pyrox.dev / nixpkgs
lol
fork atom

nixos/users-groups: Warn about deprecated hashes at activation

To allow for a reasonably fast deprecation of weak password hashing
schemes we provide an activation script that checks existing hashes in
/etc/shadow and issues a warning for user accounts that still rely on
deprecated hashes.

Co-Authored-By: oxalica <oxalicc@pm.me>

Martin Weinelt 78155df2 f391e6db

options
unified split
Changed files
+20
nixos
modules
config
users-groups.nix
+20
nixos/modules/config/users-groups.nix 
···

       
592

       
592

       
 

       
      '';


     

       
593

       
593

       
 

       
    };


     

       
594

       
594

       
 

       



     

       

       
595

       
+

       
    # Warn about user accounts with deprecated password hashing schemes


     

       

       
596

       
+

       
    system.activationScripts.hashes = {


     

       

       
597

       
+

       
      deps = [ "users" ];


     

       

       
598

       
+

       
      text = ''


     

       

       
599

       
+

       
        users=()


     

       

       
600

       
+

       
        while IFS=: read -r user hash tail; do


     

       

       
601

       
+

       
          if [[ "$hash" = "$"* && ! "$hash" =~ ^\$(y|gy|7|2b|2y|2a|6)\$ ]]; then


     

       

       
602

       
+

       
            users+=("$user")


     

       

       
603

       
+

       
          fi


     

       

       
604

       
+

       
        done </etc/shadow


     

       

       
605

       
+

       



     

       

       
606

       
+

       
        if (( "''${#users[@]}" )); then


     

       

       
607

       
+

       
          echo "


     

       

       
608

       
+

       
        WARNING: The following user accounts rely on password hashes that will


     

       

       
609

       
+

       
        be removed in NixOS 23.05. They should be renewed as soon as possible."


     

       

       
610

       
+

       
          printf ' - %s\n' "''${users[@]}"


     

       

       
611

       
+

       
        fi


     

       

       
612

       
+

       
      '';


     

       

       
613

       
+

       
    };


     

       

       
614

       
+

       



     

       
595

       
615

       
 

       
    # for backwards compatibility


     

       
596

       
616

       
 

       
    system.activationScripts.groups = stringAfter [ "users" ] "";


     

       
597

       
617