authorMartin Weinelt <hexa@darmstadt.ccc.de>2023-03-12 17:59:01 +0100
committerMartin Weinelt <hexa@darmstadt.ccc.de>2023-03-13 07:54:27 +0100
commit4472cf44eba4991e46904c588e07dfe8e6fcceb8 (patch)
tree50d184541bb5d1163027a0fbf11303ac95db4681
parent909f394f28c637a6d5a269d893b77e095b2812eb (diff)
treewide: Make yescrypt the default algorithm for pam_unix.so
This ensures `passwd` will default to yescrypt for newly generated
passwords.
-rw-r--r--nixos/modules/security/pam.nix2
-rw-r--r--nixos/modules/services/x11/display-managers/gdm.nix2
-rw-r--r--nixos/modules/services/x11/display-managers/lightdm.nix2
-rw-r--r--nixos/tests/pam/test_chfn.py2
-rw-r--r--pkgs/build-support/docker/default.nix2
5 files changed, 5 insertions, 5 deletions
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index 4224722f879..d57dec36c32 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -620,7 +620,7 @@ let
           optionalString config.services.homed.enable ''
             password sufficient ${config.systemd.package}/lib/security/pam_systemd_home.so
           '' + ''
-            password sufficient pam_unix.so nullok sha512
+            password sufficient pam_unix.so nullok yescrypt
           '' +
           optionalString config.security.pam.enableEcryptfs ''
             password optional ${pkgs.ecryptfs}/lib/security/pam_ecryptfs.so
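Review bot: Nothing on this line or elsewhere in the commit confirms that the crypt backend pam_unix.so is linked against supports yescrypt. As far as I know, pam_unix does not fail in that case; it logs an error and stores an MD5 hash instead. The same applies to the changed `password` lines in gdm.nix and lightdm.nix, and to the `/etc/pam.d/other` heredoc in docker/default.nix, where the image contents decide which libcrypt is used. The updated expectation in test_chfn.py only pins the rendered text, so a test asserting that a freshly set password in /etc/shadow starts with `$y$` would catch a silent downgrade. I would also add a comment next to this line such as `# yescrypt requires a libxcrypt-backed pam_unix; existing sha512 hashes stay valid until the password is changed`; the surrounding `let` expression starts and ends outside the hunk.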
diff --git a/nixos/modules/services/x11/display-managers/gdm.nix b/nixos/modules/services/x11/display-managers/gdm.nix
index 1c3881bef2d..f8f82bda3fa 100644
--- a/nixos/modules/services/x11/display-managers/gdm.nix
+++ b/nixos/modules/services/x11/display-managers/gdm.nix
@@ -323,7 +323,7 @@ in
 
         account   sufficient    pam_unix.so
 
-        password  requisite     pam_unix.so nullok sha512
+        password  requisite     pam_unix.so nullok yescrypt
 
         session   optional      pam_keyinit.so revoke
         session   include       login
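Review bot: The hashing option on the `password  requisite` line is a literal that is repeated in lightdm.nix and in security/pam.nix, so this commit had to edit each copy by hand and a later algorithm or cost change can miss one. A single shared binding interpolated into these lines would keep the display-manager stacks in step with the main PAM module; whether such a binding already exists is not visible from these hunks. No `rounds=` is given either, so the yescrypt cost factor is whatever pam_unix defaults to, which deserves a short comment stating that this is intentional.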
diff --git a/nixos/modules/services/x11/display-managers/lightdm.nix b/nixos/modules/services/x11/display-managers/lightdm.nix
index 65f414705fc..548d3c5bc46 100644
--- a/nixos/modules/services/x11/display-managers/lightdm.nix
+++ b/nixos/modules/services/x11/display-managers/lightdm.nix
@@ -302,7 +302,7 @@ in
 
         account   sufficient    pam_unix.so
 
-        password  requisite     pam_unix.so nullok sha512
+        password  requisite     pam_unix.so nullok yescrypt
 
         session   optional      pam_keyinit.so revoke
         session   include       login
diff --git a/nixos/tests/pam/test_chfn.py b/nixos/tests/pam/test_chfn.py
index b108a9423ca..a48438b8d30 100644
--- a/nixos/tests/pam/test_chfn.py
+++ b/nixos/tests/pam/test_chfn.py
@@ -8,7 +8,7 @@ expected_lines = {
     "auth sufficient pam_rootok.so",
     "auth sufficient pam_unix.so   likeauth try_first_pass",
     "password sufficient @@pam_krb5@@/lib/security/pam_krb5.so use_first_pass",
-    "password sufficient pam_unix.so nullok sha512",
+    "password sufficient pam_unix.so nullok yescrypt",
     "session optional @@pam_krb5@@/lib/security/pam_krb5.so",
     "session required pam_env.so conffile=/etc/pam/environment readenv=0",
     "session required pam_unix.so",
diff --git a/pkgs/build-support/docker/default.nix b/pkgs/build-support/docker/default.nix
index 7fa5aeafc8e..5f48fb9f7bd 100644
--- a/pkgs/build-support/docker/default.nix
+++ b/pkgs/build-support/docker/default.nix
@@ -190,7 +190,7 @@ rec {
       cat > /etc/pam.d/other <<EOF
     account sufficient pam_unix.so
     auth sufficient pam_rootok.so
-    password requisite pam_unix.so nullok sha512
+    password requisite pam_unix.so nullok yescrypt
     session required pam_unix.so
     EOF
     fi