pam_krb5 pam_ccreds]
 ++ optionals config.security.pam.enableOTPW [ pkgs.otpw ]
 ++ optionals config.security.pam.enableOATH [ pkgs.oathToolkit ]
+ ++ optionals config.security.pam.enableU2F [ pkgs.pam_u2f ]
 ++ optionals config.security.pam.enableEcryptfs [ pkgs.ecryptfs ];
 
 security.setuidPrograms =
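Review bot: The description of the new `u2fAuth` option states `~/.yubico/u2f_keys` as the mapping file, but the `pam_u2f.so` line this commit adds further down passes no arguments to the module, so the path actually consulted is whatever the packaged pam_u2f 0.0.1 uses by default; that should be checked against the module's own documentation before it is stated here as fact. The description should also make two consequences explicit: the file lives under each user's home, so any user can enrol a key for themselves without administrator involvement, and the option defaults to the global `security.pam.enableU2F`, so it applies to every PAM service unless overridden per service. The enclosing `let` block starts outside the hunk.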
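Review bot: The added `auth sufficient … pam_u2f.so` line carries no module arguments, so the only source of truth for who may log in with a key touch is a file under the user's own home directory (per the option description), read with PAM's privileges, and `sufficient` means that file alone satisfies authentication for every service where `u2fAuth` is on — including privileged ones, since the per-service default follows the global `enableU2F`. Consider exposing pam_u2f's arguments through the module, so an administrator can point its `authfile=` argument at a root-owned file if the packaged version supports it, or at minimum record the trade-off next to the line: `# pam_u2f is sufficient on its own: a registered key is accepted without a password`. The `''` string that assembles the service file begins and ends outside the hunk.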
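Review bot: `security.pam.enableU2F` is declared without a `type`, while the `u2fAuth` option that takes its value in the same commit is `types.bool`; adding `type = types.bool;` keeps the two consistent and rejects non-boolean values at evaluation time (the neighbouring `enableEcryptfs` has the same omission, but that is pre-existing). The description should also say what the switch does, since it both installs the module and turns `u2fAuth` on for every PAM service by default, e.g. `Enable the U2F PAM module and, by default, U2F authentication for every PAM service (see the per-service u2fAuth option).`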
diff --git a/pkgs/development/libraries/libu2f-host/default.nix b/pkgs/development/libraries/libu2f-host/default.nix
index f996216826ac..cda18e4e9bd6 100644
--- a/pkgs/development/libraries/libu2f-host/default.nix
+++ b/pkgs/development/libraries/libu2f-host/default.nix
@@ -12,7 +12,7 @@ stdenv.mkDerivation rec {
 
 meta = with stdenv.lib; {
 homepage = https://developers.yubico.com/libu2f-host;
- description = "a C library and command-line tool thati mplements the host-side of the U2F protocol";
+ description = "A C library and command-line tool thati mplements the host-side of the U2F protocol";
 license = licenses.bsd2;
 platforms = platforms.unix;
 maintainers = with maintainers; [ wkennington ];
diff --git a/pkgs/development/libraries/libu2f-server/default.nix b/pkgs/development/libraries/libu2f-server/default.nix
new file mode 100644
index 000000000000..6ac4eb29d134
--- /dev/null
+++ b/pkgs/development/libraries/libu2f-server/default.nix
@@ -0,0 +1,20 @@
+{ stdenv, fetchurl, pkgconfig, json_c, hidapi, openssl, check }:
+
+stdenv.mkDerivation rec {
+ name = "libu2f-server-0.0.0";
+
+ src = fetchurl {
+ url = "https://developers.yubico.com/libu2f-server/Releases/libu2f-server-0.0.0.tar.xz";
+ sha256 = "1vdl3qavzfpi6p6h48zw17md9wykfzpay5c4l1c08id46m560wp0";
+ };
+
+ buildInputs = [ pkgconfig json_c hidapi openssl check ];
+
+ meta = with stdenv.lib; {
+ homepage = https://developers.yubico.com/libu2f-server/;
+ description = "A C library that implements the server-side of the U2F protocol";
+ license = licenses.bsd2;
+ platforms = platforms.unix;
+ maintainers = with maintainers; [ philandstuff ];
+ };
+}
diff --git a/pkgs/os-specific/linux/pam_u2f/default.nix b/pkgs/os-specific/linux/pam_u2f/default.nix
new file mode 100644
index 000000000000..458d171ec683
--- /dev/null
+++ b/pkgs/os-specific/linux/pam_u2f/default.nix
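Review bot: The capitalisation fix on the `description` line leaves the adjacent typo `thati mplements` in place, so the string is still wrong after this change; while the line is being touched it should become `description = "A C library and command-line tool that implements the host-side of the U2F protocol";`. The `meta` set is inside the hunk, but the derivation around it is not.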
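Review bot: In the new libu2f-server expression the version `0.0.0` is spelled out twice, in `name` and again inside `url`, so a future bump has to edit both places in step; the `pam_u2f` expression added in the same commit already uses the `version`/`${name}` pattern and this file should match it: `version = "0.0.0";`, `name = "libu2f-server-${version}";`, `url = "https://developers.yubico.com/libu2f-server/Releases/${name}.tar.xz";`. The `sha256` pins the tarball, which is what matters for supply-chain integrity, so this is a maintainability point only.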
@@ -0,0 +1,22 @@
+{ pkgs, fetchurl, stdenv }:
+stdenv.mkDerivation rec {
+ name = "pam_u2f-${version}";
+ version = "0.0.1";
+ src = fetchurl {
+ url = "https://developers.yubico.com/pam-u2f/Releases/${name}.tar.gz";
+ sha256 = "0p1wia4nfw5h0pmy1lcgwsbrlm7z39v1n37692lgqfzyg1kmpv7l";
+ };
+ buildInputs = with pkgs; [ asciidoc autoconf automake docbook_xml_dtd_45 libtool libu2f-host libu2f-server libxml2 libxslt pkgconfig pam ];
+
+ installFlags = [
+ "PAMDIR=$(out)/lib/security"
+ ];
+
+ meta = with stdenv.lib; {
+ homepage = https://developers.yubico.com/pam-u2f/;
+ description = "A PAM module for allowing authentication with a U2F device";
+ license = licenses.bsd2;
+ platforms = platforms.unix;
+ maintainers = with maintainers; [ philandstuff ];
+ };
+}
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index 920bbc006211..0eab47c68d4f 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -6920,6 +6920,8 @@ let
 
 libu2f-host = callPackage ../development/libraries/libu2f-host { };
 
+ libu2f-server = callPackage ../development/libraries/libu2f-server { };
+
 libunistring = callPackage ../development/libraries/libunistring { };
 
 libupnp = callPackage ../development/libraries/pupnp { };
@@ -9573,6 +9575,8 @@ let
 
 pam_ssh_agent_auth = callPackage ../os-specific/linux/pam_ssh_agent_auth { };
 
+ pam_u2f = callPackage ../os-specific/linux/pam_u2f { };
+
 pam_usb = callPackage ../os-specific/linux/pam_usb { };
 
 paxctl = callPackage ../os-specific/linux/paxctl { };
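Review bot: The pam_u2f derivation takes `pkgs` as a whole and pulls its build dependencies out of it with `with pkgs;` in `buildInputs`, which sidesteps `callPackage`'s dependency injection: arguments overridden through the `callPackage` call in all-packages.nix (for example a patched `libu2f-host` or `pam`) will not reach this build, and the expression's real inputs are not visible from its header. Listing them as arguments is the conventional form: `{ stdenv, fetchurl, asciidoc, autoconf, automake, docbook_xml_dtd_45, libtool, libu2f-host, libu2f-server, libxml2, libxslt, pkgconfig, pam }:` together with `buildInputs = [ asciidoc autoconf automake docbook_xml_dtd_45 libtool libu2f-host libu2f-server libxml2 libxslt pkgconfig pam ];`. The `installFlags` entry `PAMDIR=$(out)/lib/security` is what makes the `${pkgs.pam_u2f}/lib/security/pam_u2f.so` path in the NixOS module resolve, so a comment tying the two together, e.g. `# must match the path referenced from nixos/modules/security/pam.nix`, would help the next person who bumps either side.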