Re: F35 Change: Use yescrypt as default hashing method for shadow passwords (System-Wide Change proposal)

On Tue, 8 June 2021 at 15:46, Zbigniew Jędrzejewski-Szmek
<zbyszek@xxxxxxxxx> wrote:
>
> On Tue, Jun 08, 2021 at 03:18:10PM +0200, Björn 'besser82' Esser wrote:
> > On Tue, 8 June 2021 at 14:35, Richard W.M. Jones
> > <rjones@xxxxxxxxxx> wrote:
> > >
> > > On Mon, Jun 07, 2021 at 02:59:54PM -0400, Ben Cotton wrote:
> > > > == Dependencies ==
> > > > * anaconda: https://github.com/rhinstaller/anaconda/pull/3431
> > > > * authselect: https://github.com/authselect/authselect/pull/253
> > > > * libuser: WIP ongoing
> > > > * shadow-utils: https://src.fedoraproject.org/rpms/shadow-utils/pull-request/10
> > > >
> > > > * pam: Is already capable of using yescrypt.
> > > > * libxcrypt: Is already capable of computing yescrypt hashes.
> > >
> > > libguestfs (virt-customize etc.) might also need changing.  What
> > > happens if a new user account is created with (eg) $6$ sha512.  Does
> > > it use that scheme forever?  Attempt to upgrade it?  Break?
> >
> > Well, yes, that needs to be updated, too, but it's written in OCaml…
> > I suppose you want to volunteer and get a well deserved F35 change
> > badge for doing so?!  :P
> >
> > If a user account is created with a sha512crypt hash, it will keep it
> > as long as the password remains unchanged.  I'm currently thinking of
> > a way to migrate all local users to use yescrypt hashes, but it's not
> > that easy: Human users could be prompted on first login to change
> > their password, if the hash in shadow is not yescrypt - there is a way
> > to force that.  But what about local users with older password hashes
> > that get logged in by any non-human interaction, like www-cron; those
> > would need to be updated manually by the system admin.  Maybe I can
> > write a CLI-tool for doing so.
> >
> > Unfortunately there is no automatic way to update the hash from
> > anything but yescrypt to yescrypt without knowing / entering the
> > actual user password;
>
> I think it's better to leave existing passwords in place. You can't
> really force people to log in as all users, so the only realistic
> scenario is to keep existing passwords if there's more than one user.
>
> And I don't think there's a reason to try to force immediate password
> switch. As far as we know, previous defaults like sha256 are OK.
>
> > in the future existing yescrypt hashes can be
> > updated to new yescrypt hashes with stronger salts and/or cost
> > parameters in-place without changing the password, and without user
> > interaction.
>
> Interesting. How does this work?

You can find a basic description here:

https://www.sjoerdlangkemper.nl/2018/01/31/client-independent-upgrade-in-hash-functions/
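The linked article describes the general "client-independent upgrade" idea: a stored hash can be strengthened without the password by feeding the existing digest into a stronger KDF and recording both steps in the stored field, so verification replays the same layering from the entered password. The example below is added here to illustrate that mechanism; it is not code from libxcrypt, shadow-utils or this thread, and it does not reproduce yescrypt's own in-place cost-parameter upgrade that Björn refers to. The record formats (`$L$`, `$W$`, `$S$`), the PBKDF2 stand-in for the legacy scheme, and the scrypt parameters are all constructed for the example.

```python
import base64
import hashlib
import hmac
import os

# Constructed record formats for this example (not libxcrypt's):
#   $L$<b64 salt>$<b64 digest>                       legacy scheme (to be retired)
#   $W$<b64 legacy salt>$<b64 scrypt salt>$<b64 dig>  legacy digest wrapped in scrypt
#   $S$<b64 salt>$<b64 digest>                       native scrypt over the password
LEGACY_ROUNDS = 1000                 # deliberately low "old default" (constructed)
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def _b64e(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


def _b64d(text: str) -> bytes:
    return base64.b64decode(text)


def legacy_digest(password: str, salt: bytes) -> bytes:
    # Stand-in for an older scheme such as $6$ sha512crypt.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, LEGACY_ROUNDS)


def legacy_hash(password: str) -> str:
    salt = os.urandom(16)
    return "$L$" + _b64e(salt) + "$" + _b64e(legacy_digest(password, salt))


def strong_digest(material: bytes, salt: bytes) -> bytes:
    # Memory-hard layer; used both for wrapping and for native $S$ records.
    return hashlib.scrypt(material, salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                          p=SCRYPT_P, maxmem=64 * 1024 * 1024, dklen=32)


def native_hash(password: str) -> str:
    salt = os.urandom(16)
    return "$S$" + _b64e(salt) + "$" + _b64e(strong_digest(password.encode(), salt))


def upgrade_without_password(record: str) -> str:
    """Client-independent upgrade: wrap the stored legacy digest in scrypt.

    Only the stored digest is needed, so this can run over every account in
    shadow without anyone logging in.  Non-legacy records are left untouched.
    """
    fields = record.split("$")[1:]           # leading "$" gives an empty field
    if fields[0] != "L":
        return record
    _, legacy_salt, legacy_dig = fields
    scrypt_salt = os.urandom(16)
    wrapped = strong_digest(_b64d(legacy_dig), scrypt_salt)
    return "$W$" + legacy_salt + "$" + _b64e(scrypt_salt) + "$" + _b64e(wrapped)


def verify(password: str, record: str) -> bool:
    """Recompute the same chain of layers from the entered password."""
    fields = record.split("$")[1:]
    kind = fields[0]
    if kind == "L":
        _, salt, dig = fields
        return hmac.compare_digest(legacy_digest(password, _b64d(salt)), _b64d(dig))
    if kind == "W":
        _, lsalt, ssalt, dig = fields
        inner = legacy_digest(password, _b64d(lsalt))       # first layer
        return hmac.compare_digest(strong_digest(inner, _b64d(ssalt)), _b64d(dig))
    if kind == "S":
        _, salt, dig = fields
        return hmac.compare_digest(strong_digest(password.encode(), _b64d(salt)), _b64d(dig))
    return False


def rehash_on_login(password: str, record: str) -> str:
    """Once the password is seen at a successful login, drop the legacy
    inner layer and store a native strong hash instead."""
    if not verify(password, record):
        raise ValueError("authentication failed; record unchanged")
    if record.startswith("$S$"):
        return record
    return native_hash(password)


if __name__ == "__main__":
    rec = legacy_hash("correct horse")            # what an old install stored
    upgraded = upgrade_without_password(rec)      # batch step, no password needed
    print(upgraded[:3], verify("correct horse", upgraded), verify("wrong", upgraded))
    print(rehash_on_login("correct horse", upgraded)[:3])
```

Wrapping removes the weak outer layer from offline attack (an attacker holding the file must now do the scrypt work per guess), but the original salt and digest stay part of the record, which is why the final `rehash_on_login` step is still worth doing once the password is actually presented.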
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure