As the title indicates, I’m trying to enable PAM in combination with DUO.
I’ve found nix files for both PAM and DUO on GitHub.
The DUO nix file has options, so I configured my /etc/nixos/configuration.nix like this:
security.duosec = {
ssh.enable = true;
pam.enable = true;
integrationKey = "my integration key";
secretKeyFile = /run/duo_key_file;
host = "api-XXXXXXXX.duosecurity.com";
failmode = "safe";
pushinfo = true;
autopush = false;
};
Likewise, the PAM nix file has options.
The trouble starts when I want to configure PAM.
Currently I have it configured like this:
security.pam = {
name = "duosec"; # Not sure what value this is supposed to be. The example of "sshd" isn't very helpful here.
unixAuth = true;
# p11Auth = true; # ssh access is a nice to have but not of immediate concern
# usshAuth = true; # ssh access is a nice to have but not of immediate concern
# sshAgentAuth = true; # ssh access is a nice to have but not of immediate concern
duoSecurity.enable = true; # Yields a build error; I'm not sure why
startSession = true;
# setEnvironment = true; # not sure I need this
forwardXAuth = true;
# requireWheel = false; not sure I need this
# enableKwallet = true; # nice to have but not of immediate concern
text = ''
.
.
.
.
.
''; # What should go in here?
}
The duoSecurity option is defined a little differently relative to the other options, and yields an unexpected build error:
error: The option `security.pam.duoSecurity` does not exist.
My questions are:
- How do I resolve the build error if the option doesn’t exist? The PAM nix file linked above directly states that it exists if I’m reading it right, so I’m not sure what the proper resolution is here.
- What should the value of
security.pam.textbe? Something like the PAM examples given here for other Linux OSes? Or something else entirely?