-
-
Notifications
You must be signed in to change notification settings - Fork 14k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Password hashes from mkpasswd result in unusable passwords #136104
Comments
works for me
|
I've always used this method and never had any trouble. Can you post a specific hash that breaks the login? |
Hah. Took me a little while to reset the password I had tried to set so that I can publish it here. I used :; mkpasswd -m sha-512
Password:
$6$WWnJtJKELmoUU$DWBEmWnGIeAYCUFFhqrCT1DIkBI1NxRSuO2./FfMrmSRjEwJSFLp44J.RqSYHDn2qf13YLEJbe1RO7OxdfGYk1 You can repro that on other systems with Generating the same password hash with the python command line above (using the pre-set salt) results in a different hash though: :; nix-shell -p python3 --run "python -c 'import crypt,getpass; print(crypt.crypt(\"teeny3vassar2stipple2bereft\", \"\$6\$WWnJtJKELmoUU\"))'"
$6$WWnJtJKELmoUU$tnVT0Vl.oMEN.dhp/vlmy5clJOwj3k0G36Qu0OcYO0OpB00SiZRjBoJH7/DSYy.E0klnn.maSm7eUjeA/brB7/ And given that the python script can generate a password that I can use to log in... I think something is wonky with mkpasswd. |
Trying some other randomly-generated strings, I notice that I must have gotten pretty (un)lucky: mkpasswd and crypt.crypt generate the same hash given the same salt, on many passwords. Just the first one I tried causes things to go off the rails (typical!) (: |
I marked this as stale due to inactivity. → More info |
I've run into this in the past as well and am a bit wary of mkPassword because of it (recovering from an account lockout is not fun). I'm still curious what the cause might be and if it's still an issue for others. |
Is this issue still relevant ? I've tried generating a password using |
We experienced the issue described here just two weeks ago and are still in the process of rolling out fixed hashes to avoid lock-outs 🙈 |
@fadenb can you confirm you you indeed used There is a draft PR #181764 and I also tried fixing this in the past but it's complicated and requires lots of rebuilds. 🙁 |
I can confirm @fpletz that I've used |
This PR is now merged, and the manual no longer suggests |
We indeed now support all hashes that libxcrypt supports with 23.05 and thus this issue can be closed. Thanks. |
Describe the bug
The nixos manual suggests:
Unfortunately, this outputs password hashes that do not let the user in when using the password being set. Another method of getting a salted password hash from stackoverflow results in a password hash that does work.
Steps To Reproduce
Steps to reproduce the behavior:
mkpasswd -m sha-512
and enter a randomly-generated password (I set a 27-character password consisting of lowercase letters and digits).users.users.root.hashedPassword = "<the emitted hash>";
in system confignixos-rebuild switch
su
and enter the randomly-generated password abovesu: Authentication failure
nix-shell -p python3 --run "python -c 'import crypt,getpass; print(crypt.crypt(getpass.getpass(), crypt.mksalt(crypt.METHOD_SHA512)))'"
to get a password hash; set that and rebuildsu
and enter the randomly-generated passwordExpected behavior
su
should accept the password in step 5.Additional context
I have many suspicions on why mkpasswd-emitted hashes don't work, but haven't yet evaluated any of them:
Notify maintainers
@fpletz
Metadata
Please run
nix-shell -p nix-info --run "nix-info -m"
and paste the result.Maintainer information:
The text was updated successfully, but these errors were encountered: