post(nixos): yescrypt in 22.11

This commit is contained in:
Ming Di Leom 2022-12-03 06:26:35 +00:00
parent 9225ec79aa
commit edfa38439b
No known key found for this signature in database
GPG Key ID: 32D3E28E96A695E8
1 changed files with 46 additions and 26 deletions


@ -2,7 +2,7 @@
title: "Setup Caddy as a reverse proxy on NixOS (Part 2: Hardening)" title: "Setup Caddy as a reverse proxy on NixOS (Part 2: Hardening)"
excerpt: "Part 2: Securing NixOS" excerpt: "Part 2: Securing NixOS"
date: 2020-03-04 date: 2020-03-04
updated: 2022-07-06 updated: 2022-12-03
tags: tags:
- server - server
- linux - linux
@ -51,7 +51,7 @@ users.mutableUsers = false;
users.root.hashedPassword = "*"; users.root.hashedPassword = "*";
``` ```
## Hash user's password ## Hash password
User's password can be configured by `users.<name>.password`, obviously this means the password is stored in plain text. Even if you lock down `configuration.nix` with `chmod 600` (which I did), "it is (still) world-readable in the Nix store". The safer way is to store in a hashed form, User's password can be configured by `users.<name>.password`, obviously this means the password is stored in plain text. Even if you lock down `configuration.nix` with `chmod 600` (which I did), "it is (still) world-readable in the Nix store". The safer way is to store in a hashed form,
@ -59,11 +59,31 @@ User's password can be configured by `users.<name>.password`, obviously this mea
users.<name>.hashedPassword = "xxxx"; users.<name>.hashedPassword = "xxxx";
``` ```
Use `openssl passwd -6` to generate the SHA512-hashed password. Alternatively, if your distro bundles it (Ubuntu doesn't), you could also use `mkpasswd -m sha-512`, but do enter the password with care because it only prompts once (unlike openssl which prompts twice). Use `openssl passwd -6` to generate the SHA512-hashed password. Alternatively, you could also use `mkpasswd -m sha-512` (bundled with `whois` package). To ensure password is entered correctly in `mkpasswd` (it only prompts once), copy the salt value which is the second section where each section is separated by `$` ($6$**salt**$hashedpassword).
```
mkpasswd -m sha-512 --salt 'saltvalue'
```
Both outputs of `mkpasswd` should be the same.
### yescript
NixOS 22.11 onwards support yescrypt, a more secure password hashing algorithm than SHA512. It can generated using `mkpasswd -m yescrypt`, openssl passwd doesn't support it yet. mkpasswd generates it with "5" compute cost by default, you can change it using `--round` option with a value from 1 to 11. Increasing the value will make it more resistant to brute-force, but password verification will also be slower.
To verify the output, `--salt` option cannot be used for yescrypt due to [a bug](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003151). As a workaround, copy the output from the first `$` until the forth.
```
printf "Password: " && read -s var && mkpasswd "$var" '$y$parameter$salt$' && var=""
```
Replace the single-quoted value `''` with the copied value.
### passwordFile
Note that the hash is still world-readable. A more secure option is to use `users.<name>.passwordFile`. Save the hash into a file (e.g. "/etc/nixos/nixos.password") and restricts the file to be readable by root only (`chown root:root` and `chmod 600`). Note that the hash is still world-readable. A more secure option is to use `users.<name>.passwordFile`. Save the hash into a file (e.g. "/etc/nixos/nixos.password") and restricts the file to be readable by root only (`chown root:root` and `chmod 600`).
You might be wondering why not just `passwordFile` during installation. The issue is that, in the live CD environment, the "/etc/" folder refers to the live CD's not the actual one which is located in "/mnt/etc/". I mean, you _could_ try "/mnt/etc/nixos/nixos.password", but you gotta remember to update the option after reboot otherwise you would get locked out. "./nixos.password" value doesn't work because `passwordFile` option doesn't support relative path, it must be a full path. Hence, I have use `hashedPassword` during the initial setup and then switch to `passwordFile`. Remember to remove the `hashedPassword` option once you have set up `passwordFile`. You might be wondering why not just `passwordFile` during installation. The issue is that, in the live CD environment, the "/etc/" folder refers to the live CD's not the actual one which is located in "/mnt/etc/". I mean, you _could_ try "/mnt/etc/nixos/nixos.password", but remember to update the option after reboot otherwise you would get locked out. "./nixos.password" value doesn't work because `passwordFile` option doesn't support relative path, it must be a full path. Hence, I have to use `hashedPassword` during the initial setup and then switch to `passwordFile`. Remember to remove the `hashedPassword` option once you have set up `passwordFile`.
```nix ```nix
passwordFile = "/etc/nixos/nixos.password"; passwordFile = "/etc/nixos/nixos.password";
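Review bot: the new subheading reads `### yescript` but the algorithm (and the rest of the paragraph) is yescrypt; fix the heading, and in the same paragraph "It can generated" should be "It can be generated" and "until the forth" should be "until the fourth". The mkpasswd option is `--rounds` (`-R`), not `--round`. The workaround command `printf "Password: " && read -s var && mkpasswd "$var" '$y$parameter$salt$' && var=""` passes the password as a command-line argument, so it is visible to every local user in the process list for as long as mkpasswd runs; state that caveat in the text (or read the password via mkpasswd's `--stdin` option instead), pass `-m yescrypt` explicitly rather than relying on the default method, and prefer `unset var` over `var=""`. Finally, "Replace the single-quoted value `''`" does not match the snippet, which shows `'$y$parameter$salt$'`; refer to that placeholder instead.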
@ -79,7 +99,7 @@ Once you run `# nixos-rebuild switch`, verify the password has been set, by chec
# cat /etc/shadow | grep 'nixos' # cat /etc/shadow | grep 'nixos'
``` ```
The hash in the output should be the same as the "/etc/nixos/nixos.password" file. Only quit root shell **after** verify. The hash in the output should be the same as the content of "/etc/nixos/nixos.password" or `hashedPassword` value. Only quit root shell **after** verify.
## Run each service as different user ## Run each service as different user
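Review bot: "Only quit root shell **after** verify" should read "after verifying"; the revised sentence is otherwise clearer for covering both `passwordFile` and `hashedPassword`. Minor: `grep 'nixos' /etc/shadow` does the same as the `cat | grep` pipeline in the line above.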
@ -136,7 +156,7 @@ Combining with the previous user configs, I ended up with:
## Enables 2FA (OTP) for login ## Enables 2FA (OTP) for login
For extra security, I enabled 2FA for the user account via TOTP method. It can be configured using `google-authenticator` (available in NixOS repo). The resulting secret is stored in "~/.google_authenticator". This is also why `isNormalUser` is needed. `google-authenticator` should be run as a normal user, _not_ root nor sudo. For extra security, I enabled 2FA for the user account via TOTP method. It can be configured using `google-authenticator` (available in NixOS repo). The resulting secret is stored in "~/.google*authenticator". This is also why `isNormalUser` is needed. `google-authenticator` should be run as a normal user, \_not* root nor sudo.
``` ```
$ google-authenticator $ google-authenticator
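Review bot: the new text corrupts two Markdown spans in this hunk: `~/.google_authenticator` became `~/.google*authenticator` and `_not_` became `\_not*`, which not only renders wrongly but now states an incorrect path for the TOTP secret file. This looks like an auto-formatter mangling underscores; restore `~/.google_authenticator` and `_not_`, and wrap the path in backticks so formatters leave it alone.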