curben
/
blog
mirror of https://gitlab.com/curben/blog
1
0
Fork 0
Code Issues Releases Wiki Activity

post(nixos): enable totp for ssh

This commit is contained in:
Ming Di Leom 2024-07-25 10:41:43 +00:00
parent 1ec281168b
commit df9009f987
No known key found for this signature in database
GPG Key ID: 32D3E28E96A695E8
1 changed files with 28 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
source/_posts/caddy-nixos-part-2.md
View File

@ -2,7 +2,7 @@
title: "Setup Caddy as a reverse proxy on NixOS (Part 2: Hardening)" title: "Setup Caddy as a reverse proxy on NixOS (Part 2: Hardening)"
excerpt: "Part 2: Securing NixOS" excerpt: "Part 2: Securing NixOS"
date: 2020-03-04 date: 2020-03-04
updated: 2022-12-03 updated: 2024-07-25
tags: tags:
- server - server
- linux - linux
@ -163,7 +163,7 @@ $ google-authenticator
``` ```
1. Yes to time-based 1. Yes to time-based
2. Import the generated QR code or secret key to OTP app (recommends Aegis for Android) 2. Import the generated QR code or secret key to an OTP app or password manager.
3. Enter OTP 3. Enter OTP
4. Backup scratch codes 4. Backup scratch codes
5. Yes to saving the key to ~/.google_authenticator 5. Yes to saving the key to ~/.google_authenticator
@ -171,13 +171,34 @@ $ google-authenticator
7. No to increasing window 7. No to increasing window
8. Yes to rate-limiting login attempts 8. Yes to rate-limiting login attempts
Once the secret is generated, TOTP can be enabled using the following config. I configured it to require OTP when login and sudo, in addition to password. Once the secret is generated, TOTP can be enabled using the following config. I configured it to require OTP as the second-factor authentication when login and ssh. There is no security benefit of enabling it on sudo because the secret key is stored in the home folder (`$HOME/.google_authenticator`) that the user can write to.
```nix ```nix
## Requires OTP to login & sudo services.openssh = {
security.pam = { settings = {
services.login.googleAuthenticator.enable = true; PermitRootLogin = "no";
services.sudo.googleAuthenticator.enable = true; PasswordAuthentication = false;
KbdInteractiveAuthentication = true;
# https://github.com/NixOS/nixpkgs/issues/115044#issuecomment-2244953944
AuthenticationMethods = "publickey,keyboard-interactive:pam";
};
};
## Requires OTP to login & ssh
security.pam.services = {
login.googleAuthenticator.enable = true;
# https://github.com/NixOS/nixpkgs/issues/115044#issuecomment-2065409087
sshd.text = ''
account required pam_unix.so # unix (order 10900)
auth required ${pkgs.google-authenticator}/lib/security/pam_google_authenticator.so nullok no_increment_hotp # google_authenticator (order 12500)
auth sufficient pam_permit.so
session required pam_env.so conffile=/etc/pam/environment readenv=0 # env (order 10100)
session required pam_unix.so # unix (order 10200)
session required pam_loginuid.so # loginuid (order 10300)
session optional ${pkgs.systemd}/lib/security/pam_systemd.so # systemd (order 12000)
'';
}; };
``` ```