auth/sudo: enable u2f for sudo via pam module

This commit is contained in:
Benjamin Bädorf 2024-02-03 15:01:56 +01:00
parent 2f3397354f
commit 5bc46fc64c
Signed by: b12f
GPG key ID: 729956E1124F8F26
4 changed files with 78 additions and 0 deletions


@ -69,6 +69,8 @@ in {
"id_ed25519_sk-485.age".publicKeys = biolimoKeys ++ chocolatebarKeys ++ stroopwafelKeys ++ baseKeys;
"id_ed25519_sk-464.age".publicKeys = biolimoKeys ++ chocolatebarKeys ++ stroopwafelKeys ++ baseKeys;
"u2f_keys.age".publicKeys = biolimoKeys ++ chocolatebarKeys ++ stroopwafelKeys ++ baseKeys;
"firefly-secrets.env.age".publicKeys = pieKeys ++ baseKeys;
"firefly-db-secrets.env.age".publicKeys = pieKeys ++ baseKeys;
"firefly-importer-secrets.env.age".publicKeys = pieKeys ++ baseKeys;

53
secrets/u2f_keys.age Normal file

@ -0,0 +1,53 @@
age-encryption.org/v1
-> ssh-ed25519 TnSWKQ OvFRHaP8biGy7VQ+XxrMZrE5Eh7QrvqeZ70xxFMOXyY
PG7nikQu62CTwQySa+izNiJnaF1VHO3c1vhYh7Zfb+k
-> ssh-rsa 8daibg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-> ssh-ed25519 2Ca8Kg Gb3ZhQ3a/Ss/c6F5OpnGwiT6X88XxWjUiisVS3dcaBE
qEeHjKKBlgJIOhDVCkpdWYY1SYi1oL/0GD6qXWL9pTg
-> ssh-rsa 2ggJWw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-> ssh-ed25519 b0WFDg QvQnLb9Vzq1eGGB99N62MexOdnhrCsmhMHtb2BdjuiM
FHBpBedd3EmYjjmDMMC930tthGgXRpE24a4Hnbonppc
-> ssh-rsa kFDS0A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-> piv-p256 zqq/iw AreftGlpT4XE6oLF2JqGJZ9z0J+aA24f/mV3912onZpq
lSyQYv/9fsHGK+efOqDSDrv7LtNMgRs3S+pzLwkCiSY
-> piv-p256 vRzPNw Ai3RqqfpqtuB/7cKXHdthbsn0YCzIHeGTPvnKFRqVlDQ
5dPhR3h50HP/gr7W4UWBeASunL/L/+HmZ1SYaRNfIY4
-> Kq,X^3-grease H#p,? S#JCB
L1KYQeakH6Y7Lo+yueCY4QwW7Ihan9KkyInY9tzjrZV8Ofu2OA
--- BGyJ+z3FEuyKiWdR1VC7PUEhgT9WWLvGPfck73aC6FI
iF솳3GrœIœ9˜iM¿üš·%¬
V#5{ÒìÈ©tyU·n.š•<10>ô\Î,#äØ)¨ÂDx«UðÈ$&ƒ)sÙÃëJÄTØÅÔ(wû/ا‰F˄Ya¤=\V_êàg§ØK®YRŒá·5o4ì;qj£ˆ<C2A3>
½¹¥FfG\<5C>µk4xÓ§CZ<>âwÚ)ñúíÏd[¿ˆþæV+ôKª,ú<Ô°'´Îºù“ÐF' Ä#E7°µa™Ä6}Jú7 ?L6É°ˆ¯âE÷e‰z<6"<16>b<62>¦ÌŽµÄÏZºø”W41á<31>7nËI<C38B>*|ÜlŠWñfáÄ^tòêŽf;§Æ ¤OÐ÷ß<C3B7>ГÑ@üÕùÆpmõJrBKr øù€¢<E282AC>ÙÆk<C386>þyuR@ Ëí'ðz© ÜP¯ e¢ÈF¦qÂ
SØpê¶%<25>ýÃßcáŸv<C5B8>3<1D>¤ø÷VŒxÖóÈûò¤¸<C2A4>ÿ‡Û9¼Ò­¿͆wqÊ<71> €à
çËÜšîí`™Û±


@ -11,6 +11,7 @@ in {
imports = [
./home.nix
./session-variables.nix
./u2f.nix
./concepts-and-training.nix
./ehex.nix
./email

22
users/b12f/u2f.nix Normal file

@ -0,0 +1,22 @@
{
config,
pkgs,
lib,
flake,
...
}: let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in {
age.secrets.u2f_keys = {
file = "${flake.self}/secrets/u2f_keys.age";
mode = "400";
owner = psCfg.user.name;
path = "${xdg.configHome}/Yubico/u2f_keys";
};
security.pam.services = {
login.u2fAuth = false;
sudo.u2fAuth = true;
};
}
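Review bot: `sudo.u2fAuth = true` on its own makes the token a password replacement for sudo rather than a second factor, because NixOS's `security.pam.u2f.control` defaults to `sufficient` and this file never sets it; if the intent is 2FA, add `security.pam.u2f.control = "required";` (and `security.pam.u2f.cue = true;` so the user is prompted to touch the key), which keeps the password prompt in place. Whichever semantics are intended should be stated in a comment above the `security.pam.services` block, e.g. `# sudo: a touched U2F key alone satisfies auth (no password); login keeps password-only auth`. The `pkgs` and `lib` arguments are unused in this module and can be dropped from the argument set. With agenix, I believe a secret with an explicit `path` is placed as a symlink into the agenix runtime directory unless `symlink = false` is set, so it is worth confirming that pam_u2f resolves `${xdg.configHome}/Yubico/u2f_keys` correctly from the sudo context (the file is owned by the user but read by a root-owned PAM stack). The hunk header announces 22 lines while 21 are rendered here, so a trailing line may be missing from this view.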