diff options
| author | Martin Weinelt <hexa@darmstadt.ccc.de> | 2022-10-10 04:19:06 +0200 |
|---|---|---|
| committer | Martin Weinelt <hexa@darmstadt.ccc.de> | 2022-11-19 14:07:59 +0100 |
| commit | 78155df21dbdb8bd4c471df69e9352ec3471bf45 (patch) | |
| tree | 37c5d10a5a3200f006c68d1955b9fb8574db5d5e /nixos/modules/config | |
| parent | f391e6dbccfb8289930a139f2afcfd032c60d89f (diff) | |
nixos/users-groups: Warn about deprecated hashes at activation
To allow for a reasonably fast deprecation of weak password hashing schemes we provide an activation script that checks existing hashes in /etc/shadow and issues a warning for user accounts that still rely on deprecated hashes. Co-Authored-By: oxalica <oxalicc@pm.me>
Diffstat (limited to 'nixos/modules/config')
| -rw-r--r-- | nixos/modules/config/users-groups.nix | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix index de5e398dc46a9..2660b0e6c9388 100644 --- a/nixos/modules/config/users-groups.nix +++ b/nixos/modules/config/users-groups.nix @@ -592,6 +592,26 @@ in { ''; }; + # Warn about user accounts with deprecated password hashing schemes + system.activationScripts.hashes = { + deps = [ "users" ]; + text = '' + users=() + while IFS=: read -r user hash tail; do + if [[ "$hash" = "$"* && ! "$hash" =~ ^\$(y|gy|7|2b|2y|2a|6)\$ ]]; then + users+=("$user") + fi + done </etc/shadow + + if (( "''${#users[@]}" )); then + echo " + WARNING: The following user accounts rely on password hashes that will + be removed in NixOS 23.05. They should be renewed as soon as possible." + printf ' - %s\n' "''${users[@]}" + fi + ''; + }; + # for backwards compatibility system.activationScripts.groups = stringAfter [ "users" ] ""; |