Diffstat (limited to '')
-rw-r--r--sys/auth.nix82
1 files changed, 0 insertions, 82 deletions
diff --git a/sys/auth.nix b/sys/auth.nix
deleted file mode 100644
index 835f836..0000000
--- a/sys/auth.nix
+++ /dev/null
@@ -1,82 +0,0 @@
-{ config, lib, pkgs, ... }:
-with lib; let
- cfg = config.local;
-in
-{
- config = {
- security.pam = {
- oath = {
- usersFile = "/var/trust/auth/users.oath";
- digits = 6;
- window = 30;
- };
-
- services.sshd.oathAuth = true;
- };
-
- services.openssh = {
- enable = true;
- openFirewall = false;
- ports = [ 2234 ];
- startWhenNeeded = true;
-
- hostKeys = [
- {
- bits = 4096;
- path = "/etc/ssh/ssh_host_rsa_key";
- type = "rsa";
- }
- {
- path = "/etc/ssh/ssh_host_ed25519_key";
- type = "ed25519";
- }
- #TODO: Desfasar, inseguro
- {
- path = "/etc/ssh/ssh_host_ecdsa_key";
- type = "ecdsa";
- }
- ];
-
- settings = {
- X11Forwarding = true;
- PermitRootLogin = "no";
- PasswordAuthentication = true; # Necesario para oath, no reemplaza a oath
- };
-
- extraConfig = ''
- # User 'tunnel' has no password. Use PAM OATH
- # and connect with -N, forward with -R.
- Match User tunnel
- AllowTcpForwarding remote
- AllowStreamLocalForwarding no
- X11Forwarding no
- PermitTunnel no
- GatewayPorts no
- AllowAgentForwarding no
- PermitOpen none
- PermitListen 60220 60221 60222 60223 60224 60225 60226 60227 60228 60229
-
- Banner ${pkgs.writeText "tunnel-banner" ''
- This is a reverse tunnel
- ''}
- '';
- };
-
- services.pcscd.enable = true;
- services.udev.packages = [ pkgs.yubikey-personalization ];
-
- networking.firewall.allowedTCPPorts = [ 2234 ];
-
- users.users.tunnel = {
- uid = 1100;
- group = "nogroup";
- isSystemUser = true;
-
- # Requiere oath
- password = "tunnel";
-
- home = "/var/empty";
- shell = "${pkgs.coreutils}/bin/true";
- };
- };
-}