Merge pull request #220557 from mweinelt/libxcrypt-strong
libxcrypt: Build only with strong hashes
This commit is contained in:
commit
578fb7fd1f
|
@ -22,6 +22,8 @@ In addition to numerous new and upgraded packages, this release has the followin
|
|||
|
||||
- `nixos-rebuild` now supports an extra `--specialisation` option that can be used to change specialisation for `switch` and `test` commands.
|
||||
|
||||
- `libxcrypt`, the library providing the `crypt(3)` password hashing function, is now built without support for algorithms not flagged [`strong`](https://github.com/besser82/libxcrypt/blob/v4.4.33/lib/hashes.conf#L48). This affects the availability of password hashing algorithms used for system login (`login(1)`, `passwd(1)`), but also Apache2 Basic-Auth, Samba, OpenLDAP, and [many other packages](https://github.com/search?q=repo%3ANixOS%2Fnixpkgs%20libxcrypt&type=code).
|
||||
|
||||
## New Services {#sec-release-23.05-new-services}
|
||||
|
||||
<!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
|
||||
|
|
|
@ -539,7 +539,9 @@ in {
|
|||
|
||||
###### implementation
|
||||
|
||||
config = {
|
||||
config = let
|
||||
cryptSchemeIdPatternGroup = "(${lib.concatStringsSep "|" pkgs.libxcrypt.enabledCryptSchemeIds})";
|
||||
in {
|
||||
|
||||
users.users = {
|
||||
root = {
|
||||
|
@ -601,15 +603,16 @@ in {
|
|||
text = ''
|
||||
users=()
|
||||
while IFS=: read -r user hash tail; do
|
||||
if [[ "$hash" = "$"* && ! "$hash" =~ ^\$(y|gy|7|2b|2y|2a|6)\$ ]]; then
|
||||
if [[ "$hash" = "$"* && ! "$hash" =~ ^\''$${cryptSchemeIdPatternGroup}\$ ]]; then
|
||||
users+=("$user")
|
||||
fi
|
||||
done </etc/shadow
|
||||
|
||||
if (( "''${#users[@]}" )); then
|
||||
echo "
|
||||
WARNING: The following user accounts rely on password hashes that will
|
||||
be removed in NixOS 23.05. They should be renewed as soon as possible."
|
||||
WARNING: The following user accounts rely on password hashing algorithms
|
||||
that have been removed. They need to be renewed as soon as possible, as
|
||||
they do prevent their users from logging in."
|
||||
printf ' - %s\n' "''${users[@]}"
|
||||
fi
|
||||
'';
|
||||
|
@ -716,7 +719,7 @@ in {
|
|||
let
|
||||
sep = "\\$";
|
||||
base64 = "[a-zA-Z0-9./]+";
|
||||
id = "[a-z0-9-]+";
|
||||
id = cryptSchemeIdPatternGroup;
|
||||
value = "[a-zA-Z0-9/+.-]+";
|
||||
options = "${id}(=${value})?(,${id}=${value})*";
|
||||
scheme = "${id}(${sep}${options})?";
|
||||
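Review bot: The activation-script check in the second hunk (`if [[ "$hash" = "$"* && ! "$hash" =~ ^\''$${cryptSchemeIdPatternGroup}\$ ]]`) only inspects hashes that begin with `$`, so a stored hash produced by a scheme without that prefix — traditional DES-style hashes, or the `_`-prefixed bsdicrypt form — is never reported, even though those schemes are among the ones dropped by `--enable-hashes=strong` and such accounts are exactly the ones the new warning text says can no longer log in. Broadening the guard to "non-empty, not a lock marker, and not one of the enabled ids", e.g. `if [[ -n "$hash" && "$hash" != '!'* && "$hash" != '*'* && ! "$hash" =~ ^\''$${cryptSchemeIdPatternGroup}\$ ]]; then`, would cover them; the lock markers `!`/`*` must stay excluded so locked accounts are not listed. The `text = ''` attribute whose body this hunk edits belongs to a definition that starts outside the hunk, so verify the quoting of `'!'` and `'*'` inside the Nix indented string in context. The third hunk's `id = cryptSchemeIdPatternGroup;` presumably restricts the hashedPassword format check to the same id set, which keeps the two in sync as long as both read `pkgs.libxcrypt.enabledCryptSchemeIds`.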
|
|
|
@ -620,7 +620,7 @@ let
|
|||
optionalString config.services.homed.enable ''
|
||||
password sufficient ${config.systemd.package}/lib/security/pam_systemd_home.so
|
||||
'' + ''
|
||||
password sufficient pam_unix.so nullok sha512
|
||||
password sufficient pam_unix.so nullok yescrypt
|
||||
'' +
|
||||
optionalString config.security.pam.enableEcryptfs ''
|
||||
password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so
|
||||
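Review bot: The change from `sha512` to `yescrypt` on `password sufficient pam_unix.so nullok yescrypt` records no reason in the file, and the same literal is repeated in the two following sections and in the test expectation list, so a later maintainer has several places to keep aligned with the libxcrypt hash set. A one-line comment above the line would capture the rationale, e.g. `# yescrypt: libxcrypt is now built with --enable-hashes=strong, of which yescrypt is the preferred scheme; existing $6$ hashes stay verifiable`. The `''`-string concatenation this line sits in starts outside the hunk; if the stanzas in the other two sections are generated from this module, a single Nix binding for the algorithm name would remove the duplication, but that cannot be confirmed from the hunks shown.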
|
|
|
@ -323,7 +323,7 @@ in
|
|||
|
||||
account sufficient pam_unix.so
|
||||
|
||||
password requisite pam_unix.so nullok sha512
|
||||
password requisite pam_unix.so nullok yescrypt
|
||||
|
||||
session optional pam_keyinit.so revoke
|
||||
session include login
|
||||
|
|
|
@ -302,7 +302,7 @@ in
|
|||
|
||||
account sufficient pam_unix.so
|
||||
|
||||
password requisite pam_unix.so nullok sha512
|
||||
password requisite pam_unix.so nullok yescrypt
|
||||
|
||||
session optional pam_keyinit.so revoke
|
||||
session include login
|
||||
|
|
|
@ -8,7 +8,7 @@ expected_lines = {
|
|||
"auth sufficient pam_rootok.so",
|
||||
"auth sufficient pam_unix.so likeauth try_first_pass",
|
||||
"password sufficient @@pam_krb5@@/lib/security/pam_krb5.so use_first_pass",
|
||||
"password sufficient pam_unix.so nullok sha512",
|
||||
"password sufficient pam_unix.so nullok yescrypt",
|
||||
"session optional @@pam_krb5@@/lib/security/pam_krb5.so",
|
||||
"session required pam_env.so conffile=/etc/pam/environment readenv=0",
|
||||
"session required pam_unix.so",
|
||||
|
|
|
@ -190,7 +190,7 @@ rec {
|
|||
cat > /etc/pam.d/other <<EOF
|
||||
account sufficient pam_unix.so
|
||||
auth sufficient pam_rootok.so
|
||||
password requisite pam_unix.so nullok sha512
|
||||
password requisite pam_unix.so nullok yescrypt
|
||||
session required pam_unix.so
|
||||
EOF
|
||||
fi
|
||||
|
|
|
@ -15,7 +15,8 @@ stdenv.mkDerivation rec {
|
|||
];
|
||||
|
||||
configureFlags = [
|
||||
"--enable-hashes=all"
|
||||
# Update the enabled crypt scheme ids in passthru when the enabled hashes change
|
||||
"--enable-hashes=strong"
|
||||
"--enable-obsolete-api=glibc"
|
||||
"--disable-failure-tokens"
|
||||
] ++ lib.optionals (stdenv.hostPlatform.isMusl || stdenv.hostPlatform.libc == "bionic") [
|
||||
|
@ -30,9 +31,21 @@ stdenv.mkDerivation rec {
|
|||
|
||||
doCheck = true;
|
||||
|
||||
passthru.tests = {
|
||||
passthru = {
|
||||
tests = {
|
||||
inherit (nixosTests) login shadow;
|
||||
};
|
||||
enabledCryptSchemeIds = [
|
||||
# https://github.com/besser82/libxcrypt/blob/v4.4.33/lib/hashes.conf
|
||||
"y" # yescrypt
|
||||
"gy" # gost_yescrypt
|
||||
"7" # scrypt
|
||||
"2b" # bcrypt
|
||||
"2y" # bcrypt_y
|
||||
"2a" # bcrypt_a
|
||||
"6" # sha512crypt
|
||||
];
|
||||
};
|
||||
|
||||
meta = with lib; {
|
||||
description = "Extended crypt library for descrypt, md5crypt, bcrypt, and others";
|
||||
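Review bot: `passthru.enabledCryptSchemeIds` is a hand-maintained copy of the `strong` set in the upstream `lib/hashes.conf`, and the comment added next to `"--enable-hashes=strong"` relies on a maintainer remembering to update it, while `nixos/modules/config/users-groups.nix`-style consumers seen in the earlier hunks build their regexes and the shadow-audit script from it; drift would silently either reject valid hashes or stop warning about dropped ones. Since the build already runs `doCheck = true`, a check that reads `lib/hashes.conf` from the unpacked source and compares its `strong`-flagged prefixes against this list (the column layout of that file should be confirmed against the pinned version first) would turn a version-bump mismatch into a build failure. The `# https://github.com/besser82/libxcrypt/blob/v4.4.33/lib/hashes.conf` reference is pinned to one version, so note in the comment that the link should move with `version`.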
|
|
|
@ -1,6 +1,5 @@
|
|||
{ lib, stdenv, buildPackages, fetchurl, flex, cracklib, db4, gettext, audit
|
||||
{ lib, stdenv, buildPackages, fetchurl, flex, cracklib, db4, gettext, audit, libxcrypt
|
||||
, nixosTests
|
||||
, withLibxcrypt ? true, libxcrypt
|
||||
}:
|
||||
|
||||
stdenv.mkDerivation rec {
|
||||
|
@ -20,9 +19,8 @@ stdenv.mkDerivation rec {
|
|||
nativeBuildInputs = [ flex ]
|
||||
++ lib.optional stdenv.buildPlatform.isDarwin gettext;
|
||||
|
||||
buildInputs = [ cracklib db4 ]
|
||||
++ lib.optional stdenv.buildPlatform.isLinux audit
|
||||
++ lib.optional withLibxcrypt libxcrypt;
|
||||
buildInputs = [ cracklib db4 libxcrypt ]
|
||||
++ lib.optional stdenv.buildPlatform.isLinux audit;
|
||||
|
||||
enableParallelBuilding = true;
|
||||
|
||||
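Review bot: Removing the `withLibxcrypt ? true` argument and making `libxcrypt` an unconditional `buildInputs` entry is an interface change for anyone calling `pam.override { withLibxcrypt = ...; }`, which now fails with an unexpected-argument error, and the release-note entry in the first section does not mention it. If out-of-tree overrides are a concern, keep the argument for one release and fail explicitly, e.g. `, withLibxcrypt ? true` together with `assert withLibxcrypt;` (or `lib.warnIf`), so the breakage is visible; otherwise a sentence in the release notes would suffice. The `stdenv.mkDerivation rec {` body continues outside the second hunk, so other uses of `withLibxcrypt` in this file, if any, are not visible here.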
|
|