Add a module to make the options of the pam_oath module configurable. These are:
- enable - enable the OATH pam module
- window - number of OTPs to check
- digits - length of the OTP (adds support for two-factor auth)
- usersFile - filename to store OATH credentials in

wip/yesman
parent
bd9f128cc2
commit
d09c7986de
@ -0,0 +1,50 @@ |
||||
# This module provides configuration for the OATH PAM modules. |
||||
|
||||
{ config, lib, pkgs, ... }: |
||||
|
||||
with lib; |
||||
|
||||
{ |
||||
options = { |
||||
|
||||
security.pam.oath = { |
||||
enable = mkOption { |
||||
type = types.bool; |
||||
default = false; |
||||
description = '' |
||||
Enable the OATH (one-time password) PAM module. |
||||
''; |
||||
}; |
||||
|
||||
digits = mkOption { |
||||
type = types.enum [ 6 7 8 ]; |
||||
default = 6; |
||||
description = '' |
||||
Specify the length of the one-time password in number of |
||||
digits. |
||||
''; |
||||
}; |
||||
|
||||
window = mkOption { |
||||
type = types.int; |
||||
default = 5; |
||||
description = '' |
||||
Specify the number of one-time passwords to check in order |
||||
to accommodate for situations where the system and the |
||||
client are slightly out of sync (iteration for HOTP or time |
||||
steps for TOTP). |
||||
''; |
||||
}; |
||||
|
||||
usersFile = mkOption { |
||||
type = types.path; |
||||
default = "/etc/users.oath"; |
||||
description = '' |
||||
Set the path to file where the user's credentials are |
||||
stored. This file must not be world readable! |
||||
''; |
||||
}; |
||||
}; |
||||
|
||||
}; |
||||
} |
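Review bot: The `usersFile` option is declared as `types.path`, which also accepts Nix store paths, so a user who points it at e.g. a `pkgs.writeText` result would place the OTP secrets in the world-readable store — contradicting the description's "must not be world readable" warning, which this module only states and never enforces. I would extend the description with `The file must be created manually with mode 0600 and owned by root; never set this to a store path (e.g. writeText), since /nix/store is world-readable.` and, wherever the module's config side lives, add an assertion that `toString cfg.usersFile` does not start with `builtins.storeDir`. `window` is a bare `types.int` with no lower bound, and every extra OTP in the window raises an attacker's per-attempt guess probability against a 6-digit code, so consider `type = types.ints.positive;` (if this lib version provides it) plus a sentence in the description noting that larger windows weaken the OTP. This file declares options only and contains no `config` section that consumes `enable`, so the `enable` description should name the PAM service definition that actually wires pam_oath in, which is presumably elsewhere in the tree.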