nixos/installer: Allow setting a password on cmdline for pxe boot #358722
base: master
Conversation
PR is caused by nix-community/nixos-images#303

# Allows using nixos-anywhere in headless environments
for o in $(</proc/cmdline); do
  case "$o" in
    live.nixos.passwd=*)
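Review bot: the value matched by `live.nixos.passwd=*` is a cleartext password, and on the booted system it stays readable by every local user because /proc/cmdline is world-readable; anyone who can read the PXE boot entry that carries it learns it as well, so it should be treated as a convenience for throwaway live systems only, or the option should carry a password hash rather than the password. A smaller point on `for o in $(</proc/cmdline)`: the unquoted expansion is subject to pathname expansion as well as word splitting, so an option containing `*` or `?` is replaced by matching file names from the current directory; wrap the loop in `set -f` / `set +f` or read the options with `read -r -a opts < /proc/cmdline` first.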
I was thinking about how to make this a bit more secure: netboot is often not encrypted, and while we cannot protect against an active attacker trying to intercept/change the traffic, we shouldn't have a service where we can just ask for the password using the netboot protocol. This is a bit different from the ISO use case, which is just local and requires physical access.
So our perl script currently supports setting passwords via password hashes like this:
    foreach my $u (values %usersOut) {
        next if defined $shadowSeen{$u->{name}};
        my $hashedPassword = "!";
        $hashedPassword = $u->{hashedPassword} if defined $u->{hashedPassword};
        my $expires = "";
        $expires = dateToDays($u->{expires}) if defined $u->{expires};
        # FIXME: set correct value for sp_lstchg.
        push @shadowNew, join(":", $u->{name}, $hashedPassword, "1::::", $expires, "") . "\n";
    }
Could we change this to bash instead, or awk, and do something similar?
This is how to generate a password hash:
echo foo | mkpasswd -m sha-512 -s
Here is some untested code:
#!/bin/bash
# Precomputed SHA-512 password hash for "foo"
PRECOMPUTED_HASH='$6$someSalt$5bPlhBOL/PV.CWzi4UUE0DXQeWawY/kD1uYBdX.h2/s5XPz.vGmvCDmdDlEKZq8nCtOdXIuGFS9Hi0uEaRBnq.'

# File to check
SHADOW_FILE="/etc/shadow"

# Function to update the root password hash
update_root_password() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "This script must be run as root!"
        exit 1
    fi

    if grep -q '^root::' "$SHADOW_FILE"; then
        echo "Root password is not set. Updating..."
        # '|' as the sed delimiter: the hash contains '/', which would terminate a 's/.../.../' expression early
        sed -i "s|^root::|root:${PRECOMPUTED_HASH}:|" "$SHADOW_FILE"
        echo "Root password updated successfully."
    else
        echo "Root password is already set. No action needed."
    fi
}

update_root_password
You might need to run it as an activation script after /etc/passwd has been populated.
Here is a snippet of how sops-nix installs secrets after users have been created. The password-adding code should be run in a similar way.
You would also need to duplicate it for userborn/sysusers in a systemd service: https://github.com/Mic92/sops-nix/blob/53c853fb1a7e4f25f68805ee25c83d5de18dc699/modules/sops/default.nix#L436
It would be great if you could add the new parameter to Line 91 in d4b1fcd
And then check
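As an added example (not code from this PR or from nixpkgs), here is what the hash-based variant asked for in the two review comments above could look like in POSIX shell. The option name live.nixos.passwd.hash, the default user nixos and the script name are assumptions. It keeps the whitespace splitting of the original cmdline loop but avoids pathname expansion, accepts only a well-formed sha512crypt string ($6$salt$86-char-hash) so that nothing other than a hash can be written into /etc/shadow, fills the empty password field under the same condition as the `^root::` check above, and writes through a temp copy so the shadow file is never truncated half-way.

```shell
#!/bin/sh
# Added example, not code from PR #358722 or nixpkgs. Assumed option name:
OPT=live.nixos.passwd.hash
set -eu

# Print the value of "$1=..." from the kernel command line text in $2.
# Only whitespace splitting is applied, so options containing '*' or '?' are
# never globbed (unquoted $(</proc/cmdline) would do that). Exit 1 if absent.
cmdline_get() {
  printf '%s\n' "$2" | awk -v key="$1" '
    { for (i = 1; i <= NF; i++) {
        n = index($i, "=")
        if (n > 0 && substr($i, 1, n - 1) == key) { val = substr($i, n + 1); found = 1 }
    } }
    END { if (!found) exit 1; print val }'
}

# Accept only a sha512crypt string: $6$<1-16 salt chars>$<86 hash chars>.
# The value is an untrusted boot parameter that ends up as a field in
# /etc/shadow, so a ':' or any other stray character must never get through.
is_sha512_crypt() {
  printf '%s\n' "$1" | grep -Eq '^\$6\$[./A-Za-z0-9]{1,16}\$[./A-Za-z0-9]{86}$'
}

# Filter: shadow on stdin, shadow on stdout with $2 as the hash of user $1,
# but only when that user's password field is currently empty (the same
# condition as the `^root::` check in the script above). Exit 3 if unchanged.
shadow_set_hash() {
  awk -F: -v OFS=: -v user="$1" -v hash="$2" '
    $1 == user && $2 == "" { $2 = hash; changed = 1 }
    { print }
    END { if (!changed) exit 3 }'
}

# Apply the hash found in cmdline text $1 to shadow file $2 for user $3
# (default nixos). Returns 0 when there is nothing to do, 1 on a bad value.
apply_cmdline_password() {
  cmdline=$1; shadow=$2; user=${3:-nixos}
  if ! pwhash=$(cmdline_get "$OPT" "$cmdline"); then
    echo "$OPT not on cmdline; nothing to do" >&2
    return 0
  fi
  if ! is_sha512_crypt "$pwhash"; then
    echo "$OPT: refusing a value that is not a \$6\$ crypt hash" >&2
    return 1
  fi
  if [ ! -w "$shadow" ]; then
    echo "cannot write $shadow (run as root)" >&2
    return 1
  fi
  tmp="$shadow.tmp.$$"
  cp -p "$shadow" "$tmp"   # temp copy inherits the shadow file's mode and owner
  if shadow_set_hash "$user" "$pwhash" < "$shadow" > "$tmp"; then
    mv -f "$tmp" "$shadow"   # atomic replace: readers see old or new, never partial
    echo "installed password hash for $user from cmdline" >&2
  else
    rm -f "$tmp"
    echo "$user already has a password or does not exist; $shadow left unchanged" >&2
  fi
}

# Usage: live-passwd.sh CMDLINE_FILE SHADOW_FILE [USER]
# On the live system, as root, after /etc/shadow has been written:
#   live-passwd.sh /proc/cmdline /etc/shadow nixos
if [ $# -ge 2 ]; then
  apply_cmdline_password "$(cat "$1")" "$2" "${3:-nixos}"
fi
```

The boot entry then carries `live.nixos.passwd.hash=<output of mkpasswd -m sha-512>` instead of the cleartext password; the hash is still visible to everyone who can read /proc/cmdline or the PXE configuration, but it has to be cracked rather than read. Without the option the script logs and exits 0, so it can sit unconditionally in the image's activation.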
Copied isoImage functionality for setting a password on boot for the nixos user to the pxe image.

The pxe images come without passwords for the nixos and root accounts. This works great when doing local installations, but it prevents you from using ssh into the live system without setting a password first. Adding live.nixos.passwd=somesecretpassword to the cmdline in any pxe configuration eliminates this requirement. This change also eliminates the need to build your own images to achieve this goal.