1 |
> On 22 Jul 2022, at 20:10, Mikhail Koliada <zlogene@g.o> wrote: |
2 |
> |
3 |
> Hello! |
4 |
> |
5 |
> This idea has been fluctuating in my head for quite a while given that the migration had happened |
6 |
> a while ago [0] and some other major distributions have already adopted yescrypt as their default algo |
7 |
> by now [1]. For us switching is as easy as changing the default use flag in pambase and rehashing the password |
8 |
> with the ‘passwd’ call (a news item will be required). |
9 |
> |
10 |
> What do you think? |
11 |
> |
12 |
> P.S. surely, I am only speaking about the local auth method based on shadow and also about the pam-based systems as the change is going |
13 |
> to mainly impact the pam_unix.so calls in the pam’s stack. |
14 |
> Pamless or the systems with an alternative auth methods is a different story. |
15 |
> |
16 |
> [0] - https://www.gentoo.org/support/news-items/2021-10-18-libxcrypt-migration-stable.html |
17 |
> [1] - https://fedoraproject.org/wiki/Changes/yescrypt_as_default_hashing_method_for_shadow |
18 |
|
19 |
It's fine with me although I guess I'm a bit reluctant when the libxcrypt stuff is still biting |
20 |
some users. |
21 |
|
22 |
My preference would be to wait a few more months, but I don't feel strongly about it, |
23 |
and won't object if we want to move forward sooner. |
24 |
|
25 |
Overall though, it's a good idea, although I'd welcome Jason's input |
26 |
on alternatives first. CC'd. |
27 |
|
28 |
Best, |
29 |
sam |