nixos/users-groups: Warn about deprecated hashes at activation

To allow for a reasonably fast deprecation of weak password hashing schemes we provide an activation script that checks existing hashes in /etc/shadow and issues a warning for user accounts that still rely on deprecated hashes. Co-Authored-By: oxalica <oxalicc@pm.me>
2022-10-10 04:19:06 +02:00 · 2022-10-10 04:19:06 +02:00 · 78155df21d
parent f391e6dbcc
commit 78155df21d
1 changed files with 20 additions and 0 deletions
--- a/nixos/modules/config/users-groups.nix
+++ b/nixos/modules/config/users-groups.nix
@ -592,6 +592,26 @@ in {
      '';
    };

+    # Warn about user accounts with deprecated password hashing schemes
+    system.activationScripts.hashes = {
+      deps = [ "users" ];
+      text = ''
+        users=()
+        while IFS=: read -r user hash tail; do
+          if [[ "$hash" = "$"* && ! "$hash" =~ ^\$(y|gy|7|2b|2y|2a|6)\$ ]]; then
+            users+=("$user")
+          fi
+        done </etc/shadow
+
+        if (( "''${#users[@]}" )); then
+          echo "
+        WARNING: The following user accounts rely on password hashes that will
+        be removed in NixOS 23.05. They should be renewed as soon as possible."
+          printf ' - %s\n' "''${users[@]}"
+        fi
+      '';
+    };
+
    # for backwards compatibility
    system.activationScripts.groups = stringAfter [ "users" ] "";