c0c0n3 / odoo.box

All of Martel's Odoo stack on just one NixOS machine.
MIT License

Better hash for NixOS user passwords #8

Closed c0c0n3 closed 5 months ago

c0c0n3 commented 5 months ago

At the moment we're hashing NixOS user passwords with SHA512. We could easily switch over to yescrypt which seems to be a better option or Argon2id which may be even better than yescrypt in some regards---see this and this.

To hash passwords, the vaultgen script uses openssl which currently doesn't support yescrypt. We could use mkpasswd instead which does support yescrypt but doesn't build on the M1 at the moment---NixOS 23.11.

PAM on NixOS defaults to yescrypt (as you can see from cat /etc/pam.d/chpasswd) so there's no prob using yescrypt instead of SHA512. But PAM doesn't yet support Argon2, so we can't use Argon2id just yet.

Put some thought into moving away from SHA512 if it turns out we need to up our security game. Also keep in mind we could easily rewrite the vaultgen script in Haskell using the new crypto ecosystem and do away with all the CLI tools vaultgen requires---age, openssl, etc. If we go down that road, we might just as well use the same Haskell program for decrypting secrets on the server so we could replace agenix too. Having just one tool to do everything could potentially make our life much easier.

c0c0n3 commented 5 months ago

So we've managed to make mkpasswd work on Apple silicon too by compiling with an older clang version---see a889269. Thanks to this, now vaultgen can use mkpasswd to generate yescrypt hashes---see 2e5a492.

Because of the above, I reckon we can close this issue? Well, it'd be nice to still consider the Haskell option mentioned in the earlier comment, but we'll leave that for another day.
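An added example, not part of the issue thread or the odoo.box repository: a small shell audit that reads shadow-format lines and lists accounts whose password hash is not yescrypt, which is one way to confirm a move away from SHA512 has taken effect. The function names and the sample entries (with placeholder salts and hashes) are constructed for illustration.

```shell
#!/bin/sh
# Classify a crypt(3) hash string by its scheme prefix.
crypt_scheme() {
    case "$1" in
        ''|'!'|'*'|'!!'|'!*') echo "locked-or-empty" ;;   # no usable hash stored
        '!'*)           crypt_scheme "${1#!}" ;;   # locked: classify the hash behind '!'
        '$y$'*)         echo "yescrypt" ;;
        '$6$'*)         echo "sha512crypt" ;;
        '$5$'*)         echo "sha256crypt" ;;
        '$1$'*)         echo "md5crypt" ;;
        '$2'[abxy]'$'*) echo "bcrypt" ;;
        *)              echo "unknown" ;;
    esac
}

# Read shadow-format lines (user:hash:...) on stdin and print "user scheme"
# for every account that holds a password hash other than yescrypt.
audit_shadow() {
    while IFS=: read -r user hash _rest; do
        case "$user" in ''|'#'*) continue ;; esac   # skip blanks and comments
        scheme=$(crypt_scheme "$hash")
        case "$scheme" in
            yescrypt|locked-or-empty) ;;
            *) echo "$user $scheme" ;;
        esac
    done
    return 0
}

# Constructed sample input; salts and hash bodies are placeholders, not real hashes.
sample_shadow() {
    cat <<'EOF'
alice:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19700:0:99999:7:::
bob:$y$j9T$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19700:0:99999:7:::
carol:!$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19700:0:99999:7:::
svc:!:19700::::::
dave:$1$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19700:0:99999:7:::
EOF
}

# Demo run over the constructed sample.
sample_shadow | audit_shadow
```

On a real machine the input would be the shadow file, read as root, in place of `sample_shadow`. A locked account that still carries an old hash (like `carol` above) is reported, since unlocking it would make that hash usable again.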