Passwords inside System Configuration

all messages for Guix-related lists mirrored at yhetil.org
 help / color / mirror / code / Atom feed

* Passwords inside System Configuration
@ 2020-01-19 11:20 Raghav Gururajan
  2020-01-20 10:31 ` Giovanni Biscuolo
  0 siblings, 1 reply; 7+ messages in thread
From: Raghav Gururajan @ 2020-01-19 11:20 UTC (permalink / raw)
  To: help-guix

Hello Guix!

I would like to insert/set password for the following, inside system configuration (config.scm):
1) Roor User
2) Regular User
3) LUKS Device

Could anyone please provide me straight-forward step-by-step instruction to achieve it?

Thank you!

Regards,
RG.

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Passwords inside System Configuration
  2020-01-19 11:20 Passwords inside System Configuration Raghav Gururajan
@ 2020-01-20 10:31 ` Giovanni Biscuolo
  2020-01-21 20:45   ` Raghav Gururajan
  0 siblings, 1 reply; 7+ messages in thread
From: Giovanni Biscuolo @ 2020-01-20 10:31 UTC (permalink / raw)
  To: Raghav Gururajan, help-guix

[-- Attachment #1: Type: text/plain, Size: 1628 bytes --]

Hello Raghav, 

"Raghav Gururajan" <raghavgururajan@disroot.org> writes:

> Hello Guix!
>
> I would like to insert/set password for the following, inside system configuration (config.scm):
> 1) Roor User
> 2) Regular User

--8<---------------cut here---------------start------------->8---
(user-account
  (name "charlie")
  (group "users")

  ;; Specify a SHA-512-hashed initial password.
  (password (crypt "InitialPassword!" "$6$abc")))
--8<---------------cut here---------------end--------------->8---

but please read
https://guix.gnu.org/manual/en/html_node/User-Accounts.html#user_002daccount_002dpassword

--8<---------------cut here---------------start------------->8---
You would normally leave this field to #f, initialize user passwords as
root with the passwd command, and then let users change it with
passwd. Passwords set with passwd are of course preserved across reboot
and reconfiguration.

[...]

Note: The hash of this initial password will be available in a file in
/gnu/store, readable by all the users, so this method must be used with
care.

--8<---------------cut here---------------end--------------->8---

> 3) LUKS Device

AFAIK it's not possible to provide the passphrase in the system
configuration, and it's by design :-)

I mean: you set the LUKS passphrase "imperatively" when encrypting the
device (e.g. during installation) or to change it later, storing it in
config.scm would mean to make it available in /gnu/store, readeable by
all users... and you should avoid it

[...]


HTH! Gio'

-- 
Giovanni Biscuolo

Xelera IT Infrastructures

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Passwords inside System Configuration
  2020-01-20 10:31 ` Giovanni Biscuolo
@ 2020-01-21 20:45   ` Raghav Gururajan
  2020-01-21 21:24     ` Vagrant Cascadian
  2020-01-24 20:53     ` Giovanni Biscuolo
  0 siblings, 2 replies; 7+ messages in thread
From: Raghav Gururajan @ 2020-01-21 20:45 UTC (permalink / raw)
  To: Giovanni Biscuolo, help-guix

[-- Attachment #1: Type: text/plain, Size: 1381 bytes --]

Hello Giovanni!

> --8<---------------cut here---------------start------------->8---
> (user-account
>   (name "charlie")
>   (group "users")
> 
>   ;; Specify a SHA-512-hashed initial password.
>   (password (crypt "InitialPassword!" "$6$abc")))
> --8<---------------cut here---------------end--------------->8---

Thanks! But how do I do this for 'root' user as well?

> but please read
> https://guix.gnu.org/manual/en/html_node/User-Accounts.html#user_002daccount_002dpassword

OOPS! I somehow missed it. Thanks for letting me know.

> You would normally leave this field to #f, initialize user passwords
> as
> root with the passwd command, and then let users change it with
> passwd. Passwords set with passwd are of course preserved across
> reboot
> and reconfiguration.

Yes, but I wanted to do things in declarative way.

> Note: The hash of this initial password will be available in a file
> in
> /gnu/store, readable by all the users, so this method must be used
> with
> care.

I see. But why would it be a concern? It is not feasible to brute-force 
SHA-512 hash right?

> > 3) LUKS Device
> 
> AFAIK it's not possible to provide the passphrase in the system
> configuration, and it's by design :-)

Hmm, I have heard of a way to embed the passphrase in 'initrd'. Do you
know how to do that?

Thank you!

Regards,
RG.

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Passwords inside System Configuration
  2020-01-21 20:45   ` Raghav Gururajan
@ 2020-01-21 21:24     ` Vagrant Cascadian
  2020-01-23  1:36       ` Raghav Gururajan
  2020-01-24 20:53     ` Giovanni Biscuolo
  1 sibling, 1 reply; 7+ messages in thread
From: Vagrant Cascadian @ 2020-01-21 21:24 UTC (permalink / raw)
  To: Raghav Gururajan, Giovanni Biscuolo, help-guix

[-- Attachment #1: Type: text/plain, Size: 741 bytes --]

On 2020-01-21, Raghav Gururajan wrote:
>> Note: The hash of this initial password will be available in a file
>> in
>> /gnu/store, readable by all the users, so this method must be used
>> with
>> care.
>
> I see. But why would it be a concern? It is not feasible to brute-force 
> SHA-512 hash right?

I'm no expert, but evaluating the future based on today has it's
weaknesses; brute-force isn't usually what makes it possible to
compromise an algorithm...

  https://valerieaurora.org/hash.html


According to wikipedia, SHA-512 is in the SHA2 family:

  https://en.wikipedia.org/wiki/SHA-2

Which outlines papers, some going back over a decade, on various ways
SHA2 could be weakened...


live well,
  vagrant

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 227 bytes --]

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Passwords inside System Configuration
  2020-01-21 21:24     ` Vagrant Cascadian
@ 2020-01-23  1:36       ` Raghav Gururajan
  0 siblings, 0 replies; 7+ messages in thread
From: Raghav Gururajan @ 2020-01-23  1:36 UTC (permalink / raw)
  To: Vagrant Cascadian, Giovanni Biscuolo, help-guix

[-- Attachment #1: Type: text/plain, Size: 487 bytes --]

Hi Vagrant!

> I'm no expert, but evaluating the future based on today has it's
> weaknesses; brute-force isn't usually what makes it possible to
> compromise an algorithm...
> 
>   https://valerieaurora.org/hash.html

I see.

> According to wikipedia, SHA-512 is in the SHA2 family:
> 
>   https://en.wikipedia.org/wiki/SHA-2
> 
> Which outlines papers, some going back over a decade, on various ways
> SHA2 could be weakened...

Thanks for the info.

Regards,
RG.

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Passwords inside System Configuration
  2020-01-21 20:45   ` Raghav Gururajan
  2020-01-21 21:24     ` Vagrant Cascadian
@ 2020-01-24 20:53     ` Giovanni Biscuolo
  2020-01-25  0:34       ` Raghav Gururajan
  1 sibling, 1 reply; 7+ messages in thread
From: Giovanni Biscuolo @ 2020-01-24 20:53 UTC (permalink / raw)
  To: Raghav Gururajan, help-guix

[-- Attachment #1: Type: text/plain, Size: 498 bytes --]

Hi Raghav,

Raghav Gururajan <raghavgururajan@disroot.org> writes:

[...]

>> > 3) LUKS Device
>> 
>> AFAIK it's not possible to provide the passphrase in the system
>> configuration, and it's by design :-)
>
> Hmm, I have heard of a way to embed the passphrase in 'initrd'. Do you
> know how to do that?

no sorry, I never searched for that because I think it is unsecure, so I
don't know how to do it  

HTH! Gio'

[...]

-- 
Giovanni Biscuolo

Xelera IT Infrastructures

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: Passwords inside System Configuration
  2020-01-24 20:53     ` Giovanni Biscuolo
@ 2020-01-25  0:34       ` Raghav Gururajan
  0 siblings, 0 replies; 7+ messages in thread
From: Raghav Gururajan @ 2020-01-25  0:34 UTC (permalink / raw)
  To: Giovanni Biscuolo, help-guix

[-- Attachment #1: Type: text/plain, Size: 160 bytes --]

Hi Giovanni!

> no sorry, I never searched for that because I think it is unsecure,
> so I
> don't know how to do it  

No worries! :-)

Regards,
RG.

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 488 bytes --]

^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, other threads:[~2020-01-25  0:34 UTC | newest]

Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2020-01-19 11:20 Passwords inside System Configuration Raghav Gururajan
2020-01-20 10:31 ` Giovanni Biscuolo
2020-01-21 20:45   ` Raghav Gururajan
2020-01-21 21:24     ` Vagrant Cascadian
2020-01-23  1:36       ` Raghav Gururajan
2020-01-24 20:53     ` Giovanni Biscuolo
2020-01-25  0:34       ` Raghav Gururajan

Code repositories for project(s) associated with this external index

	https://git.savannah.gnu.org/cgit/guix.git

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.