diff options
| author | github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> | 2022-11-19 18:01:53 +0000 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-11-19 18:01:53 +0000 |
| commit | 14b4aa3fd447fb64d688a385e4e1639e8d51d65c (patch) | |
| tree | 664ee9807f3934d8585158bf12a42e4c5329ed2a /nixos/modules/config | |
| parent | 508b661d6818fa524af1af3c166d65e384385b6d (diff) | |
| parent | 749f60adef76c4dbbee154cab3344327f07713d7 (diff) | |
Merge staging-next into staging
Diffstat (limited to 'nixos/modules/config')
| -rw-r--r-- | nixos/modules/config/users-groups.nix | 22 |
1 files changed, 21 insertions, 1 deletions
diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix index b538a0119c06d..2660b0e6c9388 100644 --- a/nixos/modules/config/users-groups.nix +++ b/nixos/modules/config/users-groups.nix @@ -35,7 +35,7 @@ let ''; hashedPasswordDescription = '' - To generate a hashed password run `mkpasswd -m sha-512`. + To generate a hashed password run `mkpasswd`. If set to an empty string (`""`), this user will be able to log in without being asked for a password (but not via remote @@ -592,6 +592,26 @@ in { ''; }; + # Warn about user accounts with deprecated password hashing schemes + system.activationScripts.hashes = { + deps = [ "users" ]; + text = '' + users=() + while IFS=: read -r user hash tail; do + if [[ "$hash" = "$"* && ! "$hash" =~ ^\$(y|gy|7|2b|2y|2a|6)\$ ]]; then + users+=("$user") + fi + done </etc/shadow + + if (( "''${#users[@]}" )); then + echo " + WARNING: The following user accounts rely on password hashes that will + be removed in NixOS 23.05. They should be renewed as soon as possible." + printf ' - %s\n' "''${users[@]}" + fi + ''; + }; + # for backwards compatibility system.activationScripts.groups = stringAfter [ "users" ] ""; |