| 1 |
> On 22 Jul 2022, at 20:10, Mikhail Koliada <zlogene@g.o> wrote: |
| 2 |
> |
| 3 |
> Hello! |
| 4 |
> |
| 5 |
> This idea has been fluctuating in my head for quite a while given that the migration had happened |
| 6 |
> a while ago [0] and some other major distributions have already adopted yescrypt as their default algo |
| 7 |
> by now [1]. For us switching is as easy as changing the default use flag in pambase and rehashing the password |
| 8 |
> with the ‘passwd’ call (a news item will be required). |
| 9 |
> |
| 10 |
> What do you think? |
| 11 |
> |
| 12 |
> P.S. surely, I am only speaking about the local auth method based on shadow and also about the pam-based systems as the change is going |
| 13 |
> to mainly impact the pam_unix.so calls in the pam’s stack. |
| 14 |
> Pamless or the systems with an alternative auth methods is a different story. |
| 15 |
> |
| 16 |
> [0] - https://www.gentoo.org/support/news-items/2021-10-18-libxcrypt-migration-stable.html |
| 17 |
> [1] - https://fedoraproject.org/wiki/Changes/yescrypt_as_default_hashing_method_for_shadow |
| 18 |
|
| 19 |
It's fine with me although I guess I'm a bit reluctant when the libxcrypt stuff is still biting |
| 20 |
some users. |
| 21 |
|
| 22 |
My preference would be to wait a few more months, but I don't feel strongly about it, |
| 23 |
and won't object if we want to move forward sooner. |
| 24 |
|
| 25 |
Overall though, it's a good idea, although I'd welcome Jason's input |
| 26 |
on alternatives first. CC'd. |
| 27 |
|
| 28 |
Best, |
| 29 |
sam |
Archives