Merge pull request #220557 from mweinelt/libxcrypt-strong

libxcrypt: Build only with strong hashes
Martin Weinelt 2023-03-15 16:43:12 +00:00 committed by GitHub
commit 578fb7fd1f
9 changed files with 34 additions and 18 deletions


@ -22,6 +22,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- `nixos-rebuild` now supports an extra `--specialisation` option that can be used to change specialisation for `switch` and `test` commands.
- `libxcrypt`, the library providing the `crypt(3)` password hashing function, is now built without support for algorithms not flagged [`strong`](https://github.com/besser82/libxcrypt/blob/v4.4.33/lib/hashes.conf#L48). This affects the availability of password hashing algorithms used for system login (`login(1)`, `passwd(1)`), but also Apache2 Basic-Auth, Samba, OpenLDAP, and [many other packages](https://github.com/search?q=repo%3ANixOS%2Fnixpkgs%20libxcrypt&type=code).
## New Services {#sec-release-23.05-new-services}
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->


@ -539,7 +539,9 @@ in {
###### implementation
config = {
config = let
cryptSchemeIdPatternGroup = "(${lib.concatStringsSep "|" pkgs.libxcrypt.enabledCryptSchemeIds})";
in {
users.users = {
root = {
@ -601,15 +603,16 @@ in {
text = ''
users=()
while IFS=: read -r user hash tail; do
if [[ "$hash" = "$"* && ! "$hash" =~ ^\$(y|gy|7|2b|2y|2a|6)\$ ]]; then
if [[ "$hash" = "$"* && ! "$hash" =~ ^\''$${cryptSchemeIdPatternGroup}\$ ]]; then
users+=("$user")
fi
done </etc/shadow
if (( "''${#users[@]}" )); then
echo "
WARNING: The following user accounts rely on password hashes that will
be removed in NixOS 23.05. They should be renewed as soon as possible."
WARNING: The following user accounts rely on password hashing algorithms
that have been removed. They need to be renewed as soon as possible, as
they do prevent their users from logging in."
printf ' - %s\n' "''${users[@]}"
fi
'';
@ -716,7 +719,7 @@ in {
let
sep = "\\$";
base64 = "[a-zA-Z0-9./]+";
id = "[a-z0-9-]+";
id = cryptSchemeIdPatternGroup;
value = "[a-zA-Z0-9/+.-]+";
options = "${id}(=${value})?(,${id}=${value})*";
scheme = "${id}(${sep}${options})?";
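Review bot: In the hunk at the `id = cryptSchemeIdPatternGroup;` line, `options` is still assembled from `${id}`, so option names (the `rounds=5000` of `$6$rounds=5000$…` or the `j9T` parameter field of `$y$j9T$…`) must now match the scheme-id alternation and no longer validate; whether the salt alternative outside the hunk happens to absorb them cannot be seen from here. Keep a separate class for option names, `name = "[a-z0-9-]+";` and `options = "${name}(=${value})?(,${name}=${value})*";`, leaving `id` for the scheme prefix only; the `let` block continues past the hunk. Separately, the `/etc/shadow` scan in the earlier hunk still only examines hashes beginning with `$`, so accounts carrying legacy unprefixed hashes (for example the 13-character DES form) that `--enable-hashes=strong` also drops are never reported, even though the new warning text says those algorithms are removed. Consider flagging any non-empty hash that is not a lock marker (`!`, `!!`, `*`) and does not match the pattern, so that affected users are warned before they lose the ability to log in.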


@ -620,7 +620,7 @@ let
optionalString config.services.homed.enable ''
password sufficient ${config.systemd.package}/lib/security/pam_systemd_home.so
'' + ''
password sufficient pam_unix.so nullok sha512
password sufficient pam_unix.so nullok yescrypt
'' +
optionalString config.security.pam.enableEcryptfs ''
password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so
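Review bot: The new `password sufficient pam_unix.so nullok yescrypt` line carries no comment on why the scheme changed or what happens to accounts whose hashes were produced with the old `sha512` setting; the same substitution appears in the later hunks of this page (two `password requisite pam_unix.so nullok yescrypt` lines and the `/etc/pam.d/other` heredoc). Suggest a comment above it such as `# New passwords are hashed with yescrypt; hashes in any other scheme still enabled in libxcrypt (see its passthru.enabledCryptSchemeIds) keep verifying and are re-hashed on the next password change.` That existing sha512crypt hashes still verify follows from `"6"` remaining in the enabled list elsewhere on this page; the re-hash-on-change part is ordinary pam_unix behaviour rather than something shown here, so word it accordingly if in doubt. The surrounding string concatenation starts before the hunk.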


@ -323,7 +323,7 @@ in
account sufficient pam_unix.so
password requisite pam_unix.so nullok sha512
password requisite pam_unix.so nullok yescrypt
session optional pam_keyinit.so revoke
session include login


@ -302,7 +302,7 @@ in
account sufficient pam_unix.so
password requisite pam_unix.so nullok sha512
password requisite pam_unix.so nullok yescrypt
session optional pam_keyinit.so revoke
session include login


@ -8,7 +8,7 @@ expected_lines = {
"auth sufficient pam_rootok.so",
"auth sufficient pam_unix.so likeauth try_first_pass",
"password sufficient @@pam_krb5@@/lib/security/pam_krb5.so use_first_pass",
"password sufficient pam_unix.so nullok sha512",
"password sufficient pam_unix.so nullok yescrypt",
"session optional @@pam_krb5@@/lib/security/pam_krb5.so",
"session required pam_env.so conffile=/etc/pam/environment readenv=0",
"session required pam_unix.so",


@ -190,7 +190,7 @@ rec {
cat > /etc/pam.d/other <<EOF
account sufficient pam_unix.so
auth sufficient pam_rootok.so
password requisite pam_unix.so nullok sha512
password requisite pam_unix.so nullok yescrypt
session required pam_unix.so
EOF
fi


@ -15,7 +15,8 @@ stdenv.mkDerivation rec {
];
configureFlags = [
"--enable-hashes=all"
# Update the enabled crypt scheme ids in passthru when the enabled hashes change
"--enable-hashes=strong"
"--enable-obsolete-api=glibc"
"--disable-failure-tokens"
] ++ lib.optionals (stdenv.hostPlatform.isMusl || stdenv.hostPlatform.libc == "bionic") [
@ -30,8 +31,20 @@ stdenv.mkDerivation rec {
doCheck = true;
passthru.tests = {
inherit (nixosTests) login shadow;
passthru = {
tests = {
inherit (nixosTests) login shadow;
};
enabledCryptSchemeIds = [
# https://github.com/besser82/libxcrypt/blob/v4.4.33/lib/hashes.conf
"y" # yescrypt
"gy" # gost_yescrypt
"7" # scrypt
"2b" # bcrypt
"2y" # bcrypt_y
"2a" # bcrypt_a
"6" # sha512crypt
];
};
meta = with lib; {
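Review bot: `enabledCryptSchemeIds` is a hand-copied mirror of the `strong` flag in `lib/hashes.conf`, and nothing in the derivation checks it against what `--enable-hashes=strong` actually built, so a version bump that changes the flagged set would silently desynchronise the list from the library while the NixOS module keeps validating and warning against the stale list. A comment on the attribute would at least document the contract: `# Must match the hashes flagged 'strong' in lib/hashes.conf of the packaged version; consumers interpolate these ids unescaped into regular expressions, so entries must stay plain alphanumerics.` If the unpacked source's hashes.conf is available during the build, a `checkPhase` or `postInstall` comparison of the flagged ids against this list would turn that comment into an enforced invariant; I have not verified the file's exact column layout, so that part is a suggestion rather than a ready change.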


@ -1,6 +1,5 @@
{ lib, stdenv, buildPackages, fetchurl, flex, cracklib, db4, gettext, audit
{ lib, stdenv, buildPackages, fetchurl, flex, cracklib, db4, gettext, audit, libxcrypt
, nixosTests
, withLibxcrypt ? true, libxcrypt
}:
stdenv.mkDerivation rec {
@ -20,9 +19,8 @@ stdenv.mkDerivation rec {
nativeBuildInputs = [ flex ]
++ lib.optional stdenv.buildPlatform.isDarwin gettext;
buildInputs = [ cracklib db4 ]
++ lib.optional stdenv.buildPlatform.isLinux audit
++ lib.optional withLibxcrypt libxcrypt;
buildInputs = [ cracklib db4 libxcrypt ]
++ lib.optional stdenv.buildPlatform.isLinux audit;
enableParallelBuilding = true;