Archives
Archives
| From: | Mikhail Koliada <zlogene@g.o> |
|---|---|
| To: | gentoo-dev <gentoo-dev@l.g.o> |
| Subject: | [gentoo-dev] Switching default password hashes from sha512 to yescrypt |
| Date: | Fri, 22 Jul 2022 19:11:27 |
| Message-Id: | 8DB1FE57-055F-4E32-BC23-731F69165116@gentoo.org |
| 1 | Hello! |
| 2 | |
| 3 | |
| 4 | |
| 5 | This idea has been fluctuating in my head for quite a while given that the migration had happened |
| 6 | |
| 7 | a while ago [0] and some other major distributions have already adopted yescrypt as their default algo |
| 8 | |
| 9 | by now [1]. For us switching is as easy as changing the default use flag in pambase and rehashing the password |
| 10 | |
| 11 | with the ‘passwd’ call (a news item will be required). |
| 12 | |
| 13 | |
| 14 | |
| 15 | What do you think? |
| 16 | |
| 17 | |
| 18 | |
| 19 | P.S. surely, I am only speaking about the local auth method based on shadow and also about the pam-based systems as the change is going |
| 20 | |
| 21 | to mainly impact the pam_unix.so calls in the pam’s stack. |
| 22 | |
| 23 | Pamless or the systems with an alternative auth methods is a different story. |
| 24 | |
| 25 | |
| 26 | |
| 27 | [0] - https://www.gentoo.org/support/news-items/2021-10-18-libxcrypt-migration-stable.html |
| 28 | |
| 29 | [1] - https://fedoraproject.org/wiki/Changes/yescrypt_as_default_hashing_method_for_shadow |
| Subject | Author |
|---|---|
| Re: [gentoo-dev] Switching default password hashes from sha512 to yescrypt | Mike Gilbert <floppym@g.o> |
| Re: [gentoo-dev] Switching default password hashes from sha512 to yescrypt | Peter Stuge <peter@×××××.se> |
| Re: [gentoo-dev] Switching default password hashes from sha512 to yescrypt | Sam James <sam@g.o> |
| Re: [gentoo-dev] Switching default password hashes from sha512 to yescrypt | Conrad Kostecki <conikost@g.o> |