From patchwork Thu Apr 17 17:41:18 2025
From: scmorris.dev@gmail.com
To: 77885@debbugs.gnu.org
Cc: Samuel Morris
Subject: [bug#77885] [PATCH] gnu: security-token: create pam-u2f service with pam extension
Date: Thu, 17 Apr 2025 13:41:18 -0400
X-Mailer: git-send-email 2.49.0
X-Patchwork-Submitter: scmorris.dev@gmail.com
X-Patchwork-Id: 41774
From: Samuel Morris

Adding this pam extension allows users to configure their security key to authenticate in various ways through PAM modules, such as accessing root privileges.

The pam_u2f module has many arguments. I have only exposed the control level and the cue_prompt for now. See the module documentation for more details: https://developers.yubico.com/pam-u2f/

Also, this is my first time contributing. I had a very hard time getting my Yubikey working properly, so I thought I’d share my changes. I am booting guix on my framework and currently using my Yubikey with these changes for login/sudo/su authentication. That's about the extent of my testing. If this basically looks right, then I can add some documentation as well and extend the service configuration with more arguments from the module.

Change-Id: I9a0ba767d7f9288892868f71c0f2595d70df237d
---
 gnu/services/security-token.scm | 47 ++++++++++++++++++++++++++++++++-
 1 file changed, 46 insertions(+), 1 deletion(-)

base-commit: 812f972f046e521eabc3ddd76e790d7a69d426b5

diff --git a/gnu/services/security-token.scm b/gnu/services/security-token.scm
index 7d6c0e0f8d..dcff42933b 100644
--- a/gnu/services/security-token.scm
+++ b/gnu/services/security-token.scm
@@ -20,17 +20,25 @@ (define-module (gnu services security-token) #:use-module (gnu services) + #:use-module (gnu services configuration) #:use-module (gnu services shepherd) #:use-module (gnu packages admin) #:use-module (gnu packages base) #:use-module (gnu packages security-token) + #:use-module (gnu system pam) #:use-module (gnu system shadow) #:use-module (guix gexp) #:use-module (guix modules) #:use-module (guix records) #:use-module (ice-9 match) #:use-module (srfi srfi-26) - #:export (pcscd-configuration + #:export (pam-u2f-configuration + pam-u2f-configuration? + pam-u2f-configuration-prompt + pam-u2f-configuration-module + pam-u2f-configuration-control + pam-u2f-service-type + pcscd-configuration pcscd-configuration? pcscd-configuration-pcsc-lite pcscd-configuration-usb-drivers 
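Review bot: the export list adds `pam-u2f-configuration-module`, but the record defined in the next hunk has only `control` and `prompt` fields, so no such accessor is ever defined and the module exports an unbound name. Either drop that line from `#:export` or add a `module` field to `pam-u2f-configuration`; the remaining four `pam-u2f-*` exports match what the hunk below defines.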
@@ -90,3 +98,40 @@ (define pcscd-service-type (service-extension activation-service-type pcscd-activation))) (default-value (pcscd-configuration)))) + +(define-configuration/no-serialization pam-u2f-configuration + (control + (string "sufficient") + "Control level for this pam module [sufficient, required]") + (prompt + (string "Tap your security key") + "Cue prompt to be printed when the security key is accessed.")) + +(define (pam-u2f-extension-procedure config) + "Return an extension for PAM-ROOT-SERVICE-TYPE that ensures that all the PAM +services use 'pam_u2f.so', a module implementing PAM over U2F, providing an +easy way to integrate the YubiKey (or other U2F compliant authenticators) into +your existing infrastructure.)" + (match-record config + (control prompt) + (let ((pam-u2f-entry + (pam-entry + (control control) + (module (file-append pam-u2f "/lib/security/pam_u2f.so")) + (arguments `("cue" (simple-format #f "[cue_prompt=~A]" ,prompt)))))) + (list (pam-extension + (transformer + (lambda (pam) + (pam-service + (inherit pam) + (auth (cons pam-u2f-entry (pam-service-auth pam))))))))))) + +(define pam-u2f-service-type + (service-type + (name 'pam-u2f) + (description "Configure and integrate u2f with pam.") + (extensions + (list + (service-extension pam-root-service-type + pam-u2f-extension-procedure))) + (default-value (pam-u2f-configuration))))
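Review bot: in `pam-u2f-extension-procedure` the argument list is built as `` `("cue" (simple-format #f "[cue_prompt=~A]" ,prompt)) ``, which unquotes only `prompt`; the `(simple-format ...)` form stays quoted data, so the entry's arguments carry a literal list rather than the formatted string. It should read `` `("cue" ,(simple-format #f "[cue_prompt=~A]" prompt)) `` or simply `(list "cue" (string-append "[cue_prompt=" prompt "]"))`. Two related points. `control` is a free-form string that the docstring limits to `sufficient` or `required` but nothing enforces, and a typo there is written into every generated PAM file; a sanitizer or an enumerated symbol would reject it at evaluation time. And because the entry is `cons`ed onto the head of the `auth` stack of every PAM service, the docstring and the planned documentation should spell out what the two values mean: with the default `sufficient`, a successful key touch alone satisfies authentication for that service (login, sudo and su included) and the entries after it are not consulted, whereas `required` makes the key an additional factor on top of whatever auth entries the service already has. Consider a field naming the services to extend instead of transforming all of them unconditionally, and drop the stray `)` at the end of the docstring (`...infrastructure.)"`).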
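Added example, not part of the patch or of Guix: a POSIX sh audit for the /etc/pam.d files a system generates after reconfiguring with this service. It reports, per service, whether pam_u2f.so sits at the head of the auth stack as `sufficient` (a key touch alone authenticates) or as `required` (the key is a second factor), and flags argument strings that are not well formed, such as a leaked, unevaluated Scheme form. The sample files, the `/gnu/store/<hash>-pam-u2f/...` module path and the prompt text are constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the patch or of Guix): audit the generated
# /etc/pam.d/<service> files after reconfiguring with the pam-u2f service.
#
# A PAM auth line has the shape:   auth  <control>  <module>  [arguments...]
# The service prepends its pam_u2f.so entry to every service's auth stack, so
# the control flag alone decides the security property:
#   sufficient : a successful key touch satisfies auth by itself; the entries
#                after it are never consulted (one factor: the key).
#   required   : the key must succeed and every later required entry (e.g. a
#                pam_unix.so password) must succeed too (two factors).

# Classify the pam_u2f.so entry of the PAM service file $1.
# Prints: none | key-only | second-factor | <control> (anything else)
pam_u2f_mode() {
    _pos=0
    while read -r _type _control _module _rest; do
        case $_type in ''|'#'*) continue ;; esac     # blank lines, comments
        [ "$_type" = auth ] || continue
        _pos=$((_pos + 1))
        case $_module in
            *pam_u2f.so)
                if [ "$_control" = sufficient ] && [ "$_pos" -eq 1 ]; then
                    echo key-only
                elif [ "$_control" = required ]; then
                    echo second-factor
                else
                    echo "$_control"
                fi
                return 0 ;;
        esac
    done < "$1"
    echo none
}

# Print the argument string of the pam_u2f.so entry in $1 (empty if none).
pam_u2f_args() {
    while read -r _type _control _module _rest; do
        case $_type in ''|'#'*) continue ;; esac
        [ "$_type" = auth ] || continue
        case $_module in
            *pam_u2f.so) echo "$_rest"; return 0 ;;
        esac
    done < "$1"
    echo ""
}

# Return 0 when an argument string looks well formed for pam_u2f: no
# parentheses (an unevaluated Scheme form leaking through the gexp), and
# every "[" (PAM's quoting for arguments containing spaces) has its "]".
pam_u2f_args_ok() {
    case $1 in *'('*|*')'*) return 1 ;; esac
    _open=$(printf '%s' "$1" | sed 's/[^[]//g' | wc -c | tr -d ' ')
    _close=$(printf '%s' "$1" | sed 's/[^]]//g' | wc -c | tr -d ' ')
    [ "$_open" -eq "$_close" ]
}

# Constructed sample files standing in for /etc/pam.d/sudo and /etc/pam.d/login
# (the <hash> in the store path is a placeholder, not a real store item).
write_samples() {
    printf '%s\n' '# Generated by pam-services' '' \
      'auth sufficient /gnu/store/<hash>-pam-u2f/lib/security/pam_u2f.so cue [cue_prompt=Tap your security key]' \
      'auth required pam_unix.so' 'account required pam_unix.so' > "$1/sudo"
    printf '%s\n' \
      'auth required /gnu/store/<hash>-pam-u2f/lib/security/pam_u2f.so cue [cue_prompt=Tap your security key]' \
      'auth required pam_unix.so' 'account required pam_unix.so' > "$1/login"
}

# Audit every service file in directory $1 (e.g. /etc/pam.d), one line each.
pam_u2f_audit() {
    for _f in "$1"/*; do
        [ -f "$_f" ] || continue
        _mode=$(pam_u2f_mode "$_f")
        _args=$(pam_u2f_args "$_f")
        if [ -n "$_args" ] && ! pam_u2f_args_ok "$_args"; then
            _mode="$_mode (malformed arguments: $_args)"
        fi
        printf '%s: %s\n' "$(basename "$_f")" "$_mode"
    done
}

_dir=$(mktemp -d)
write_samples "$_dir"
pam_u2f_audit "$_dir"      # login: second-factor / sudo: key-only
rm -rf "$_dir"
```

On a reconfigured system, run `pam_u2f_audit /etc/pam.d`; every service reporting `key-only` is one where possession of the key, with no password, is enough to authenticate, which is what the default `control` of `sufficient` at the head of the stack produces.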