From 89bd89c706c9862c6980cdf18a74ad041f98dc76 Mon Sep 17 00:00:00 2001
From: Henri Menke
Date: Sun, 29 Nov 2020 10:58:16 +0100
Subject: [PATCH] Recommend bcrypt passwords everywhere

---
 README.md | 2 +-
 default.nix | 12 ++++++------
 docs/howto-add-radicale.rst | 6 +++++-
 docs/quick-start.rst | 2 +-
 docs/setup-guide.rst | 2 +-
 mail-server/dovecot.nix | 2 +-
 tests/intern.nix | 4 ++--
 tests/multiple.nix | 4 ++--
 8 files changed, 19 insertions(+), 15 deletions(-)

diff --git a/README.md b/README.md
index f96f7d0..7c28145 100644
--- a/README.md
+++ b/README.md
@@ -96,7 +96,7 @@ See the [mailing list archive](https://www.freelists.org/archive/snm/)
 domains = [ "example.com" "example2.com" ];
 loginAccounts = {
 "user1@example.com" = {
- # mkpasswd -m sha-512 "super secret password" > /hashed/password/file/location
+ # nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2 > /hashed/password/file/location
 hashedPasswordFile = "/hashed/password/file/location";
 aliases = [
diff --git a/default.nix b/default.nix
index 5ebb391..7452ebd 100644
--- a/default.nix
+++ b/default.nix
@@ -59,10 +59,10 @@ in
 default = null;
 example = "$6$evQJs5CFQyPAW09S$Cn99Y8.QjZ2IBnSu4qf1vBxDRWkaIZWOtmu1Ddsm3.H3CFpeVc0JU4llIq8HQXgeatvYhh5O33eWG3TSpjzu6/";
 description = ''
- The user's hashed password. Use `mkpasswd` as follows
+ The user's hashed password. Use `htpasswd` as follows
 ```
- mkpasswd -m sha-512 "super secret password"
+ nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2
 ```
 Warning: this is stored in plaintext in the Nix store!
@@ -75,10 +75,10 @@ in
 default = null;
 example = "/run/keys/user1-passwordhash";
 description = ''
- A file containing the user's hashed password. Use `mkpasswd` as follows
+ A file containing the user's hashed password. Use `htpasswd` as follows
 ```
- mkpasswd -m sha-512 "super secret password"
+ nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2
 ```
 '';
 };
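Review bot: The `example` value on the context line just above the changed description in the `@@ -59,10` hunk is still a SHA-512 crypt hash (`$6$…`), while the description now tells users to generate a bcrypt hash with `htpasswd`, so the option documentation contradicts itself; the same stale `$6$` sample sits right below the updated comment in docs/setup-guide.rst. Replace it with a bcrypt-format sample so the two agree, e.g. `example = "<bcrypt hash as printed by htpasswd -nbB, placeholder>";`, otherwise readers may paste a SHA-512 hash where the rest of the commit assumes bcrypt. Whether `$6$` hashes keep working with the Dovecot passwd-file is not visible here; if they do, one sentence in the description saying both forms are accepted would resolve the confusion just as well.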
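Review bot: The recommended command on the added `nix run nixpkgs.apacheHttpd -c htpasswd -nbB …` line in the `@@ -75,10` hunk passes the secret as a command-line argument (`-b`), so it ends up in the shell history and is visible to other local users in the process list while htpasswd runs; the same command is repeated in the `@@ -171,11` hunk, README.md, docs/quick-start.rst and docs/setup-guide.rst. Dropping `-b` makes htpasswd prompt for the password on the terminal and keeps the pipeline intact: `nix run nixpkgs.apacheHttpd -c htpasswd -nB "" | cut -d: -f2`. Separately, `-B` uses htpasswd's documented default bcrypt cost of 5 unless `-C` is given, which is on the low end for real accounts; a sentence in the description recommending a higher cost (e.g. `-C 10`) would be worth adding.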
@@ -171,11 +171,11 @@ in
 };
 description = ''
 The login account of the domain. Every account is mapped to a unix user,
- e.g. `user1@example.com`. To generate the passwords use `mkpasswd` as
+ e.g. `user1@example.com`. To generate the passwords use `htpasswd` as
 follows
 ```
- mkpasswd -m sha-512 "super secret password"
+ nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2
 ```
 '';
 default = {};
diff --git a/docs/howto-add-radicale.rst b/docs/howto-add-radicale.rst
index 824e363..ea01d5b 100644
--- a/docs/howto-add-radicale.rst
+++ b/docs/howto-add-radicale.rst
@@ -3,6 +3,10 @@ How to Add Radicale to SNM
 Configuration by @dotlambda
+Starting with Radicale 3 (first introduced in NixOS 20.09) the traditional
+crypt passwords, as generated by `mkpasswd`, are no longer supported. Instead
+bcrypt passwords have to be used which can be generated using `htpasswd`.
+
 .. code:: nix
 { config, pkgs, lib, ... }:
@@ -24,7 +28,7 @@ Configuration by @dotlambda
 [auth]
 type = htpasswd
 htpasswd_filename = ${htpasswd}
- htpasswd_encryption = crypt
+ htpasswd_encryption = bcrypt
 '';
 };
diff --git a/docs/quick-start.rst b/docs/quick-start.rst
index e52afe8..7a7015f 100644
--- a/docs/quick-start.rst
+++ b/docs/quick-start.rst
@@ -20,7 +20,7 @@ Quick Start
 domains = [ "example.com" "example2.com" ];
 loginAccounts = {
 "user1@example.com" = {
- # mkpasswd -m sha-512 "super secret password" > /hashed/password/file/location
+ # nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2 > /hashed/password/file/location
 hashedPasswordFile = "/hashed/password/file/location";
 aliases = [
diff --git a/docs/setup-guide.rst b/docs/setup-guide.rst
index 1f0617a..ef2a76b 100644
--- a/docs/setup-guide.rst
+++ b/docs/setup-guide.rst
@@ -46,7 +46,7 @@ should be the most common ones.
 domains = [ ];
 # A list of all login accounts. To create the password hashes, use
- # mkpasswd -m sha-512 "super secret password"
+ # nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2
 loginAccounts = {
 "user1@example.com" = {
 hashedPassword = "$6$/z4n8AQl6K$kiOkBTWlZfBd7PvF5GsJ8PmPgdZsFGN1jPGZufxxr60PoR0oUsrvzm2oQiflyz5ir9fFJ.d/zKm/NgLXNUsNX/";
diff --git a/mail-server/dovecot.nix b/mail-server/dovecot.nix
index 23609fe..f8666a3 100644
--- a/mail-server/dovecot.nix
+++ b/mail-server/dovecot.nix
@@ -70,7 +70,7 @@ let
 cat < ${passwdFile}
 ${lib.concatStringsSep "\n" (lib.mapAttrsToList (name: value:
- "${name}:${"$(cat ${passwordFiles."${name}"})"}:${builtins.toString cfg.vmailUID}:${builtins.toString cfg.vmailUID}::${cfg.mailDirectory}:/run/current-system/sw/bin/nologin:"
+ "${name}:${"$(head -n 1 ${passwordFiles."${name}"})"}:${builtins.toString cfg.vmailUID}:${builtins.toString cfg.vmailUID}::${cfg.mailDirectory}:/run/current-system/sw/bin/nologin:"
 + (if lib.isString value.quota then "userdb_quota_rule=*:storage=${value.quota}" else "")
diff --git a/tests/intern.nix b/tests/intern.nix
index 0799fc0..1d1816b 100644
--- a/tests/intern.nix
+++ b/tests/intern.nix
@@ -29,8 +29,8 @@ let
 hashPassword = password: pkgs.runCommand "password-${password}-hashed"
- { buildInputs = [ pkgs.mkpasswd ]; } ''
- mkpasswd -m sha-512 ${password} > $out
+ { buildInputs = [ pkgs.apacheHttpd ]; } ''
+ htpasswd -nbB "" "${password}" | cut -d: -f2 > $out
 '';
 in
diff --git a/tests/multiple.nix b/tests/multiple.nix
index c6a4edf..9f54cff 100644
--- a/tests/multiple.nix
+++ b/tests/multiple.nix
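Review bot: The switch from `$(cat …)` to `$(head -n 1 …)` in the mail-server/dovecot.nix passwd-file entry comes with no comment explaining why only the first line of the hash file is used, and a reader of the generator cannot infer it; presumably it guards against extra lines left behind by the documented `htpasswd … | cut` pipeline. It also means a hash file whose first line is empty (for example a leading newline added by an editor) silently yields an entry with an empty password field instead of failing at activation, which is harder to notice than an outright error. Suggest a comment on the changed line such as `# only the first line of the file is the hash; any trailing lines are ignored`, and consider checking that the extracted line is non-empty before writing the entry. The script that builds this file starts and ends outside the hunk, so the heredoc and its error handling are not visible here.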
@@ -5,9 +5,9 @@ let
 hashPassword = password: pkgs.runCommand "password-${password}-hashed"
- { buildInputs = [ pkgs.mkpasswd ]; }
+ { buildInputs = [ pkgs.apacheHttpd ]; }
 ''
- mkpasswd -m sha-512 ${password} > $out
+ htpasswd -nbB "" "${password}" | cut -d: -f2 > $out
 '';
 password = pkgs.writeText "password" "password";