[HIGH] Hardcoded password hash committed to repository for rnetadmin user #15

Open
opened 2026-05-05 15:43:32 -05:00 by pjennings · 0 comments

Labels: area:security, priority:high, type:bug

Description

In modules/profiles/standard.nix line 62, a SHA-512 password hash is committed:

initialHashedPassword = lib.mkDefault "$6$ELaXwtqP5R5l.n5e$wsn7KBDXQKIfCbbDOfOHG4OYJjb/KQmyp4ekmFHcv/oZbJyEkwpoHCjqEDzOBpkGCXdZw1F1CNApXXkiKOhrR.";

Impact

SHA-512 hashes can be cracked offline with modern GPUs. If the password is weak (common word, short, etc.), it can be recovered in hours to days. Combined with passwordless sudo (CRITICAL-003), cracked password = root on all hosts.

Recommended Fix

  1. Move password hash to encrypted secrets (sops-nix/agenix)
  2. If using SSH key-only auth, set initialHashedPassword = null and disable password auth
  3. If a password is needed, use a strong random password stored in secrets management
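The three recommended fixes expressed as NixOS configuration, as an added example that is not part of this issue or the repository's own modules. It assumes sops-nix is imported on the host and that the hash is stored in the sops store under the name "rnetadmin-password"; the SSH key is a placeholder.

```nix
# Added example (not the repository's own code): the committed default from
# modules/profiles/standard.nix beside a hardened replacement using sops-nix.
# Assumptions: sops-nix NixOS module is imported; the secret is named
# "rnetadmin-password"; the authorized key below is a placeholder.
{ config, ... }:

{
  # BEFORE (this issue): the sha512crypt hash sits in the repository, so it is
  # readable by anyone with the tree and stays in git history after removal.
  # users.users.rnetadmin.initialHashedPassword =
  #   lib.mkDefault "$6$...";   # elided; the full line is quoted in the issue

  # AFTER, fix 1 and 3: keep a (strong, random) password, but ship only the
  # decrypted hash at activation time. neededForUsers makes sops-nix decrypt
  # the secret before user accounts are created.
  sops.secrets."rnetadmin-password" = {
    neededForUsers = true;
  };

  users.users.rnetadmin = {
    isNormalUser = true;
    # Normal priority beats the profile's lib.mkDefault, so this clears the
    # committed hash on every host that imports the profile.
    initialHashedPassword = null;
    hashedPasswordFile = config.sops.secrets."rnetadmin-password".path;
    openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAA...placeholder" ];
  };

  # AFTER, fix 2: with key-only SSH, refuse password-based logins entirely so a
  # cracked hash cannot be turned into a remote shell.
  services.openssh.settings = {
    PasswordAuthentication = false;
    KbdInteractiveAuthentication = false;
  };

  # Declarative users: a hash set by hand on a host does not survive a rebuild.
  users.mutableUsers = false;
}
```

Removing the line from the tree does not remove the hash from git history; treat the current password as exposed and rotate it when the secret is moved.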