| author | Alejandro Soto <alejandro@34project.org> | 2023-03-13 14:06:38 -0600 |
|---|---|---|
| committer | Alejandro Soto <alejandro@34project.org> | 2023-03-13 14:06:38 -0600 |
| commit | 4403ea9c920fc8b737d82222ba4637b2963c5bfa (patch) | |
| tree | 483ca7ef97a0fac3359784980c0504ec55d34e43 | |
| parent | 37d81d915370304bc060abf6d5ff15dc1095f0fb (diff) | |
sys/auth: fix SSH OATH
Diffstat (limited to '')
| -rw-r--r-- | sys/auth.nix | 35 |
1 files changed, 33 insertions, 2 deletions
diff --git a/sys/auth.nix b/sys/auth.nix
index e85543e..e9723a7 100644
--- a/sys/auth.nix
+++ b/sys/auth.nix
@@ -1,4 +1,4 @@
-{ lib, config, ... }:
+{ config, lib, pkgs, ... }:
 with lib;
 let cfg = config.local;
 in
@@ -18,10 +18,11 @@ in
 enable = true;
 openFirewall = false;
 ports = [ 2234 ];
+ startWhenNeeded = true;
 forwardX11 = true;
 permitRootLogin = "no";
- passwordAuthentication = false;
+ passwordAuthentication = true; # Necesario para oath, no reemplaza a oath
 hostKeys = [
 {
@@ -39,8 +40,38 @@ in
 type = "ecdsa";
 }
 ];
+
+ extraConfig = ''
+ # User 'tunnel' has no password. Use PAM OATH
+ # and connect with -N, forward with -R.
+ Match User tunnel
+ AllowTcpForwarding remote
+ AllowStreamLocalForwarding no
+ X11Forwarding no
+ PermitTunnel no
+ GatewayPorts no
+ AllowAgentForwarding no
+ PermitOpen none
+ PermitListen 60220 60221 60222 60223 60224 60225 60226 60227 60228 60229
+
+ Banner ${pkgs.writeText "tunnel-banner" ''
+ This is a reverse tunnel
+ ''}
+ '';
 };
 networking.firewall.allowedTCPPorts = [ 2234 ];
+
+ users.users.tunnel = {
+ uid = 1100;
+ group = "nogroup";
+ isSystemUser = true;
+
+ # Requiere oath
+ password = "tunnel";
+
+ home = "/var/empty";
+ shell = "${pkgs.coreutils}/bin/true";
+ };
 };
}
 |
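Review bot: The `tunnel` account is created with a fixed cleartext password (`password = "tunnel";`) while the second hunk switches `passwordAuthentication = true;` on for the whole sshd, so every account listening on port 2234, not only `tunnel`, becomes reachable by password guessing. The extraConfig comment also says `tunnel` has no password, which the user definition contradicts; if the PAM OATH factor is meant to be the real secret, the comment should say the password is a known placeholder, and since NixOS's `password` option keeps the value in the world-readable store, `hashedPassword` is the safer option even for a placeholder. Consider keeping `passwordAuthentication = false;` globally and scoping it instead, `Match User tunnel` followed by `PasswordAuthentication yes`, which OpenSSH accepts under Match; PAM-driven OATH is normally handled via keyboard-interactive (`KbdInteractiveAuthentication yes` with `UsePAM yes`), so confirm against the PAM configuration, which is not in this diff, whether password authentication is needed at all. The `services.openssh` attribute set and the enclosing module start and end outside these hunks.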
