blob: 9ebbe0dc4844374a0b422e0e8eefaf2a3b420839 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
|
{ pkgs, config, ... }:
# Enables second factor for ssh password login
## Usage:
# gen-oath-safe <username> totp
## scan the qrcode with google authenticator (or FreeOTP)
## copy last line into secrets/<host>/users.oath (chmod 700)
{
sops.secrets."users.oath" = {};
security.pam.oath = {
# enabling it will make it a requisite of `all` services
# enable = true;
digits = 6;
usersFile = config.sops.secrets."users.oath".path;
};
# I want TFA only active for sshd with password-auth
security.pam.services.sshd.oathAuth = true;
}
|