2023-07-02 16:05:52 +02:00
|
|
|
{ pkgs, config, ... }:
|
2017-06-30 23:49:05 +02:00
|
|
|
# Enables second factor for ssh password login
|
|
|
|
|
|
|
|
## Usage:
|
|
|
|
# gen-oath-safe <username> totp
|
|
|
|
## scan the qrcode with google authenticator (or FreeOTP)
|
|
|
|
## copy last line into secrets/<host>/users.oath (chmod 700)
|
|
|
|
{
|
2023-07-02 16:05:52 +02:00
|
|
|
sops.secrets."users.oath" = {};
|
2017-06-30 23:49:05 +02:00
|
|
|
security.pam.oath = {
|
|
|
|
# enabling it will make it a requisite of `all` services
|
|
|
|
# enable = true;
|
|
|
|
digits = 6;
|
2023-07-02 16:05:52 +02:00
|
|
|
usersFile = config.sops.secrets."users.oath".path;
|
2017-06-30 23:49:05 +02:00
|
|
|
};
|
|
|
|
# I want TFA only active for sshd with password-auth
|
|
|
|
security.pam.services.sshd.oathAuth = true;
|
|
|
|
}
|