GNU bug report logs - #77885
[PATCH] gnu: security-token: create pam-u2f service with pam extension


Package: guix-patches;

Reported by: scmorris.dev <at> gmail.com

Date: Fri, 18 Apr 2025 04:51:04 UTC

Severity: normal

Tags: patch

To reply to this bug, email your comments to 77885 AT debbugs.gnu.org.



Report forwarded to guix-patches <at> gnu.org:
bug#77885; Package guix-patches. (Fri, 18 Apr 2025 04:51:05 GMT)

Acknowledgement sent to scmorris.dev <at> gmail.com:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Fri, 18 Apr 2025 04:51:05 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

From: scmorris.dev <at> gmail.com
To: guix-patches <at> gnu.org
Cc: Samuel Morris <scmorris.dev <at> gmail.com>
Subject: [PATCH] gnu: security-token: create pam-u2f service with pam extension
Date: Thu, 17 Apr 2025 13:41:18 -0400
From: Samuel Morris <scmorris.dev <at> gmail.com>

Adding this pam extension allows users to configure their security
key to authenticate in various ways through PAM modules, such as
accessing root privileges.

The pam_u2f module has many arguments. I have only exposed the control
level and the cue_prompt for now. See the module documentation for more
details: https://developers.yubico.com/pam-u2f/

Also, this is my first time contributing. I had a very hard time
getting my Yubikey working properly, so I thought I’d share my changes. I
am booting guix on my framework and currently using my Yubikey with these
changes for login/sudo/su authentication. That's about the extent of my
testing. If this basically looks right, then I can add some documentation
as well and extend the service configuration with more arguments from the
module.


Change-Id: I9a0ba767d7f9288892868f71c0f2595d70df237d
---
 gnu/services/security-token.scm | 47 ++++++++++++++++++++++++++++++++-
 1 file changed, 46 insertions(+), 1 deletion(-)

diff --git a/gnu/services/security-token.scm b/gnu/services/security-token.scm
index 7d6c0e0f8d..dcff42933b 100644
--- a/gnu/services/security-token.scm
+++ b/gnu/services/security-token.scm
@@ -20,17 +20,25 @@
 
 (define-module (gnu services security-token)
   #:use-module (gnu services)
+  #:use-module (gnu services configuration)
   #:use-module (gnu services shepherd)
   #:use-module (gnu packages admin)
   #:use-module (gnu packages base)
   #:use-module (gnu packages security-token)
+  #:use-module (gnu system pam)
   #:use-module (gnu system shadow)
   #:use-module (guix gexp)
   #:use-module (guix modules)
   #:use-module (guix records)
   #:use-module (ice-9 match)
   #:use-module (srfi srfi-26)
-  #:export (pcscd-configuration
+  #:export (pam-u2f-configuration
+            pam-u2f-configuration?
+            pam-u2f-configuration-prompt
+            pam-u2f-configuration-module
+            pam-u2f-configuration-control
+            pam-u2f-service-type
+            pcscd-configuration
             pcscd-configuration?
             pcscd-configuration-pcsc-lite
             pcscd-configuration-usb-drivers
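Review bot: the new export list names `pam-u2f-configuration-module`, but nothing in this patch defines it: the record added in the second hunk has only `control` and `prompt` fields, so `define-configuration/no-serialization` generates `pam-u2f-configuration-control` and `pam-u2f-configuration-prompt` and no `-module` accessor. Exporting a name that is never bound leaves importers with an unbound variable and misdocuments the record. Drop that export line, or add a `module` field to the record if the path to `pam_u2f.so` is meant to be configurable.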
@@ -90,3 +98,40 @@ (define pcscd-service-type
           (service-extension activation-service-type
                              pcscd-activation)))
    (default-value (pcscd-configuration))))
+
+(define-configuration/no-serialization pam-u2f-configuration
+  (control
+   (string "sufficient")
+   "Control level for this pam module [sufficient, required]")
+  (prompt
+   (string "Tap your security key")
+   "Cue prompt to be printed when the security key is accessed."))
+
+(define (pam-u2f-extension-procedure config)
+  "Return an extension for PAM-ROOT-SERVICE-TYPE that ensures that all the PAM
+services use 'pam_u2f.so', a module implementing PAM over U2F, providing an
+easy way to integrate the YubiKey (or other U2F compliant authenticators) into
+your existing infrastructure.)"
+  (match-record config <pam-u2f-configuration>
+                (control prompt)
+    (let ((pam-u2f-entry
+           (pam-entry
+            (control control)
+            (module (file-append pam-u2f "/lib/security/pam_u2f.so"))
+            (arguments `("cue" (simple-format #f "[cue_prompt=~A]" ,prompt))))))
+      (list (pam-extension
+             (transformer
+              (lambda (pam)
+                (pam-service
+                 (inherit pam)
+                 (auth (cons pam-u2f-entry (pam-service-auth pam)))))))))))
+
+(define pam-u2f-service-type
+  (service-type
+   (name 'pam-u2f)
+   (description "Configure and integrate u2f with pam.")
+   (extensions
+    (list
+     (service-extension pam-root-service-type
+                        pam-u2f-extension-procedure)))
+   (default-value (pam-u2f-configuration))))
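Review bot: the `arguments` field of the `pam-entry` never evaluates the `simple-format` call: inside `` `("cue" (simple-format #f "[cue_prompt=~A]" ,prompt)) `` only `,prompt` is unquoted, so the second element is the literal list `(simple-format #f "[cue_prompt=~A]" "Tap your security key")` rather than a string, and whether a usable `[cue_prompt=...]` argument reaches the generated pam.d file depends on how that list happens to be serialized, not on this code. Write it as `(list "cue" (string-append "[cue_prompt=" prompt "]"))` so the entry holds plain strings (a prompt containing `]` would additionally need the `\]` escape that pam.conf(5) requires inside bracketed arguments). Two smaller points on the same hunk: the transformer prepends the entry to the `auth` stack of every PAM service, so with the default `sufficient` control a successful key touch alone authenticates to all of them, and with `required` every user who has not registered a key is rejected everywhere unless the module's `nouserok` option (see the pam-u2f documentation linked in the commit message) is passed, which this configuration cannot express yet; the `control` docstring should spell out that trade-off, and the field accepts any string although the docstring lists only `sufficient` and `required`. Also, the docstring of `pam-u2f-extension-procedure` ends with a stray `)` after "infrastructure."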

base-commit: 812f972f046e521eabc3ddd76e790d7a69d426b5
-- 
2.49.0
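To make the effect of the `control` field concrete, here is an added example in Python that is not part of the patch, of Guix or of pam-u2f. It renders the pam.d `auth` line equivalent to the patch's `pam-entry` (escaping `]` in the prompt the way pam.conf(5) requires for bracketed arguments) and runs a simplified model of Linux-PAM's auth-stack dispatch over the two stacks the service can produce. It assumes that the existing auth stack is a single `required` pam_unix.so entry, which is what Guix's basic PAM services define, and the module outcomes for each scenario are constructed for the illustration.

```python
"""Added example (not Guix or pam-u2f code): what the pam-u2f service's
`control` setting does to a PAM auth stack, plus the pam.d line it implies.

Assumptions (not taken from the patch): the existing auth stack is a single
`required` pam_unix.so entry, module paths are shortened to their basenames,
and module outcomes are constructed for the scenarios below.
"""
from dataclasses import dataclass

# The two control values the patch's field docstring documents.
SUPPORTED_CONTROLS = ("required", "sufficient")


def is_supported_control(control: str) -> bool:
    return control in SUPPORTED_CONTROLS


def bracket_arg(value: str) -> str:
    """Quote a PAM module argument that contains spaces.

    pam.conf(5): an argument may be enclosed in [...]; a literal ']' inside
    the brackets must be escaped as '\\]'.
    """
    return "[" + value.replace("]", "\\]") + "]"


def pam_u2f_auth_line(control: str, prompt: str, module: str = "pam_u2f.so") -> str:
    """Render the pam.d `auth` line equivalent to the patch's pam-entry:
    `cue` plus `[cue_prompt=<prompt>]`, as in the Scheme `arguments` list."""
    if not is_supported_control(control):
        raise ValueError(f"control must be one of {SUPPORTED_CONTROLS}, got {control!r}")
    return f"auth {control} {module} cue {bracket_arg('cue_prompt=' + prompt)}"


@dataclass(frozen=True)
class Entry:
    control: str  # required | requisite | sufficient
    module: str


def run_auth_stack(stack, outcomes) -> bool:
    """Simplified Linux-PAM dispatch for an `auth` stack.

    outcomes maps module name -> True (PAM_SUCCESS) or False (any error).
    Rules modelled: `sufficient` success ends the stack with success unless an
    earlier `required` module failed; `sufficient` failure is ignored;
    `required` failure is remembered but the stack keeps running (so the user
    cannot tell which module rejected them); `requisite` failure ends the
    stack at once. `optional` is not modelled.
    """
    required_failed = False
    any_success = False
    for entry in stack:
        ok = outcomes[entry.module]
        if entry.control == "sufficient":
            if ok and not required_failed:
                return True
        elif entry.control == "requisite":
            if not ok:
                return False
            any_success = True
        elif entry.control == "required":
            if ok:
                any_success = True
            else:
                required_failed = True
        else:
            raise ValueError(f"unsupported control {entry.control!r}")
    return any_success and not required_failed


def stack_for(control: str):
    """The stack the patch's transformer builds: pam_u2f prepended to the
    (assumed) existing `required` pam_unix.so entry."""
    return [Entry(control, "pam_u2f.so"), Entry("required", "pam_unix.so")]


def decide(control: str, key_ok: bool, password_ok: bool) -> bool:
    """Does authentication succeed for a given control value and module outcomes?

    key_ok=False covers both a failed touch and a user with no key registered:
    without pam_u2f's `nouserok` option the module returns an error in that case.
    """
    return run_auth_stack(
        stack_for(control),
        {"pam_u2f.so": key_ok, "pam_unix.so": password_ok},
    )


if __name__ == "__main__":
    print(pam_u2f_auth_line("sufficient", "Tap your security key"))
    print(pam_u2f_auth_line("required", "Touch [now]"))
    for control in SUPPORTED_CONTROLS:
        for key_ok in (True, False):
            for password_ok in (True, False):
                verdict = "ALLOW" if decide(control, key_ok, password_ok) else "DENY"
                print(f"{control:<10} key_ok={key_ok!s:<5} password_ok={password_ok!s:<5} -> {verdict}")
```

With `sufficient` (the patch's default) a successful touch grants access on its own and the password is never asked for, while a missing or failed key silently falls through to the password; with `required` both factors are needed, and any user without a registered key is rejected by every PAM service the transformer touches.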








GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.