[elbe-devel] [PATCH v2 6/8] proprocess: migrate root and user passwords
Holger Dengler
holger at hdengler.de
Mon Jun 27 15:10:34 CEST 2022
Hi Bastian,

thanks for providing this information.

On 27.06.22 14:14, Bastian Germann wrote:
> On 25.06.22 at 12:27, Holger Dengler wrote:
>> I also found the following hint in /etc/pam.d/common-password (sid):
>> "Explanation of pam_unix options: The "yescrypt" option enables hashed passwords using the yescrypt algorithm, introduced in Debian 11. Without this option, the default is Unix crypt. Prior releases used the option "sha512"; if a shadow password hash will be shared between Debian 11 and older releases replace "yescrypt" with "sha512" for compatibility."
>
> That file refers only to the default method. According to crypt(3) (up to buster; bullseye has the xcrypt man):
>
> "The following values of id are supported:
>
> ID | Method
> ---------------------------------------------------------
> 1  | MD5
> 2a | Blowfish (not in mainline glibc; added in some Linux distributions)
> 5  | SHA-256 (since glibc 2.7)
> 6  | SHA-512 (since glibc 2.7)"
>
>> I assume that all releases from stretch to current support sha256 and sha512 (including rounds), but no bcrypt. I currently have no access to a jessie system; maybe someone else can provide some information about which algorithms are supported there. If jessie has no support for sha512 but for sha256, I personally would prefer to use sha256, at least for jessie. I'll prepare v3 (presumably next weekend).
>
> I have tried to use bcrypt with jessie using the documented 2a prefix over the 2b that is OpenBSD's prefix for it.
> But still I could not log in. So just stick to sha512crypt.

I also tested on an older Ubuntu image (12.04) and it also supports sha512crypt. So I will use only sha512crypt for the XML preprocessing. If someone needs other hash methods, the "passwd_hashed" in XML should be used directly.
--
Regards,
Holger Dengler
--
holger at hdengler.de
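
Added example, not part of the original message and not ELBE code: a check that a "passwd_hashed"-style value is a well-formed sha512crypt string, using the ids from the crypt(3) table quoted in the thread plus the 2b and yescrypt prefixes it mentions. The function name `classify` and the sample hashes in the comments are constructed for illustration.

```python
import re

# Ids from the crypt(3) table quoted in the thread, plus the "2b" prefix
# (OpenBSD bcrypt) and "y" (yescrypt) that the thread also mentions.
METHODS = {
    "1": "MD5",
    "2a": "Blowfish (bcrypt)",
    "2b": "Blowfish (bcrypt, OpenBSD prefix)",
    "5": "SHA-256",
    "6": "SHA-512",
    "y": "yescrypt",
}
PORTABLE_ID = "6"   # the thread settles on sha512crypt only
SHA512_HASH_LEN = 86  # length of the encoded sha512crypt digest

# $6$[rounds=N$]salt$hash ; salt is at most 16 characters from [./0-9A-Za-z]
SHA512_CRYPT = re.compile(
    r"^\$6\$(?:rounds=(?P<rounds>[1-9][0-9]*)\$)?"
    r"(?P<salt>[./0-9A-Za-z]{1,16})\$(?P<hash>[./0-9A-Za-z]+)$"
)


def classify(hashed):
    """Return (method_name, portable, reason) for a shadow-style hash string."""
    if not hashed.startswith("$"):
        return ("traditional crypt or unknown", False, "no $id$ prefix")
    ident = hashed.split("$")[1]
    name = METHODS.get(ident, "unknown id %r" % ident)
    if ident != PORTABLE_ID:
        return (name, False, "not sha512crypt")
    m = SHA512_CRYPT.match(hashed)
    if m is None or len(m.group("hash")) != SHA512_HASH_LEN:
        return (name, False, "malformed sha512crypt string")
    rounds = int(m.group("rounds") or 5000)  # 5000 is the sha-crypt default
    # The sha-crypt scheme clamps out-of-range values; flag them here instead.
    if not 1000 <= rounds <= 999999999:
        return (name, False, "rounds outside 1000..999999999")
    return (name, True, "rounds=%d" % rounds)


if __name__ == "__main__":
    # Constructed sample values, not real password hashes.
    for sample in ("$6$saltsalt$" + "A" * 86,
                   "$2b$12$" + "A" * 53,
                   "$y$j9T$saltsalt$" + "A" * 43):
        print(sample[:20] + "...", classify(sample))
```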