Merge pull request #195497 from mweinelt/crypt-hash-deprecations

Martin Weinelt 2022-11-19 14:28:44 +01:00 committed by GitHub
commit 6c1b52297d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 23 additions and 4 deletions


@ -32,8 +32,7 @@ account will cease to exist. Also, imperative commands for managing users and
groups, such as useradd, are no longer available. Passwords may still be
assigned by setting the user\'s
[hashedPassword](#opt-users.users._name_.hashedPassword) option. A
hashed password can be generated using `mkpasswd -m
sha-512`.
hashed password can be generated using `mkpasswd`.
A user ID (uid) is assigned automatically. You can also specify a uid
manually by adding


@ -39,7 +39,7 @@ users.users.alice = {
Passwords may still be assigned by setting the user's
<link linkend="opt-users.users._name_.hashedPassword">hashedPassword</link>
option. A hashed password can be generated using
<literal>mkpasswd -m sha-512</literal>.
<literal>mkpasswd</literal>.
</para>
<para>
A user ID (uid) is assigned automatically. You can also specify a


@ -35,7 +35,7 @@ let
'';
hashedPasswordDescription = ''
To generate a hashed password run `mkpasswd -m sha-512`.
To generate a hashed password run `mkpasswd`.
If set to an empty string (`""`), this user will
be able to log in without being asked for a password (but not via remote
@ -592,6 +592,26 @@ in {
'';
};
# Warn about user accounts with deprecated password hashing schemes
system.activationScripts.hashes = {
deps = [ "users" ];
text = ''
users=()
while IFS=: read -r user hash tail; do
if [[ "$hash" = "$"* && ! "$hash" =~ ^\$(y|gy|7|2b|2y|2a|6)\$ ]]; then
users+=("$user")
fi
done </etc/shadow
if (( "''${#users[@]}" )); then
echo "
WARNING: The following user accounts rely on password hashes that will
be removed in NixOS 23.05. They should be renewed as soon as possible."
printf ' - %s\n' "''${users[@]}"
fi
'';
};
# for backwards compatibility
system.activationScripts.groups = stringAfter [ "users" ] "";
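Review bot: The guard `"$hash" = "$"*` in the new `system.activationScripts.hashes` loop only inspects shadow fields that begin with `$`, so a traditional DES crypt hash (13 characters, no `$` prefix) or a locked entry such as `!$1$…` is never added to `users`, even though neither is on the allow-list `y|gy|7|2b|2y|2a|6`. If those formats are among the schemes being removed, which the page does not state, the affected accounts get no warning and would only surface as failed logins after the upgrade (a locked entry once it is unlocked). Consider stripping a leading `!` before the test with `hash="''${hash#!}"` and extending the condition with `|| "$hash" =~ ^[./0-9A-Za-z]{13}$`. A short comment above the regex naming what each id stands for (yescrypt, gost-yescrypt, scrypt, the bcrypt variants, sha512crypt) would also make it easier to keep the list in step with the supported set.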