authorrnhmjoj <rnhmjoj@inventati.org>2020-06-25 02:02:29 +0200
committerAlyssa Ross <hi@alyssa.is>2020-07-13 23:48:19 +0000
commit41506ce61355a87417c7656140fd24f2c0186d5c (patch)
treee02e5bbf3816a4f08fedf50d5680f3b62a9476fb
parent45223989b7d9f4652bf1f6389a004b087e145c68 (diff)
nixos/users-groups: handle password hashes with special meaning
(cherry picked from commit c37347af7eaa0177e3a374dd94158ff546f20fdb)
-rw-r--r--nixpkgs/nixos/modules/config/users-groups.nix20
1 files changed, 14 insertions, 6 deletions
diff --git a/nixpkgs/nixos/modules/config/users-groups.nix b/nixpkgs/nixos/modules/config/users-groups.nix
index 278f9ab6d25a..e0a77b08b7e9 100644
--- a/nixpkgs/nixos/modules/config/users-groups.nix
+++ b/nixpkgs/nixos/modules/config/users-groups.nix
@@ -6,6 +6,16 @@ let
   ids = config.ids;
   cfg = config.users;
 
+  # Check whether a password hash will allow login.
+  allowsLogin = hash:
+    hash == "" # login without password
+    || !(lib.elem hash
+      [ null   # password login disabled
+        "!"    # password login disabled
+        "!!"   # a variant of "!"
+        "*"    # password unset
+      ]);
+
   passwordDescription = ''
     The options <option>hashedPassword</option>,
     <option>password</option> and <option>passwordFile</option>
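Review bot: `allowsLogin` treats only the exact strings `"!"`, `"!!"` and `"*"` as disabling password login, so a locked hash of the form `"!<hash>"` (what `passwd -l` leaves behind, per shadow(5)) is still reported as allowing login. This matters most in the root/wheel lock-out assertion in the second hunk, where such a value would satisfy the check although no password login is possible; the format warning in the third hunk would probably still fire, but the assertion is the hard stop. Consider testing the prefix instead, `hash != null && hash != "*" && !(lib.hasPrefix "!" hash)`, which also drops the `hash == ""` branch that is already redundant because `""` is not in the list. The surrounding `let` block continues outside this hunk.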
@@ -585,7 +595,7 @@ in {
              || cfg.group == "wheel"
              || elem "wheel" cfg.extraGroups)
             &&
-            (cfg.hashedPassword != null
+            (allowsLogin cfg.hashedPassword
              || cfg.password != null
              || cfg.passwordFile != null
              || cfg.openssh.authorizedKeys.keys != []
@@ -618,15 +628,13 @@ in {
           content = "${base64}${sep}${base64}";
           mcf = "^${sep}${scheme}${sep}${content}$";
         in
-        if (user.hashedPassword != null   # login disabled
+        if (allowsLogin user.hashedPassword
             && user.hashedPassword != ""  # login without password
             && builtins.match mcf user.hashedPassword == null)
-        then
-        ''
+        then ''
           The password hash of user "${name}" may be invalid. You must set a
           valid hash or the user will be locked out of their account. Please
-          check the value of option `users.users."${name}".hashedPassword`.
-        ''
+          check the value of option `users.users."${name}".hashedPassword`.''
         else null
       ));