mirror of https://gitlab.com/curben/blog
post(nixos): yescrypt in 22.11
parent
9225ec79aa
commit
edfa38439b
|
@ -2,7 +2,7 @@
|
|||
title: "Setup Caddy as a reverse proxy on NixOS (Part 2: Hardening)"
|
||||
excerpt: "Part 2: Securing NixOS"
|
||||
date: 2020-03-04
|
||||
updated: 2022-07-06
|
||||
updated: 2022-12-03
|
||||
tags:
|
||||
- server
|
||||
- linux
|
||||
|
@ -51,7 +51,7 @@ users.mutableUsers = false;
|
|||
users.root.hashedPassword = "*";
|
||||
```
|
||||
|
||||
## Hash user's password
|
||||
## Hash password
|
||||
|
||||
User's password can be configured by `users.<name>.password`, obviously this means the password is stored in plain text. Even if you lock down `configuration.nix` with `chmod 600` (which I did), "it is (still) world-readable in the Nix store". The safer way is to store in a hashed form,
|
||||
|
||||
|
@ -59,11 +59,31 @@ User's password can be configured by `users.<name>.password`, obviously this mea
|
|||
users.<name>.hashedPassword = "xxxx";
|
||||
```
|
||||
|
||||
Use `openssl passwd -6` to generate the SHA512-hashed password. Alternatively, if your distro bundles it (Ubuntu doesn't), you could also use `mkpasswd -m sha-512`, but do enter the password with care because it only prompts once (unlike openssl which prompts twice).
|
||||
Use `openssl passwd -6` to generate the SHA512-hashed password. Alternatively, you could also use `mkpasswd -m sha-512` (bundled with `whois` package). To ensure password is entered correctly in `mkpasswd` (it only prompts once), copy the salt value which is the second section where each section is separated by `$` ($6$**salt**$hashedpassword).
|
||||
|
||||
```
|
||||
mkpasswd -m sha-512 --salt 'saltvalue'
|
||||
```
|
||||
|
||||
Both outputs of `mkpasswd` should be the same.
|
||||
|
||||
### yescript
|
||||
|
||||
NixOS 22.11 onwards support yescrypt, a more secure password hashing algorithm than SHA512. It can generated using `mkpasswd -m yescrypt`, openssl passwd doesn't support it yet. mkpasswd generates it with "5" compute cost by default, you can change it using `--round` option with a value from 1 to 11. Increasing the value will make it more resistant to brute-force, but password verification will also be slower.
|
||||
|
||||
To verify the output, `--salt` option cannot be used for yescrypt due to [a bug](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003151). As a workaround, copy the output from the first `$` until the forth.
|
||||
|
||||
```
|
||||
printf "Password: " && read -s var && mkpasswd "$var" '$y$parameter$salt$' && var=""
|
||||
```
|
||||
|
||||
Replace the single-quoted value `''` with the copied value.
|
||||
|
||||
### passwordFile
|
||||
|
||||
Note that the hash is still world-readable. A more secure option is to use `users.<name>.passwordFile`. Save the hash into a file (e.g. "/etc/nixos/nixos.password") and restricts the file to be readable by root only (`chown root:root` and `chmod 600`).
|
||||
|
||||
You might be wondering why not just `passwordFile` during installation. The issue is that, in the live CD environment, the "/etc/" folder refers to the live CD's not the actual one which is located in "/mnt/etc/". I mean, you _could_ try "/mnt/etc/nixos/nixos.password", but you gotta remember to update the option after reboot otherwise you would get locked out. "./nixos.password" value doesn't work because `passwordFile` option doesn't support relative path, it must be a full path. Hence, I have use `hashedPassword` during the initial setup and then switch to `passwordFile`. Remember to remove the `hashedPassword` option once you have set up `passwordFile`.
|
||||
You might be wondering why not just `passwordFile` during installation. The issue is that, in the live CD environment, the "/etc/" folder refers to the live CD's not the actual one which is located in "/mnt/etc/". I mean, you _could_ try "/mnt/etc/nixos/nixos.password", but remember to update the option after reboot otherwise you would get locked out. "./nixos.password" value doesn't work because `passwordFile` option doesn't support relative path, it must be a full path. Hence, I have to use `hashedPassword` during the initial setup and then switch to `passwordFile`. Remember to remove the `hashedPassword` option once you have set up `passwordFile`.
|
||||
|
||||
```nix
|
||||
passwordFile = "/etc/nixos/nixos.password";
|
||||
|
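Review bot: The yescrypt verification one-liner passes the password to mkpasswd as a positional argument (`mkpasswd "$var" '$y$parameter$salt$'`), so it is readable in the process list by other local users while the hash is being computed. The text should say so and limit the command to a machine where nobody else can list processes. In the same line, `read -s` without `-r` strips backslashes from the typed password, so the recomputed hash can differ from the first one, and `var=""` never runs if mkpasswd fails because it sits at the end of the `&&` chain; `read -rs` and a final `; unset var` would cover both. Smaller points in this hunk: the heading `### yescript` should be `### yescrypt`, mkpasswd documents the option as `--rounds` rather than `--round`, "It can generated" is missing "be", and "forth" should be "fourth".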
@ -79,7 +99,7 @@ Once you run `# nixos-rebuild switch`, verify the password has been set, by chec
|
|||
# cat /etc/shadow | grep 'nixos'
|
||||
```
|
||||
|
||||
The hash in the output should be the same as the "/etc/nixos/nixos.password" file. Only quit root shell **after** verify.
|
||||
The hash in the output should be the same as the content of "/etc/nixos/nixos.password" or `hashedPassword` value. Only quit root shell **after** verify.
|
||||
|
||||
## Run each service as different user
|
||||
|
||||
|
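Review bot: The last sentence of the changed paragraph, "Only quit root shell **after** verify.", is ungrammatical and is carried over unchanged into the new wording; since the line is being edited anyway, make it "Only quit the root shell **after** verifying."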
@ -136,7 +156,7 @@ Combining with the previous user configs, I ended up with:
|
|||
|
||||
## Enables 2FA (OTP) for login
|
||||
|
||||
For extra security, I enabled 2FA for the user account via TOTP method. It can be configured using `google-authenticator` (available in NixOS repo). The resulting secret is stored in "~/.google_authenticator". This is also why `isNormalUser` is needed. `google-authenticator` should be run as a normal user, _not_ root nor sudo.
|
||||
For extra security, I enabled 2FA for the user account via TOTP method. It can be configured using `google-authenticator` (available in NixOS repo). The resulting secret is stored in "~/.google*authenticator". This is also why `isNormalUser` is needed. `google-authenticator` should be run as a normal user, \_not* root nor sudo.
|
||||
|
||||
```
|
||||
$ google-authenticator
|
||||
|
|
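Review bot: The new version of the 2FA paragraph has lost its underscores: the secret path now reads "~/.google*authenticator" and the emphasis has become `\_not*`, which looks like a Markdown formatter pairing the underscore in the filename with the opening underscore of `_not_`. This is a regression relative to the old line, and it gives readers a wrong file name. Restore "~/.google_authenticator" and `_not_`, and put the path in backticks so it cannot be re-parsed as emphasis the next time the file is formatted.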