nixos/users: validate password hashes

This commit is contained in:
rnhmjoj 2020-03-23 02:13:02 +01:00
parent fecdbda978
commit 470ce4784e
No known key found for this signature in database
GPG key ID: BFBAF4C975F76450

View file

@ -600,6 +600,38 @@ in {
}
];
warnings =
builtins.filter (x: x != null) (
flip mapAttrsToList cfg.users (name: user:
# This regex matches a subset of the Modular Crypto Format (MCF)[1]
# informal standard. Since this depends largely on the OS or the
# specific implementation of crypt(3) we only support the (sane)
# schemes implemented by glibc and BSDs. In particular the original
# DES hash is excluded since, having no structure, it would validate
# common mistakes like typing the plaintext password.
#
# [1]: https://en.wikipedia.org/wiki/Crypt_(C)
let
sep = "\\$";
base64 = "[a-zA-Z0-9./]+";
id = "[a-z0-9-]+";
value = "[a-zA-Z0-9/+.-]+";
options = "${id}(=${value})?(,${id}=${value})*";
scheme = "${id}(${sep}${options})?";
content = "${base64}${sep}${base64}";
mcf = "^${sep}${scheme}${sep}${content}$";
in
if (user.hashedPassword != null
&& builtins.match mcf user.hashedPassword == null)
then
''
The password hash of user "${name}" may be invalid. You must set a
valid hash or the user will be locked out of his account. Please
check the value of option `users.users."${name}".hashedPassword`.
''
else null
));
};
}