From e18ad25efd2768e597aaa9f94071ed47cb65803f Mon Sep 17 00:00:00 2001
From: Ben Sima <ben@bsima.me>
Date: Mon, 31 Jan 2022 16:45:55 -0500
Subject: yubikey login on helium

This allows me to login and sudo with *either* a password or my yubikey.

I also had to setup my yubikey with the instructions here:
https://nixos.wiki/wiki/Yubikey#Logging-in

Basically use ykman and ykpamcfg to generate a challenge-response setup
on slot 2 of my yubikey. The pam config compares the key response with
the ~/.yubico/challenge-* file in order to authenticate. I think pam
uses the ~/.yubico/authorized_keys file to know to which yubikey to send
the challenge, but I'm not sure on that one.
---
 machines/helium.nix | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

(limited to 'machines/helium.nix')

diff --git a/machines/helium.nix b/machines/helium.nix
index dda6569..564dd28 100644
--- a/machines/helium.nix
+++ b/machines/helium.nix
@@ -7,7 +7,11 @@ let
 in {
   imports = [ ./users.nix ];
 
-  security.sudo.wheelNeedsPassword = false;
+  security.sudo.wheelNeedsPassword = true;
+  security.pam.yubico.enable = true;
+  security.pam.yubico.debug = false;
+  security.pam.yubico.control = "sufficient";  # use yubikey in lieu of password
+  security.pam.yubico.mode = "challenge-response";
 
   boot.initrd.availableKernelModules = [
     "ehci_pci" "ahci"
@@ -39,7 +43,10 @@ in {
     fira fira-code fira-code-symbols
   ];
 
-  environment.systemPackages = [
+  environment.systemPackages = with pkgs; [
+    yubioath-desktop
+    yubico-pam
+    yubikey-manager
   ];
 
   nixpkgs = {
-- 
cgit v1.2.3