#17 Change the default password hash method to yescrypt
Merged 2 years ago by besser82. Opened 3 years ago by besser82.
rpms/ besser82/pam topic/besser82/yescrypt  into  main

file modified
+4 -1
@@ -3,7 +3,7 @@ 

  Summary: An extensible library which provides authentication for applications

  Name: pam

  Version: 1.5.1

- Release: 6%{?dist}

+ Release: 7%{?dist}

  # The library is BSD licensed with option to relicense as GPLv2+

  # - this option is redundant as the BSD license allows that anyway.

  # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@@ -381,6 +381,9 @@ 

  exit 0

  

  %changelog

+ * Thu Jun 10 2021 Björn Esser <besser82@fedoraproject.org> - 1.5.1-7

+ - Change the default password hash method to yescrypt

+ 

  * Thu Jun 10 2021 Björn Esser <besser82@fedoraproject.org> - 1.5.1-6

  - Add a patch to not use crypt_checksalt for password expiration

    Resolves: #1965345, #1967150
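Review bot: the new 1.5.1-7 changelog entry carries no reference, while the 1.5.1-6 entry directly below it has a "Resolves:" line. This entry changes the default hash method for every newly set password, so add a pointer to the change proposal or tracking bug under it so the rationale can be found from the package history.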

file modified
+1 -1
@@ -6,7 +6,7 @@ 

  account     required      pam_unix.so

  

  password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=

- password    sufficient    pam_unix.so try_first_pass use_authtok nullok sha512 shadow

+ password    sufficient    pam_unix.so try_first_pass use_authtok nullok yescrypt shadow

  password    required      pam_deny.so

  

  session     optional      pam_keyinit.so revoke
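Review bot: on the changed pam_unix.so line, yescrypt is selected without a rounds= option, so the cost parameter is left to the library default. Either state in the changelog that the default is intended, or set rounds= explicitly so the work factor is visible in the shipped config and does not shift silently with a libxcrypt update.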

file modified
+1 -1
@@ -6,7 +6,7 @@ 

  account     required      pam_unix.so

  

  password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=

- password    sufficient    pam_unix.so try_first_pass use_authtok nullok sha512 shadow

+ password    sufficient    pam_unix.so try_first_pass use_authtok nullok yescrypt shadow

  password    required      pam_deny.so

  

  session     optional      pam_keyinit.so revoke
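Review bot: the replaced line sits in the password stack, so yescrypt applies only when a password is next set, and existing sha512 entries in the shadow file are left as they are. Say that in the description, and since this second file carries the identical edit, check that no other shipped config still passes sha512 to pam_unix.so.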

The yescrypt hashing method is considered to be much stronger than sha512crypt and fully supported by libxcrypt. It is based on NIST-approved primitives and on par with argon2 in strength.

Freshly installed systems, as well as newly computed hashes for the UNIX shadow file, should prefer this method.

See also:
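Added example, not part of the pull request or the pam package: the changed `password` lines only take effect when a password is set, so older shadow entries keep their previous method until then. This sketch classifies shadow(5) entries by crypt(5) prefix to list the ones not yet on yescrypt; the function names and sample lines are constructed for illustration.

```python
"""Audit which crypt(5) method each shadow(5) entry uses."""

# Hash prefix -> method name, as documented in crypt(5) from libxcrypt.
PREFIXES = [
    ("$y$", "yescrypt"), ("$gy$", "gost-yescrypt"), ("$7$", "scrypt"),
    ("$2a$", "bcrypt"), ("$2b$", "bcrypt"), ("$2y$", "bcrypt"),
    ("$6$", "sha512crypt"), ("$5$", "sha256crypt"), ("$1$", "md5crypt"),
]

# Constructed sample lines; salts and hashes are placeholders, not real values.
SAMPLE_SHADOW = """\
root:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:18788:0:99999:7:::
alice:$y$j9T$CONSTRUCTEDSALT$CONSTRUCTEDHASH:18800:0:99999:7:::
bob:!$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:18700:0:99999:7:::
daemon:*:18500:0:99999:7:::
carol::18790:0:99999:7:::
"""

def classify(field):
    """Return (method, locked) for the password field of one shadow entry."""
    if field == "":
        return "empty", False          # no password at all (relevant with nullok)
    locked = field[0] in "!*"          # leading ! or * means password login is disabled
    body = field.lstrip("!*")
    if not body:
        return "no-hash", True         # "*", "!" or "!!": nothing to rehash
    for prefix, name in PREFIXES:
        if body.startswith(prefix):
            return name, locked
    return "unknown", locked           # e.g. legacy DES, which has no $ prefix

def audit(shadow_text, wanted="yescrypt"):
    """Map user -> (method, locked) for entries whose hash is not `wanted`."""
    stale = {}
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or line.startswith("#"):
            continue
        method, locked = classify(parts[1])
        if method not in (wanted, "no-hash"):
            stale[parts[0]] = (method, locked)
    return stale

if __name__ == "__main__":
    for user, (method, locked) in audit(SAMPLE_SHADOW).items():
        print(f"{user}: {method}{' (locked)' if locked else ''}")
```
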

Metadata Update from @besser82:
- Request assigned

3 years ago

Thanks for the changes, they LGTM!

I'll wait until the SWC has been accepted to merge the request.

rebased onto 9ba9b6c

2 years ago

Build failed. More information on how to proceed and troubleshoot errors available at https://fedoraproject.org/wiki/Zuul-based-ci

Merging, as the SWC has been accepted in yesterday's FESCo meeting.

Pull-Request has been merged by besser82

2 years ago