refactor pam-u2f: add keysPath, verbose, fix docs about u2f_keys path #11886
Conversation
spinus
commented
Dec 22, 2015
•
spinus
commented
- change enableU2F option to U2F.* set
- added few pam-u2f options
- fix documentation about default u2f_keys locations
|
By analyzing the blame information on this pull request, we identified @philandstuff, @edolstra and @obadz to be potential reviewers |
nixos/modules/security/pam.nix
Outdated
| <filename>~/.yubico/u2f_keys</filename> are able to log in | ||
| with the associated U2F key. | ||
| ''; | ||
| U2F = { |
There was a problem hiding this comment.
Not a fan of starting the module name with uppercase, but am not sure if we have any official guidelines on that.
There was a problem hiding this comment.
I'm big fan of "this-notation" or "this_notation" but I'm not sure we want that here. Some packages are using this convention, but I didn't see that for options.
Here I followed something like, camelCase but if the first letter is big I'm making it smaller just for naming sake. the same I would do if the name would started with API I wouldn't do apiSomething.
But I can use whatever convention is agreed :-)
There was a problem hiding this comment.
https://github.com/Yubico/pam-u2f Yubico themselves seem to have no trouble keeping it lowercase
There was a problem hiding this comment.
True.
Is that good occasion to move that decision to mailing list or ticket and make some naming convention agreements? I saw one ticket about that but as far as I remember it stucked.
|
Why the duplicate module? |
|
What do you mean? |
|
@spinus as far as I can tell, you have two copies of all the U2F options, first in the |
|
The reason for this is (I guess), the "top" layer works as defaults for all pam services, the other one is per service. example: So you can enable it globally and disable for particular modules. The problem I have here, I have no idea how to grab description from "outer" scope the same I grabbed the default value so I copy pasted as "good" start :) |
|
hey, can we move it a little? What I should do/fix to make this happen? |
|
@copumpkin hey, updated the name (U2F -> u2f), is it better now? |
|
@philandstuff @edolstra @obadz do you think this is good direction? Any idea how I could use description only once in current situation (I know I could extract it level up as variable, but that would be confusing probably) |
|
ping @copumpkin |
|
@grahamc security :) |
nixos/modules/security/pam.nix
Outdated
| with the associated U2F key. | ||
| ''; | ||
| u2f = { | ||
| enabled = mkOption { |
There was a problem hiding this comment.
The attribute shoud be called enable like in every other module.
nixos/modules/security/pam.nix
Outdated
| <literal>cue</literal> option is added to <literal>pam-u2f</literal> | ||
| module and reminder message will be displayed. | ||
| ''; | ||
| }; |
There was a problem hiding this comment.
Both u2f options should be generated by a function instead auf copy-paste.
There was a problem hiding this comment.
@fpletz now, one year after I pushed that, I know lot more about nix :-) I try to refactor.
Thank you for your review.
nixos/modules/security/pam.nix
Outdated
| If you sen this option to <literal>true</literal>, | ||
| <literal>cue</literal> option is added to <literal>pam-u2f</literal> | ||
| module and reminder message will be displayed. | ||
| ''; |
|
status of this? |
|
@jb55 waits for me to refactor it, my current estimation is I'll take a look in next 2 weeks. |
|
any update on this? would love to see this in master 👍 |
|
Yeah, I started working on it again in January, but during that year stuff has changed a little and I started doing it again rather then rebasing or anything. In the meantime I stuck somewhere there (I had a problem with nix expression evaluation). I was also wondering if the name should be changed to yubico (from u2f). Yubico has pam module named u2f but it looks like yubikey is supported but I'm not sure if that is universal or not. If it's universal, it's kine of unfortunate that default key files are named yubikey. What do you think? |
|
Tomasz Czyż <notifications@github.com> writes:
I was also wondering if the name should be changed to yubico (from u2f). Yubico has pam module named u2f but it looks like yubikey is supported but I'm not sure if that is universal or not. If it's universal, it's kine of unfortunate that default key files are named yubikey. What do you think?
It is universal, I have a trezor which works with pam-u2f.
|
|
@jb55 thanks for info. In that case I'll just continue to refactor it as u2f. If I won't finish it to the end of mid-April, I'll post what I have until then and maybe somebody can continue. |
|
btw, I was thinking about writing a test for that module but I have no idea how to test that in the vm without the key :-) Any idea how we can test that module? |
* change enableU2F option to u2f.* set * add few u2f options (not all) to customize pam-u2f module * document default u2f_keys locations
|
OK, I understood a little better the structure in pam.nix and tried to extend it rather than changing convention like in my previous PR. So security.pam.u2f defines the options and they are set for all applications that use pam. Particular pam applications can use of not u2f by setting u2fAuth attribute (looks like that's how all other modules are set). I added few (but not all) pam-u2f options. Please review :) |
|
Tomasz Czyż <notifications@github.com> writes:
Please review :)
I got around to testing this today. It seems to work for the initial
login and password prompts, but for some reason it breaks systemd user
services...
|
|
@jb55 could you describe a little more the use case? I'll try to test that and fix. |
|
Sure, if I remember correctly all I did was set it to `required` and
tried logging in. That worked fine but I noticed redshift wasn't
running. So I tried `systemctl start --user redshift` and I got an
error. I didn't have time to look into it further.
We could merge this and open a separate issue, as it seemed to work fine
other than that small hiccup.
|
|
ah no, I would like not to break anything what is working, give me some time, I'll try to test it or even write test case or try to look if it's possible to limit u2f module to affect only "human" users (if it's affecting system users or whatever) |
|
I wanted to give my encouragement for this PR and that I'm willing to help if needed and where my spare time permits. |
|
(triage) @spinus, do you still plan to rebase this PR and have a look at whether the issue with systemd user services still happens? :) |
|
@fpletz please take a look |
1 similar comment
|
@fpletz please take a look |
|
@spinus can you please rebase? |
| @@ -37,12 +37,11 @@ let | |||
| }; | |||
|
|
|||
| u2fAuth = mkOption { | |||
| default = config.security.pam.enableU2F; | |||
| default = config.security.pam.u2f.enable; | |||
There was a problem hiding this comment.
can you please update https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/rename.nix to reflect this rename?
| <literal>https://developers.yubico.com/pam-u2f/</literal>. | ||
| ''; | ||
| }; | ||
| authfile = mkOption { |
There was a problem hiding this comment.
can you add a new line between options? See above (same file) for examples.
| ''; | ||
| }; | ||
| control = mkOption { | ||
| default = "required"; |
There was a problem hiding this comment.
It's currently set to sufficient, setting it to required might unexpectedly change the behavior for everyone. Please set this back to sufficient
| interactive=true; | ||
| control="sufficient"; | ||
| cue=true; | ||
| debug=true; |
There was a problem hiding this comment.
please leave a space around the = signs
| '' | ||
| $machine->waitForUnit('multi-user.target'); | ||
| $machine->succeed('egrep "auth sufficient .*u2f.*" /etc/pam.d/ -R '); | ||
|
|
|
closing this PR in favor of #54756. |
