author | Michele Guerini Rocco <rnhmjoj@users.noreply.github.com> | 2020-06-17 17:25:34 +0200 |
committer | GitHub <noreply@github.com> | 2020-06-17 17:25:34 +0200 |
commit | 4ddf9b763bd764c4338c05cabdf8e94d0e56065a (patch) | |
tree | df5975efc980959381e8a6830b662649468050d8 /nixos | |
parent | 705b85c3017664d6e26430df4d28d12b9df7b55b (diff) | |
parent | 470ce4784e825663dd3357c4e8de07b8012e354f (diff) | |
Merge pull request #83171 from rnhmjoj/hash
nixos/users: validate password hashes
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/config/users-groups.nix | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix
index 141e43fec39b..7fbbfcec7510 100644
--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@@ -600,6 +600,38 @@ in {
 }
 ];
+ warnings =
+ builtins.filter (x: x != null) (
+ flip mapAttrsToList cfg.users (name: user:
+ # This regex matches a subset of the Modular Crypto Format (MCF)[1]
+ # informal standard. Since this depends largely on the OS or the
+ # specific implementation of crypt(3) we only support the (sane)
+ # schemes implemented by glibc and BSDs. In particular the original
+ # DES hash is excluded since, having no structure, it would validate
+ # common mistakes like typing the plaintext password.
+ #
+ # [1]: https://en.wikipedia.org/wiki/Crypt_(C)
+ let
+ sep = "\\$";
+ base64 = "[a-zA-Z0-9./]+";
+ id = "[a-z0-9-]+";
+ value = "[a-zA-Z0-9/+.-]+";
+ options = "${id}(=${value})?(,${id}=${value})*";
+ scheme = "${id}(${sep}${options})?";
+ content = "${base64}${sep}${base64}";
+ mcf = "^${sep}${scheme}${sep}${content}$";
+ in
+ if (user.hashedPassword != null
+ && builtins.match mcf user.hashedPassword == null)
+ then
+ ''
+ The password hash of user "${name}" may be invalid. You must set a
+ valid hash or the user will be locked out of his account. Please
+ check the value of option `users.users."${name}".hashedPassword`.
+ ''
+ else null
+ ));
+
 };
 } |
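Review bot: The `id` class in `id = "[a-z0-9-]+";` admits only lowercase letters, so any scheme parameter containing an uppercase character cannot match as `options`, and a hash that crypt(3) accepts would still receive the "may be invalid" warning; yescrypt output (`$y$j9T$…`), where the target glibc produces it, looks like such a case and is worth confirming with a real hash before relying on the check. The smallest fix is `id = "[a-zA-Z0-9-]+";`, which keeps the validation strict on structure (separators, salt, hash) without guessing at parameter spelling, while `value` already allows uppercase. Because the regex proves structure only, the comment block should say so, e.g. `# NOTE: a match only shows MCF structure, not that the hash is usable by the system's crypt(3).`, matching the "may be invalid" wording of the warning. The message line `locked out of his account` reads better as `locked out of their account`. Only `user.hashedPassword` is checked here; if `initialHashedPassword` takes the same path, the same validation would presumably be useful there — the enclosing config attribute set starts and ends outside the hunk.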