Recommend bcrypt passwords everywhere

Henri Menke 2020-11-29 10:58:16 +01:00 committed by Antoine Eiche
parent c00fc587f5
commit 89bd89c706
8 changed files with 19 additions and 15 deletions


@ -96,7 +96,7 @@ See the [mailing list archive](https://www.freelists.org/archive/snm/)
domains = [ "example.com" "example2.com" ]; domains = [ "example.com" "example2.com" ];
loginAccounts = { loginAccounts = {
"user1@example.com" = { "user1@example.com" = {
# mkpasswd -m sha-512 "super secret password" > /hashed/password/file/location # nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2 > /hashed/password/file/location
hashedPasswordFile = "/hashed/password/file/location"; hashedPasswordFile = "/hashed/password/file/location";
aliases = [ aliases = [
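Review bot: The recommended `htpasswd -nbB` invocation relies on htpasswd's default bcrypt work factor, which is the low end of its range, so the hashes users copy from this README will be cheaper to brute-force than they need to be; the docs should pass an explicit cost, e.g. `htpasswd -nbB -C 10 "" "super secret password" | cut -d: -f2`, tuned to what the mail server can afford per login. Dropping `-b` and letting htpasswd prompt (`htpasswd -nB -C 10 "" | cut -d: -f2`) would also keep the password out of shell history and the process list, which the previous `mkpasswd` example suffered from as well. The same command is repeated in the option descriptions (three hunks), the quick-start page, the comment in the full example, and the two test fixtures; one sentence in the option description about choosing the cost would cover them all.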


@ -59,10 +59,10 @@ in
default = null; default = null;
example = "$6$evQJs5CFQyPAW09S$Cn99Y8.QjZ2IBnSu4qf1vBxDRWkaIZWOtmu1Ddsm3.H3CFpeVc0JU4llIq8HQXgeatvYhh5O33eWG3TSpjzu6/"; example = "$6$evQJs5CFQyPAW09S$Cn99Y8.QjZ2IBnSu4qf1vBxDRWkaIZWOtmu1Ddsm3.H3CFpeVc0JU4llIq8HQXgeatvYhh5O33eWG3TSpjzu6/";
description = '' description = ''
The user's hashed password. Use `mkpasswd` as follows The user's hashed password. Use `htpasswd` as follows
``` ```
mkpasswd -m sha-512 "super secret password" nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2
``` ```
Warning: this is stored in plaintext in the Nix store! Warning: this is stored in plaintext in the Nix store!
@ -75,10 +75,10 @@ in
default = null; default = null;
example = "/run/keys/user1-passwordhash"; example = "/run/keys/user1-passwordhash";
description = '' description = ''
A file containing the user's hashed password. Use `mkpasswd` as follows A file containing the user's hashed password. Use `htpasswd` as follows
``` ```
mkpasswd -m sha-512 "super secret password" nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2
``` ```
''; '';
}; };
@ -171,11 +171,11 @@ in
}; };
description = '' description = ''
The login account of the domain. Every account is mapped to a unix user, The login account of the domain. Every account is mapped to a unix user,
e.g. `user1@example.com`. To generate the passwords use `mkpasswd` as e.g. `user1@example.com`. To generate the passwords use `htpasswd` as
follows follows
``` ```
mkpasswd -m sha-512 "super secret password" nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2
``` ```
''; '';
default = {}; default = {};
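Review bot: The `example` for `hashedPassword` is still a `$6$` SHA-512 crypt hash while the description directly below it now tells users to generate bcrypt hashes with `htpasswd`, so the option documents two different formats; the same mismatch is in the full example file, where the `hashedPassword` value is also a `$6$` hash. Replace both with a bcrypt hash produced by the documented command (`example = "<bcrypt hash from htpasswd -nbB>";`, filled in with a real generated value). If existing SHA-512 crypt hashes keep working after this change, the description should say so explicitly so that operators do not think they must re-hash every account.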


@ -3,6 +3,10 @@ How to Add Radicale to SNM
Configuration by @dotlambda Configuration by @dotlambda
Starting with Radicale 3 (first introduced in NixOS 20.09) the traditional
crypt passwords, as generated by `mkpasswd`, are no longer supported. Instead
bcrypt passwords have to be used which can be generated using `htpasswd`.
.. code:: nix .. code:: nix
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
@ -24,7 +28,7 @@ Configuration by @dotlambda
[auth] [auth]
type = htpasswd type = htpasswd
htpasswd_filename = ${htpasswd} htpasswd_filename = ${htpasswd}
htpasswd_encryption = crypt htpasswd_encryption = bcrypt
''; '';
}; };
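Review bot: The new paragraph states that bcrypt passwords "have to be used", which reads as though bcrypt were Radicale 3's only remaining option; as far as I recall it also accepts other `htpasswd_encryption` values, and the point here is that `crypt` is gone and bcrypt is the secure replacement. Suggest `bcrypt passwords should be used instead; these can be generated using \`htpasswd -B\`.` Radicale's bcrypt backend also needs its optional bcrypt support (passlib with bcrypt, if I remember correctly), so the page should say whether the NixOS package already provides it or how to add it, since a missing dependency would surface only as a login failure at runtime.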


@ -20,7 +20,7 @@ Quick Start
domains = [ "example.com" "example2.com" ]; domains = [ "example.com" "example2.com" ];
loginAccounts = { loginAccounts = {
"user1@example.com" = { "user1@example.com" = {
# mkpasswd -m sha-512 "super secret password" > /hashed/password/file/location # nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2 > /hashed/password/file/location
hashedPasswordFile = "/hashed/password/file/location"; hashedPasswordFile = "/hashed/password/file/location";
aliases = [ aliases = [


@ -46,7 +46,7 @@ should be the most common ones.
domains = [ <domains> ]; domains = [ <domains> ];
# A list of all login accounts. To create the password hashes, use # A list of all login accounts. To create the password hashes, use
# mkpasswd -m sha-512 "super secret password" # nix run nixpkgs.apacheHttpd -c htpasswd -nbB "" "super secret password" | cut -d: -f2
loginAccounts = { loginAccounts = {
"user1@example.com" = { "user1@example.com" = {
hashedPassword = "$6$/z4n8AQl6K$kiOkBTWlZfBd7PvF5GsJ8PmPgdZsFGN1jPGZufxxr60PoR0oUsrvzm2oQiflyz5ir9fFJ.d/zKm/NgLXNUsNX/"; hashedPassword = "$6$/z4n8AQl6K$kiOkBTWlZfBd7PvF5GsJ8PmPgdZsFGN1jPGZufxxr60PoR0oUsrvzm2oQiflyz5ir9fFJ.d/zKm/NgLXNUsNX/";


@ -70,7 +70,7 @@ let
cat <<EOF > ${passwdFile} cat <<EOF > ${passwdFile}
${lib.concatStringsSep "\n" (lib.mapAttrsToList (name: value: ${lib.concatStringsSep "\n" (lib.mapAttrsToList (name: value:
"${name}:${"$(cat ${passwordFiles."${name}"})"}:${builtins.toString cfg.vmailUID}:${builtins.toString cfg.vmailUID}::${cfg.mailDirectory}:/run/current-system/sw/bin/nologin:" "${name}:${"$(head -n 1 ${passwordFiles."${name}"})"}:${builtins.toString cfg.vmailUID}:${builtins.toString cfg.vmailUID}::${cfg.mailDirectory}:/run/current-system/sw/bin/nologin:"
+ (if lib.isString value.quota + (if lib.isString value.quota
then "userdb_quota_rule=*:storage=${value.quota}" then "userdb_quota_rule=*:storage=${value.quota}"
else "") else "")
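Review bot: `$(head -n 1 …)` yields an empty string if the password file is missing, unreadable or empty, and the heredoc then writes a passwd line whose password field is blank rather than failing the activation; it would be safer to check the file first, e.g. `test -s ${passwordFiles."${name}"} || { echo "missing password hash for ${name}" >&2; exit 1; }` before the `cat <<EOF`. The surrounding script starts before this hunk, so a `set -e`/existence check may already exist there; if it does, ignore this. It would also help to add a comment on the `head -n 1` line saying why only the first line is taken (presumably to tolerate trailing output from `htpasswd -n`), since `cat` inside `$(...)` already discards trailing newlines.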


@ -29,8 +29,8 @@ let
hashPassword = password: pkgs.runCommand hashPassword = password: pkgs.runCommand
"password-${password}-hashed" "password-${password}-hashed"
{ buildInputs = [ pkgs.mkpasswd ]; } '' { buildInputs = [ pkgs.apacheHttpd ]; } ''
mkpasswd -m sha-512 ${password} > $out htpasswd -nbB "" "${password}" | cut -d: -f2 > $out
''; '';
in in


@ -5,9 +5,9 @@
let let
hashPassword = password: pkgs.runCommand hashPassword = password: pkgs.runCommand
"password-${password}-hashed" "password-${password}-hashed"
{ buildInputs = [ pkgs.mkpasswd ]; } { buildInputs = [ pkgs.apacheHttpd ]; }
'' ''
mkpasswd -m sha-512 ${password} > $out htpasswd -nbB "" "${password}" | cut -d: -f2 > $out
''; '';
password = pkgs.writeText "password" "password"; password = pkgs.writeText "password" "password";