Merge pull request #83171 from rnhmjoj/hash

nixos/users: validate password hashes

1 files changed, 32 insertions, 0 deletions

diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix
index 141e43fec39b..7fbbfcec7510 100644
--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@@ -600,6 +600,38 @@ in {
       }
     ];
 
+    warnings =
+      builtins.filter (x: x != null) (
+        flip mapAttrsToList cfg.users (name: user:
+        # This regex matches a subset of the Modular Crypto Format (MCF)[1]
+        # informal standard. Since this depends largely on the OS or the
+        # specific implementation of crypt(3) we only support the (sane)
+        # schemes implemented by glibc and BSDs. In particular the original
+        # DES hash is excluded since, having no structure, it would validate
+        # common mistakes like typing the plaintext password.
+        #
+        # [1]: https://en.wikipedia.org/wiki/Crypt_(C)
+        let
+          sep = "\\$";
+          base64 = "[a-zA-Z0-9./]+";
+          id = "[a-z0-9-]+";
+          value = "[a-zA-Z0-9/+.-]+";
+          options = "${id}(=${value})?(,${id}=${value})*";
+          scheme  = "${id}(${sep}${options})?";
+          content = "${base64}${sep}${base64}";
+          mcf = "^${sep}${scheme}${sep}${content}$";
+        in
+        if (user.hashedPassword != null
+            && builtins.match mcf user.hashedPassword == null)
+        then
+        ''
+          The password hash of user "${name}" may be invalid. You must set a
+          valid hash or the user will be locked out of his account. Please
+          check the value of option `users.users."${name}".hashedPassword`.
+        ''
+        else null
+      ));
+
   };
 
 }