From d2901e979db48c6bba1b0847d319d0995af0692c Mon Sep 17 00:00:00 2001
From: Nicolas Pierron
Date: Sun, 3 Jan 2010 11:59:08 +0000
Subject: [PATCH] * Add support for pam_usb.

svn path=/nixos/trunk/; revision=19185
---
 modules/module-list.nix | 1 +
 modules/security/pam.nix | 7 +++++-
 modules/security/pam_usb.nix | 41 ++++++++++++++++++++++++++++++++++++
 3 files changed, 48 insertions(+), 1 deletion(-)
 create mode 100644 modules/security/pam_usb.nix

diff --git a/modules/module-list.nix b/modules/module-list.nix
index 702822f506ab..0f8b47eb7640 100644
--- a/modules/module-list.nix
+++ b/modules/module-list.nix
@@ -33,6 +33,7 @@
 ./rename.nix
 ./security/consolekit.nix
 ./security/pam.nix
+ ./security/pam_usb.nix
 ./security/policykit.nix
 #./security/polkit.nix # Currently disabled; using the old policykit.
 ./security/setuid-wrappers.nix
diff --git a/modules/security/pam.nix b/modules/security/pam.nix
index 904cf438bffb..d693255a55bd 100644
--- a/modules/security/pam.nix
+++ b/modules/security/pam.nix
@@ -7,7 +7,7 @@ with pkgs.lib;
 let
- inherit (pkgs) pam_unix2 pam_ldap;
+ inherit (pkgs) pam_unix2 pam_usb pam_ldap;
 otherService = pkgs.writeText "other.pam" ''
@@ -26,6 +26,9 @@ let
 , # If set, root doesn't need to authenticate (e.g. for the "chsh"
 # service).
 rootOK ? false
+ , # If set, user listed in /etc/pamusb.conf are able to log in with
+ # the associated usb key.
+ usbAuth ? config.security.pam.usb.enable
 , # If set, use ConsoleKit's PAM connector module to claim
 # ownership of audio devices etc.
 ownDevices ? false
@@ -55,6 +58,8 @@ let
 # Authentication management.
 ${optionalString rootOK "auth sufficient pam_rootok.so"}
+ ${optionalString usbAuth
+ "auth sufficient ${pam_usb}/lib/security/pam_usb.so"}
 ${optionalString config.users.ldap.enable
 "auth sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
 auth sufficient ${pam_unix2}/lib/security/pam_unix2.so ${
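Review bot: The default `usbAuth ? config.security.pam.usb.enable` in hunk @@ -26,6 +26,9 combined with the `auth sufficient ${pam_usb}/lib/security/pam_usb.so` line placed ahead of pam_unix2 in hunk @@ -55,6 +58,8 means that once security.pam.usb.enable is set, presence of a registered key alone satisfies authentication for every service built by this generator that does not override usbAuth, and a `sufficient` success stops the stack before the password modules below are consulted. pam_usb matches a device attached to the host rather than to the calling session, so unless pam_usb's own configuration rejects non-local sessions this presumably extends to any remote service defined through the same function; consider defaulting usbAuth to false for such services or stating in the option's description that per-service opt-out is expected. The inserted comment should also be corrected and say what the module's control flag implies: `, # If set, users listed in /etc/pamusb.conf can log in with the` / `# associated USB key; the module is "sufficient", so a matching key` / `# satisfies auth without reaching the password modules below.` The generating function and the PAM text it builds continue outside the hunk.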
diff --git a/modules/security/pam_usb.nix b/modules/security/pam_usb.nix
new file mode 100644
index 000000000000..1c2a6a05f261
--- /dev/null
+++ b/modules/security/pam_usb.nix
@@ -0,0 +1,41 @@
+{config, pkgs, ...}:
+
+with pkgs.lib;
+
+let
+
+ inherit (pkgs) pam_usb;
+
+ cfg = config.security.pam.usb;
+
+ anyUsbAuth = any (attrByPath ["usbAuth"] false) config.security.pam.services;
+
+in
+
+{
+ options = {
+
+ security.pam.usb = {
+ enable = mkOption {
+ default = false;
+ description = ''
+ Enable USB login for all login system unless the service disabled
+ it. For more information, visit .
+ '';
+ };
+
+ };
+
+ };
+
+ config = mkIf (cfg.enable || anyUsbAuth) {
+
+ # pmount need to have a set-uid bit to make pam_usb works in user
+ # environment. (like su, sudo)
+
+ security.setuidPrograms = [ "pmount" "pumount" ];
+ environment.systemPackages = [ pkgs.pmount ];
+
+ };
+}
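Review bot: `security.setuidPrograms = [ "pmount" "pumount" ];` makes both binaries setuid-root for every local user as soon as cfg.enable or any service's usbAuth is set, not only for accounts listed in /etc/pamusb.conf, and the comment above it should say so since that widens the setuid surface of the whole system; suggested wording: `# pam_usb mounts the key from unprivileged contexts (su, sudo), which needs` / `# setuid pmount/pumount. Note this grants setuid pmount/pumount to all` / `# local users, not only those configured for USB authentication.` The option description reads awkwardly and its last sentence has no visible target (`visit .`), which looks like a lost link element — confirm against upstream; a clearer first sentence would be `Enable USB login for all login services unless the service disables it.` The `anyUsbAuth` expression only sees services that set usbAuth explicitly, which is consistent with the default wiring in pam.nix but deserves a one-line comment so the mkIf condition is not misread as covering implicitly enabled services.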