Add pam-watchid authentication to sudo command

[Coosis]

With projects like pam-watchid, it's now possible to enable apple watches to authenticate sudo commands, alongside with TouchID. This is mostly a raw idea, but I would love to see something like this in nix-darwin.

Because this is used to present an idea, there are couple things to note:

1. I did not add any tests
2. I straight up embedded a package in the source code
3. The x86 part fails to compile for some reason so that's now commented out so I'll need some help with that

I would love for others to pick this up as this is my first time contributing to the project, and I am unfamiliar with:

1. How to use apple's toolchains when building packages
2. Which packages should I include
3. The best practices

[Enzime]

The package should live in Nixpkgs not in nix-darwin

Also, I don’t think pam-watchid is necessary. I have pam_tid enabled through security.pam.enableSudoTouchIdAuth and I went into System Settings and allowed my Apple Watch to unlock my laptop and every time I’m prompted for my fingerprint for sudo it also asks on my Apple Watch

[Coosis]

The package should live in Nixpkgs not in nix-darwin

Also, I don’t think pam-watchid is necessary. I have pam_tid enabled through security.pam.enableSudoTouchIdAuth and I went into System Settings and allowed my Apple Watch to unlock my laptop and every time I’m prompted for my fingerprint for sudo it also asks on my Apple Watch

Simply adding it to Nixpkgs will not put the .pam file in place. For some reason my machine doesn't let me use my watch when security.pam.enableSudoTouchIdAuth is enabled, I believe this happens to machines that doesn't have a touchid(also laptops that have lids closed).

[Enzime]

First you’ll need to add the package to Nixpkgs, then you can use it through pkgs from a nix-darwin module

[Enzime]

Have you enabled your Apple Watch to unlock your applications and your Mac in System Settings? It's under Login Password on non-Touch ID devices

[Coosis]

Have you enabled your Apple Watch to unlock your applications and your Mac in System Settings? It's under Login Password on non-Touch ID devices

Yes, I have. No pop up to use apple watch.

[Samasaur1]

There was a discussion on Matrix about this and we're waiting on Logicer16/pam-watchid#5 before adding that repo to nixpkgs which will then allow this PR to progress.

It hasn't been that long since I opened that PR, but if it really drags on for a while I might just add my fork to nixpkgs instead and then this PR will be able to move forwards

[Samasaur1]

This also probably depends on #1205 for linking the built .so file into /usr/local/lib/pam

[Samasaur1]

cc: @Coosis to confirm, but iirc we confirmed on Matrix that it works to symlink the .so file into place and we don't have to copy it

[Enzime]

This also probably depends on #1205 for linking the built .so file into /usr/local/lib/pam

PAM libraries can be used directly from the Nix Store I believe

[Coosis]

cc: @Coosis to confirm, but iirc we confirmed on Matrix that it works to symlink the .so file into place and we don't have to copy it

Yes symlink will work just fine. Still waiting for #1205 and I definitely think you should just fork it and add fork to nixpkgs.

[Enzime]

You can just make a PR to nixpkgs and use your pull request as a patch on top of their repo

[Samasaur1]

PAM libraries can be used directly from the Nix Store I believe

oh great, even easier! (i have no experience with PAM stuff, just the Swift side)

You can just make a PR to nixpkgs and use your pull request as a patch on top of their repo

Mostly I'm just wondering if the repo is being supported at all — it seems like it's a fork of a fork of a fork and I'm wondering if any in the chain are maintained or if they were made to fix one thing and then essentially abandoned. If so, I may just point the nixpkgs package to my repository so I can maintain it more easily

[Logicer16]

I'm wondering if any in the chain are maintained

For the record, I intend to maintain my fork for the foreseeable future.

[Samasaur1]

Okay, yay! I'll open a PR to nixpkgs when I get a chance and link it here

[Samasaur1]

NixOS/nixpkgs#368071

[tymscar]

Now that nixpkgs has merged @Samasaur1's PR, this should go fairly well, right?

[Samasaur1]

Depends on whether the library can be used directly from the Nix store or whether it needs to be linked into place. If it can be used directly, then there's no blockers. If it needs to be linked, we're waiting on #1205.

[Coosis]

Depends on whether the library can be used directly from the Nix store or whether it needs to be linked into place. If it can be used directly, then there's no blockers. If it needs to be linked, we're waiting on #1205.

I actually don't know how a pam module can be used from nix store directly.