Diffstat (limited to 'sys/auth')
-rw-r--r--sys/auth/default.nix6
-rw-r--r--sys/auth/oath.nix34
-rw-r--r--sys/auth/openssh.nix86
3 files changed, 126 insertions, 0 deletions
diff --git a/sys/auth/default.nix b/sys/auth/default.nix
new file mode 100644
index 0000000..4678da9
--- /dev/null
+++ b/sys/auth/default.nix
@@ -0,0 +1,6 @@
+{
+ imports = [
+ ./oath.nix
+ ./openssh.nix
+ ];
+}
diff --git a/sys/auth/oath.nix b/sys/auth/oath.nix
new file mode 100644
index 0000000..7030bab
--- /dev/null
+++ b/sys/auth/oath.nix
@@ -0,0 +1,34 @@
+{ config, lib, pkgs, ... }:
+with lib; let
+ cfg = config.local.auth.oath;
+in
+{
+ options.local.auth.oath = {
+ enable = lib.mkEnableOption "pam-oath";
+ };
+
+ config = lib.mkIf cfg.enable {
+ security.pam = {
+ oath = {
+ digits = 6;
+ window = 30;
+
+ usersFile = "/var/trust/auth/users.oath";
+ };
+
+ services.sshd.oathAuth = true;
+ };
+
+ users.users.tunnel = {
+ uid = 1100;
+ group = "nogroup";
+ isSystemUser = true;
+
+ # Requiere oath
+ password = "tunnel";
+
+ home = "/var/empty";
+ shell = "${pkgs.coreutils}/bin/true";
+ };
+ };
+}
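Review bot: `password = "tunnel"` at the bottom of the hunk places a plaintext password in the world-readable Nix store and in the generated shadow file; if the account only needs to be unlocked so pam_oath can run, use `hashedPassword = "<crypt hash>";` (or `hashedPasswordFile` pointing outside the store) and state that the OTP is the real factor. The same `users.users.tunnel` definition is repeated in `sys/auth/openssh.nix` in this commit under `mkIf cfg.tunnel.enable`, whereas here the account is created whenever OATH is enabled regardless of the tunnel option; keeping a single definition avoids the two drifting apart. `window = 30` appears to be handed straight to pam_oath, whose `window=` counts OTP/time steps rather than seconds, so at a 30-second step this would accept codes roughly 15 minutes old — confirm that is intended. The comment `# Requiere oath` is in Spanish; `# Placeholder password only: PAM OATH is the real factor` would state the intent.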
diff --git a/sys/auth/openssh.nix b/sys/auth/openssh.nix
new file mode 100644
index 0000000..2030682
--- /dev/null
+++ b/sys/auth/openssh.nix
@@ -0,0 +1,86 @@
+{ config, lib, pkgs, ... }:
+with lib; let
+ cfg = config.local.auth.openssh;
+ withOath = config.local.auth.oath.enable;
+in
+{
+ options.local.auth.openssh = {
+ enable = mkEnableOption "openssh";
+ tunnel.enable = mkEnableOption "ssh tunnel user";
+
+ #TODO: Desfasar ecdsa, inseguro
+ hostKeys = listToAttrs (map
+ (name: {
+ inherit name;
+
+ value = mkOption {
+ type = types.bool;
+ default = false;
+ };
+ }) [ "ecdsa" "ed25519" "rsa" ]);
+ };
+
+ config = lib.mkIf cfg.enable {
+ assertions = [
+ {
+ assertion = cfg.tunnel.enable -> withOath;
+ message = "SSH tunnel requires oath";
+ }
+ ];
+
+ local.boot.impermanence.files =
+ flatten (map (key: [ key.path "${key.path}.pub" ]) config.services.openssh.hostKeys);
+
+ services.openssh = {
+ enable = true;
+ openFirewall = true;
+ ports = [ 2234 ];
+ startWhenNeeded = true;
+
+ hostKeys = map
+ (name: {
+ path = "/etc/ssh/ssh_host_${name}_key";
+ type = name;
+ } // optionalAttrs (name == "rsa") {
+ bits = 4096;
+ })
+ (attrNames (filterAttrs (name: enable: enable) cfg.hostKeys));
+
+ settings = {
+ X11Forwarding = true;
+ PermitRootLogin = "prohibit-password";
+ PasswordAuthentication = withOath; # Necesario para oath, no reemplaza a oath
+ };
+
+ extraConfig = optionalString cfg.tunnel.enable ''
+ # User 'tunnel' has no password. Use PAM OATH
+ # and connect with -N, forward with -R.
+ Match User tunnel
+ AllowTcpForwarding remote
+ AllowStreamLocalForwarding no
+ X11Forwarding no
+ PermitTunnel no
+ GatewayPorts no
+ AllowAgentForwarding no
+ PermitOpen none
+ PermitListen 60220 60221 60222 60223 60224 60225 60226 60227 60228 60229
+
+ Banner ${pkgs.writeText "tunnel-banner" ''
+ This is a reverse tunnel
+ ''}
+ '';
+ };
+
+ users.users.tunnel = mkIf cfg.tunnel.enable {
+ uid = 1100;
+ group = "nogroup";
+ isSystemUser = true;
+
+ # Requiere oath
+ password = "tunnel";
+
+ home = "/var/empty";
+ shell = "${pkgs.coreutils}/bin/true";
+ };
+ };
+}
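Review bot: `PasswordAuthentication = withOath` turns password logins on for every account, not only `tunnel`, whenever the OATH module is enabled; the `Match User tunnel` block is the natural place to scope it, e.g. `PasswordAuthentication = false;` in `settings` and `PasswordAuthentication yes` plus `KbdInteractiveAuthentication yes` inside the Match block. The comment `# User 'tunnel' has no password. Use PAM OATH` contradicts `password = "tunnel"` further down the same hunk; rewrite it as `# 'tunnel' has only a placeholder password; PAM OATH is the real factor`. `X11Forwarding = true` is set globally even though the tunnel Match disables it, and the `#TODO: Desfasar ecdsa, inseguro` note could already be acted on by dropping `"ecdsa"` from the `hostKeys` option list, since it defaults to false anyway. `users.users.tunnel` is also defined unconditionally in `sys/auth/oath.nix` in this commit; one definition should remain.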