From df9009f987a901feedd921429034855b1484025c Mon Sep 17 00:00:00 2001
From: Ming Di Leom <2809763-curben@users.noreply.gitlab.com>
Date: Thu, 25 Jul 2024 10:41:43 +0000
Subject: [PATCH] post(nixos): enable totp for ssh

---
 source/_posts/caddy-nixos-part-2.md | 35 +++++++++++++++++++++++------
 1 file changed, 28 insertions(+), 7 deletions(-)

diff --git a/source/_posts/caddy-nixos-part-2.md b/source/_posts/caddy-nixos-part-2.md
index 5d4e5c9..8539020 100644
--- a/source/_posts/caddy-nixos-part-2.md
+++ b/source/_posts/caddy-nixos-part-2.md
@@ -2,7 +2,7 @@
 title: "Setup Caddy as a reverse proxy on NixOS (Part 2: Hardening)"
 excerpt: "Part 2: Securing NixOS"
 date: 2020-03-04
-updated: 2022-12-03
+updated: 2024-07-25
 tags:
   - server
   - linux
@@ -163,7 +163,7 @@ $ google-authenticator
 ```
 
 1. Yes to time-based
-2. Import the generated QR code or secret key to OTP app (recommends Aegis for Android)
+2. Import the generated QR code or secret key to an OTP app or password manager.
 3. Enter OTP
 4. Backup scratch codes
 5. Yes to saving the key to ~/.google_authenticator
@@ -171,13 +171,34 @@ $ google-authenticator
 7. No to increasing window
 8. Yes to rate-limiting login attempts
 
-Once the secret is generated, TOTP can be enabled using the following config. I configured it to require OTP when login and sudo, in addition to password.
+Once the secret is generated, TOTP can be enabled using the following config. I configured it to require OTP as the second-factor authentication when login and ssh. There is no security benefit of enabling it on sudo because the secret key is stored in the home folder (`$HOME/.google_authenticator`) that the user can write to.
 
 ```nix
-  ## Requires OTP to login & sudo
-  security.pam = {
-    services.login.googleAuthenticator.enable = true;
-    services.sudo.googleAuthenticator.enable = true;
+  services.openssh = {
+    settings = {
+      PermitRootLogin = "no";
+      PasswordAuthentication = false;
+      KbdInteractiveAuthentication = true;
+      # https://github.com/NixOS/nixpkgs/issues/115044#issuecomment-2244953944
+      AuthenticationMethods = "publickey,keyboard-interactive:pam";
+    };
+  };
+
+  ## Requires OTP to login & ssh
+  security.pam.services = {
+    login.googleAuthenticator.enable = true;
+    # https://github.com/NixOS/nixpkgs/issues/115044#issuecomment-2065409087
+    sshd.text = ''
+      account required pam_unix.so # unix (order 10900)
+
+      auth required ${pkgs.google-authenticator}/lib/security/pam_google_authenticator.so nullok no_increment_hotp # google_authenticator (order 12500)
+      auth sufficient pam_permit.so
+
+      session required pam_env.so conffile=/etc/pam/environment readenv=0 # env (order 10100)
+      session required pam_unix.so # unix (order 10200)
+      session required pam_loginuid.so # loginuid (order 10300)
+      session optional ${pkgs.systemd}/lib/security/pam_systemd.so # systemd (order 12000)
+    '';
   };
 ```