author | Martin Weinelt <mweinelt@users.noreply.github.com> | 2022-11-19 14:28:44 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-11-19 14:28:44 +0100 |
commit | 6c1b52297d5966949640e393df2f2e59ed8508e2 (patch) | |
tree | c7b4dbf33faac8a67ee0b6116dbd7aa45856b53c /nixos/modules | |
parent | 218e2f5e14b60dd2984dbd9a3ba16371de849fd5 (diff) | |
parent | 78155df21dbdb8bd4c471df69e9352ec3471bf45 (diff) |
Merge pull request #195497 from mweinelt/crypt-hash-deprecations
Diffstat (limited to 'nixos/modules')
-rw-r--r-- | nixos/modules/config/users-groups.nix | 22 |
1 files changed, 21 insertions, 1 deletions
diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix index b538a0119c06d..2660b0e6c9388 100644 --- a/nixos/modules/config/users-groups.nix +++ b/nixos/modules/config/users-groups.nix @@ -35,7 +35,7 @@ let ''; hashedPasswordDescription = '' - To generate a hashed password run `mkpasswd -m sha-512`. + To generate a hashed password run `mkpasswd`. If set to an empty string (`""`), this user will be able to log in without being asked for a password (but not via remote @@ -592,6 +592,26 @@ in { ''; }; + # Warn about user accounts with deprecated password hashing schemes + system.activationScripts.hashes = { + deps = [ "users" ]; + text = '' + users=() + while IFS=: read -r user hash tail; do + if [[ "$hash" = "$"* && ! "$hash" =~ ^\$(y|gy|7|2b|2y|2a|6)\$ ]]; then + users+=("$user") + fi + done </etc/shadow + + if (( "''${#users[@]}" )); then + echo " + WARNING: The following user accounts rely on password hashes that will + be removed in NixOS 23.05. They should be renewed as soon as possible." + printf ' - %s\n' "''${users[@]}" + fi + ''; + }; + # for backwards compatibility system.activationScripts.groups = stringAfter [ "users" ] ""; |
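Review bot: The guard `"$hash" = "$"*` in the `while` loop of `system.activationScripts.hashes` means any shadow field that does not begin with `$` is never checked. Two cases therefore escape the warning: a locked entry where `!` has been prepended to an otherwise deprecated hash, and traditional DES-style hashes, which carry no `$` prefix at all. If those formats are also among the schemes being dropped in 23.05, the affected accounts get no notice and would presumably stop authenticating after an unlock or upgrade. Consider stripping the lock marker before the test with `hash="''${hash#!}"`, and add a comment above the `if` stating which non-`$` fields (`*`, `!`, empty) are skipped on purpose. The warning prints only user names and never the hash, which is the right choice for activation output that may end up in logs.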