mirror of
https://github.com/ilyakooo0/nixpkgs.git
synced 2024-12-26 04:43:09 +03:00
Don't set an initial null root password for Amazon / VirtualBox images
A null password allows logging into local PAM services such as "login" (agetty) and KDM. That's not actually a security problem for EC2 machines, since they do not have "local" logins; for VirtualBox machines, if you local access, you can do anything anyway. But it's better to be on the safe side and disable password-based logins for root.
This commit is contained in:
parent
8352df8d66
commit
4ba7dfde5b
@ -188,6 +188,20 @@ in
|
||||
options = [ groupOpts ];
|
||||
};
|
||||
|
||||
security.initialRootPassword = mkOption {
|
||||
type = types.str;
|
||||
default = "";
|
||||
example = "!";
|
||||
description = ''
|
||||
The (hashed) password for the root account set on initial
|
||||
installation. The empty string denotes that root can login
|
||||
locally without a password (but not via remote services such
|
||||
as SSH, or indirectly via <command>su</command> or
|
||||
<command>sudo</command>). The string <literal>!</literal>
|
||||
prevents root from logging in using a password.
|
||||
'';
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
|
||||
@ -240,7 +254,7 @@ in
|
||||
# Can't use useradd, since it complains that it doesn't know us
|
||||
# (bootstrap problem!).
|
||||
echo "root:x:0:0:System administrator:$rootHome:${config.users.defaultUserShell}" >> /etc/passwd
|
||||
echo "root::::::::" >> /etc/shadow
|
||||
echo "root:${config.security.initialRootPassword}:::::::" >> /etc/shadow
|
||||
fi
|
||||
'';
|
||||
|
||||
|
@ -160,4 +160,9 @@ with pkgs.lib;
|
||||
environment.systemPackages = [ pkgs.cryptsetup ];
|
||||
|
||||
boot.initrd.supportedFilesystems = [ "unionfs-fuse" ];
|
||||
|
||||
# Prevent logging in as root without a password. This doesn't really matter,
|
||||
# since the only PAM services that allow logging in with a null
|
||||
# password are local ones that are inaccessible on EC2 machines.
|
||||
security.initialRootPassword = "!";
|
||||
}
|
||||
|
@ -107,4 +107,9 @@ with pkgs.lib;
|
||||
boot.loader.grub.device = "/dev/sda";
|
||||
|
||||
services.virtualbox.enable = true;
|
||||
|
||||
# Prevent logging in as root without a password. For NixOps, we
|
||||
# don't need this because the user can login via SSH, and for the
|
||||
# demo images, there is a demo user account that can sudo to root.
|
||||
security.initialRootPassword = "!";
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user