WIP: Windows Hello Authentication #83

Draft: wants to merge 2 commits into base: main

Changes from 1 commit
3 changes: 3 additions & 0 deletions configuration.nix
Expand Up @@ -19,6 +19,9 @@ in

# Enable integration with Docker Desktop (needs to be installed)
# docker.enable = true;

# Enable authenticating sudo prompts with Windows Hello
# windowsHello.enable = true;
};

# Enable nix flakes
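Review bot: the comment above `# windowsHello.enable = true;` understates what enabling it does. modules/windows-hello.nix in this same PR also sets `security.sudo.wheelNeedsPassword = true` and `Defaults rootpw`, so sudo starts asking for the root password as the fallback when the Windows Hello prompt is declined, and the hook is installed through the pam_usb slot rather than a sudo-only rule. Suggest saying so here, e.g. `# Enable authenticating sudo prompts with Windows Hello (falls back to the root password; see modules/windows-hello.nix)`, so a user knows what changes before uncommenting the line.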
3 changes: 2 additions & 1 deletion flake.nix
Expand Up @@ -17,9 +17,10 @@
nixosModules.wsl = {
imports = [
./modules/build-tarball.nix
./modules/wsl-distro.nix
./modules/docker-desktop.nix
./modules/installer.nix
./modules/windows-hello.nix
./modules/wsl-distro.nix
];
};
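Review bot: the hunk removes `./modules/wsl-distro.nix` from the top of the imports list and re-adds it at the bottom, so the one intended change, adding `./modules/windows-hello.nix`, is buried in a move that touches three lines instead of one. Import order carries no meaning for NixOS modules, so either leave `wsl-distro.nix` where it was and insert the new line before it, or, if the goal is an alphabetically sorted list, do the sort in a separate commit so this diff stays reviewable.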

50 changes: 50 additions & 0 deletions modules/windows-hello.nix
@@ -0,0 +1,50 @@
{ lib, pkgs, config, ... }:

with builtins; with lib;
{

options.wsl.windowsHello = {
enable = mkEnableOption "Authentication using Windows Hello";
};

config =
let
cfg = config.wsl.windowsHello;
in
mkIf (config.wsl.enable && cfg.enable) {

security.sudo.wheelNeedsPassword = true;
security.sudo.extraConfig = ''
Defaults rootpw
'';

# Hijack the pam_usb module, because NixOS does not allow for adding custom PAM modules at the moment
security.pam.usb.enable = true;
nixpkgs.overlays = [
(self: super: {
pam_usb =
let
authenticator = pkgs.stdenv.mkDerivation {
name = "WindowsHelloAuthenticator.exe";
src = pkgs.fetchurl {
url = "https://github.com/nzbr/PAM-WindowsHello/releases/download/v1/WindowsHelloAuthenticator.exe";
sha256 = "4856a1fefa5c869b78890f9313a560d310e9c11f2a2a212c2868cf292792ff7f";
};
dontUnpack = true;
buildCommand = ''
install -m 0755 $src $out
'';
};
wrapper = pkgs.writeShellScript "wrapper" ''
export PATH=${pkgs.coreutils}/bin # The PAM environment does not include the default PATH
export WSL_INTEROP="/run/WSL/$(ls -tr /run/WSL | tail -n1)" # Find the correct WSL_INTEROP socket to be able to start the EXE
exec ${authenticator} [$PAM_SERVICE] $PAM_RUSER wants to authenticate as $PAM_USER
'';
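Review bot: in the `exec ${authenticator} ...` line, `$PAM_SERVICE`, `$PAM_RUSER` and `$PAM_USER` are expanded unquoted, so a value containing whitespace or glob characters is word-split and glob-expanded by the shell before it reaches the prompt text; quote them (`"[$PAM_SERVICE]" "$PAM_RUSER" ... "$PAM_USER"`) or assemble the message once in a quoted variable, since it is only displayed. The `WSL_INTEROP` lookup is guesswork as well: `ls -tr /run/WSL | tail -n1` picks the most recently modified socket, which is not necessarily the session of the user being authenticated, and when /run/WSL is empty the wrapper still execs with `WSL_INTEROP=/run/WSL/`; state the assumption in the comment and exit non-zero when no socket is found so pam_exec reports a failure instead of relying on what the .exe does without one. Finally, `name = "WindowsHelloAuthenticator.exe"` should be `pname`/`version` (the release tag `v1` is the version), and the fetched binary deserves a comment recording where its sha256 was taken from, because the thread below concludes it cannot be rebuilt from source on Linux.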
Comment on lines +27 to +42

Member:
I think we should make a proper package out of that. Could we build it from source, too?

Member Author:
I don't think it'd be possible to build from source. The program has build-time dependencies on Windows.winmd and System.Runtime.WindowsRuntime.dll.
If there's any way to get those files into the Nix store, it might be possible to build it with Mono, though.

Member:

Member Author:
I didn't expect that, thanks! I'll look into it

Member Author:
I tried it now (the correct package is https://www.nuget.org/packages/Microsoft.Windows.SDK.Contracts, btw; the one above seems to be for parsing WinMD files). However, I could not get msbuild on Linux to compile the executable; it always threw an error about a missing assembly reference. I also tried porting the helper to .NET 6, but that wouldn't build on Linux either, because of NETSDK1100: Windows is required to build Windows desktop applications. I had initially meant to build it in .NET 6, but couldn't figure out how to import WinRT then. In retrospect that was fortunate, because now I learned that .NET 6 would require having an additional .dll in the same directory as the .exe, whereas .NET Framework only requires the .exe to be present.

TL;DR: Unfortunately, it looks like there is no way to build the helper on Linux.

in
"${pkgs.pam}/lib/security/pam_exec.so ${wrapper} \n# ";
})
];

};

}
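Review bot: `Defaults rootpw` together with `wheelNeedsPassword = true` is undocumented and changes the fallback credential: when the Windows Hello prompt is cancelled, sudo asks for root's password rather than the invoking user's, and a wheel user who can satisfy neither is locked out of sudo. Put the reason in a comment next to `security.sudo.extraConfig` and in the `mkEnableOption` description. The pam_usb overlay is also fragile: the trailing `\n# ` in `"${pkgs.pam}/lib/security/pam_exec.so ${wrapper} \n# "` exists only to comment out whatever nixpkgs appends after the interpolated package path, so any change to that line in nixpkgs either breaks the hook silently or leaves a malformed pam.d entry, and the hook lands in every service that `security.pam.usb.enable` touches, not only sudo as the configuration.nix comment suggests. At minimum document both in the "Hijack the pam_usb module" comment; note too that pam_exec is used without `expose_authtok`, so the authenticator never sees the password, which is the right default and worth stating.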