Merge pull request #316358 from majewsky/portunus-remove-libxcrypt-legacy

2024-11-18 11:40:45 +00:00 · 2024-06-02 23:10:26 +02:00 · 2024-06-02 23:10:26 +02:00 · 6f02edec1a
parent fa7656236f d11d18df30
commit 6f02edec1a
3 changed files with 12 additions and 6 deletions
--- a/nixos/doc/manual/release-notes/rl-2411.section.md
+++ b/nixos/doc/manual/release-notes/rl-2411.section.md
@ -30,6 +30,15 @@
  for `stateVersion` ≥ 24.11. (It was previously using SQLite for structured
  data and the filesystem for blobs).

+- The `portunus` package and service do not support weak password hashes anymore.
+  If you installed Portunus on NixOS 23.11 or earlier, upgrade to NixOS 24.05 first to get support for strong password hashing.
+  Then, follow the instructions on the [upstream release notes](https://github.com/majewsky/portunus/releases/tag/v2.0.0) to upgrade all existing user accounts to strong password hashes.
+  If you need to upgrade to 24.11 without having completed the migration, consider the security implications of weak password hashes on your user accounts, and add the following to your configuration:
+  ```nix
+  services.portunus.package      = pkgs.portunus.override { libxcrypt = pkgs.libxcrypt-legacy; };
+  services.portunus.ldap.package = pkgs.openldap.override { libxcrypt = pkgs.libxcrypt-legacy; };
+  ```
+
 ## Other Notable Changes {#sec-release-24.11-notable-changes}

 <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. -->
--- a/nixos/modules/services/misc/portunus.nix
+++ b/nixos/modules/services/misc/portunus.nix
@ -115,10 +115,7 @@ in
    ldap = {
      package = mkOption {
        type = types.package;
-        # needs openldap built with a libxcrypt that support crypt sha256 until users have had time to migrate to newer hashes
-        # Ref: <https://github.com/majewsky/portunus/issues/2>
-        # TODO: remove in NixOS 24.11 (cf. same note on pkgs/servers/portunus/default.nix)
-        default = pkgs.openldap.override { libxcrypt = pkgs.libxcrypt-legacy; };
+        default = pkgs.openldap;
        defaultText = lib.literalExpression "pkgs.openldap.override { libxcrypt = pkgs.libxcrypt-legacy; }";
        description = "The OpenLDAP package to use.";
      };
--- a/pkgs/servers/portunus/default.nix
+++ b/pkgs/servers/portunus/default.nix
@ -1,7 +1,7 @@
 { lib
 , buildGoModule
 , fetchFromGitHub
-, libxcrypt-legacy # TODO: switch to libxcrypt for NixOS 24.11 (cf. same note on nixos/modules/services/misc/portunus.nix)
+, libxcrypt
 }:

 buildGoModule rec {
@ -15,7 +15,7 @@ buildGoModule rec {
    sha256 = "sha256-+pMMIutj+OWKZmOYH5NuA4a7aS5CD+33vAEC9bJmyfM=";
  };

-  buildInputs = [ libxcrypt-legacy ];
+  buildInputs = [ libxcrypt ];

  vendorHash = null;