author | rnhmjoj <rnhmjoj@inventati.org> | 2020-06-25 02:02:29 +0200 |
---|---|---|
committer | rnhmjoj <rnhmjoj@inventati.org> | 2020-07-04 12:21:49 +0200 |
commit | c37347af7eaa0177e3a374dd94158ff546f20fdb (patch) | |
tree | 123fedbc1f78ef5dc238342e289505be46b8ec8e /nixos | |
parent | 99899e2e464845da34638ab35125943e8445bce0 (diff) | |
nixos/users-groups: handle password hashes with special meaning
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/config/users-groups.nix | 20 |
1 files changed, 14 insertions, 6 deletions
diff --git a/nixos/modules/config/users-groups.nix b/nixos/modules/config/users-groups.nix
index cca87d8b4a5..12d9be94663 100644
--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@@ -6,6 +6,16 @@ let
 ids = config.ids;
 cfg = config.users;
+ # Check whether a password hash will allow login.
+ allowsLogin = hash:
+ hash == "" # login without password
+ || !(lib.elem hash
+ [ null # password login disabled
+ "!" # password login disabled
+ "!!" # a variant of "!"
+ "*" # password unset
+ ]);
+
 passwordDescription = '' The options <option>hashedPassword</option>, <option>password</option> and <option>passwordFile</option>
@@ -596,7 +606,7 @@ in {
 || cfg.group == "wheel" || elem "wheel" cfg.extraGroups) &&
- (cfg.hashedPassword != null
+ (allowsLogin cfg.hashedPassword
 || cfg.password != null || cfg.passwordFile != null || cfg.openssh.authorizedKeys.keys != []
@@ -639,15 +649,13 @@ in {
 content = "${base64}${sep}${base64}";
 mcf = "^${sep}${scheme}${sep}${content}$";
 in
- if (user.hashedPassword != null # login disabled
+ if (allowsLogin user.hashedPassword
 && user.hashedPassword != "" # login without password
 && builtins.match mcf user.hashedPassword == null)
- then
- ''
+ then ''
 The password hash of user "${name}" may be invalid. You must set a valid hash or the user will be locked out of their account. Please
- check the value of option `users.users."${name}".hashedPassword`.
- ''
+ check the value of option `users.users."${name}".hashedPassword`.''
 else null )); |
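Review bot: `allowsLogin` in the first hunk rejects only the exact strings `!`, `!!` and `*`, so a locked hash such as `!` followed by an existing crypt string (the form `passwd -l` writes) is still reported as allowing login, although shadow(5) treats any field starting with `!` as locked. In the second hunk this matters most: the condition there, which appears to be the guard against locking out root and wheel users (it starts outside the hunk), would be satisfied by an account that cannot actually authenticate with a password. The third hunk would at least warn for such a value, because it fails the `mcf` match. Consider matching by prefix instead, e.g. `hash == "" || !(hash == null || hash == "*" || lib.hasPrefix "!" hash)`, and extend the comment above `allowsLogin` to say that an empty hash means passwordless login and is deliberately counted as "allows login".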