nixos/users: validate password hashes
This commit is contained in:
parent
fecdbda978
commit
470ce4784e
1 changed files with 32 additions and 0 deletions
|
@ -600,6 +600,38 @@ in {
|
|||
}
|
||||
];
|
||||
|
||||
warnings =
|
||||
builtins.filter (x: x != null) (
|
||||
flip mapAttrsToList cfg.users (name: user:
|
||||
# This regex matches a subset of the Modular Crypto Format (MCF)[1]
|
||||
# informal standard. Since this depends largely on the OS or the
|
||||
# specific implementation of crypt(3) we only support the (sane)
|
||||
# schemes implemented by glibc and BSDs. In particular the original
|
||||
# DES hash is excluded since, having no structure, it would validate
|
||||
# common mistakes like typing the plaintext password.
|
||||
#
|
||||
# [1]: https://en.wikipedia.org/wiki/Crypt_(C)
|
||||
let
|
||||
sep = "\\$";
|
||||
base64 = "[a-zA-Z0-9./]+";
|
||||
id = "[a-z0-9-]+";
|
||||
value = "[a-zA-Z0-9/+.-]+";
|
||||
options = "${id}(=${value})?(,${id}=${value})*";
|
||||
scheme = "${id}(${sep}${options})?";
|
||||
content = "${base64}${sep}${base64}";
|
||||
mcf = "^${sep}${scheme}${sep}${content}$";
|
||||
in
|
||||
if (user.hashedPassword != null
|
||||
&& builtins.match mcf user.hashedPassword == null)
|
||||
then
|
||||
''
|
||||
The password hash of user "${name}" may be invalid. You must set a
|
||||
valid hash or the user will be locked out of his account. Please
|
||||
check the value of option `users.users."${name}".hashedPassword`.
|
||||
''
|
||||
else null
|
||||
));
|
||||
|
||||
};
|
||||
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue