nixos/duosec: Add an option to allow TCP forwarding

Signed-off-by: Austin Seipp <aseipp@pobox.com>
2024-12-26 21:33:03 +03:00 · 2014-05-20 02:42:31 -05:00 · 2014-05-20 02:42:31 -05:00 · e31f212f6b
commit e31f212f6b
parent 010833c634
1 changed files with 14 additions and 1 deletions
--- a/nixos/modules/security/duosec.nix
+++ b/nixos/modules/security/duosec.nix
@ -165,6 +165,17 @@ in
          whitelist.
        '';
      };
+
+      allowTcpForwarding = mkOption {
+        type = types.bool;
+        default = false;
+        description = ''
+          By default, when SSH forwarding, enabling Duo Security will
+          disable TCP forwarding. By enabling this, you potentially
+          undermine some of the SSH based login security. Note this is
+          not needed if you use PAM.
+        '';
+      };
    };
  };

@ -192,7 +203,9 @@ in
       # Duo Security configuration
       ForceCommand ${config.security.wrapperDir}/login_duo
       PermitTunnel no
-       AllowTcpForwarding no
+       ${optionalString (!cfg.allowTcpForwarding) ''
+         AllowTcpForwarding no
+       ''}
     '');
  };
 }