Gentoo Archives: gentoo-dev

From: Joshua Kinard <kumba@g.o>
To: gentoo-dev@l.g.o
Cc: zx2c4@g.o
Subject: Re: [gentoo-dev] Switching default password hashes from sha512 to yescrypt
Date: Mon, 25 Jul 2022 19:30:16
In Reply to: Re: [gentoo-dev] Switching default password hashes from sha512 to yescrypt by Sam James
1 On 7/25/2022 14:44, Sam James wrote:
2 >
3 >
4 >> On 22 Jul 2022, at 20:10, Mikhail Koliada <zlogene@g.o> wrote:
5 >>
6 >> Hello!
7 >>
8 >> This idea has been fluctuating in my head for quite a while given that the migration had happened
9 >> a while ago [0] and some other major distributions have already adopted yescrypt as their default algo
10 >> by now [1]. For us switching is as easy as changing the default use flag in pambase and rehashing the password
11 >> with the ‘passwd’ call (a news item will be required).
12 >>
13 >> What do you think?
14 >>
15 >> P.S. surely, I am only speaking about the local auth method based on shadow and also about the pam-based systems as the change is going
16 >> to mainly impact the calls in the pam’s stack.
17 >> Pamless or the systems with an alternative auth methods is a different story.
18 >>
19 >> [0] -
20 >> [1] -
21 >
22 > It's fine with me although I guess I'm a bit reluctant when the libxcrypt stuff is still biting
23 > some users.
24 >
25 > My preference would be to wait a few more months, but I don't feel strongly about it,
26 > and won't object if we want to move forward sooner.
27 >
28 > Overall though, it's a good idea, although I'd welcome Jason's input
29 > on alternatives first. CC'd.
30 >
31 > Best,
32 > sam
34 "yescrypt" is an odd name for a hashing algorithm. I looked it up on
35 Wikipedia, and it just redirects to the 2013 Password Hashing Competition
36 (PHC)[1], in which yescrypt was just a runner-up (along w/ catena, makwa,
37 and lyra2). The winner was argon2. So unless something has changed in the
38 last nine years or there is more recent information, wouldn't it make more
39 sense to go with the winner of such a competition (argon2) instead of a
40 runner-up? I know marecki said Fedora was waiting for an official RFC for
41 argon2, but the wait for that ended almost a year ago in Sept 2021 when
42 RFC9106[2] was released.
44 Some really quick looking around, I'm not finding any substantive
45 discussions on why yescrypt is better than argon2. It so far seems that it
46 just got implemented in libxcrypt sooner than argon2 did, so that's why
47 there is this sudden push for it.
49 E.g., on Issue #45 in linux-pam[3], user ldv-alt just states "I'd recommend
50 yescrypt instead. Anyway, it has to be implemented in libcrypt.", but
51 provides no justification for why they recommend yescrypt. Since we're
52 dealing with a fairly important function for system security, I kinda want
53 something with much more context that presents pros and cons for this
54 algorithm over others, especially argon2.
56 That said, there does appear to be an open pull request on libxcrypt for
57 argon2[4], so maybe that is something to follow to see where it goes?
59 1.
60 2.
61 3.
62 4.
64 tl;dr, I'm just a bit uncomfortable adopting a new hashing algo just because
65 it seems popular. I would prefer something that's been thoroughly tested.
66 The scant info I've found thus far, that points to argon2, not yescrypt.
68 --
69 Joshua Kinard
70 Gentoo/MIPS
71 kumba@g.o
72 rsa6144/5C63F4E3F5C6C943 2015-04-27
73 177C 1972 1FB8 F254 BAD0 3E72 5C63 F4E3 F5C6 C943
75 "The past tempts us, the present confuses us, the future frightens us. And
76 our lives slip away, moment by moment, lost in that vast, terrible in-between."
78 --Emperor Turhan, Centauri Republic