Hashing plain-text password directly in configuration.nix


#1

Hashing plain-text password directly in configuration.nix.

It would be nice to put the user’s plain-text password in configuration.nix and have it automatically converted to a hash.

This can be done, if you add a field called password and hash the value and overwrite that field with hashedPassword during the nixos-rebuild process. This will make setup easier for users. This is one of many improvements that should be made to the installation process. When added up, these improvements will drastically simplify deployment.

Example:

users.users.alice = {
  isNormalUser = true;
  home = "/home/alice";
  description = "Alice Foobar";
  extraGroups = [ "wheel" "networkmanager" ];
  openssh.authorizedKeys.keys = [ "ssh-dss AAAAB3Nza... alice@foobar" ];
  password = "plaintext";
};

#2

That way the password would end up in plaintext in the world-readable *.drv file as well… EDIT: at least unless the hashing were purely evaluation-time thing, but I’m not sure about suitability of such an approach.


#3

Vladimír Čunát via Nix community nixos1@discoursemail.com writes:

That way the password would end up in plaintext in the world-readable *.drv file as well… EDIT: at least unless the hashing were purely evaluation-time thing, but I’m not sure about suitability of such an approach.

I think it would make sense as a follow-up to https://github.com/NixOS/rfcs/pull/5


#4

I have a related suggestion that can improve the user install experience: if you follow the installation section step-by-step, it suggests you run useradd to create users, with no mention that you can declaratively manage user accounts in configuration.nix until chapter 7:
https://nixos.org/nixos/manual/index.html#sec-installation-installing

We should put a sentence in there letting users know they have a choice.


#5

I’d caution against casually using this, as it mixes safe to share data with definitely not safe to share data.


#6

Even when you’re using declarative user accounts, NixOS will not mess with passwords, so you can still use passwd to change them. So this is perfectly safe:

  users.users.eelco =
    { isNormalUser = true;
      description = "Eelco Dolstra";
      extraGroups = [ "wheel" ];
    };

It’s only unsafe to set users.users.<name>.password, since it stores the password in plaintext in the Nix store.
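Added example, not part of the thread above and not code posted by any participant: the alice account from post #1 rewritten so that no plaintext password reaches the Nix store. The option names (users.mutableUsers, hashedPassword, hashedPasswordFile) are real NixOS options; the file path under /etc/nixos/secrets and the group list are assumptions for illustration.

```nix
# Added example (not from the thread). Option names are real NixOS
# options; the secrets path is an assumed location for illustration.
{ config, pkgs, ... }:

{
  # With mutableUsers = false, NixOS manages passwords too, so `passwd`
  # changes do not survive a rebuild; everything must come from config.
  users.mutableUsers = false;

  users.users.alice = {
    isNormalUser = true;
    description = "Alice Foobar";
    extraGroups = [ "wheel" "networkmanager" ];  # assumed groups

    # Option A: a crypt(3)-style hash produced outside of Nix, e.g.
    #   mkpasswd -m sha-512
    # Only the hash (never the plaintext) lands in the world-readable
    # store, but a hash in /nix/store is still exposed to offline
    # cracking by any local user, so prefer option B.
    # hashedPassword = "<paste the output of mkpasswd -m sha-512 here>";

    # Option B: keep even the hash out of /nix/store. The value must be
    # a plain string, not a path literal: writing ./secrets/alice.hash
    # would copy that file into the store at evaluation time.
    hashedPasswordFile = "/etc/nixos/secrets/alice.hash";  # assumed path
  };
}
```

Create the hash file with `mkpasswd -m sha-512 > /etc/nixos/secrets/alice.hash` and restrict it to root (mode 0600) before rebuilding; on releases before NixOS 23.11 the option was called passwordFile. Both options also avoid the problem raised in post #2, since the only thing that can appear in a .drv is the hash (option A) or the path string (option B), never the plaintext.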