* Add support for pam_usb.

svn path=/nixos/trunk/; revision=19185
15 years ago · d2901e979d
parent 64c75274e1
commit d2901e979d
3 changed files with 48 additions and 1 deletions
--- a/modules/module-list.nix
+++ b/modules/module-list.nix
@ -33,6 +33,7 @@
  ./rename.nix
  ./security/consolekit.nix
  ./security/pam.nix
+  ./security/pam_usb.nix
  ./security/policykit.nix
  #./security/polkit.nix # Currently disabled; using the old policykit.
  ./security/setuid-wrappers.nix
--- a/modules/security/pam.nix
+++ b/modules/security/pam.nix
@ -7,7 +7,7 @@ with pkgs.lib;

 let

-  inherit (pkgs) pam_unix2 pam_ldap;
+  inherit (pkgs) pam_unix2 pam_usb pam_ldap;

  otherService = pkgs.writeText "other.pam"
    ''
@ -26,6 +26,9 @@ let
    , # If set, root doesn't need to authenticate (e.g. for the "chsh"
      # service).
      rootOK ? false
+    , # If set, user listed in /etc/pamusb.conf are able to log in with
+      # the associated usb key.
+      usbAuth ? config.security.pam.usb.enable
    , # If set, use ConsoleKit's PAM connector module to claim
      # ownership of audio devices etc.
      ownDevices ? false
@ -55,6 +58,8 @@ let
          # Authentication management.
          ${optionalString rootOK
              "auth sufficient pam_rootok.so"}
+          ${optionalString usbAuth
+              "auth sufficient ${pam_usb}/lib/security/pam_usb.so"}
          ${optionalString config.users.ldap.enable
              "auth sufficient ${pam_ldap}/lib/security/pam_ldap.so"}
          auth sufficient ${pam_unix2}/lib/security/pam_unix2.so ${
--- a/modules/security/pam_usb.nix
+++ b/modules/security/pam_usb.nix
@ -0,0 +1,41 @@
+{config, pkgs, ...}:
+
+with pkgs.lib;
+
+let
+
+  inherit (pkgs) pam_usb;
+
+  cfg = config.security.pam.usb;
+
+  anyUsbAuth = any (attrByPath ["usbAuth"] false) config.security.pam.services;
+
+in
+
+{
+  options = {
+
+    security.pam.usb = {
+      enable = mkOption {
+        default = false;
+        description = ''
+          Enable USB login for all login system unless the service disabled
+          it.  For more information, visit <link
+          xlink:href="http://pamusb.org/doc/quickstart#setting_up" />.
+        '';
+      };
+
+    };
+
+  };
+
+  config = mkIf (cfg.enable || anyUsbAuth) {
+
+    # pmount need to have a set-uid bit to make pam_usb works in user
+    # environment. (like su, sudo)
+
+    security.setuidPrograms = [ "pmount" "pumount" ];
+    environment.systemPackages = [ pkgs.pmount ];
+
+  };
+}