[elbe-devel] [PATCH v2 6/8] proprocess: migrate root and user passwords

Bastian Germann bage at linutronix.de
Mon Jun 27 14:14:15 CEST 2022


On 25.06.22 at 12:27, Holger Dengler wrote:
> I also found the following hint in /etc/pam.d/common-password (sid):
> "Explanation of pam_unix options: The "yescrypt" option enables hashed passwords using the yescrypt algorithm, introduced in Debian 11.  Without this option, the default is Unix crypt.  Prior releases used the option "sha512"; if a shadow password hash will be shared between Debian 11 and older releases replace "yescrypt" with "sha512" for compatibility."

That file refers only to the default method. According to crypt(3) (up to buster; bullseye has the xcrypt man):

"The following values of id are supported:

               ID  | Method
               ---------------------------------------------------------
               1   | MD5
               2a  | Blowfish (not in mainline glibc; added in some
                   | Linux distributions)
               5   | SHA-256 (since glibc 2.7)
               6   | SHA-512 (since glibc 2.7)"

> I assume that all releases from stretch to current support sha256 and sha512 (including rounds), but not bcrypt. I currently have no access to a jessie system; maybe someone else can provide some information on which algorithms are supported there. If jessie has no support for sha512 but does for sha256, I personally would prefer to use sha256, at least for jessie. I'll prepare v3 (presumably next weekend).

I have tried to use bcrypt with jessie using the documented 2a prefix over the 2b that is OpenBSD's prefix for it.
But still I could not log in. So just stick to sha512crypt.
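As an added example (not part of the original thread and not ELBE's code): a small check that reads the method ID from each password field of a shadow-format file, maps it to the crypt(3) table quoted above, and lists entries that do not use sha512crypt, the scheme the thread settles on. The `$y$` prefix for yescrypt, the function names and the sample entries are assumptions constructed for illustration.

```python
import re

# Method IDs from the crypt(3) table quoted in the message above.
CRYPT3_METHODS = {"1": "MD5", "2a": "Blowfish", "5": "SHA-256", "6": "SHA-512"}

# Modular crypt layout: $id$[rounds=N$]salt$hash
_MCF = re.compile(r"^\$(?P<id>[^$]+)\$(?:rounds=(?P<rounds>\d+)\$)?")

def classify(field):
    """Return (id, method, rounds) for the password field of a shadow entry.

    A leading '!' (locked password) is ignored so the hash behind it is
    still inspected. id is None when the field carries no modular-crypt
    hash (empty, '*', traditional DES). method is None when the id is not
    in the crypt(3) table above (for example 'y' or '2b').
    """
    m = _MCF.match(field.lstrip("!"))
    if m is None:
        return (None, None, None)
    rounds = int(m.group("rounds")) if m.group("rounds") else None
    return (m.group("id"), CRYPT3_METHODS.get(m.group("id")), rounds)

def non_sha512_entries(shadow_text):
    """List (user, id) for every entry whose hash is not sha512crypt ($6$)."""
    findings = []
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or line.startswith("#"):
            continue
        hash_id, _method, _rounds = classify(parts[1])
        if hash_id is not None and hash_id != "6":
            findings.append((parts[0], hash_id))
    return findings

# Constructed sample; salts and hashes are placeholders, not real hashes.
SAMPLE_SHADOW = """\
root:$6$rounds=5000$SALTSALT$PLACEHOLDERHASH:19000:0:99999:7:::
alice:$y$j9T$SALTSALT$PLACEHOLDERHASH:19000:0:99999:7:::
bob:$2b$10$PLACEHOLDERSALTANDHASH:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
"""

if __name__ == "__main__":
    for user, hash_id in non_sha512_entries(SAMPLE_SHADOW):
        print(f"{user}: id {hash_id!r} is not sha512crypt")
```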

