author | Sandro <sandro.jaeckel@gmail.com> | 2024-06-02 23:10:26 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-06-02 23:10:26 +0200 |
commit | 6f02edec1a24d025b3249803cee6b0ae51c24d5b (patch) | |
tree | f8498d8fba9cd4eaf7164afe62a723fa8ed740e5 /nixos | |
parent | fa7656236f424e29caaa18d0be5d6198df4ca1cd (diff) | |
parent | d11d18df304bb7c51aba7e889621c7685daca4e8 (diff) |
Merge pull request #316358 from majewsky/portunus-remove-libxcrypt-legacy
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/doc/manual/release-notes/rl-2411.section.md | 9 | ||||
-rw-r--r-- | nixos/modules/services/misc/portunus.nix | 5 |
2 files changed, 10 insertions, 4 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2411.section.md b/nixos/doc/manual/release-notes/rl-2411.section.md index 1e0af734ed40b..28264b0b3429d 100644 --- a/nixos/doc/manual/release-notes/rl-2411.section.md +++ b/nixos/doc/manual/release-notes/rl-2411.section.md @@ -30,6 +30,15 @@ for `stateVersion` ≥ 24.11. (It was previously using SQLite for structured data and the filesystem for blobs). +- The `portunus` package and service do not support weak password hashes anymore. + If you installed Portunus on NixOS 23.11 or earlier, upgrade to NixOS 24.05 first to get support for strong password hashing. + Then, follow the instructions on the [upstream release notes](https://github.com/majewsky/portunus/releases/tag/v2.0.0) to upgrade all existing user accounts to strong password hashes. + If you need to upgrade to 24.11 without having completed the migration, consider the security implications of weak password hashes on your user accounts, and add the following to your configuration: + ```nix + services.portunus.package = pkgs.portunus.override { libxcrypt = pkgs.libxcrypt-legacy; }; + services.portunus.ldap.package = pkgs.openldap.override { libxcrypt = pkgs.libxcrypt-legacy; }; + ``` + ## Other Notable Changes {#sec-release-24.11-notable-changes} <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> diff --git a/nixos/modules/services/misc/portunus.nix b/nixos/modules/services/misc/portunus.nix index 335806b261a23..c7abb2cfa2a3e 100644 --- a/nixos/modules/services/misc/portunus.nix +++ b/nixos/modules/services/misc/portunus.nix 
@@ -115,10 +115,7 @@ in ldap = { package = mkOption { type = types.package; - # needs openldap built with a libxcrypt that support crypt sha256 until users have had time to migrate to newer hashes - # Ref: <https://github.com/majewsky/portunus/issues/2> - # TODO: remove in NixOS 24.11 (cf. same note on pkgs/servers/portunus/default.nix) - default = pkgs.openldap.override { libxcrypt = pkgs.libxcrypt-legacy; }; + default = pkgs.openldap; defaultText = lib.literalExpression "pkgs.openldap.override { libxcrypt = pkgs.libxcrypt-legacy; }"; description = "The OpenLDAP package to use."; }; |
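Review bot: In the release-notes hunk of rl-2411.section.md, the new entry says "weak password hashes" without naming the hash schemes that stop working, so an administrator cannot tell from this text whether their accounts are affected. The comment removed from portunus.nix in this same patch mentions crypt sha256 and upstream issue #2; consider naming the scheme in the entry or linking that issue next to the upstream release notes. It would also help to state that the two `override` lines are a temporary workaround to be removed once all accounts have been migrated.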
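Review bot: In the portunus.nix hunk, `default` is changed to `pkgs.openldap` but the unchanged `defaultText` line still reads `lib.literalExpression "pkgs.openldap.override { libxcrypt = pkgs.libxcrypt-legacy; }"`, so the generated option documentation would keep advertising the legacy libxcrypt build as the default. Suggest updating it to `defaultText = lib.literalExpression "pkgs.openldap";` (or dropping `defaultText`) so the documented default matches the actual one.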