* Passwords inside System Configuration
From: Raghav Gururajan @ 2020-01-19 11:20 UTC (permalink / raw)
To: help-guix
Hello Guix!
I would like to insert/set password for the following, inside system configuration (config.scm):
1) Root User
2) Regular User
3) LUKS Device
Could anyone please provide me straight-forward step-by-step instruction to achieve it?
Thank you!
Regards,
RG.
* Re: Passwords inside System Configuration
From: Giovanni Biscuolo @ 2020-01-20 10:31 UTC (permalink / raw)
To: Raghav Gururajan, help-guix
Hello Raghav,
"Raghav Gururajan" <raghavgururajan@disroot.org> writes:
> Hello Guix!
>
> I would like to insert/set password for the following, inside system configuration (config.scm):
> 1) Root User
> 2) Regular User
--8<---------------cut here---------------start------------->8---
(user-account
  (name "charlie")
  (group "users")
  ;; Specify a SHA-512-hashed initial password.
  (password (crypt "InitialPassword!" "$6$abc")))
--8<---------------cut here---------------end--------------->8---
but please read
https://guix.gnu.org/manual/en/html_node/User-Accounts.html#user_002daccount_002dpassword
--8<---------------cut here---------------start------------->8---
You would normally leave this field to #f, initialize user passwords as
root with the passwd command, and then let users change it with
passwd. Passwords set with passwd are of course preserved across reboot
and reconfiguration.
[...]
Note: The hash of this initial password will be available in a file in
/gnu/store, readable by all the users, so this method must be used with
care.
--8<---------------cut here---------------end--------------->8---
> 3) LUKS Device
AFAIK it's not possible to provide the passphrase in the system
configuration, and it's by design :-)
I mean: you set the LUKS passphrase "imperatively" when encrypting the
device (e.g. during installation) or to change it later, storing it in
config.scm would mean to make it available in /gnu/store, readable by
all users... and you should avoid it
[...]
HTH! Gio'
--
Giovanni Biscuolo
Xelera IT Infrastructures
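
The manual's note quoted above, turned into a check (an added example, not part of the original thread or of Guix): a Python sketch that scans config.scm text for `user-account` forms that declare a password, either through a `crypt` call with a literal or as a pasted hash. The sample config, the accounts "bob" and "alice", and the finding labels are constructed for illustration.

```python
import re

# Constructed sample config.scm fragment (not from a real system).
SAMPLE_CONFIG = '''
(users (cons* (user-account
                (name "charlie")
                (group "users")
                (password (crypt "InitialPassword!" "$6$abc")))
              (user-account
                (name "bob")
                (group "users")
                (password "$6$constructedsalt$constructedhash"))
              (user-account
                (name "alice")
                (group "users"))
              %base-user-accounts))
'''

STRING = r'"(?:[^"\\]|\\.)*"'  # a Scheme string literal, escapes allowed
NAME = re.compile(r'\(name\s+"([^"]+)"\)')
# (password (crypt "plaintext" "salt")): plaintext typed into the config.
CRYPT_CALL = re.compile(r'\(password\s+\(crypt\s+' + STRING + r'\s+' + STRING + r'\)\)')
# (password "$id$salt$hash"): hash computed elsewhere and pasted in.
HASH_LITERAL = re.compile(r'\(password\s+"\$[0-9a-z]+\$[^"]*"\)')


def audit(config_text):
    """Return (account, finding) pairs for passwords declared in the config."""
    findings = []
    # Each chunk runs from one (user-account form to the start of the next.
    for chunk in re.split(r'\(user-account\b', config_text)[1:]:
        match = NAME.search(chunk)
        name = match.group(1) if match else "<unnamed>"
        if CRYPT_CALL.search(chunk):
            # Plaintext sits in config.scm; its hash lands in /gnu/store.
            findings.append((name, "plaintext-and-hash"))
        elif HASH_LITERAL.search(chunk):
            # Only the hash is exposed, but it is readable by all users.
            findings.append((name, "hash-only"))
        # No password field: left at #f and set later with passwd.
    return findings


if __name__ == "__main__":
    for account, finding in audit(SAMPLE_CONFIG):
        print(f"{account}: {finding}")
```
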
* Re: Passwords inside System Configuration
From: Raghav Gururajan @ 2020-01-21 20:45 UTC (permalink / raw)
To: Giovanni Biscuolo, help-guix
Hello Giovanni!
> --8<---------------cut here---------------start------------->8---
> (user-account
>   (name "charlie")
>   (group "users")
>
>   ;; Specify a SHA-512-hashed initial password.
>   (password (crypt "InitialPassword!" "$6$abc")))
> --8<---------------cut here---------------end--------------->8---
Thanks! But how do I do this for 'root' user as well?
> but please read
> https://guix.gnu.org/manual/en/html_node/User-Accounts.html#user_002daccount_002dpassword
OOPS! I somehow missed it. Thanks for letting me know.
> You would normally leave this field to #f, initialize user passwords as
> root with the passwd command, and then let users change it with
> passwd. Passwords set with passwd are of course preserved across reboot
> and reconfiguration.
Yes, but I wanted to do things in declarative way.
> Note: The hash of this initial password will be available in a file in
> /gnu/store, readable by all the users, so this method must be used with
> care.
I see. But why would it be a concern? It is not feasible to brute-force
SHA-512 hash right?
> > 3) LUKS Device
>
> AFAIK it's not possible to provide the passphrase in the system
> configuration, and it's by design :-)
Hmm, I have heard of a way to embed the passphrase in 'initrd'. Do you
know how to do that?
Thank you!
Regards,
RG.
* Re: Passwords inside System Configuration
From: Vagrant Cascadian @ 2020-01-21 21:24 UTC (permalink / raw)
To: Raghav Gururajan, Giovanni Biscuolo, help-guix
On 2020-01-21, Raghav Gururajan wrote:
>> Note: The hash of this initial password will be available in a file in
>> /gnu/store, readable by all the users, so this method must be used with
>> care.
>
> I see. But why would it be a concern? It is not feasible to brute-force
> SHA-512 hash right?
I'm no expert, but evaluating the future based on today has its
weaknesses; brute-force isn't usually what makes it possible to
compromise an algorithm...
https://valerieaurora.org/hash.html
According to wikipedia, SHA-512 is in the SHA2 family:
https://en.wikipedia.org/wiki/SHA-2
Which outlines papers, some going back over a decade, on various ways
SHA2 could be weakened...
live well,
vagrant
* Re: Passwords inside System Configuration
From: Raghav Gururajan @ 2020-01-23 1:36 UTC (permalink / raw)
To: Vagrant Cascadian, Giovanni Biscuolo, help-guix
Hi Vagrant!
> I'm no expert, but evaluating the future based on today has its
> weaknesses; brute-force isn't usually what makes it possible to
> compromise an algorithm...
>
> https://valerieaurora.org/hash.html
I see.
> According to wikipedia, SHA-512 is in the SHA2 family:
>
> https://en.wikipedia.org/wiki/SHA-2
>
> Which outlines papers, some going back over a decade, on various ways
> SHA2 could be weakened...
Thanks for the info.
Regards,
RG.
* Re: Passwords inside System Configuration
From: Giovanni Biscuolo @ 2020-01-24 20:53 UTC (permalink / raw)
To: Raghav Gururajan, help-guix
Hi Raghav,
Raghav Gururajan <raghavgururajan@disroot.org> writes:
[...]
>> > 3) LUKS Device
>>
>> AFAIK it's not possible to provide the passphrase in the system
>> configuration, and it's by design :-)
>
> Hmm, I have heard of a way to embed the passphrase in 'initrd'. Do you
> know how to do that?
No, sorry, I never searched for that because I think it is insecure, so I
don't know how to do it.
HTH! Gio'
[...]
--
Giovanni Biscuolo
Xelera IT Infrastructures