nixos/users: validate password hashes #83171
Conversation
ofborg
bot
added
6.topic: nixos
|
It would definitely be shorter but I'm afraid of false positives when matching a stricter regex. |
|
I'm also in favor of using |
|
So, I implemented the check using builtins.match. It wasn't easy because there is no actual standard behind the format used for the hashes and I had to come to a compromise between supporting obscure (read deprecated) schemes and catching common mistakes. Here's the expression I used to test the regex. rec {
regex =
let
sep = "\\$";
base64 = "[a-zA-Z0-9./]+";
scheme = "[a-z0-9-]+";
content = "${base64}${sep}${base64}";
in
"^${sep}${scheme}${sep}${content}$";
validate = hash: builtins.match regex hash != null;
results = map validate
[ # valid but should fail
"Kyq4bCxAXJkbg" # the original crypt() hash
"$sha1$40000$jtNX3nZ2$hBNaIXkt4wBI2o5rsi8KejSjNqIq" # PBKDF2 unsupported on gnu/linux
# valid and should match
"$1$etNnh7FA$OlM7eljE/B7F1J4XYNnk81"
"$2a$10$VIhIOofSMqgdGlL4wzE//e.77dAQGqntF/1dT7bqCrVtquInWy2qi"
"$5$9ks3nNEqv31FX.F$gdEoLFsCRsn/WRN3wxUnzfeZLoooVlzeF4WjLomTRFD"
"$6$qoE2letU$wWPRl.PVczjzeMVgjiA8LLy2nOyZbf7Amj3qLIL978o18gbMySdKZ7uepq9tmMQXxyTIrS12Pln.2Q/6Xscao0"
# invalid and should fail
"Still not giving it away :P"
"aNonHashedPasssword3!"
"aNonHa$hedPa$$swordWith$s"
];
} |
|
Hm, looking at It might make sense to be precise with this though, since failure to check correctly could lead to users being locked out, or to users getting errors even when they have a working password. But now I'm not even sure if this is achievable at all during eval time. |
Yeah, that's why I initially went for some simplier sanity check.
I could handle the PBKDF2 case by complicating a bix the regex, but allowing the original DES is really asking for false negatives: 8 bytes alphanumeric ASCII. It will match pretty much everything. Also I think the number of NixOS users having DES hashes in 2020 is 0. |
|
Ok, this should handle the hashes with options rec {
regex =
let
sep = "\\$";
base64 = "[a-zA-Z0-9./]+";
id = "[a-z0-9-]+";
value = "[a-zA-Z0-9/+.-]+";
options = "${id}(=${value})?(,${id}=${value})*";
scheme = "${id}(${sep}${options})?";
content = "${base64}${sep}${base64}";
in
"^${sep}${scheme}${sep}${content}$";
validate = hash: builtins.match regex hash != null;
results = map validate
[
## valid but should fail
# original DES hash
"Kyq4bCxAXJkbg"
## valid and should match
# MD5
"$1$etNnh7FA$OlM7eljE/B7F1J4XYNnk81"
# bcrypt
"$2a$10$VIhIOofSMqgdGlL4wzE//e.77dAQGqntF/1dT7bqCrVtquInWy2qi"
# SHA2 hashes
"$5$9ks3nNEqv31FX.F$gdEoLFsCRsn/WRN3wxUnzfeZLoooVlzeF4WjLomTRFD"
"$6$qoE2letU$wWPRl.PVczjzeMVgjiA8LLy2nOyZbf7Amj3qLIL978o18gbMySdKZ7uepq9tmMQXxyTIrS12Pln.2Q/6Xscao0"
# SHA-512 with custom rounds
"$6$rounds=1000000$9ks3nNEqv31FX.F$9PJ4NaW6zmi/iuQdVtOvFXB3wdtNC7k5GOHRtnEtpJAMdBJ7asunZpCuqfjyx2vZdqRRaS/z33EXI9Z.nkNEb."
# PBKDF2 (unsupported on gnu/linux)
"$sha1$40000$jtNX3nZ2$hBNaIXkt4wBI2o5rsi8KejSjNqIq"
## invalid and should fail
"Still not giving it away :P"
"aNonHashedPasssword3!"
"aNonHa$hedPa$$swordWith$s"
"sha1$40000$jtNX3nZ2$hBNaIXkt4wBI2o5rsi8KejSjNqIq"
];
} |
rnhmjoj
force-pushed
the
hash
branch
2 times, most recently
from
efd4115 to
660a701
Compare
|
Fixed evaluation. |
|
I’m torn, if there’s no real standard we can’t really make it into an
error. A warning sounds okay.
…On Tue, Jun 9, 2020 at 4:19 PM Michele Guerini Rocco < ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In nixos/modules/config/users-groups.nix
<#83171 (comment)>:
> + #
+ # [1]: https://en.wikipedia.org/wiki/Crypt_(C)
+ let
+ sep = "\\$";
+ base64 = "[a-zA-Z0-9./]+";
+ id = "[a-z0-9-]+";
+ value = "[a-zA-Z0-9/+.-]+";
+ options = "${id}(=${value})?(,${id}=${value})*";
+ scheme = "${id}(${sep}${options})?";
+ content = "${base64}${sep}${base64}";
+ mcf = "^${sep}${scheme}${sep}${content}$";
+ in
+ user.hashedPassword != null
+ -> builtins.match mcf user.hashedPassword != null;
+ message = ''
+ The password hash of user "${name}" is not valid. You must set a valid hash or
Currently we don't. Since this format is not specified in any standard I
think the he only reasonable way is to match the hashes supported by glibc
(which I believe is the only usable libc in NIxOS) and a few other common
ones.
To avoid the rejecting valid hashes we could either make this only a
warning or add a mechanism to let users override the check, maybe something
with prioities.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#83171 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAYB5ZX7OKU5MM4DI6BBXIDRVZAFHANCNFSM4LRQRXVA>
.
|
|
Turned the assertion into a warning. It's not as effective as failing the build in protecting the users but it won't ever reject a valid hash. |
|
I tested it with the above expression, which covers the most common and some rarely used but modern hashes. It should be ready to go. |
|
@rnhmjoj My as the documentation suggests. They all fail the regex and generate the warning. Do you have an suggestion for what would be best practice for generating the hash? |
|
Your hash is perfectly fine and should be covered. The regular expression itself looks ok, I added this hash just to be sure and it matches: https://regexr.com/572ro. I don't understand why you're getting the warning. |
|
I built a NixOS VM with this configuration: {...}:
{
networking.hostName = "vmhost";
users.users.vm = {
isNormalUser = true;
hashedPassword = "$6$.wR5JrSCCS4D69$zSf.X9l4nrAkFJNv8vz6zlcA.c5aAbxOzb0/BD.mRHRuMUnwPs";
};
}
and I can't reproduce it. How are you writing the hash? |
|
I'm so sorry, as I build all my NixOS machines in one eval, I misinterpreted the warnings. They happened not on machines with a |
|
Don't be, if you've seen the warning it already means something is not right. |
|
My servers(s) are also giving this warning, but they use SSH-only authentication. I've ignored the warning, deployed the update to them, and am still able to log in remotely. Inspection with nix repl shows: |
|
@tilpner: is that a literal "!"? What does it mean? |
|
I've managed to build my testcase: { nixpkgs ? <nixpkgs> }:
(
import "${nixpkgs}/nixos/lib/eval-config.nix" {
modules = [
(
{ config, pkgs, lib, ... }: {
fileSystems."/".device = "x";
boot.loader.grub.device = "nodev";
users.users.root = {
password = "notsecret";
shell = pkgs.bashInteractive;
};
users.mutableUsers = false;
}
)
];
}
).config.system.build.toplevelIt was |
|
It seems "!" has the special meaning "disable password login". This was documented in the option EDIT: Whatever the reason, locking the user out is intended so it should be ignored by the check. I'll open a PR soon. |
| then | ||
| '' | ||
| The password hash of user "${name}" may be invalid. You must set a | ||
| valid hash or the user will be locked out of his account. Please |
There was a problem hiding this comment.
Good catch, let’s change that.
Motivation for this change
Fixes #12008
This is a more basic check than actually running
crypton the hash but it's simplier and can be done at evaluation time without worrying about hashes getting into derivations.Things done
nixosTests.pam-oath-loginand manually