Gentoo Archives: gentoo-dev

From: Sam James <sam@g.o>
To: gentoo-dev@l.g.o
Cc: zx2c4@g.o
Subject: Re: [gentoo-dev] Switching default password hashes from sha512 to yescrypt
Date: Mon, 25 Jul 2022 18:44:27
In Reply to: [gentoo-dev] Switching default password hashes from sha512 to yescrypt by Mikhail Koliada
1 > On 22 Jul 2022, at 20:10, Mikhail Koliada <zlogene@g.o> wrote:
2 >
3 > Hello!
4 >
5 > This idea has been fluctuating in my head for quite a while given that the migration had happened
6 > a while ago [0] and some other major distributions have already adopted yescrypt as their default algo
7 > by now [1]. For us switching is as easy as changing the default use flag in pambase and rehashing the password
8 > with the ‘passwd’ call (a news item will be required).
9 >
10 > What do you think?
11 >
12 > P.S. surely, I am only speaking about the local auth method based on shadow and also about the pam-based systems as the change is going
13 > to mainly impact the calls in the pam’s stack.
14 > Pamless or the systems with an alternative auth methods is a different story.
15 >
16 > [0] -
17 > [1] -
19 It's fine with me although I guess I'm a bit reluctant when the libxcrypt stuff is still biting
20 some users.
22 My preference would be to wait a few more months, but I don't feel strongly about it,
23 and won't object if we want to move forward sooner.
25 Overall though, it's a good idea, although I'd welcome Jason's input
26 on alternatives first. CC'd.
28 Best,
29 sam


File name MIME type
signature.asc application/pgp-signature