You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
If systemd.sysusers.enable is used with users having passwords set by hashedPassword, the defined password is ignored and the users are provisioned as password-less (i.e "disabled").
Steps To Reproduce
Steps to reproduce the behavior:
Enable systemd.sysusers.enable
Enable disable users.mutableUsers or enable system.etc.overlay.enable. (I only tested via mutableUsers=false).
Test new config (careful!)
No user will be able to login via password - including root.
Expected behavior
Users should retain existing password configured via hashedPassword.
The existing users-groups module (./nixos/modules/config/users-groups.nix) actually sets the default opposite of what the new systemd-sysusers module expects. users-groups sets hashedPassword and password based on the initialHashedPassword and initialPassword values while systemd-sysusersonly looks in the initial* values. systemd-sysfiles should just look at hasedPassword and password.
The assertions that prevent building a config without any login-able user (locally or via SSH) should be reviewed. I believe they were not triggered because while I did have an SSH public key configured via Nix - the config does not have an SSH server enabled.
The text was updated successfully, but these errors were encountered:
Also, the default UID of users does not start at 1000 and often results in an UID < 1000. systemd-sysusers doesn't really implement a distinction for isSystemUser or isNormalUser since it's intended to be used only for system users.
One option is to run systemd-sysusers twice; once for "normal" users and once for "system" users. In each call set the range of allowed UID/GID values via the r line option. I think just setting the r line type once will restrict all (dynamic) UID/GID allocations.
Describe the bug
If
systemd.sysusers.enable
is used with users having passwords set byhashedPassword
, the defined password is ignored and the users are provisioned as password-less (i.e "disabled").Steps To Reproduce
Steps to reproduce the behavior:
systemd.sysusers.enable
users.mutableUsers
or enablesystem.etc.overlay.enable
. (I only tested viamutableUsers=false
).Expected behavior
Users should retain existing password configured via
hashedPassword
.The existing
users-groups
module (./nixos/modules/config/users-groups.nix
) actually sets the default opposite of what the new systemd-sysusers module expects.users-groups
setshashedPassword
andpassword
based on theinitialHashedPassword
andinitialPassword
values whilesystemd-sysusers
only looks in theinitial*
values.systemd-sysfiles
should just look athasedPassword
andpassword
.The assertions that prevent building a config without any login-able user (locally or via SSH) should be reviewed. I believe they were not triggered because while I did have an SSH public key configured via Nix - the config does not have an SSH server enabled.
The text was updated successfully, but these errors were encountered: