From e31f212f6b6a46e28b8d0d77d22767432f4a2b44 Mon Sep 17 00:00:00 2001
From: Austin Seipp <aseipp@pobox.com>
Date: Tue, 20 May 2014 02:42:31 -0500
Subject: [PATCH] nixos/duosec: Add an option to allow TCP forwarding

Signed-off-by: Austin Seipp <aseipp@pobox.com>
---
 nixos/modules/security/duosec.nix | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/nixos/modules/security/duosec.nix b/nixos/modules/security/duosec.nix
index bd9611384828..9893e63fb24f 100644
--- a/nixos/modules/security/duosec.nix
+++ b/nixos/modules/security/duosec.nix
@@ -165,6 +165,17 @@ in
           whitelist.
         '';
       };
+
+      allowTcpForwarding = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          By default, when SSH forwarding, enabling Duo Security will
+          disable TCP forwarding. By enabling this, you potentially
+          undermine some of the SSH based login security. Note this is
+          not needed if you use PAM.
+        '';
+      };
     };
   };
 
@@ -192,7 +203,9 @@ in
        # Duo Security configuration
        ForceCommand ${config.security.wrapperDir}/login_duo
        PermitTunnel no
-       AllowTcpForwarding no
+       ${optionalString (!cfg.allowTcpForwarding) ''
+         AllowTcpForwarding no
+       ''}
      '');
   };
 }
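Review bot: When `allowTcpForwarding` is true the new `optionalString` at the end of this hunk only drops the `AllowTcpForwarding no` line, so the effective value is whatever sshd's default or another `extraConfig` fragment supplies, while the option description in the first hunk reads as though enabling the option turns forwarding on. Rendering the directive unconditionally keeps the generated sshd_config self-describing and avoids a silent override: `AllowTcpForwarding ${if cfg.allowTcpForwarding then "yes" else "no"}`. The description's "By default, when SSH forwarding" wording is also hard to parse; something like `Permit TCP forwarding even though Duo Security is enabled for ssh. Because login_duo runs as a ForceCommand after the SSH session is already established, forwarded connections are presumably possible before the second factor completes, so leave this disabled unless you need it; it has no effect on the PAM integration.` would state the risk the option trades away. The enclosing `extraConfig` string starts before this hunk.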