Re: F35 Change: Use yescrypt as default hashing method for shadow passwords (System-Wide Change proposal)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Jun 08, 2021 at 03:18:10PM +0200, Björn 'besser82' Esser wrote:
> Am Di., 8. Juni 2021 um 14:35 Uhr schrieb Richard W.M. Jones
> <rjones@xxxxxxxxxx>:
> >
> > On Mon, Jun 07, 2021 at 02:59:54PM -0400, Ben Cotton wrote:
> > > == Dependencies ==
> > > * anaconda: https://github.com/rhinstaller/anaconda/pull/3431
> > > * authselect: https://github.com/authselect/authselect/pull/253
> > > * libuser: WIP ongoing
> > > * shadow-utils: https://src.fedoraproject.org/rpms/shadow-utils/pull-request/10
> > >
> > > * pam: Is already capable to use yescrypt.
> > > * libxcrypt: Is already capable for computing yescrypt hashes.
> >
> > libguestfs (virt-customize etc.) might also need changing.  What
> > happens if a new user account is created with (eg) $6$ sha512.  Does
> > it use that scheme forever?  Attempt to upgrade it?  Break?
> 
> Well, yes, that needs to be updated, too, but it's written in OCAML…
> I suppose, you want to volunteer, and get a well deserved F35 change
> badge for doing so?!  :P
> 
> If a user account is created with a sha512crypt hash, it will keep it
> as long as the password remains unchanged.  I'm currently thinking of
> a way to migrate all local users to use yescrypt hashes, but it's not
> that easy: Human users could be prompted on first login to change
> their password, if the hash in shadow is not yescrypt - there is a way
> to force that.  But what about local users with older password hashes
> that get logged in by any non-human interaction, like www-cron; those
> would need to be updated manually by the system admin.  Maybe I can
> write a CLI-tool for doing so.
> 
> Unfortunately there is no automatic way to update the hash from
> anything, but yescrypt, to yescrypt without knowing / entering the
> actual user password;

I think it's better to leave existing passwords in place. You can't
really force people to log in as all users, so the only realistic
scenario is to keep existing passwords if there's more than one user.

And I don't think there's a reason to try to force immediate password
switch. As far as we know, previous defaults like sha256 are OK.

> in the future existing yescrypt hashes can be
> updated to new yescrypt hashes with stronger salts and/or cost
> parameters in-place without changing the password, and without user
> interaction.

Interesting. How does this work?

Zbyszek
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux