users.users.<name>.initialHashedPassword
Specifies the initial hashed password for the user, i.e. the
hashed password assigned if the user does not already
exist. If users.mutableUsers is true, the
password can be changed subsequently using the
passwd command. Otherwise, it's
equivalent to setting the hashedPassword option.
The initialHashedPassword, hashedPassword,
initialPassword, password and
hashedPasswordFile options all control what password is set for
the user.
In a system where systemd.sysusers.enable is false, typically
only one of hashedPassword, password, or
hashedPasswordFile will be set.
In a system where systemd.sysusers.enable or services.userborn.enable is true,
typically only one of initialPassword, initialHashedPassword,
or hashedPasswordFile will be set.
If the option users.mutableUsers is true, the password defined
in one of the above password options will only be set when the user is
created for the first time. After that, you are free to change the
password with the ordinary user management commands. If
users.mutableUsers is false, you cannot change user passwords;
they will always be set according to the password options.
If none of the password options are set, then no password is assigned to the user, and the user will not be able to do password-based logins.
If more than one of these password options is set at the same time, a
specific order of precedence is followed, which can lead to surprising
results. The order of precedence differs depending on whether
users.mutableUsers is true or false.
If the option users.mutableUsers is
false, then the order of precedence is as shown
below, where values on the left are overridden by values on the right:
initialHashedPassword -> hashedPassword -> initialPassword -> password -> hashedPasswordFile
If the option users.mutableUsers is
true, then the order of precedence is as shown
below, where values on the left are overridden by values on the right:
initialHashedPassword -> initialPassword -> hashedPassword -> password -> hashedPasswordFile
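The two precedence chains above can be checked mechanically. The following is an added example, not part of the NixOS documentation or the nixpkgs module: a small audit function that reports which option takes effect for a user and flags the empty-string case described for this option. The function name audit_user, the dict input format and the sample values are assumptions made for illustration.

```python
# Added example: resolves which NixOS password option takes effect,
# following the two precedence chains quoted in the option description.

# Lowest precedence first; later entries override earlier ones.
PRECEDENCE = {
    False: ["initialHashedPassword", "hashedPassword", "initialPassword",
            "password", "hashedPasswordFile"],
    True: ["initialHashedPassword", "initialPassword", "hashedPassword",
           "password", "hashedPasswordFile"],
}


def audit_user(options, mutable_users):
    """Return (winning_option, findings) for one user's password options.

    `options` maps option names to values; None (Nix null) means unset.
    """
    order = PRECEDENCE[mutable_users]
    unknown = set(options) - set(order)
    if unknown:
        raise ValueError(f"not a password option: {sorted(unknown)}")
    set_opts = [name for name in order if options.get(name) is not None]
    findings = []
    if not set_opts:
        findings.append("no password option set: password-based login disabled")
        return None, findings
    winner = set_opts[-1]  # the rightmost set option overrides the rest
    if len(set_opts) > 1:
        findings.append(f"{', '.join(set_opts[:-1])} overridden by {winner}")
    if winner == "initialHashedPassword" and options[winner] == "":
        findings.append("empty initialHashedPassword: local login without a password")
    if mutable_users:
        findings.append("applied only when the user is first created")
    return winner, findings


# Constructed sample: values are placeholders, not real hashes.
SAMPLE = {"initialHashedPassword": "", "hashedPassword": "<hash-placeholder>",
          "initialPassword": "changeme"}

if __name__ == "__main__":
    for mutable in (False, True):
        winner, findings = audit_user(SAMPLE, mutable)
        print(f"mutableUsers={mutable}: effective option = {winner}")
        for finding in findings:
            print("  -", finding)
```

With the same three options set, the effective option changes from initialPassword to hashedPassword when users.mutableUsers is switched from false to true.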
To generate a hashed password run mkpasswd.
If set to an empty string (""), this user will be able to log in without
being asked for a password (but not via remote services such as SSH, or
indirectly via su or sudo). This should only be used
for e.g. bootable live systems. Note: this is different from setting an
empty password, which can be achieved using
users.users.<name?>.password.
If set to null (default), this user will not be able to log in using a
password (i.e. via the login command).
Type: null or (string, not containing newlines or colons)
Default: null
Declared: <nixpkgs/nixos/modules/config/users-groups.nix>