Recommend bcrypt passwords everywhere

2020-11-29 10:58:16 +01:00 · 2020-11-29 10:58:16 +01:00 · 89bd89c706
commit 89bd89c706
parent c00fc587f5
8 changed files with 19 additions and 15 deletions
--- a/README.md
+++ b/README.md
@ -96,7 +96,7 @@ See the [mailing list archive](https://www.freelists.org/archive/snm/)
       domains = [ "example.com" "example2.com" ];
       loginAccounts = {
           "user1@example.com" = {
-               # mkpasswd -m sha-512 "super secret password" > /hashed/password/file/location
+               # nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2 > /hashed/password/file/location
               hashedPasswordFile = "/hashed/password/file/location";

               aliases = [
--- a/default.nix
+++ b/default.nix
@ -59,10 +59,10 @@ in
            default = null;
            example = "$6$evQJs5CFQyPAW09S$Cn99Y8.QjZ2IBnSu4qf1vBxDRWkaIZWOtmu1Ddsm3.H3CFpeVc0JU4llIq8HQXgeatvYhh5O33eWG3TSpjzu6/";
            description = ''
-              The user's hashed password. Use `mkpasswd` as follows
+              The user's hashed password. Use `htpasswd` as follows

              ```
-              mkpasswd -m sha-512 "super secret password"
+              nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2
              ```

              Warning: this is stored in plaintext in the Nix store!
@ -75,10 +75,10 @@ in
            default = null;
            example = "/run/keys/user1-passwordhash";
            description = ''
-              A file containing the user's hashed password. Use `mkpasswd` as follows
+              A file containing the user's hashed password. Use `htpasswd` as follows

              ```
-              mkpasswd -m sha-512 "super secret password"
+              nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2
              ```
            '';
          };
@ -171,11 +171,11 @@ in
      };
      description = ''
        The login account of the domain. Every account is mapped to a unix user,
-        e.g. `user1@example.com`. To generate the passwords use `mkpasswd` as
+        e.g. `user1@example.com`. To generate the passwords use `htpasswd` as
        follows

        ```
-        mkpasswd -m sha-512 "super secret password"
+        nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2
        ```
      '';
      default = {};
--- a/docs/howto-add-radicale.rst
+++ b/docs/howto-add-radicale.rst
@ -3,6 +3,10 @@ How to Add Radicale to SNM

 Configuration by @dotlambda

+Starting with Radicale 3 (first introduced in NixOS 20.09) the traditional
+crypt passwords, as generated by `mkpasswd`, are no longer supported.  Instead
+bcrypt passwords have to be used which can be generated using `htpasswd`.
+
 .. code:: nix

   { config, pkgs, lib, ... }:
@ -24,7 +28,7 @@ Configuration by @dotlambda
         [auth]
         type = htpasswd
         htpasswd_filename = ${htpasswd}
-         htpasswd_encryption = crypt
+         htpasswd_encryption = bcrypt
       '';
     };

--- a/docs/quick-start.rst
+++ b/docs/quick-start.rst
@ -20,7 +20,7 @@ Quick Start
       domains = [ "example.com" "example2.com" ];
       loginAccounts = {
           "user1@example.com" = {
-               # mkpasswd -m sha-512 "super secret password" > /hashed/password/file/location
+               # nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2 > /hashed/password/file/location
               hashedPasswordFile = "/hashed/password/file/location";

               aliases = [
--- a/docs/setup-guide.rst
+++ b/docs/setup-guide.rst
@ -46,7 +46,7 @@ should be the most common ones.
       domains = [ <domains> ];

       # A list of all login accounts. To create the password hashes, use
-       # mkpasswd -m sha-512 "super secret password"
+       # nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2
       loginAccounts = {
           "user1@example.com" = {
               hashedPassword = "$6$/z4n8AQl6K$kiOkBTWlZfBd7PvF5GsJ8PmPgdZsFGN1jPGZufxxr60PoR0oUsrvzm2oQiflyz5ir9fFJ.d/zKm/NgLXNUsNX/";
--- a/mail-server/dovecot.nix
+++ b/mail-server/dovecot.nix
@ -70,7 +70,7 @@ let

    cat <<EOF > ${passwdFile}
    ${lib.concatStringsSep "\n" (lib.mapAttrsToList (name: value:
-      "${name}:${"$(cat ${passwordFiles."${name}"})"}:${builtins.toString cfg.vmailUID}:${builtins.toString cfg.vmailUID}::${cfg.mailDirectory}:/run/current-system/sw/bin/nologin:"
+      "${name}:${"$(head -n 1 ${passwordFiles."${name}"})"}:${builtins.toString cfg.vmailUID}:${builtins.toString cfg.vmailUID}::${cfg.mailDirectory}:/run/current-system/sw/bin/nologin:"
        + (if lib.isString value.quota
              then "userdb_quota_rule=*:storage=${value.quota}"
              else "")
--- a/tests/intern.nix
+++ b/tests/intern.nix
@ -29,8 +29,8 @@ let

  hashPassword = password: pkgs.runCommand
    "password-${password}-hashed"
-    { buildInputs = [ pkgs.mkpasswd ]; } ''
-      mkpasswd -m sha-512 ${password} > $out
+    { buildInputs = [ pkgs.apacheHttpd ]; } ''
+      htpasswd -nbB "" "${password}" | cut -d: -f2 > $out
    '';

 in
--- a/tests/multiple.nix
+++ b/tests/multiple.nix
@ -5,9 +5,9 @@
 let
    hashPassword = password: pkgs.runCommand
      "password-${password}-hashed"
-      { buildInputs = [ pkgs.mkpasswd ]; }
+      { buildInputs = [ pkgs.apacheHttpd ]; }
      ''
-        mkpasswd -m sha-512 ${password} > $out
+        htpasswd -nbB "" "${password}" | cut -d: -f2 > $out
      '';

    password = pkgs.writeText "password" "password";