nixos/users-groups: handle password hashes with special meaning
parent
99899e2e46
commit
c37347af7e
1 changed files with 14 additions and 6 deletions
|
@ -6,6 +6,16 @@ let
|
|||
ids = config.ids;
|
||||
cfg = config.users;
|
||||
|
||||
# Check whether a password hash will allow login.
|
||||
allowsLogin = hash:
|
||||
hash == "" # login without password
|
||||
|| !(lib.elem hash
|
||||
[ null # password login disabled
|
||||
"!" # password login disabled
|
||||
"!!" # a variant of "!"
|
||||
"*" # password unset
|
||||
]);
|
||||
|
||||
passwordDescription = ''
|
||||
The options <option>hashedPassword</option>,
|
||||
<option>password</option> and <option>passwordFile</option>
|
||||
|
@ -596,7 +606,7 @@ in {
|
|||
|| cfg.group == "wheel"
|
||||
|| elem "wheel" cfg.extraGroups)
|
||||
&&
|
||||
(cfg.hashedPassword != null
|
||||
(allowsLogin cfg.hashedPassword
|
||||
|| cfg.password != null
|
||||
|| cfg.passwordFile != null
|
||||
|| cfg.openssh.authorizedKeys.keys != []
|
||||
|
@ -639,15 +649,13 @@ in {
|
|||
content = "${base64}${sep}${base64}";
|
||||
mcf = "^${sep}${scheme}${sep}${content}$";
|
||||
in
|
||||
if (user.hashedPassword != null # login disabled
|
||||
if (allowsLogin user.hashedPassword
|
||||
&& user.hashedPassword != "" # login without password
|
||||
&& builtins.match mcf user.hashedPassword == null)
|
||||
then
|
||||
''
|
||||
then ''
|
||||
The password hash of user "${name}" may be invalid. You must set a
|
||||
valid hash or the user will be locked out of their account. Please
|
||||
check the value of option `users.users."${name}".hashedPassword`.
|
||||
''
|
||||
check the value of option `users.users."${name}".hashedPassword`.''
|
||||
else null
|
||||
));
|
||||
|
||||
|
|
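Review bot: `allowsLogin` in the first hunk treats only the exact strings `"!"`, `"!!"` and `"*"` as disabled, but shadow(5) treats any password field that starts with `!` as locked, so a value made of `!` followed by a real hash is reported as allowing login. In the second hunk that result is accepted as a usable login method in the wheel-group check, which appears to be the guard against locking out every administrator; a locked hash would satisfy it even though password login is not possible. Consider matching on the prefix instead, e.g. `hash == "" || (hash != null && hash != "*" && !(lib.hasPrefix "!" hash))`. The third hunk is less affected, since a prefixed hash fails the `mcf` pattern and still produces the warning. The expressions in the second and third hunks begin outside the visible lines, so the surrounding conditions should be checked before applying this.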