From 41506ce61355a87417c7656140fd24f2c0186d5c Mon Sep 17 00:00:00 2001 From: rnhmjoj Date: Thu, 25 Jun 2020 02:02:29 +0200 Subject: nixos/users-groups: handle password hashes with special meaning (cherry picked from commit c37347af7eaa0177e3a374dd94158ff546f20fdb) --- nixpkgs/nixos/modules/config/users-groups.nix | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/nixpkgs/nixos/modules/config/users-groups.nix b/nixpkgs/nixos/modules/config/users-groups.nix index 278f9ab6d25a..e0a77b08b7e9 100644 --- a/nixpkgs/nixos/modules/config/users-groups.nix +++ b/nixpkgs/nixos/modules/config/users-groups.nix @@ -6,6 +6,16 @@ let ids = config.ids; cfg = config.users; + # Check whether a password hash will allow login. + allowsLogin = hash: + hash == "" # login without password + || !(lib.elem hash + [ null # password login disabled + "!" # password login disabled + "!!" # a variant of "!" + "*" # password unset + ]); + passwordDescription = '' The options , and @@ -585,7 +595,7 @@ in { || cfg.group == "wheel" || elem "wheel" cfg.extraGroups) && - (cfg.hashedPassword != null + (allowsLogin cfg.hashedPassword || cfg.password != null || cfg.passwordFile != null || cfg.openssh.authorizedKeys.keys != [] @@ -618,15 +628,13 @@ in { content = "${base64}${sep}${base64}"; mcf = "^${sep}${scheme}${sep}${content}$"; in - if (user.hashedPassword != null # login disabled + if (allowsLogin user.hashedPassword && user.hashedPassword != "" # login without password && builtins.match mcf user.hashedPassword == null) - then - '' + then '' The password hash of user "${name}" may be invalid. You must set a valid hash or the user will be locked out of their account. Please - check the value of option `users.users."${name}".hashedPassword`. - '' + check the value of option `users.users."${name}".hashedPassword`.'' else null )); -- cgit 1.4.1
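Review bot: `allowsLogin` in the first hunk matches only the exact strings `"!"`, `"!!"` and `"*"`, so a locked hash such as `"!$6$…"` is still reported as allowing login. shadow(5) treats any password field that starts with `!` as locked, with the rest of the field holding the previous hash. In the second hunk this lets a locked `hashedPassword` on root or a wheel user satisfy what looks like the lock-out assertion, even though no password login is possible. A prefix test covers the listed `"!"` and `"!!"` cases as well as the locked-hash form. The enclosing `let` block starts outside the hunk.

```nix
allowsLogin = hash:
  hash == "" # login without password
  || (hash != null # password login disabled
      && hash != "*" # password unset
      && !(lib.hasPrefix "!" hash)); # locked: "!", "!!" and "!<hash>"
```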
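Review bot: In the third hunk the condition `user.hashedPassword != ""` exempts an empty hash from the warning, so an account that the patch's own comment describes as "login without password" produces no diagnostic at all. Whether such a login actually succeeds depends on PAM settings that are not visible here, but an empty hash on an account is worth surfacing at evaluation time. I would add a branch before `else null`, along the lines of `else if user.hashedPassword == "" then ''The user "${name}" has an empty password hash and may be able to log in without a password.''`. The surrounding expression begins and ends outside the hunk, so where this branch fits needs checking against the full file.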