Merge pull request #220557 from mweinelt/libxcrypt-strong
libxcrypt: Build only with strong hashes
This commit is contained in:
commit
578fb7fd1f
@ -22,6 +22,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- `nixos-rebuild` now supports an extra `--specialisation` option that can be used to change specialisation for `switch` and `test` commands.
- `nixos-rebuild` now supports an extra `--specialisation` option that can be used to change specialisation for `switch` and `test` commands.
- `libxcrypt`, the library providing the `crypt(3)` password hashing function, is now built without support for algorithms not flagged [`strong`](https://github.com/besser82/libxcrypt/blob/v4.4.33/lib/hashes.conf#L48). This affects the availability of password hashing algorithms used for system login (`login(1)`, `passwd(1)`), but also Apache2 Basic-Auth, Samba, OpenLDAP, and [many other packages](https://github.com/search?q=repo%3ANixOS%2Fnixpkgs%20libxcrypt&type=code).
## New Services {#sec-release-23.05-new-services}
## New Services {#sec-release-23.05-new-services}
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
@ -539,7 +539,9 @@ in {
###### implementation
###### implementation
config = {
config = let
cryptSchemeIdPatternGroup = "(${lib.concatStringsSep "|" pkgs.libxcrypt.enabledCryptSchemeIds})";
in {
users.users = {
users.users = {
root = {
root = {
@ -601,15 +603,16 @@ in {
text = ''
text = ''
users=()
users=()
while IFS=: read -r user hash tail; do
while IFS=: read -r user hash tail; do
if [[ "$hash" = "$"* && ! "$hash" =~ ^\$(y|gy|7|2b|2y|2a|6)\$ ]]; then
if [[ "$hash" = "$"* && ! "$hash" =~ ^\''$${cryptSchemeIdPatternGroup}\$ ]]; then
users+=("$user")
users+=("$user")
fi
fi
done </etc/shadow
done </etc/shadow
if (( "''${#users[@]}" )); then
if (( "''${#users[@]}" )); then
echo "
echo "
WARNING: The following user accounts rely on password hashes that will
WARNING: The following user accounts rely on password hashing algorithms
be removed in NixOS 23.05. They should be renewed as soon as possible."
that have been removed. They need to be renewed as soon as possible, as
they do prevent their users from logging in."
printf ' - %s\n' "''${users[@]}"
printf ' - %s\n' "''${users[@]}"
fi
fi
'';
'';
@ -716,7 +719,7 @@ in {
let
let
sep = "\\$";
sep = "\\$";
base64 = "[a-zA-Z0-9./]+";
base64 = "[a-zA-Z0-9./]+";
id = "[a-z0-9-]+";
id = cryptSchemeIdPatternGroup;
value = "[a-zA-Z0-9/+.-]+";
value = "[a-zA-Z0-9/+.-]+";
options = "${id}(=${value})?(,${id}=${value})*";
options = "${id}(=${value})?(,${id}=${value})*";
scheme = "${id}(${sep}${options})?";
scheme = "${id}(${sep}${options})?";
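Review bot: `id` is reused as the option-name pattern in `options` on the following line (`${id}(=${value})?(,${id}=${value})*`), so narrowing it from `[a-z0-9-]+` to the enabled scheme ids also narrows what may appear before `=` in the parameter part of a hash — a `rounds=` parameter, for instance, would no longer be accepted as an option key. If that is unintended, keep the scheme-id group for the leading id only and add a separate key pattern, e.g. `optKey = "[a-z0-9-]+";` and `options = "${optKey}(=${value})?(,${optKey}=${value})*";`. The `let` block that defines `scheme` begins and ends outside the hunk, so how `scheme` is finally matched is not visible here. A related gap in the activation check of the previous hunk: hashes that do not start with `$` are skipped by the first test, so accounts with legacy non-prefixed hashes get no warning even though none of the enabled ids can verify them; consider also flagging non-empty hashes that do not begin with `!` or `*`.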
@ -620,7 +620,7 @@ let
optionalString config.services.homed.enable ''
optionalString config.services.homed.enable ''
password sufficient ${config.systemd.package}/lib/security/pam_systemd_home.so
password sufficient ${config.systemd.package}/lib/security/pam_systemd_home.so
'' + ''
'' + ''
password sufficient pam_unix.so nullok sha512
password sufficient pam_unix.so nullok yescrypt
'' +
'' +
optionalString config.security.pam.enableEcryptfs ''
optionalString config.security.pam.enableEcryptfs ''
password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so
password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so
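Review bot: The algorithm for newly set passwords is now a bare literal `yescrypt` here and repeated unchanged in the other `pam_unix` password lines of this change (the two `requisite` lines at `@ -323` and `@ -302`, the shell heredoc at `@ -190`, and the expected line in the Python test at `@ -8`), so the next algorithm change has to be tracked down in five places. A single documented binding that the other module files reference, or at least a comment on this line such as `# Applies to newly set passwords only; existing sha512crypt ($6$) hashes should still verify because id 6 stays enabled in libxcrypt`, would make the intent and the compatibility story explicit. This option presumably only takes effect when pam_unix is linked against a libxcrypt that provides yescrypt, which the accompanying pam/default.nix change makes unconditional. The string concatenation this line sits in starts and ends outside the hunk.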
@ -323,7 +323,7 @@ in
account sufficient pam_unix.so
account sufficient pam_unix.so
password requisite pam_unix.so nullok sha512
password requisite pam_unix.so nullok yescrypt
session optional pam_keyinit.so revoke
session optional pam_keyinit.so revoke
session include login
session include login
@ -302,7 +302,7 @@ in
account sufficient pam_unix.so
account sufficient pam_unix.so
password requisite pam_unix.so nullok sha512
password requisite pam_unix.so nullok yescrypt
session optional pam_keyinit.so revoke
session optional pam_keyinit.so revoke
session include login
session include login
@ -8,7 +8,7 @@ expected_lines = {
"auth sufficient pam_rootok.so",
"auth sufficient pam_rootok.so",
"auth sufficient pam_unix.so likeauth try_first_pass",
"auth sufficient pam_unix.so likeauth try_first_pass",
"password sufficient @@pam_krb5@@/lib/security/pam_krb5.so use_first_pass",
"password sufficient @@pam_krb5@@/lib/security/pam_krb5.so use_first_pass",
"password sufficient pam_unix.so nullok sha512",
"password sufficient pam_unix.so nullok yescrypt",
"session optional @@pam_krb5@@/lib/security/pam_krb5.so",
"session optional @@pam_krb5@@/lib/security/pam_krb5.so",
"session required pam_env.so conffile=/etc/pam/environment readenv=0",
"session required pam_env.so conffile=/etc/pam/environment readenv=0",
"session required pam_unix.so",
"session required pam_unix.so",
@ -190,7 +190,7 @@ rec {
cat > /etc/pam.d/other <<EOF
cat > /etc/pam.d/other <<EOF
account sufficient pam_unix.so
account sufficient pam_unix.so
auth sufficient pam_rootok.so
auth sufficient pam_rootok.so
password requisite pam_unix.so nullok sha512
password requisite pam_unix.so nullok yescrypt
session required pam_unix.so
session required pam_unix.so
EOF
EOF
fi
fi
@ -15,7 +15,8 @@ stdenv.mkDerivation rec {
];
];
configureFlags = [
configureFlags = [
"--enable-hashes=all"
# Update the enabled crypt scheme ids in passthru when the enabled hashes change
"--enable-hashes=strong"
"--enable-obsolete-api=glibc"
"--enable-obsolete-api=glibc"
"--disable-failure-tokens"
"--disable-failure-tokens"
] ++ lib.optionals (stdenv.hostPlatform.isMusl || stdenv.hostPlatform.libc == "bionic") [
] ++ lib.optionals (stdenv.hostPlatform.isMusl || stdenv.hostPlatform.libc == "bionic") [
@ -30,8 +31,20 @@ stdenv.mkDerivation rec {
doCheck = true;
doCheck = true;
passthru.tests = {
passthru = {
inherit (nixosTests) login shadow;
tests = {
inherit (nixosTests) login shadow;
};
enabledCryptSchemeIds = [
# https://github.com/besser82/libxcrypt/blob/v4.4.33/lib/hashes.conf
"y" # yescrypt
"gy" # gost_yescrypt
"7" # scrypt
"2b" # bcrypt
"2y" # bcrypt_y
"2a" # bcrypt_a
"6" # sha512crypt
];
};
};
meta = with lib; {
meta = with lib; {
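Review bot: `enabledCryptSchemeIds` is a hand-maintained mirror of the set that `--enable-hashes=strong` selects, and the only thing tying the two together is the comment above that flag in the first hunk; a version bump that changes which upstream hashes carry the strong flag would silently leave the module-side regexes built from this list out of date. A build-time check that derives the expected ids from the unpacked source would turn that drift into a failed build, e.g. a `postCheck` step that extracts the prefix column of the strong-flagged lines in `lib/hashes.conf`, strips the surrounding `$`, and diffs the result against this list. The link in the comment pins v4.4.33, so it needs updating alongside `version` as well. Since consumers interpolate these entries straight into a regex alternation, a comment such as `# Entries must be regex-safe: they are interpolated verbatim into alternations by NixOS modules` would record that constraint; none of the current ids contain metacharacters, but nothing enforces it.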
@ -1,6 +1,5 @@
{ lib, stdenv, buildPackages, fetchurl, flex, cracklib, db4, gettext, audit
{ lib, stdenv, buildPackages, fetchurl, flex, cracklib, db4, gettext, audit, libxcrypt
, nixosTests
, nixosTests
, withLibxcrypt ? true, libxcrypt
}:
}:
stdenv.mkDerivation rec {
stdenv.mkDerivation rec {
@ -20,9 +19,8 @@ stdenv.mkDerivation rec {
nativeBuildInputs = [ flex ]
nativeBuildInputs = [ flex ]
++ lib.optional stdenv.buildPlatform.isDarwin gettext;
++ lib.optional stdenv.buildPlatform.isDarwin gettext;
buildInputs = [ cracklib db4 ]
buildInputs = [ cracklib db4 libxcrypt ]
++ lib.optional stdenv.buildPlatform.isLinux audit
++ lib.optional stdenv.buildPlatform.isLinux audit;
++ lib.optional withLibxcrypt libxcrypt;
enableParallelBuilding = true;
enableParallelBuilding = true;
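Review bot: Dropping the `withLibxcrypt ? true` argument from the function header in the first hunk is a breaking interface change for any downstream `pam.override { withLibxcrypt = ...; }`, which will now fail with an unexpected-argument error instead of a clear message. If making libxcrypt mandatory is intended, consider keeping the parameter for one release as an unused no-op that warns, e.g. `, withLibxcrypt ? true` in the header and `lib.warnIf (!withLibxcrypt) "pam: withLibxcrypt = false is no longer supported; libxcrypt is always linked"` around the derivation, and mention the removal in the release-notes entry of this PR. The second hunk's `buildInputs` is consistent with that decision (libxcrypt unconditional, audit still Linux-only).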