public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Don't set an initial null root password for Amazon / VirtualBox images

Browse Source 
A null password allows logging into local PAM services such as "login"
(agetty) and KDM.  That's not actually a security problem for EC2
machines, since they do not have "local" logins; for VirtualBox
machines, if you local access, you can do anything anyway.  But it's
better to be on the safe side and disable password-based logins for
root.
This commit is contained in:
Eelco Dolstra 2013-11-01 14:45:56 +01:00
parent 8352df8d66
commit 4ba7dfde5b
3 changed files with 25 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
nixos/modules/config/users-groups.nix
View File

@ -188,6 +188,20 @@ in
options = [ groupOpts ]; options = [ groupOpts ];
}; };
security.initialRootPassword = mkOption {
type = types.str;
default = "";
example = "!";
description = ''
The (hashed) password for the root account set on initial
installation. The empty string denotes that root can login
locally without a password (but not via remote services such
as SSH, or indirectly via <command>su</command> or
<command>sudo</command>). The string <literal>!</literal>
prevents root from logging in using a password.
'';
};
}; };
@ -240,7 +254,7 @@ in
# Can't use useradd, since it complains that it doesn't know us # Can't use useradd, since it complains that it doesn't know us
# (bootstrap problem!). # (bootstrap problem!).
echo "root:x:0:0:System administrator:$rootHome:${config.users.defaultUserShell}" >> /etc/passwd echo "root:x:0:0:System administrator:$rootHome:${config.users.defaultUserShell}" >> /etc/passwd
echo "root::::::::" >> /etc/shadow echo "root:${config.security.initialRootPassword}:::::::" >> /etc/shadow
fi fi
''; '';

5
nixos/modules/virtualisation/amazon-image.nix
View File

@ -160,4 +160,9 @@ with pkgs.lib;
environment.systemPackages = [ pkgs.cryptsetup ]; environment.systemPackages = [ pkgs.cryptsetup ];
boot.initrd.supportedFilesystems = [ "unionfs-fuse" ]; boot.initrd.supportedFilesystems = [ "unionfs-fuse" ];
# Prevent logging in as root without a password. This doesn't really matter,
# since the only PAM services that allow logging in with a null
# password are local ones that are inaccessible on EC2 machines.
security.initialRootPassword = "!";
} }

5
nixos/modules/virtualisation/virtualbox-image.nix
View File

@ -107,4 +107,9 @@ with pkgs.lib;
boot.loader.grub.device = "/dev/sda"; boot.loader.grub.device = "/dev/sda";
services.virtualbox.enable = true; services.virtualbox.enable = true;
# Prevent logging in as root without a password. For NixOps, we
# don't need this because the user can login via SSH, and for the
# demo images, there is a demo user account that can sudo to root.
security.initialRootPassword = "!";
} }