initialHashedPassword cannot be blank

I got a lowend KVM VPS on Black Friday, and I want to run NixOS on it. Unfortunately, the VNC console is hosed right now and there is no ISO mount available, so I am doing a LUSTRATE install over Ubuntu.

I got the machine running SSH after reboot, but I was unable to login with a blank password hash as
either root or the regular user. I followed this section in the installation chapter:

You’ll likely want to set a root password for your first boot using the configuration files because you won’t have a chance to enter a password until after you reboot. You can initalize the root password to an empty one with this line: (and of course don’t forget to set one once you’ve rebooted or to lock the account with sudo passwd -l root if you use sudo )

users.users.root.initialHashedPassword = “”; <<

After searching this forum for successful LUSTRATE installs, everyone was setting an SSH key and/or using a non-blank password hash. And both of those worked for me. In reading the ssd docs, the default is to not be able to login with a blank password. That can be enabled by setting PermitEmptyPasswords to “yes”. The NixOS sshd_config file after installation has no mention of PermitEmptyPasswords.

Did this default change at some point? Should I submit a pull request on the documentation?

I don’t think we want to encourage a user to set an empty root password with SSH allowing the root account :confused:

I think this part of the documentation targets an installation with a local access or a VNC like console.

Maybe we should recommend to add SSH keys (it’s also a oneline) when an SSH access is needed.

1 Like