Add pam-watchid authentication to sudo command
#1216
Conversation
|
The package should live in Nixpkgs not in nix-darwin Also, I don’t think |
Simply adding it to Nixpkgs will not put the .pam file in place. For some reason my machine doesn't let me use my watch when |
|
First you’ll need to add the package to Nixpkgs, then you can use it through |
Enzime
changed the title
sudo commandpam-watchid authentication to sudo command
|
Have you enabled your Apple Watch to unlock your applications and your Mac in System Settings? It's under |
Yes, I have. No pop up to use apple watch. |
|
There was a discussion on Matrix about this and we're waiting on Logicer16/pam-watchid#5 before adding that repo to nixpkgs which will then allow this PR to progress. It hasn't been that long since I opened that PR, but if it really drags on for a while I might just add my fork to nixpkgs instead and then this PR will be able to move forwards |
|
This also probably depends on #1205 for linking the built |
|
cc: @Coosis to confirm, but iirc we confirmed on Matrix that it works to symlink the |
PAM libraries can be used directly from the Nix Store I believe |
|
You can just make a PR to nixpkgs and use your pull request as a patch on top of their repo |
oh great, even easier! (i have no experience with PAM stuff, just the Swift side)
Mostly I'm just wondering if the repo is being supported at all — it seems like it's a fork of a fork of a fork and I'm wondering if any in the chain are maintained or if they were made to fix one thing and then essentially abandoned. If so, I may just point the nixpkgs package to my repository so I can maintain it more easily |
For the record, I intend to maintain my fork for the foreseeable future. |
|
Okay, yay! I'll open a PR to nixpkgs when I get a chance and link it here |
|
Now that nixpkgs has merged @Samasaur1's PR, this should go fairly well, right? |
|
Depends on whether the library can be used directly from the Nix store or whether it needs to be linked into place. If it can be used directly, then there's no blockers. If it needs to be linked, we're waiting on #1205. |
I actually don't know how a pam module can be used from nix store directly. |
My guess is that you'd put the full path to the |
|
I was able to use the pam module directly from the store: etc = {
"pam.d/sudo_local".text = ''
auth sufficient pam_tid.so
auth sufficient ${pkgs.pam-watchid}/lib/pam_watchid.so
'';
}; |
Nice! I would say this could be the closest thing possible. But i do think this could override other pam modules if handled incorrectly. My laziness is kicking in and telling me to take this and call it a day |
|
Would this need to be added manually? |
|
At the moment, yes, you'll need to do it manually |
|
Now that #1344 is merged, you can rebase this PR and add an option similar to |
|
It seems the PR got closed, if that wasn't your intention, you'll need to push some new commits to this branch before you can reopen the branch |
I originally used master, and I was thinking about opening a feature branch for actual merging. Is that not necessary? Should I push to my fork/main directly? |
|
Yeah, it should be fine to keep using your |
|
Inside |
|
I think it should be after the Touch ID if you want it to run it if Touch ID fails |
|
done, waiting on checks |
With projects like pam-watchid, it's now possible to enable apple watches to authenticate
sudocommands, alongside withTouchID. This is mostly a raw idea, but I would love to see something like this innix-darwin.Because this is used to present an idea, there are couple things to note:
x86part fails to compile for some reason so that's now commented out so I'll need some help with thatI would love for others to pick this up as this is my first time contributing to the project, and I am unfamiliar with: