×

[Unstable Update] Changes to default password hashing algorithm and umask settings – Unstable Updates

Manjaro

[Unstable Update] Changes to default password hashing algorithm and umask settings – Unstable Updates


Hello community,

Another unstable branch update with some (un)usual package updates for you.

In summary, this should not require any manual intervention.

Note that we have our own filesystem package which is currently 2023.09.22-1.

2023-09-22 – David Runge

With shadow >= 4.14.0, Arch Linux’s default password hashing algorithm changed from SHA512 to yescrypt [1].

Furthermore, the umask [2] settings are now configured in /etc/login.defs instead of /etc/profile.

This should not require any manual intervention.

Reasons for Yescrypt

The password-based key derivation function (KDF) and password hashing scheme yescrypt has been chosen due to its adoption (readily available in libxcrypt, which is used by pam [3]) and its stronger resilience towards password cracking attempts over SHA512.

Although the winner of the Password Hashing Competition [4] has been argon2, this even more resilient algorithm is not yet available in libxcrypt [5][6].

Configuring yescrypt

The YESCRYPT_COST_FACTOR setting in /etc/login.defs is currently without effect, until pam implements reading its value [7]. If a YESCRYPT_COST_FACTOR higher (or lower) than the default (5) is needed, it can be set using the rounds option of the pam_unix [8] module (i.e. in /etc/pam.d/system-auth).

General list of changes

  • yescrypt is used as default password hashing algorithm, instead of SHA512
  • pam honors the chosen ENCRYPT_METHOD in /etc/login.defs and does not override the chosen method anymore
  • changes in the filesystem (>= 2023.09.18) and pambase (>= 20230918) packages ensure, that umask is set centrally in /etc/login.defs instead of /etc/profile

[1] yescrypt – scalable KDF and password hashing scheme

[2] umask(1p) — Arch manual pages

[3] PAM – ArchWiki

[4] https://www.password-hashing.net/

[5] [RFC] Add argon2 backend. by ferivoz · Pull Request #113 · besser82/libxcrypt · GitHub

[6] Add support for Argon2 by maandree · Pull Request #150 · besser82/libxcrypt · GitHub

[7] Support reading YESCRYPT_COST_FACTOR from /etc/login.defs · Issue #607 · linux-pam/linux-pam · GitHub

[8] pam_unix(8) — Arch manual pages

Info about AUR packages

AUR (Arch User Repository) packages are neither supported by Arch nor Manjaro. Posts about them in Announcement topics are off-topic and will be flagged, moved or removed without warning.

Get our latest daily developer images now from Github: Plasma, GNOME, XFCE. You can get the latest stable releases of Manjaro from CDN77.

  • No issue, everything went smoothly
  • Yes there was an issue. I was able to resolve it myself.(Please post your solution)
  • Yes i am currently experiencing an issue due to the update. (Please post about it)

Check if your mirror has already synced:

Saw this earlier, with the main bit for most people being

This should not require any manual intervention.

I know, I figured it was time to create a new Unstable Updates thread regardless. :man_shrugging:



2 Likes



Source link