nixos/users-groups: handle password hashes with special meaning

rnhmjoj 2020-06-25 02:02:29 +02:00
parent 99899e2e46
commit c37347af7e
GPG Key ID: BFBAF4C975F76450
1 changed files with 14 additions and 6 deletions


@ -6,6 +6,16 @@ let
ids = config.ids;
cfg = config.users;
# Check whether a password hash will allow login.
allowsLogin = hash:
hash == "" # login without password
|| !(lib.elem hash
[ null # password login disabled
"!" # password login disabled
"!!" # a variant of "!"
"*" # password unset
]);
passwordDescription = ''
The options <option>hashedPassword</option>,
<option>password</option> and <option>passwordFile</option>
@ -596,7 +606,7 @@ in {
|| cfg.group == "wheel"
|| elem "wheel" cfg.extraGroups)
&&
(cfg.hashedPassword != null
(allowsLogin cfg.hashedPassword
|| cfg.password != null
|| cfg.passwordFile != null
|| cfg.openssh.authorizedKeys.keys != []
@ -639,15 +649,13 @@ in {
content = "${base64}${sep}${base64}";
mcf = "^${sep}${scheme}${sep}${content}$";
in
if (user.hashedPassword != null # login disabled
if (allowsLogin user.hashedPassword
&& user.hashedPassword != "" # login without password
&& builtins.match mcf user.hashedPassword == null)
then
''
then ''
The password hash of user "${name}" may be invalid. You must set a
valid hash or the user will be locked out of their account. Please
check the value of option `users.users."${name}".hashedPassword`.
''
check the value of option `users.users."${name}".hashedPassword`.''
else null
));
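Review bot: In the last hunk, dropping the `user.hashedPassword != ""` guard makes the "may be invalid" warning fire for an intentionally empty hash, because `allowsLogin` returns true for `""` by its first clause (`hash == "" # login without password`) and `builtins.match mcf ""` is `null`. The old condition deliberately excluded the empty string; the new one only excludes `null`, `"!"`, `"!!"` and `"*"`, so every user configured for passwordless login now gets a spurious lockout warning. Keep the exclusion alongside the new helper: `if (allowsLogin user.hashedPassword`, `&& user.hashedPassword != "" # login without password`, `&& builtins.match mcf user.hashedPassword == null)`. The wheel-login assertion in the second hunk is unaffected, since there an empty hash correctly counts as a way to log in, though a maintainer may want the helper's comment to spell out that `""` means a passwordless account rather than a disabled one. The `let` binding `mcf` and the surrounding `mapAttrsToList` call start before the hunk, so the full warning expression is not visible here.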