Bug#1001353: libpam-modules: common-password doesn't handle rounds parameter when using yescrypt

2022-03-22, Brian Minton
Package: libpam-modules
Version: 1.4.0-11
Followup-For: Bug #1001353


After some additional testing (the mkpasswd utility was helpful as well), I
discovered that settings of the rounds parameter from 1 to 11 actually do make
a difference for the shadow file.  With rounds=11 I got the following:

bminton:$y$jFT$XX:19073:0:9:7:::

That hash actually took about half a second to calculate:
time echo 'asdf
asdf'|passwd bminton
New password: Retype new password: passwd: password updated successfully

real    0m0.637s
user    0m0.535s
sys     0m0.088s


So, I propose that this is a documentation issue.  The valid range of the
rounds parameter should be documented.


-- System Information:
Debian Release: bookworm/sid
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates'), (500, 'stable-security'), (400, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-11-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_USER
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libpam-modules depends on:
ii  debconf [debconf-2.0]  1.5.79
ii  libaudit1  1:3.0.6-1+b1
ii  libc6  2.33-7
ii  libcrypt1  1:4.4.27-1.1
ii  libdb5.3   5.3.28+dfsg1-0.8
ii  libnsl2                1.3.0-2
ii  libpam-modules-bin 1.4.0-11
ii  libpam0g   1.4.0-11
ii  libselinux1            3.3-1+b1
ii  libtirpc3  1.3.2-2

libpam-modules recommends no packages.

libpam-modules suggests no packages.

-- debconf information:
  libpam-modules/deprecate-tally:
  libpam-modules/profiles-disabled:
* libpam-modules/disable-screensaver:




Bug#1001353: libpam-modules: common-password doesn't handle rounds parameter when using yescrypt

2021-12-08, Brian Minton
Package: libpam-modules
Version: 1.4.0-10
Severity: normal


In /etc/pam.d/common-password I have the following:
password  [success=1 default=ignore]  pam_unix.so obscure yescrypt rounds=2097152

I've experimented with various values of the rounds parameter, but no value I
can put in produces a difference in the shadow file, or in the time to hash a
password.  According to the documentation for the yescrypt algorithm, the N
parameter must be a power of two.  

Here's an example:

with rounds=524288
bminton:$y$j9T$XX:18969:0:9:7:::

and with rounds=16777216
bminton:$y$j9T$XX:18969:0:9:7:::

Note that the parameters section of the modular crypt entry, j9T, is the same in
both cases.  I've also confirmed that when using the sha256, sha512, or blowfish
(for bcrypt) options, the shadow file contains the correct rounds parameter.
It's also worth noting that with sha256 or sha512, the rounds parameter is the
actual number of rounds, while with blowfish the rounds parameter is raised to
the power of 2.  I've tried both sizes of integers for yescrypt but haven't
ever seen any change in the output.


-- System Information:
Debian Release: 11.1
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'stable-updates'), (500, 'stable-security'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.10.0-9-amd64 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_USER
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libpam-modules depends on:
ii  debconf [debconf-2.0]  1.5.77
ii  libaudit1  1:3.0-2
ii  libc6  2.32-5
ii  libcrypt1  1:4.4.18-4
ii  libdb5.3   5.3.28+dfsg1-0.8
ii  libnsl2                1.3.0-2
ii  libpam-modules-bin 1.4.0-10
ii  libpam0g   1.4.0-9+deb11u1
ii  libselinux1            3.1-3
ii  libtirpc3  1.3.1-1

libpam-modules recommends no packages.

libpam-modules suggests no packages.

-- debconf information:
  libpam-modules/profiles-disabled:
* libpam-modules/disable-screensaver:
  libpam-modules/deprecate-tally:


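Both messages in this thread compare the opaque parameter field of the yescrypt entry ("j9T" versus "jFT") to judge whether rounds= took effect. The check a practitioner actually wants is to decode that field into the real cost parameters. The following is an added example, not code from pam_unix, libxcrypt or the reporter: it re-implements the yescrypt setting-string encoding from the yescrypt reference code (the itoa64 alphabet and its variable-length integers, each with a per-field minimum) and the flag constants from yescrypt.h, and runs it over the two shadow entries quoted in the thread. The shadow lines are constructed from the thread; their salt and hash portions are the reporter's "XX" placeholders, not real hashes, and the 128 * r * N memory figure is yescrypt's scrypt-style V-array size rather than a number taken from the page.

```python
"""Decode the parameter field of a yescrypt ("$y$") crypt(3) setting.

Added example for this bug thread (not pam_unix / libxcrypt code).  The
encoding follows the yescrypt reference implementation; the constants
below are taken from yescrypt.h.
"""

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Flag constants from yescrypt.h; YESCRYPT_DEFAULTS is what libxcrypt uses.
YESCRYPT_RW = 0x2
YESCRYPT_RW_FLAVOR_SHIFT = 2
YESCRYPT_DEFAULTS = 0xB6  # RW | ROUNDS_6 | GATHER_4 | SIMPLE_2 | SBOX_12K


def decode64_uint32(src, pos, minimum):
    """Decode one yescrypt variable-length integer starting at src[pos].

    Values 0..47 fit in one character; larger values spill into further
    characters.  'minimum' is added back because the encoder subtracts it.
    Returns (value, next_pos).  Raises ValueError on a non-itoa64 character.
    """
    start, end, chars, bits = 0, 47, 1, 0
    c = ITOA64.index(src[pos])
    pos += 1
    value = minimum
    while c > end:
        value += (end + 1 - start) << bits
        start = end + 1
        end = start + (62 - end) // 2
        chars += 1
        bits += 6
    value += (c - start) << bits
    for _ in range(chars - 1):
        c = ITOA64.index(src[pos])
        pos += 1
        bits -= 6
        value += c << bits
    return value, pos


def decode_yescrypt_setting(setting):
    """Return the cost parameters encoded in "$y$<params>$<salt>[$<hash>]"."""
    if not setting.startswith("$y$"):
        raise ValueError("not a yescrypt setting: %r" % setting)
    params = setting[3:].split("$", 1)[0]
    pos = 0
    # The first field packs the flags word; 'j' (47) is YESCRYPT_DEFAULTS.
    flavor, pos = decode64_uint32(params, pos, 0)
    if flavor < YESCRYPT_RW:
        flags = flavor
    else:
        flags = YESCRYPT_RW | ((flavor - YESCRYPT_RW) << YESCRYPT_RW_FLAVOR_SHIFT)
    n_log2, pos = decode64_uint32(params, pos, 1)  # N is stored as log2(N)
    r, pos = decode64_uint32(params, pos, 1)
    # p, t, g and NROM are only emitted when they differ from the defaults.
    p, t, g, nrom = 1, 0, 0, 0
    if pos < len(params):
        p, pos = decode64_uint32(params, pos, 1)
    if pos < len(params):
        t, pos = decode64_uint32(params, pos, 0)
    if pos < len(params):
        g, pos = decode64_uint32(params, pos, 0)
    if pos < len(params):
        nrom, pos = decode64_uint32(params, pos, 1)
    if pos != len(params):
        raise ValueError("trailing characters in yescrypt params: %r" % params)
    n = 1 << n_log2
    return {
        "flags": flags, "default_flags": flags == YESCRYPT_DEFAULTS,
        "N_log2": n_log2, "N": n, "r": r, "p": p, "t": t, "g": g, "NROM": nrom,
        "memory_bytes": 128 * r * n,  # size of yescrypt's V array, scrypt-style
    }


def shadow_entry_cost(shadow_line):
    """Decode the hash field of one /etc/shadow line ("user:$y$...:days:...")."""
    fields = shadow_line.split(":")
    return fields[0], decode_yescrypt_setting(fields[1])


def cost_changed(setting_a, setting_b):
    """True if two yescrypt settings differ in any cost-relevant parameter."""
    a, b = decode_yescrypt_setting(setting_a), decode_yescrypt_setting(setting_b)
    return any(a[k] != b[k] for k in ("flags", "N", "r", "p", "t", "g", "NROM"))


def describe(params):
    mib = params["memory_bytes"] / 2 ** 20
    extra = "" if params["default_flags"] else " (non-default flags 0x%x)" % params["flags"]
    return "N=2^%d (%d), r=%d, p=%d, t=%d: %.0f MiB per hash%s" % (
        params["N_log2"], params["N"], params["r"], params["p"], params["t"], mib, extra)


# Constructed from the two entries quoted in the thread; "XX" is the reporter's
# placeholder for salt and hash, not a real value.
SHADOW_DEFAULT = "bminton:$y$j9T$XX:18969:0:9:7:::"   # rounds=524288 and 16777216
SHADOW_ROUNDS11 = "bminton:$y$jFT$XX:19073:0:9:7:::"  # rounds=11

if __name__ == "__main__":
    for line in (SHADOW_DEFAULT, SHADOW_ROUNDS11):
        user, params = shadow_entry_cost(line)
        print(user, describe(params))
    print("rounds= took effect:",
          cost_changed(SHADOW_DEFAULT.split(":")[1], SHADOW_ROUNDS11.split(":")[1]))
```

Decoding makes the thread's observations concrete: "j9T" is libxcrypt's default yescrypt setting, N=2^12 and r=32, i.e. 16 MiB per hash, which is what the original report got for every out-of-range value such as 524288, so those settings silently fell back to the default rather than failing. "jFT" is N=2^18 and r=32, a 1 GiB hash, which is why rounds=11 was noticeably slower in the follow-up. Since the '9'/'F' character stores log2(N) and the accepted range seen in the thread is 1 to 11, the rounds= value for yescrypt is a small cost exponent, not a round count as for sha256/sha512, which is the documentation gap the follow-up asks to have closed.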