| 8 Aug 2022 |
@elvishjerricco:matrix.org | or I can set it to a hashed password. It just can't be false | 05:26:28 |
@elvishjerricco:matrix.org | Which is really not what I would have expected with PasswordAuthentication no in sshd_config | 05:27:13 |
Winter (she/her) | In reply to @elvishjerricco:matrix.org "or I can set it to a hashed password. It just can't be false": hashed password -> giving the user a password, while "it can't be false" -> services.openssh.passwordAuthentication? | 05:50:39 |
@elvishjerricco:matrix.org | Winter (she/her): emergencyAccess translates to what we put in /etc/shadow in systemd-based initrd. The old initrd doesn't have shadow at all | 05:56:04 |
@elvishjerricco:matrix.org | false sets the password field to !, which I guess means openssh considers the account disabled... | 05:56:38 |
Winter (she/her) | oh you're talking about the value of emergencyAccess, oops | 06:12:12 |
Winter (she/her) | didn't realize that would also take a string, maybe i should've looked that up before asking | 06:12:25 |
@elvishjerricco:matrix.org | yea true means no password, false means root is locked, and a hashed password means... password :P | 06:12:55 |
Winter (she/her) | In reply to @elvishjerricco:matrix.org "false sets the password field to !, which I guess means openssh considers the account disabled...": maybe cranking the log level to DEBUG will confirm that theory? | 06:15:55 |
Winter (she/her) | (there's also DEBUG{1,2,3}, in increasing order of verbosity, but i'm guessing DEBUG will be enough) | 06:16:33 |
@elvishjerricco:matrix.org | The reason I noticed was because I passed -ddd to sshd, and finally got it to spit out something like "the root account is locked" :P | 06:17:20 |
Winter (she/her) | you said it was set to !, right? i don't see that in the OpenSSH source, only * and *LK* | 06:22:39 |
Winter (she/her) | never mind | 06:23:43 |
Winter (she/her) | AC_DEFINE([LOCKED_PASSWD_PREFIX], ["!"]) | 06:23:48 |
@elvishjerricco:matrix.org | Ok, so using * instead of ! seems to lock the root account while still allowing login with SSH keys. But I don't know where to find this documented... man 5 shadow was rather... vague | 15:23:23 |
Winter (she/her) | I think that would be because OpenSSH assumes ! for locked accounts on Linux, but some other system component allows both? | 15:26:20 |
@elvishjerricco:matrix.org | I have spent at least a couple of hours trying to figure out why initrd secrets weren't working in the nixos test without some very annoying finagling with pkgs.writeText and setting useBootLoader = true;. Turns out the find command in initrd-nixos-copy-secrets.service just needed a -o -type l 🙃 | 23:11:46 |
@elvishjerricco:matrix.org | oh and I need to set boot.loader.supportsInitrdSecrets = lib.mkForce false, but I think that's more a flaw with qemu-vm.nix not disabling the boot loader options when it's not going to use a boot loader | 23:13:00 |
| 9 Aug 2022 |
@elvishjerricco:matrix.org | Hm. I'm looking more at the shutdownRamfs stuff and my system gets Failed to unmount /oldroot/nix/store: Device or resource busy followed by the same for the parent FSes. Anyone have any ideas why the store FS would be busy after transitioning to the shutdownRamfs? | 23:00:01 |
| 11 Aug 2022 |
@arianvp:matrix.org | hmm | 11:56:29 |
@arianvp:matrix.org | would this happen if any processes still have files open on /nix/store? | 11:56:41 |
@arianvp:matrix.org | after chrooting? | 11:56:45 |
@arianvp:matrix.org | might need to pivot/re-exec to processes in the new chroot | 11:57:07 |