On Tue, 8 June 2021 at 14:35, Richard W.M. Jones
<rjo...@redhat.com> wrote:
>
> On Mon, Jun 07, 2021 at 02:59:54PM -0400, Ben Cotton wrote:
> > == Dependencies ==
> > * anaconda: https://github.com/rhinstaller/anaconda/pull/3431
> > * authselect: https://github.com/authselect/authselect/pull/253
> > * libuser: WIP ongoing
> > * shadow-utils: https://src.fedoraproject.org/rpms/shadow-utils/pull-request/10
> >
> > * pam: Is already capable of using yescrypt.
> > * libxcrypt: Is already capable of computing yescrypt hashes.
>
> libguestfs (virt-customize etc.) might also need changing.  What
> happens if a new user account is created with (e.g.) $6$ sha512?  Does
> it use that scheme forever?  Attempt to upgrade it?  Break?

Well, yes, that needs to be updated, too, but it's written in OCaml…
I suppose you want to volunteer, and get a well deserved F35 change
badge for doing so?!  :P

If a user account is created with a sha512crypt hash, it will keep it
as long as the password remains unchanged.  I'm currently thinking of
a way to migrate all local users to use yescrypt hashes, but it's not
that easy: Human users could be prompted on first login to change
their password, if the hash in shadow is not yescrypt - there is a way
to force that.  But what about local users with older password hashes
that get logged in by any non-human interaction, like www-cron; those
would need to be updated manually by the system admin.  Maybe I can
write a CLI tool for doing so.

Unfortunately there is no automatic way to update the hash from
anything but yescrypt to yescrypt without knowing / entering the
actual user password; in the future existing yescrypt hashes can be
updated to new yescrypt hashes with stronger salts and/or cost
parameters in-place without changing the password, and without user
interaction.

Has anyone some better idea?

Björn
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
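Added example, not part of the original message and not code from Fedora or shadow-utils: a sketch of the audit step discussed above, listing local accounts whose shadow entry is not yet yescrypt and whether a forced password change is already pending. The function names are hypothetical, the sample entries are constructed with placeholder hash strings, and the prefix table and the meaning of a last-change value of 0 follow crypt(5) and shadow(5).

```python
# Constructed sample in shadow(5) format; salts and hashes are placeholders.
SAMPLE_SHADOW = """\
root:$y$j9T$SALTPLACEHOLDER$HASHPLACEHOLDER:18786:0:99999:7:::
alice:$6$SALTPLACEHOLDER$HASHPLACEHOLDER:18000:0:99999:7:::
bob:$6$SALTPLACEHOLDER$HASHPLACEHOLDER:0:0:99999:7:::
www-cron:$5$SALTPLACEHOLDER$HASHPLACEHOLDER:17500:0:99999:7:::
carol:!$1$SALTPLACEHOLDER$HASHPLACEHOLDER:17000:0:99999:7:::
daemon:*:18000:0:99999:7:::
sshd:!!:18000::::::
"""

# crypt(5) prefixes for the schemes most likely to appear in /etc/shadow.
PREFIXES = [("$y$", "yescrypt"), ("$6$", "sha512crypt"), ("$5$", "sha256crypt"),
            ("$2", "bcrypt"), ("$1$", "md5crypt")]

def classify(field):
    """Return (scheme, locked) for the password field of one shadow entry."""
    locked = field.startswith("!")   # leading '!' marks a locked password
    body = field.lstrip("!")         # a hash may still follow the lock marker
    if body in ("", "*"):
        return ("empty" if field == "" else "no-hash"), locked
    for prefix, name in PREFIXES:
        if body.startswith(prefix):
            return name, locked
    return "other", locked           # descrypt, sha1crypt, unknown, ...

def audit(shadow_text, target="yescrypt"):
    """List accounts whose stored hash uses a scheme other than target."""
    findings = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 3:
            continue                 # blank or malformed line
        user, password, lastchg = fields[:3]
        scheme, locked = classify(password)
        if scheme in (target, "no-hash", "empty"):
            continue                 # already migrated, or nothing to migrate
        findings.append({"user": user, "scheme": scheme, "locked": locked,
                         # lastchg == 0: change is forced at next login
                         "change_pending": lastchg == "0"})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_SHADOW):
        print("{user:10} {scheme:12} locked={locked} "
              "change_pending={change_pending}".format(**f))
```

Accounts reported without a pending change and used only non-interactively, such as www-cron in the sample, are the ones that would need the manual handling described in the message.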