nixos/users-groups: Update password scheme validation
Updates the warnings message for statefully set up passwords, now that weak algorithms have been removed from our libxcrypt package. Additionall we now add proper validation for hashing schemes used in `hashedPassword`. Neither will prevent a rebuiild, but instead issue a warning, that this requires immediate remediation, or else users will be unable to login. Reuses the crypt scheme ids as provided by the libxcrypt package.
This commit is contained in:
parent
4e300e071b
commit
0d7cd66652
@ -539,7 +539,9 @@ in {
|
||||
|
||||
###### implementation
|
||||
|
||||
config = {
|
||||
config = let
|
||||
cryptSchemeIdPatternGroup = "(${lib.concatStringsSep "|" pkgs.libxcrypt.enabledCryptSchemeIds})";
|
||||
in {
|
||||
|
||||
users.users = {
|
||||
root = {
|
||||
@ -601,15 +603,16 @@ in {
|
||||
text = ''
|
||||
users=()
|
||||
while IFS=: read -r user hash tail; do
|
||||
if [[ "$hash" = "$"* && ! "$hash" =~ ^\$(y|gy|7|2b|2y|2a|6)\$ ]]; then
|
||||
if [[ "$hash" = "$"* && ! "$hash" =~ ^\''$${cryptSchemeIdPatternGroup}\$ ]]; then
|
||||
users+=("$user")
|
||||
fi
|
||||
done </etc/shadow
|
||||
|
||||
if (( "''${#users[@]}" )); then
|
||||
echo "
|
||||
WARNING: The following user accounts rely on password hashes that will
|
||||
be removed in NixOS 23.05. They should be renewed as soon as possible."
|
||||
WARNING: The following user accounts rely on password hashing algorithms
|
||||
that have been removed. They need to be renewed as soon as possible, as
|
||||
they do prevent their users from logging in."
|
||||
printf ' - %s\n' "''${users[@]}"
|
||||
fi
|
||||
'';
|
||||
@ -716,7 +719,7 @@ in {
|
||||
let
|
||||
sep = "\\$";
|
||||
base64 = "[a-zA-Z0-9./]+";
|
||||
id = "[a-z0-9-]+";
|
||||
id = cryptSchemeIdPatternGroup;
|
||||
value = "[a-zA-Z0-9/+.-]+";
|
||||
options = "${id}(=${value})?(,${id}=${value})*";
|
||||
scheme = "${id}(${sep}${options})?";
|
||||
|
Loading…
Reference in New Issue
Block a user