post(nixos): use yescrypt password hashing only

Ming Di Leom 2024-07-25 11:01:53 +00:00
parent d2c6db25d3
commit f038f71a97
No known key found for this signature in database
GPG Key ID: 32D3E28E96A695E8
1 changed file with 2 additions and 12 deletions


@ -59,17 +59,7 @@ User's password can be configured by `users.<name>.password`, obviously this mea
users.<name>.hashedPassword = "xxxx"; users.<name>.hashedPassword = "xxxx";
``` ```
Use `openssl passwd -6` to generate the SHA512-hashed password. Alternatively, you could also use `mkpasswd -m sha-512` (bundled with `whois` package). To ensure password is entered correctly in `mkpasswd` (it only prompts once), copy the salt value which is the second section where each section is separated by `$` ($6$**salt**$hashedpassword). Use `mkpasswd -m yescrypt` to generate the yescrypt-hashed password. mkpasswd generates it with "5" compute cost by default, you can change it using `--round` option with a value from 1 to 11. Increasing the value will make it more resistant to brute-force, but password verification will also be slower.
```
mkpasswd -m sha-512 --salt 'saltvalue'
```
Both outputs of `mkpasswd` should be the same.
### yescript
NixOS 22.11 onwards support yescrypt, a more secure password hashing algorithm than SHA512. It can generated using `mkpasswd -m yescrypt`, openssl passwd doesn't support it yet. mkpasswd generates it with "5" compute cost by default, you can change it using `--round` option with a value from 1 to 11. Increasing the value will make it more resistant to brute-force, but password verification will also be slower.
To verify the output, `--salt` option cannot be used for yescrypt due to [a bug](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003151). As a workaround, copy the output from the first `$` until the forth. To verify the output, `--salt` option cannot be used for yescrypt due to [a bug](https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003151). As a workaround, copy the output from the first `$` until the forth.
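Review bot: dropping the `### yescript` section also drops two facts the new paragraph in this hunk does not carry over: that yescrypt is supported from NixOS 22.11 onwards, and that `openssl passwd` cannot generate it. Now that the page recommends yescrypt only, a reader on an older release or one who reaches for `openssl passwd` gets no hint, so one sentence such as "yescrypt requires NixOS 22.11 or later; `openssl passwd` cannot generate it" should be folded back into the new paragraph. Two smaller points in the retained text: "until the forth" should read "fourth", and the SHA-512 tip about re-running with a copied salt to confirm the password was typed correctly now has no stated equivalent until the workaround in the next paragraph, so the new paragraph could point to it.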
@ -77,7 +67,7 @@ To verify the output, `--salt` option cannot be used for yescrypt due to [a bug]
printf "Password: " && read -s var && mkpasswd "$var" '$y$parameter$salt$' && var="" printf "Password: " && read -s var && mkpasswd "$var" '$y$parameter$salt$' && var=""
``` ```
Replace the single-quoted value `''` with the copied value. Replace the single-quoted value `''` with the copied value. It should have similar output as the previous mkpasswd.
### passwordFile ### passwordFile
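Review bot: the added sentence "It should have similar output as the previous mkpasswd" undersells the check. For verification the two hashes must be identical (same parameter, salt and hash string); anything else means the password was mistyped, so "similar" should read "identical". The prose also tells the reader to replace "the single-quoted value `''`", but the command shows `'$y$parameter$salt$'`; the text and the command should agree. Finally, `mkpasswd "$var" '$y$parameter$salt$'` hands the password to mkpasswd as a command-line argument, where it is visible to other local users in the process list; since mkpasswd prompts for the password itself (the retained text notes it prompts once), the `read -s` indirection could be replaced by letting mkpasswd prompt, keeping only the salt argument.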