Indeed you are not the only one.  Even in large LDAP shops, there could be a local "break-glass" account, so managing hashes could still be a factor in those environments.

One of the pain points of managing a large-scale Puppet infrastructure is supporting different hashes for different OS's. I've seen this done, and the result is...not always pretty.

What does usage of yescrypt look like in the rest of the ecosystem?  Are other major distros moving to it, or likely to?

Marty

On 6/8/21 9:13 AM, Ewoud Kohl van Wijngaarden wrote:
On Tue, Jun 08, 2021 at 03:18:10PM +0200, Björn 'besser82' Esser wrote:
Unfortunately there is no automatic way to update the hash from
anything, but yescrypt, to yescrypt without knowing / entering the
actual user password; in the future existing yescrypt hashes can be
updated to new yescrypt hashes with stronger salts and/or cost
parameters in-place without changing the password, and without user
interaction.

Has anyone some better idea?

I'd advise against this. People can use a system like Puppet to sync password hashes between systems (as a cheap alternative to LDAP). If they use older distros that don't support it, it'll end up flapping where one system sets it to the older hashing and one to the newer.

Or maybe I'm just the only person who does this.
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure