From: Raghav Gururajan
Subject: Re: Passwords inside System Configuration
Date: Tue, 21 Jan 2020 15:45:37 -0500
To: Giovanni Biscuolo, help-guix@gnu.org
In-Reply-To: <87zheipghw.fsf@roquette.mug.biscuolo.net>

Hello Giovanni!

> --8<---------------cut here---------------start------------->8---
> (user-account
>   (name "charlie")
>   (group "users")
>
>   ;; Specify a SHA-512-hashed initial password.
>   (password (crypt "InitialPassword!" "$6$abc")))
> --8<---------------cut here---------------end--------------->8---

Thanks! But how do I do this for the 'root' user as well?

> but please read
> https://guix.gnu.org/manual/en/html_node/User-Accounts.html#user_002daccount_002dpassword

OOPS! I somehow missed it. Thanks for letting me know.

> You would normally leave this field to #f, initialize user passwords as
> root with the passwd command, and then let users change it with
> passwd. Passwords set with passwd are of course preserved across reboot
> and reconfiguration.

Yes, but I wanted to do things in a declarative way.

> Note: The hash of this initial password will be available in a file in
> /gnu/store, readable by all the users, so this method must be used with
> care.

I see. But why would it be a concern? It is not feasible to brute-force
a SHA-512 hash, right?

> > 3) LUKS Device
>
> AFAIK it's not possible to provide the passphrase in the system
> configuration, and it's by design :-)

Hmm, I have heard of a way to embed the passphrase in 'initrd'. Do you
know how to do that?

Thank you!

Regards,
RG.
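
Added example, not part of the original message or of Guix: a small Python parser for the crypt(3) modular format used by the quoted (crypt "InitialPassword!" "$6$abc") call, listing the parameters that are visible to any user who can read the file in /gnu/store. The audit function, its finding names and the second sample string are constructed for illustration.

```python
import re

# crypt(3) modular format for the SHA-crypt family: $id$[rounds=N$]salt[$hash]
MCF = re.compile(
    r"^\$(?P<id>[56])\$(?:rounds=(?P<rounds>\d+)\$)?"
    r"(?P<salt>[./0-9A-Za-z]*)(?:\$(?P<hash>[./0-9A-Za-z]*))?$"
)
SCHEMES = {"5": "sha256crypt", "6": "sha512crypt"}
DEFAULT_ROUNDS = 5000  # used by SHA-crypt when no rounds= field is given
MAX_SALT = 16          # SHA-crypt ignores salt characters past the 16th


def audit(value):
    """Parse a crypt(3) setting or full hash; return (fields, findings)."""
    m = MCF.match(value)
    if m is None:
        raise ValueError("not a SHA-crypt modular string: %r" % value)
    fields = {
        "scheme": SCHEMES[m["id"]],
        "rounds": int(m["rounds"]) if m["rounds"] else DEFAULT_ROUNDS,
        "salt": m["salt"][:MAX_SALT],
        "has_hash": bool(m["hash"]),
    }
    findings = []
    if len(fields["salt"]) < MAX_SALT:
        findings.append("short-salt")      # less salt than the scheme allows
    if m["rounds"] is None:
        findings.append("default-rounds")  # cost left at the default
    return fields, findings


if __name__ == "__main__":
    samples = [
        "$6$abc",  # the setting string from the quoted snippet
        # Constructed: 16-character salt, explicit rounds, placeholder digest.
        "$6$rounds=656000$Zq1xT0v9LmN4pRs8$" + "x" * 86,
    ]
    for s in samples:
        fields, findings = audit(s)
        print(fields, findings or "no findings")
```

The salt and round count are stored in the clear by design, so what protects a readable hash is the strength of the password and the cost setting.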