[elbe-devel] [PATCH v2 6/8] proprocess: migrate root and user passwords

Holger Dengler holger at hdengler.de
Mon Jun 27 15:10:34 CEST 2022


Hi Bastian,

thanks for providing this information.

On 27.06.22 14:14, Bastian Germann wrote:
> On 25.06.22 at 12:27, Holger Dengler wrote:
>> I also found the following hint in /etc/pam.d/common-password (sid):
>> "Explanation of pam_unix options: The "yescrypt" option enables hashed passwords using the yescrypt algorithm, introduced in Debian 11.  Without this option, the default is Unix crypt.  Prior releases used the option "sha512"; if a shadow password hash will be shared between Debian 11 and older releases replace "yescrypt" with "sha512" for compatibility."
> 
> That file refers only to the default method. According to crypt(3) (up to buster; bullseye has the xcrypt man):
> 
> "The following values of id are supported:
> 
>               ID  | Method
>               ---------------------------------------------------------
>               1   | MD5
>               2a  | Blowfish (not in mainline glibc; added in some
>                   | Linux distributions)
>               5   | SHA-256 (since glibc 2.7)
>               6   | SHA-512 (since glibc 2.7)"
> 
>> I assume that all releases from stretch to current support sha256 and sha512 (including rounds), but no bcrypt. I currently have no access to a jessie system; maybe someone else can provide some information on which algorithms are supported there. If jessie has no support for sha512 but for sha256, I personally would prefer to use sha256, at least for jessie. I'll prepare v3 (presumably next weekend).
> 
> I have tried to use bcrypt with jessie using the documented 2a prefix over the 2b that is OpenBSD's prefix for it.
> But still I could not log in. So just stick to sha512crypt.

I also tested on an older Ubuntu image (12.04) and it also supports sha512crypt. So I will use only sha512crypt for the XML preprocessing. If someone needs other hash methods, the "passwd_hashed" in XML should be used directly.

-- 
Regards,
Holger Dengler
--
holger at hdengler.de
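
An added example, not part of the original message and not ELBE's code: a small Python parser for the `$id$` hash strings discussed above that accepts only well-formed sha512crypt, the method the thread settles on. The function names, the rounds, salt and digest limits (taken from the SHA-crypt format) and the sample fields are assumptions of this sketch; the digests are constructed placeholders, not real hashes.

```python
import re

# Ids 1, 2a, 5 and 6 come from the crypt(3) table quoted in the thread;
# 2b and y (yescrypt) are the other prefixes the thread mentions.
METHODS = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt",
           "5": "sha256crypt", "6": "sha512crypt", "y": "yescrypt"}
DIGEST_LEN = {"5": 43, "6": 86}   # encoded digest length, SHA-crypt methods
B64 = re.compile(r"[./0-9A-Za-z]+")


def parse_shadow_hash(field):
    """Split a $id$... password field; raise ValueError if malformed."""
    parts = field.split("$")
    if len(parts) < 4 or parts[0] != "" or parts[1] not in METHODS:
        raise ValueError("not a known modular crypt string")
    ident, rest = parts[1], parts[2:]
    info = {"id": ident, "method": METHODS[ident], "rounds": None}
    if ident not in DIGEST_LEN:
        return info               # only the SHA-crypt layout is checked here
    if rest[0].startswith("rounds="):
        rounds = rest.pop(0)[len("rounds="):]
        if not re.fullmatch(r"[0-9]+", rounds):
            raise ValueError("rounds is not a number")
        info["rounds"] = int(rounds)
        if not 1000 <= info["rounds"] <= 999999999:
            raise ValueError("rounds outside 1000..999999999")
    if len(rest) != 2:
        raise ValueError("expected $salt$digest")
    salt, digest = rest
    if len(salt) > 16:
        raise ValueError("salt longer than 16 characters")
    if len(digest) != DIGEST_LEN[ident] or not B64.fullmatch(digest):
        raise ValueError("digest has wrong length or alphabet")
    info.update(salt=salt, digest=digest)
    return info


def is_sha512crypt(field):
    """True only for a well-formed sha512crypt field."""
    try:
        return parse_shadow_hash(field)["method"] == "sha512crypt"
    except ValueError:
        return False


# Constructed sample fields; the digests are placeholders, not real hashes.
SAMPLE_OK = "$6$rounds=5000$saltsalt$" + "A" * 86
SAMPLE_YESCRYPT = "$y$j9T$saltsalt$" + "A" * 43
```

A check like this can run over hashes before they are written to "passwd_hashed", so that a yescrypt or bcrypt hash copied from a newer system is caught before it reaches an image that cannot verify it.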

