Merge pull request #220557 from mweinelt/libxcrypt-strong

libxcrypt: Build only with strong hashes
This commit is contained in:
Martin Weinelt 2023-03-15 16:43:12 +00:00 committed by GitHub
commit 578fb7fd1f
9 changed files with 34 additions and 18 deletions


@ -22,6 +22,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- `nixos-rebuild` now supports an extra `--specialisation` option that can be used to change specialisation for `switch` and `test` commands. - `nixos-rebuild` now supports an extra `--specialisation` option that can be used to change specialisation for `switch` and `test` commands.
- `libxcrypt`, the library providing the `crypt(3)` password hashing function, is now built without support for algorithms not flagged [`strong`](https://github.com/besser82/libxcrypt/blob/v4.4.33/lib/hashes.conf#L48). This affects the availability of password hashing algorithms used for system login (`login(1)`, `passwd(1)`), but also Apache2 Basic-Auth, Samba, OpenLDAP, and [many other packages](https://github.com/search?q=repo%3ANixOS%2Fnixpkgs%20libxcrypt&type=code).
## New Services {#sec-release-23.05-new-services} ## New Services {#sec-release-23.05-new-services}
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->


@ -539,7 +539,9 @@ in {
###### implementation ###### implementation
config = { config = let
cryptSchemeIdPatternGroup = "(${lib.concatStringsSep "|" pkgs.libxcrypt.enabledCryptSchemeIds})";
in {
users.users = { users.users = {
root = { root = {
@ -601,15 +603,16 @@ in {
text = '' text = ''
users=() users=()
while IFS=: read -r user hash tail; do while IFS=: read -r user hash tail; do
if [[ "$hash" = "$"* && ! "$hash" =~ ^\$(y|gy|7|2b|2y|2a|6)\$ ]]; then if [[ "$hash" = "$"* && ! "$hash" =~ ^\''$${cryptSchemeIdPatternGroup}\$ ]]; then
users+=("$user") users+=("$user")
fi fi
done </etc/shadow done </etc/shadow
if (( "''${#users[@]}" )); then if (( "''${#users[@]}" )); then
echo " echo "
WARNING: The following user accounts rely on password hashes that will WARNING: The following user accounts rely on password hashing algorithms
be removed in NixOS 23.05. They should be renewed as soon as possible." that have been removed. They need to be renewed as soon as possible, as
they do prevent their users from logging in."
printf ' - %s\n' "''${users[@]}" printf ' - %s\n' "''${users[@]}"
fi fi
''; '';
@ -716,7 +719,7 @@ in {
let let
sep = "\\$"; sep = "\\$";
base64 = "[a-zA-Z0-9./]+"; base64 = "[a-zA-Z0-9./]+";
id = "[a-z0-9-]+"; id = cryptSchemeIdPatternGroup;
value = "[a-zA-Z0-9/+.-]+"; value = "[a-zA-Z0-9/+.-]+";
options = "${id}(=${value})?(,${id}=${value})*"; options = "${id}(=${value})?(,${id}=${value})*";
scheme = "${id}(${sep}${options})?"; scheme = "${id}(${sep}${options})?";
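Review bot: Reusing the scheme-id alternation as `id` in `id = cryptSchemeIdPatternGroup;` also narrows the `options` sub-pattern two lines below, where `id` stands for option keys rather than scheme ids, so a sha512crypt hash with an explicit cost such as `$6$rounds=<N>$…` no longer matches: `rounds` is not one of the enabled ids, and the `=` is outside the `base64` class `[a-zA-Z0-9./]+`, so the `options` alternative was the only way for that segment to match. Whatever consumer of `scheme` sits outside the hunk would then flag a valid hash as malformed; this is inferred from the visible pieces, since the final pattern is assembled outside the hunk. Keep a separate key pattern for options and restrict only the leading scheme id: `optionKey = "[a-z0-9-]+";` and `options = "${optionKey}(=${value})?(,${optionKey}=${value})*";`. The enclosing `let` starts and ends outside the hunk.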


@ -620,7 +620,7 @@ let
optionalString config.services.homed.enable '' optionalString config.services.homed.enable ''
password sufficient ${config.systemd.package}/lib/security/pam_systemd_home.so password sufficient ${config.systemd.package}/lib/security/pam_systemd_home.so
'' + '' '' + ''
password sufficient pam_unix.so nullok sha512 password sufficient pam_unix.so nullok yescrypt
'' + '' +
optionalString config.security.pam.enableEcryptfs '' optionalString config.security.pam.enableEcryptfs ''
password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so
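Review bot: Switching pam_unix from `sha512` to `yescrypt` on the `password sufficient` line depends on two things the hunk does not state: pam_unix must be linked against a crypt implementation that provides yescrypt, and the PAM module itself must be recent enough to recognize the `yescrypt` option, because to my knowledge pam_unix only logs an unrecognized option and continues with its built-in default, which would downgrade newly set hashes without any error. The linux-pam change on this page makes the libxcrypt dependency unconditional, which covers the first point; the second deserves a comment on the line, e.g. `# yescrypt requires a pam_unix that knows the option; the login test should confirm new hashes start with $y$`. The same `sha512` → `yescrypt` edit appears in three further hunks on this page (two other `password requisite pam_unix.so` lines and the `/etc/pam.d/other` heredoc) plus the Python test expectation; the comment belongs at each of the pam definitions. Existing `$6$` hashes keep verifying because sha512crypt stays in the enabled set, so the change only affects passwords set afterwards.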


@ -323,7 +323,7 @@ in
account sufficient pam_unix.so account sufficient pam_unix.so
password requisite pam_unix.so nullok sha512 password requisite pam_unix.so nullok yescrypt
session optional pam_keyinit.so revoke session optional pam_keyinit.so revoke
session include login session include login


@ -302,7 +302,7 @@ in
account sufficient pam_unix.so account sufficient pam_unix.so
password requisite pam_unix.so nullok sha512 password requisite pam_unix.so nullok yescrypt
session optional pam_keyinit.so revoke session optional pam_keyinit.so revoke
session include login session include login


@ -8,7 +8,7 @@ expected_lines = {
"auth sufficient pam_rootok.so", "auth sufficient pam_rootok.so",
"auth sufficient pam_unix.so likeauth try_first_pass", "auth sufficient pam_unix.so likeauth try_first_pass",
"password sufficient @@pam_krb5@@/lib/security/pam_krb5.so use_first_pass", "password sufficient @@pam_krb5@@/lib/security/pam_krb5.so use_first_pass",
"password sufficient pam_unix.so nullok sha512", "password sufficient pam_unix.so nullok yescrypt",
"session optional @@pam_krb5@@/lib/security/pam_krb5.so", "session optional @@pam_krb5@@/lib/security/pam_krb5.so",
"session required pam_env.so conffile=/etc/pam/environment readenv=0", "session required pam_env.so conffile=/etc/pam/environment readenv=0",
"session required pam_unix.so", "session required pam_unix.so",


@ -190,7 +190,7 @@ rec {
cat > /etc/pam.d/other <<EOF cat > /etc/pam.d/other <<EOF
account sufficient pam_unix.so account sufficient pam_unix.so
auth sufficient pam_rootok.so auth sufficient pam_rootok.so
password requisite pam_unix.so nullok sha512 password requisite pam_unix.so nullok yescrypt
session required pam_unix.so session required pam_unix.so
EOF EOF
fi fi


@ -15,7 +15,8 @@ stdenv.mkDerivation rec {
]; ];
configureFlags = [ configureFlags = [
"--enable-hashes=all" # Update the enabled crypt scheme ids in passthru when the enabled hashes change
"--enable-hashes=strong"
"--enable-obsolete-api=glibc" "--enable-obsolete-api=glibc"
"--disable-failure-tokens" "--disable-failure-tokens"
] ++ lib.optionals (stdenv.hostPlatform.isMusl || stdenv.hostPlatform.libc == "bionic") [ ] ++ lib.optionals (stdenv.hostPlatform.isMusl || stdenv.hostPlatform.libc == "bionic") [
@ -30,8 +31,20 @@ stdenv.mkDerivation rec {
doCheck = true; doCheck = true;
passthru.tests = { passthru = {
inherit (nixosTests) login shadow; tests = {
inherit (nixosTests) login shadow;
};
enabledCryptSchemeIds = [
# https://github.com/besser82/libxcrypt/blob/v4.4.33/lib/hashes.conf
"y" # yescrypt
"gy" # gost_yescrypt
"7" # scrypt
"2b" # bcrypt
"2y" # bcrypt_y
"2a" # bcrypt_a
"6" # sha512crypt
];
}; };
meta = with lib; { meta = with lib; {
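Review bot: `enabledCryptSchemeIds` is a hand-copied snapshot of upstream's strong set, pinned by URL to v4.4.33, while the flag that actually decides what gets built is `--enable-hashes=strong`; nothing in the derivation checks that the two agree, so an upstream update that adds or drops a STRONG entry would leave the activation-script warning and the hashedPassword regex consuming a stale list, and the comment above configureFlags only asks maintainers to remember. A cheap guard would be a check phase that extracts the STRONG-flagged prefixes from `lib/hashes.conf` in `src` and compares them against this list, failing the build on drift; I would confirm the exact column layout of hashes.conf before writing it. At minimum the comment above the list should state what the entries are, e.g. `# Scheme ids (the text between the leading "$" signs) flagged STRONG in upstream hashes.conf, in upstream order; keep in sync with --enable-hashes above`.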


@ -1,6 +1,5 @@
{ lib, stdenv, buildPackages, fetchurl, flex, cracklib, db4, gettext, audit { lib, stdenv, buildPackages, fetchurl, flex, cracklib, db4, gettext, audit, libxcrypt
, nixosTests , nixosTests
, withLibxcrypt ? true, libxcrypt
}: }:
stdenv.mkDerivation rec { stdenv.mkDerivation rec {
@ -20,9 +19,8 @@ stdenv.mkDerivation rec {
nativeBuildInputs = [ flex ] nativeBuildInputs = [ flex ]
++ lib.optional stdenv.buildPlatform.isDarwin gettext; ++ lib.optional stdenv.buildPlatform.isDarwin gettext;
buildInputs = [ cracklib db4 ] buildInputs = [ cracklib db4 libxcrypt ]
++ lib.optional stdenv.buildPlatform.isLinux audit ++ lib.optional stdenv.buildPlatform.isLinux audit;
++ lib.optional withLibxcrypt libxcrypt;
enableParallelBuilding = true; enableParallelBuilding = true;
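Review bot: Making `libxcrypt` an unconditional entry in `buildInputs` removes the `withLibxcrypt` override point without saying why it can no longer be optional; the reason, visible elsewhere on this page, is that pam_unix is now configured with `yescrypt`, which the crypt implementation it links against must provide. A one-line comment on the buildInputs line would save the next reader the hunt: `# libxcrypt is required: pam_unix is configured with yescrypt, which the libc's own crypt may not provide`. Anyone calling `.override { withLibxcrypt = false; }` now fails with an unexpected-argument error, which is loud and probably acceptable, but it is a breaking change worth a sentence in the commit message.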