Re: F35 Change: Use yescrypt as default hashing method for shadow passwords (System-Wide Change proposal)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Am Dienstag, dem 08.06.2021 um 09:22 -0500 schrieb Martin Jackson:
> 
> On 6/8/21 9:13 AM, Ewoud Kohl van Wijngaarden wrote:
> > On Tue, Jun 08, 2021 at 03:18:10PM +0200, Björn 'besser82' Esser
> > wrote:
> > > Unfortunately there is no automatic way to update the hash from
> > > anything, but yescrypt, to yescrypt without knowing / entering the
> > > actual user password; in the future existing yescrypt hashes can be
> > > updated to new yescrypt hashes with stronger salts and/or cost
> > > parameters in-place without changing the password, and without user
> > > interaction.
> > > 
> > > Has anyone some better idea?
> > 
> > they use older distros that don't support it, it'll end up flapping 
> > where one system sets it to the older hashing and one to the newer.
> > 
> > Or maybe I'm just the only person who does this.
>
> Indeed you are not the only one.  Even in large LDAP shops, there
> could 
> be a local "break-glass" account, so managing hashes could still be a 
> factor in those environments.
> 
> One of the pain points of managing a large-scale Puppet infrastructure
> is supporting different hashes for different OS's. I've seen this
> done, 
> and the result is...not always pretty.
> 
> What does usage of yescrypt look like in the rest of the ecosystem? 
> Are 
> other major distros moving to it, or likely to?

Debian is moving to yescrypt; ALT Linux and Kali Linux have already
switched.  Most other distributions, that ship libxcrypt >= 4.3 have
support for yescrypt and are able to deal with $y$ shadow hashes out of
the box; they simply just lack the adaption of the tools (shadow-utils,
pam, etc.) to use it as hash method for *creating* shadow hashes.
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux