Indeed you are not the only one. Even in large LDAP shops, there could
be a local "break-glass" account, so managing hashes could still be a
factor in those environments.

One of the pain points of managing a large-scale Puppet infrastructure
is supporting different hashes for different OSes. I've seen this done,
and the result is...not always pretty.

What does usage of yescrypt look like in the rest of the ecosystem? Are
other major distros moving to it, or likely to?

Marty

On 6/8/21 9:13 AM, Ewoud Kohl van Wijngaarden wrote:
> On Tue, Jun 08, 2021 at 03:18:10PM +0200, Björn 'besser82' Esser wrote:
>> Unfortunately there is no automatic way to update the hash from
>> anything but yescrypt to yescrypt without knowing / entering the
>> actual user password; in the future existing yescrypt hashes can be
>> updated to new yescrypt hashes with stronger salts and/or cost
>> parameters in-place without changing the password, and without user
>> interaction.
>>
>> Has anyone some better idea?
>
> I'd advise against this. People can use a system like Puppet to sync
> password hashes between systems (as a cheap alternative to LDAP). If
> they use older distros that don't support it, it'll end up flapping
> where one system sets it to the older hashing and one to the newer.
>
> Or maybe I'm just the only person who does this.
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
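
The mixed-fleet concern raised in this thread (centrally synced hashes, including local "break-glass" accounts, landing on hosts that do not support the scheme) can be checked before distribution. The following is an added example, not code from the thread or from Fedora: it classifies shadow password fields by their crypt(3) prefix and reports hashes a host could not verify. The host names, the per-host sets of supported schemes, and the sample shadow lines are constructed assumptions.

```python
# Added example: classify shadow hash fields by crypt(3) setting prefix.
PREFIXES = {
    "$y$": "yescrypt", "$gy$": "gost-yescrypt", "$7$": "scrypt",
    "$6$": "sha512crypt", "$5$": "sha256crypt", "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
}

def scheme(field):
    """Name the hash scheme of a shadow password field, or None if no hash."""
    field = field.lstrip("!")          # a leading '!' only marks a locked account
    if field in ("", "*"):
        return None                    # no password set / login disabled
    for prefix, name in PREFIXES.items():
        if field.startswith(prefix):
            return name
    return "unknown"                   # e.g. legacy DES or a scheme not listed here

def incompatible(shadow_text, fleet):
    """Return sorted (user, scheme, host) for hashes a host cannot verify."""
    findings = []
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or line.startswith("#"):
            continue
        user, name = parts[0], scheme(parts[1])
        if name is None:
            continue
        for host, supported in fleet.items():
            if name not in supported:
                findings.append((user, name, host))
    return sorted(findings)

# Constructed sample: hash bodies are placeholders, not real hashes.
SAMPLE_SHADOW = """\
root:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:18786:0:99999:7:::
breakglass:$y$j9T$CONSTRUCTEDSALT$CONSTRUCTEDHASH:18786:0:99999:7:::
svc:!$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:18786::::::
nobody:*:18786:0:99999:7:::
"""
# Hypothetical fleet; which schemes each host's libcrypt supports is an assumption.
SAMPLE_FLEET = {
    "old-host": {"md5crypt", "sha256crypt", "sha512crypt"},
    "new-host": {"md5crypt", "sha256crypt", "sha512crypt", "yescrypt"},
}

if __name__ == "__main__":
    for user, name, host in incompatible(SAMPLE_SHADOW, SAMPLE_FLEET):
        print(f"{user}: {name} hash cannot be verified on {host}")
```

Running a check like this against the hash data a configuration-management system is about to push shows which accounts would stop authenticating on older hosts.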