nixos/installer: Allow setting a password on cmdline for pxe boot #358722
Conversation
github-actions
bot
added
6.topic: nixos
|
PR is caused by nix-community/nixos-images#303 |
NixOSInfra
added
the
12. first-time contribution
| # Allows using nixos-anywhere in headless environments | ||
| for o in $(</proc/cmdline); do | ||
| case "$o" in | ||
| live.nixos.passwd=*) |
There was a problem hiding this comment.
I was thinking about how to make this a bit more secure, netboot often is not encrypted and while we cannot protect against active attacker trying to intercept/change the traffic, we shouldn't have a service where we can just ask for the password using the netboot protocol. This is a bit different from the ISO usecase which is just local and requires physical access.
So our perl script currently supports setting password via password hashes like this:
foreach my $u (values %usersOut) {
next if defined $shadowSeen{$u->{name}};
my $hashedPassword = "!";
$hashedPassword = $u->{hashedPassword} if defined $u->{hashedPassword};
my $expires = "";
$expires = dateToDays($u->{expires}) if defined $u->{expires};
# FIXME: set correct value for sp_lstchg.
push @shadowNew, join(":", $u->{name}, $hashedPassword, "1::::", $expires, "") . "\n";
}
Could we change this bash instead or awk and do something similar?
This is how to generate a password hash:
echo foo | mkpasswd -m sha-512 -s
There was a problem hiding this comment.
Here is some untested code:
#!/bin/bash
# Precomputed SHA-512 password hash for "foo"
PRECOMPUTED_HASH='$6$someSalt$5bPlhBOL/PV.CWzi4UUE0DXQeWawY/kD1uYBdX.h2/s5XPz.vGmvCDmdDlEKZq8nCtOdXIuGFS9Hi0uEaRBnq.'
# File to check
SHADOW_FILE="/etc/shadow"
# Function to update the root password hash
update_root_password() {
if [ "$(id -u)" -ne 0 ]; then
echo "This script must be run as root!"
exit 1
fi
if grep -q '^root::' "$SHADOW_FILE"; then
echo "Root password is not set. Updating..."
sed -i "s/^root::/root:${PRECOMPUTED_HASH}:/" "$SHADOW_FILE"
echo "Root password updated successfully."
else
echo "Root password is already set. No action needed."
fi
}
update_root_password
You might need to run it as an activation script after /etc/passwd has been populated.
Here is a snippet how sops-nix install secrets after user have been created. The password adding code should be run in a similar way.
You would also need to duplicate it for userborn/sysusers in a systemd service: https://github.com/Mic92/sops-nix/blob/53c853fb1a7e4f25f68805ee25c83d5de18dc699/modules/sops/default.nix#L436
There was a problem hiding this comment.
I'm not sure if I get your points:
- non-local intercept: Possible, but unlikely. While the image component are loaded from the web, the kernel arguments are set by the handling pxe server, in the local network. An attacker in that position has already won.
- Hash instead of password makes no difference in security terms. An attacker can easily set a password hash instead of a password.
Re asking the pxe server for the password: I added live.nixos.passwordHash as second option. It has priority over password. Also I changed the script to not allow password-changes (with both options) if there is already a password set, eg in custom images. And just for common unterstanding: This password is only for the live system and does not persist in an installation done from there.
Please let me know if I missed something!
Fun fact: I asked an LLM about a simple script for this (because I was interested in it's output). It refused to help until I changed the query to "update password for user x" instead of root. Definitely no chance AI takes over my job 🤣
There was a problem hiding this comment.
There is a difference between an attacker that can ask the PXE server for the same configuration (passive) and an attacker that pretends to be the PXE server and alters the response (active)
There was a problem hiding this comment.
You said you add the option, but I can't see it. Did you forgot to push?
There was a problem hiding this comment.
Another advantage of password hashes is, that you don't leak passwords to the nix store in case you build a configuration with nix.
There was a problem hiding this comment.
An attacker altering the response still makes no difference if it's a password or a hash. Needless to say an attacker in the position to run a pxe server (he needs control over the dhcp server as well for that) doesn't need a nixos netboot image to do harm. But I get your point with the cleartext password in the nix store.
No, not forgotten. Just adding the test scenario. Pushing my current state though for your feedback.
|
It would be great if you could add the new parameter to Line 91 in d4b1fcd And than check |
ofborg
bot
added
10.rebuild-darwin: 0
I'm not sure if that even works: After adding (In other words: I have no clue how to fix that.) |
|
@Mic92 I fixed the missing kernel parameters and added the Please review and merge, if there's nothing else to do here. |
Copied isoImage-functionality for setting a password on boot for the nixos-user to the pxe image.
The pxe images come without passwords for the
nixosandrootaccounts. This works great when doing local installations, but it prevents you from using ssh into the live-system without setting a password first. Addinglive.nixos.passwd=somesecretpasswordto the cmdline in any pxe configuration eliminates this requirement. This change also eliminates the need to build own images to achive this goal.Things done
nix.conf? (See Nix manual)sandbox = relaxedsandbox = truenix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage./result/bin/)Add a 👍 reaction to pull requests you find important.