Sudo not working with mutableUsers=false

timhae · February 5, 2022, 3:23pm

Dear all, I am trying to setup a server with multiple users and mutableUsers = false. I store the secrets with agenix and then use the users.users.<user>.passwordFile = config.age.secrets.<userPassword>.path;. After a rebuild, I notice that the password is present in /etc/shadow in plain text. When I try to run a command with sudo the password is not recognized (I assume it is hashed before checking /etc/shadow). When I set mutableUsers = true; and change the password with passwd, I see a password hash prefixed with $6$ for the corresponding user in the shadow file and sudo commands run without issues. Here are my questions:

should the password appear in plain text in the shadow file when setting passwordFile for a user?
how do I make sudo work with plain text passwords in the shadow file?

please let me know if you need additional information. thanks for your time and effort!

rnhmjoj · February 5, 2022, 7:41pm

After a rebuild, I notice that the password is present in /etc/shadow in plain text

Do you really mean the clear text password, not a hash?
If so, you’re using the option wrong:

users.users.<name>.passwordFile
[…] The file should contain exactly one line, which should be the
password in an encrypted form that is suitable for the chpasswd -e command.

timhae · February 6, 2022, 8:35am

… True sorry for the noise