generate-secrets: use pwgen

Password length and alphabet is unchanged, but the restriction to
include at least one numeric and one capital char has been removed.
This restriction is not needed by client applications,
adds code complexity, and even (insignificantly) reduces entropy.

Reason for switching to pwgen:
apg uses /dev/random instead of /dev/urandom which brings no security
benefits but can stall the generate-secrets script on low-entropy
devices due to blocking.

Since `security.rngd` has been disabled in NixOS 20.09, blocking
in generate-secrets can also appear on regular NixOS desktop systems.
This commit is contained in:
Erik Arvstedt 2020-12-16 01:28:12 +01:00
parent a5a2fc7274
commit a359cdfb66
No known key found for this signature in database
GPG Key ID: 33312B944DD97846
3 changed files with 3 additions and 4 deletions

View File

@ -32,5 +32,3 @@
* **A:** Check your clightning logs with `journalctl -eu clightning`. Do you see something like `bitcoin-cli getblock ... false` failed? Are you using pruned mode? That means that clightning hasn't seen all the blocks it needs to and it can't get that block because your node is pruned. If you're just setting up a new node you can `systemctl stop clightning` and wipe your `/var/lib/clightning` directory. Otherwise you need to reindex the Bitcoin node. * **A:** Check your clightning logs with `journalctl -eu clightning`. Do you see something like `bitcoin-cli getblock ... false` failed? Are you using pruned mode? That means that clightning hasn't seen all the blocks it needs to and it can't get that block because your node is pruned. If you're just setting up a new node you can `systemctl stop clightning` and wipe your `/var/lib/clightning` directory. Otherwise you need to reindex the Bitcoin node.
* **Q:** My disk space is getting low due to nix. * **Q:** My disk space is getting low due to nix.
* **A:** run `nix-collect-garbage -d` * **A:** run `nix-collect-garbage -d`
* **Q:** `nix-shell` takes too long and doesn't finish generating `/secrets`
* **A:** This might be the result of low system entropy. Check your entropy with `cat /proc/sys/kernel/random/entropy_avail`. If necessary, take steps to increase entropy like performing some tasks on the system or acquiring a hardware true random number generator.

View File

@ -10,6 +10,6 @@ let
''; '';
in in
writers.writeBash "generate-secrets" '' writers.writeBash "generate-secrets" ''
export PATH=${lib.makeBinPath [ coreutils apg openssl gnugrep rpcauth ]} export PATH=${lib.makeBinPath [ coreutils pwgen openssl gnugrep rpcauth ]}
. ${./generate-secrets.sh} ${./openssl.cnf} . ${./generate-secrets.sh} ${./openssl.cnf}
'' ''

View File

@ -5,7 +5,8 @@ set -euo pipefail
opensslConf=${1:-openssl.cnf} opensslConf=${1:-openssl.cnf}
makePasswordSecret() { makePasswordSecret() {
[[ -e $1 ]] || apg -m 20 -x 20 -M Ncl -n 1 > "$1" # Passwords have alphabet {a-z, A-Z, 0-9} and ~119 bits of entropy
[[ -e $1 ]] || pwgen -s 20 1 > "$1"
} }
makeHMAC() { makeHMAC() {
user=$1 user=$1