Re: F35 Change: Use yescrypt as default hashing method for shadow passwords (System-Wide Change proposal)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Indeed you are not the only one.  Even in large LDAP shops, there could be a local "break-glass" account, so managing hashes could still be a factor in those environments.

One of the pain points of managing a large-scale Puppet infrastructure is supporting different hashes for different OS's. I've seen this done, and the result is...not always pretty.

What does usage of yescrypt look like in the rest of the ecosystem?  Are other major distros moving to it, or likely to?

Marty

On 6/8/21 9:13 AM, Ewoud Kohl van Wijngaarden wrote:
On Tue, Jun 08, 2021 at 03:18:10PM +0200, Björn 'besser82' Esser wrote:
Unfortunately there is no automatic way to update the hash from
anything, but yescrypt, to yescrypt without knowing / entering the
actual user password; in the future existing yescrypt hashes can be
updated to new yescrypt hashes with stronger salts and/or cost
parameters in-place without changing the password, and without user
interaction.

Has anyone some better idea?

I'd advise against this. People can use a system like Puppet to sync password hashes between systems (as a cheap alternative to LDAP). If they use older distros that don't support it, it'll end up flapping where one system sets it to the older hashing and one to the newer.

Or maybe I'm just the only person who does this.
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux