Merge pull request #195497 from mweinelt/crypt-hash-deprecations

2022-11-19 14:28:44 +01:00 · 2022-11-19 14:28:44 +01:00 · 6c1b52297d
commit 6c1b52297d
parent 218e2f5e14 78155df21d
3 changed files with 23 additions and 4 deletions
--- a/nixos/doc/manual/configuration/user-mgmt.chapter.md
+++ b/nixos/doc/manual/configuration/user-mgmt.chapter.md
@ -32,8 +32,7 @@ account will cease to exist. Also, imperative commands for managing users and
 groups, such as useradd, are no longer available. Passwords may still be
 assigned by setting the user\'s
 [hashedPassword](#opt-users.users._name_.hashedPassword) option. A
-hashed password can be generated using `mkpasswd -m
-  sha-512`.
+hashed password can be generated using `mkpasswd`.

 A user ID (uid) is assigned automatically. You can also specify a uid
 manually by adding
--- a/nixos/doc/manual/from_md/configuration/user-mgmt.chapter.xml
+++ b/nixos/doc/manual/from_md/configuration/user-mgmt.chapter.xml
@ -39,7 +39,7 @@ users.users.alice = {
    Passwords may still be assigned by setting the user's
    <link linkend="opt-users.users._name_.hashedPassword">hashedPassword</link>
    option. A hashed password can be generated using
-    <literal>mkpasswd -m sha-512</literal>.
+    <literal>mkpasswd</literal>.
  </para>
  <para>
    A user ID (uid) is assigned automatically. You can also specify a
--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@ -35,7 +35,7 @@ let
  '';

  hashedPasswordDescription = ''
-    To generate a hashed password run `mkpasswd -m sha-512`.
+    To generate a hashed password run `mkpasswd`.

    If set to an empty string (`""`), this user will
    be able to log in without being asked for a password (but not via remote
@ -592,6 +592,26 @@ in {
      '';
    };

+    # Warn about user accounts with deprecated password hashing schemes
+    system.activationScripts.hashes = {
+      deps = [ "users" ];
+      text = ''
+        users=()
+        while IFS=: read -r user hash tail; do
+          if [[ "$hash" = "$"* && ! "$hash" =~ ^\$(y|gy|7|2b|2y|2a|6)\$ ]]; then
+            users+=("$user")
+          fi
+        done </etc/shadow
+
+        if (( "''${#users[@]}" )); then
+          echo "
+        WARNING: The following user accounts rely on password hashes that will
+        be removed in NixOS 23.05. They should be renewed as soon as possible."
+          printf ' - %s\n' "''${users[@]}"
+        fi
+      '';
+    };
+
    # for backwards compatibility
    system.activationScripts.groups = stringAfter [ "users" ] "";