Commit graph

39248 commits

Author SHA1 Message Date
Shea Levy
80cc2697b1 user-groups: Sidestep all password escaping issues
Now passwords are written to a file first
2014-02-10 10:12:34 -05:00
Thomas Tuegel
3dc6168b31 Properly escape passwords sent to chpasswd
The mutableUsers feature uses `chpasswd` to set users' passwords.
Passwords and their hashes were being piped into the program using
double quotes ("") to escape. This causes any `$` characters to be
expanded as shell variables. This is a serious problem because all the
password hash methods besides DES use multiple `$` in the hashes. Single
quotes ('') should be used instead to prevent shell variable expansion.
2014-02-10 08:16:22 -06:00
Shea Levy
6a8cc9ab11 mediawiki: Fix some references to /bin/bash 2014-02-10 09:14:30 -05:00
Shea Levy
42df6fcee9 mediawiki: Run update script after initializing the database 2014-02-10 08:56:16 -05:00
Domen Kožar
e5017d8239 springlobby: add unitsync patch 2014-02-10 14:21:42 +01:00
Domen Kožar
e5124e7a0e springlobby: specify spring run-time dependency paths 2014-02-10 14:19:57 +01:00
Peter Simons
e37afbf53c Merge pull request #1712 from PkmX/pr-taffybar
Add haskell packages 'gtk-traymanager' and 'taffybar'
2014-02-10 10:53:08 +01:00
Peter Simons
cc8c7f61da Merge pull request #1715 from ocharles/haskellPackages.jsonAssertions
haskellPackages.jsonAssertions: New expression
2014-02-10 10:52:37 +01:00
Peter Simons
1c5647c817 Merge pull request #1716 from ocharles/haskellPackages.diff3
haskellPackages.diff3: New expression
2014-02-10 10:52:11 +01:00
Domen Kožar
8e9f61995e spring: don't pass glibc 2014-02-10 09:41:30 +01:00
Domen Kožar
0f79534aa7 spring: use wrapper to set gcc lib path 2014-02-09 23:53:11 +01:00
Shea Levy
258c7536be Force a rebuild 2014-02-09 11:59:02 -05:00
Shea Levy
56b87f44ec Merge branch 'master' of git://github.com/ashalkhakov/nixpkgs
Bumping ATS/Postiats version to 0.0.5. #1719
2014-02-09 10:48:46 -05:00
Artyom Shalkhakov
52e99bc723 Bumping ATS/Postiats version to 0.0.5. 2014-02-09 16:26:46 +01:00
Tomasz Kontusz
fe38031168 Upgrade bumblebee and add nixos module
 * Bump bumblebee to 3.2.1
 * Remove config.patch - options it added can be passed to ./configure now
 * Remove the provided xorg.conf
   Provided xorg.conf was causing problems for some users,
   and Bumblebee provides its own default configuration anyway.
 * Make secondary X11 log to /var/log/X.bumblebee.log
 * Add a module for bumblebee
2014-02-09 15:09:41 +01:00
Bjørn Forsman
48851fa749 nixos/memtest: use docbook formatting
Without this the HTML manual and manpage are quite unreadable (newlines
are squashed so it doesn't look like a list anymore).

(Unfortunately, this makes the source unreadable.)
2014-02-09 13:56:09 +01:00
Ricardo M. Correia
cba2444d11 nixos/memtest: Allow user to specify memtest86 boot parameters 2014-02-09 13:55:37 +01:00
Oliver Charles
cf5513f240 haskellPackages.diff3: New expression 2014-02-09 12:27:41 +00:00
Oliver Charles
de6222577a haskellPackages.jsonAssertions: New expression 2014-02-09 12:26:39 +00:00
Moritz Ulrich
c3df9e21c0 Weechat: Update to 0.4.3 2014-02-09 12:42:26 +01:00
Linquize
5b41db9765 git: update to 1.8.5.4 (close #1714) 2014-02-09 10:06:22 +01:00
PkmX
807d01debd Add Haskell package 'gtk-traymanager' 2014-02-09 06:24:22 +08:00
PkmX
3f30c971c8 Add haskell package 'taffybar' 2014-02-09 06:24:22 +08:00
Domen Kožar
b95b70c7a6 firefox: whitespace change to trigger a rebuild 2014-02-08 23:05:57 +01:00
Moritz Ulrich
18a03d7285 Leiningen: Update to 2.3.4 2014-02-08 21:48:50 +01:00
Domen Kožar
028379be28 nixos: add most basic gnome3 test and take a screenshot 2014-02-08 21:47:39 +01:00
Domen Kožar
9c95b1151a Merge pull request #1705 from wkennington/master.mumble
Upgrade murmur + mumble to 1.2.5
2014-02-08 21:22:50 +01:00
Shea Levy
84a7a09bc8 Try to improve naming of list elements in loaOf types
Signed-off-by: Shea Levy <shea@shealevy.com>
2014-02-08 15:20:25 -05:00
Domen Kožar
ee14f8da9a remove references to isSystemUser and fix eval of tested job 2014-02-08 21:10:00 +01:00
Shea Levy
dea562b6b9 services.mesa -> hardware.opengl
Signed-off-by: Shea Levy <shea@shealevy.com>
2014-02-08 14:45:37 -05:00
Domen Kožar
4a1e74673a pypy: support only linux for now 2014-02-08 20:27:57 +01:00
Domen Kožar
a23b87a13a pypy: disable a test with transient error #1634 2014-02-08 20:26:23 +01:00
Domen Kožar
b17edbac57 ModemManager: 0.5.4.0 -> 0.7.991 2014-02-08 20:17:00 +01:00
Domen Kožar
61f20ca45e libqmi: 1.0 -> 1.8.0, move outside gnome3 namespace, fix build 2014-02-08 20:17:00 +01:00
Moritz Ulrich
bb66a3ff6c Anki: Update to 2.0.22. 2014-02-08 19:19:50 +01:00
Moritz Ulrich
c983d23e33 elixir: Update to 0.12.3. 2014-02-08 19:05:31 +01:00
Moritz Ulrich
93f45ad2e5 Rebar: update to 2.2.0 2014-02-08 18:54:34 +01:00
Domen Kožar
4baa1197dd spring: add missing function parameters 2014-02-08 18:16:28 +01:00
Domen Kožar
64a8ae3692 SpringRTS: fix runtime dependencies and maintain 2014-02-08 18:11:59 +01:00
Vladimír Čunát
94ae555c06 Merge #1654: grsecurity: fix build and update 2014-02-08 17:46:27 +01:00
Vladimír Čunát
e78351cf3a llvm: revert to _33 default on darwin as a temp workaround
_34 doesn't build and I don't have a clue what to do about it
(and I don't have a machine to test it anyway).
2014-02-08 17:24:17 +01:00
Ricardo M. Correia
979473a17b chromium: Update stable channel from 32.0.1700.102 -> 32.0.1700.107 2014-02-08 15:40:25 +00:00
Ricardo M. Correia
b31547654d grsecurity: Update stable and test patches
stable: 3.0-3.2.54-201401191012 -> 3.0-3.2.54-201402062221
test:   3.0-3.12.8-201401191015 -> 3.0-3.13.2-201402062224
2014-02-08 16:16:58 +01:00
Ricardo M. Correia
31fa2cd52b grsecurity: Fix building grsec-3.x.0 kernels 2014-02-08 15:16:40 +00:00
Petr Rockai
12315a278c Merge branch 'yubikey' of git://github.com/Calrama/nixpkgs 2014-02-08 16:01:22 +01:00
Moritz Maxeiner
09f9af17b4 Update to the Yubikey PBA
Security-relevant changes:
 * No (salted) passphrase hash sent to the yubikey, only hash of the salt (as it was in the original implementation).
 * Derive $k_luks with PBKDF2 from the yubikey $response (as the PBKDF2 salt) and the passphrase $k_user
   (as the PBKDF2 password), so that if two-factor authentication is enabled
   (a) a USB-MITM attack on the yubikey itself is not enough to break the system
   (b) the potentially low-entropy $k_user is better protected against brute-force attacks
 * Instead of using uuidgen, gather the salt (previously random uuid / uuid_r) directly from /dev/random.
 * Length of the new salt in bytes added as the parameter "saltLength", defaults to 16 bytes.
   Note: Length of the challenge is 64 bytes, so saltLength > 64 may have no benefit over saltLength = 64.
 * Length of $k_luks derived with PBKDF2 in bytes added as the parameter "keyLength", defaults to 64 bytes.
   Example: For a luks device with a 512-bit key, keyLength should be 64.
 * Increase of the PBKDF2 iteration count per successful authentication added as the
   parameter "iterationStep", defaults to 0.

Other changes:
 * Add optional grace period before trying to find the yubikey, defaults to 2 seconds.

Full overview of the yubikey authentication process:

  (1) Read $salt and $iterations from unencrypted device (UD).
  (2) Calculate the $challenge from the $salt with a hash function.
      Chosen instantiation: SHA-512($salt).
  (3) Challenge the yubikey with the $challenge and receive the $response.
  (4) Repeat three times:
    (a) Prompt for the passphrase $k_user.
    (b) Derive the key $k_luks for the luks device with a key derivation function from $k_user and $response.
        Chosen instantiation: PBKDF2(HMAC-SHA-512, $k_user, $response, $iterations, keyLength).
    (c) Try to open the luks device with $k_luks and escape loop (4) only on success.
  (5) Proceed only if luks device was opened successfully, fail otherwise.

  (6) Gather $new_salt from a cryptographically secure pseudorandom number generator.
      Chosen instantiation: /dev/random
  (7) Calculate the $new_challenge from the $new_salt with the same hash function as (2).
  (8) Challenge the yubikey with the $new_challenge and receive the $new_response.
  (9) Derive the new key $new_k_luks for the luks device in the same manner as in (4) (b),
      but with more iterations as given by iterationStep.
 (10) Try to change the luks device's key $k_luks to $new_k_luks.
 (11) If (10) was successful, write the $new_salt and the $new_iterations to the UD.
      Note: $new_iterations = $iterations + iterationStep

Known (software) attack vectors:

 * A MITM attack on the keyboard can recover $k_user. This, combined with a USB-MITM
   attack on the yubikey for the $response (1) or the $new_response (2) will result in
   (1) $k_luks being recovered,
   (2) $new_k_luks being recovered.
 * Any attacker with access to the RAM state of stage-1 at mid- or post-authentication
   can recover $k_user, $k_luks, and $new_k_luks.
 * If an attacker has recovered $response or $new_response, he can perform a brute-force
   attack on $k_user with it without the Yubikey needing to be present (using cryptsetup's
   "luksOpen --verify-passphrase" oracle). He could even make a copy of the luks device's
   luks header and run the brute-force attack without further access to the system.
 * A USB-MITM attack on the yubikey will allow an attacker to attempt to brute-force
   the yubikey's internal key ("shared secret") without it needing to be present anymore.

Credits:

 * Florian Klien,
   for the original concept and the reference implementation over at
   https://github.com/flowolf/initramfs_ykfde
 * Anthony Thysse,
   for the reference implementation of accessing OpenSSL's PBKDF2 over at
   http://www.ict.griffith.edu.au/anthony/software/pbkdf2.c
2014-02-08 14:59:52 +01:00
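The key-derivation chain described in steps (2), (3), (4b) and (6)-(9)/(11) above, as an added Python example that is not part of this commit or of nixpkgs. The token's HMAC-SHA1 challenge-response and the constructed `YUBIKEY_SECRET` are assumptions (the commit does not state the token's algorithm), and `verify()` stands in for trying `luksOpen`.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the token's internal "shared secret"; a real key
# never leaves the YubiKey. HMAC-SHA1 challenge-response is an assumption
# about the token, not something the commit message states.
YUBIKEY_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff00112233")


def yubikey_response(challenge: bytes) -> bytes:
    """Step (3), simulated token: HMAC-SHA1 over the challenge (assumption)."""
    return hmac.new(YUBIKEY_SECRET, challenge, hashlib.sha1).digest()


def challenge_from_salt(salt: bytes) -> bytes:
    """Step (2): $challenge = SHA-512($salt), always 64 bytes long."""
    return hashlib.sha512(salt).digest()


def derive_k_luks(k_user: bytes, response: bytes, iterations: int, key_length: int) -> bytes:
    """Step (4b): PBKDF2(HMAC-SHA-512, password=$k_user, salt=$response, $iterations, keyLength)."""
    return hashlib.pbkdf2_hmac("sha512", k_user, response, iterations, dklen=key_length)


def authenticate(attempts, verify, salt, iterations, key_length=64):
    """Steps (1)-(5): challenge the token once, then allow up to three passphrase attempts.

    attempts: passphrases as the user would type them (constructed input).
    verify:   stand-in for trying luksOpen with $k_luks; returns True on success.
    """
    response = yubikey_response(challenge_from_salt(salt))
    for k_user in attempts[:3]:
        k_luks = derive_k_luks(k_user, response, iterations, key_length)
        if verify(k_luks):
            return k_luks
    return None  # step (5): fail


def rekey(k_user, iterations, iteration_step, salt_length=16, key_length=64):
    """Steps (6)-(9) and (11): fresh salt, new response, new key with more iterations."""
    new_salt = os.urandom(salt_length)  # stand-in for reading /dev/random
    new_iterations = iterations + iteration_step
    response = yubikey_response(challenge_from_salt(new_salt))
    new_k_luks = derive_k_luks(k_user, response, new_iterations, key_length)
    # The caller performs step (10) with cryptsetup and, only on success,
    # writes new_salt and new_iterations to the unencrypted device.
    return new_salt, new_iterations, new_k_luks
```

Note that the passphrase alone does not reproduce $k_luks: the token's $response is the PBKDF2 salt, which is the two-factor property the commit message describes.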
Petr Rockai
8d877463f6 rpm: Build python bindings (--enable-python). 2014-02-08 14:38:09 +01:00
Petr Rockai
63478d9590 Add fedpkg, koji &c. + their python dependencies. 2014-02-08 14:37:53 +01:00
Petr Rockai
140e06f9aa osc: Add an OBS (open build system) CLI client. 2014-02-08 14:36:51 +01:00
Domen Kožar
5ffab7710d gnome3.gnome_control_center: build and fix runtime deps 2014-02-08 12:30:23 +01:00