From unknown Tue Jun 17 20:19:16 2025
From: bug#77885 <77885@debbugs.gnu.org>
To: bug#77885 <77885@debbugs.gnu.org>
Subject: Status: [PATCH] gnu: security-token: create pam-u2f service with pam extension
Reply-To: bug#77885 <77885@debbugs.gnu.org>
Date: Wed, 18 Jun 2025 03:19:16 +0000

retitle 77885 [PATCH] gnu: security-token: create pam-u2f service with pam extension
reassign 77885 guix-patches
submitter 77885 scmorris.dev@gmail.com
severity 77885 normal
tag 77885 patch
thanks

From: scmorris.dev@gmail.com
To: guix-patches@gnu.org
Cc: Samuel Morris
Subject: [PATCH] gnu: security-token: create pam-u2f service with pam extension
Date: Thu, 17 Apr 2025 13:41:18 -0400
From: Samuel Morris

Adding this pam extension allows users to configure their security key to authenticate in various ways through PAM modules, such as accessing root privileges. The pam_u2f module has many arguments. I have only exposed the control level and the cue_prompt for now. See the module documentation for more details: https://developers.yubico.com/pam-u2f/

Also, this is my first time contributing. I had a very hard time getting my Yubikey working properly, so I thought I’d share my changes. I am booting guix on my framework and currently using my Yubikey with these changes for login/sudo/su authentication. That's about the extent of my testing. If this basically looks right, then I can add some documentation as well and extend the service configuration with more arguments from the module.

Change-Id: I9a0ba767d7f9288892868f71c0f2595d70df237d
---
 gnu/services/security-token.scm | 47 ++++++++++++++++++++++++++++++++-
 1 file changed, 46 insertions(+), 1 deletion(-)

diff --git a/gnu/services/security-token.scm b/gnu/services/security-token.scm index 7d6c0e0f8d..dcff42933b 100644 --- a/gnu/services/security-token.scm +++ b/gnu/services/security-token.scm @@ -20,17 +20,25 @@ (define-module (gnu services security-token) #:use-module (gnu services) + #:use-module (gnu services configuration) #:use-module (gnu services shepherd) #:use-module (gnu packages admin) #:use-module (gnu packages base) #:use-module (gnu packages security-token) + #:use-module (gnu system pam) #:use-module (gnu system shadow) #:use-module (guix gexp) #:use-module (guix modules) #:use-module (guix records) #:use-module (ice-9 match) #:use-module (srfi srfi-26) - #:export (pcscd-configuration + #:export (pam-u2f-configuration + pam-u2f-configuration? + pam-u2f-configuration-prompt + pam-u2f-configuration-module + pam-u2f-configuration-control + pam-u2f-service-type + pcscd-configuration pcscd-configuration? pcscd-configuration-pcsc-lite pcscd-configuration-usb-drivers
@@ -90,3 +98,40 @@ (define pcscd-service-type (service-extension activation-service-type pcscd-activation))) (default-value (pcscd-configuration)))) + +(define-configuration/no-serialization pam-u2f-configuration + (control + (string "sufficient") + "Control level for this pam module [sufficient, required]") + (prompt + (string "Tap your security key") + "Cue prompt to be printed when the security key is accessed.")) + +(define (pam-u2f-extension-procedure config) + "Return an extension for PAM-ROOT-SERVICE-TYPE that ensures that all the PAM +services use 'pam_u2f.so', a module implementing PAM over U2F, providing an +easy way to integrate the YubiKey (or other U2F compliant authenticators) into +your existing infrastructure.)" + (match-record config + (control prompt) + (let ((pam-u2f-entry + (pam-entry + (control control) + (module (file-append pam-u2f "/lib/security/pam_u2f.so")) + (arguments `("cue" (simple-format #f "[cue_prompt=~A]" ,prompt)))))) + (list (pam-extension + (transformer + (lambda (pam) + (pam-service + (inherit pam) + (auth (cons pam-u2f-entry (pam-service-auth pam))))))))))) + +(define pam-u2f-service-type + (service-type + (name 'pam-u2f) + (description "Configure and integrate u2f with pam.") + (extensions + (list + (service-extension pam-root-service-type + pam-u2f-extension-procedure))) + (default-value (pam-u2f-configuration)))) base-commit: 812f972f046e521eabc3ddd76e790d7a69d426b5 -- 2.49.0
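Review bot: the `#:export` list in the first hunk (the `define-module` header) names `pam-u2f-configuration-module`, but the `pam-u2f-configuration` record defined in the second hunk has only `control` and `prompt` fields, so no such accessor is ever defined and the exported binding stays unbound (any user of it gets `Unbound variable: pam-u2f-configuration-module`). Drop that export, or rename it if a `module` field is actually intended, so the list matches the record: `pam-u2f-configuration-control` and `pam-u2f-configuration-prompt`.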
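Review bot: in the second hunk the `arguments` field of the `pam-entry` never evaluates the `simple-format` call: inside the quasiquoted list only `,prompt` is unquoted, so the value is `("cue" (simple-format #f "[cue_prompt=~A]" "Tap your security key"))`, a nested list where the PAM file serializer expects a string. Unquote the whole call, `(arguments `("cue" ,(simple-format #f "[cue_prompt=~A]" prompt)))`, or avoid quasiquote altogether with `(list "cue" (string-append "[cue_prompt=" prompt "]"))`. Two further points in the same hunk: the docstring of `pam-u2f-extension-procedure` ends with a stray `)` inside the string (`infrastructure.)"`), and the default `control` of `"sufficient"` combined with `(auth (cons pam-u2f-entry (pam-service-auth pam)))`, which prepends the entry to the `auth` stack of every PAM service, means that a successful key touch alone satisfies authentication for login, sudo, su and every other service, with no password check; that is a single-factor design decision and belongs in the field documentation rather than the bare `[sufficient, required]` hint, and if `required` is chosen instead, users without a registered key are locked out unless pam_u2f's `nouserok` option (see the module documentation linked in the cover text) is also exposed. A doc/guix.texi entry for `pam-u2f-service-type` is still missing, as the cover text itself notes.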