[Unstable Update] Changes to default password hashing algorithm and umask settings – Unstable Updates
Hello community,
Another unstable branch update with some (un)usual package updates for you.
In summary, this should not require any manual intervention.
Note that we have our own filesystem package which is currently 2023.09.22-1.
2023-09-22 – David Runge
With shadow >= 4.14.0, Arch Linux’s default password hashing algorithm changed from SHA512 to yescrypt [1]. Furthermore, the umask [2] settings are now configured in /etc/login.defs instead of /etc/profile.
This should not require any manual intervention.
Reasons for Yescrypt
The password-based key derivation function (KDF) and password hashing scheme yescrypt has been chosen due to its adoption (readily available in libxcrypt, which is used by pam [3]) and its stronger resilience towards password cracking attempts over SHA512.
Although the winner of the Password Hashing Competition [4] has been argon2, this even more resilient algorithm is not yet available in libxcrypt [5][6].
Configuring yescrypt
The YESCRYPT_COST_FACTOR setting in /etc/login.defs is currently without effect, until pam implements reading its value [7]. If a YESCRYPT_COST_FACTOR higher (or lower) than the default (5) is needed, it can be set using the rounds option of the pam_unix [8] module (i.e. in /etc/pam.d/system-auth).
General list of changes
- yescrypt is used as default password hashing algorithm, instead of SHA512
- pam honors the chosen ENCRYPT_METHOD in /etc/login.defs and does not override the chosen method anymore
- changes in the filesystem (>= 2023.09.18) and pambase (>= 20230918) packages ensure that umask is set centrally in /etc/login.defs instead of /etc/profile
[1] yescrypt – scalable KDF and password hashing scheme
[2] umask(1p) — Arch manual pages
[3] PAM – ArchWiki
[4] https://www.password-hashing.net/
[5] [RFC] Add argon2 backend. by ferivoz · Pull Request #113 · besser82/libxcrypt · GitHub
[6] Add support for Argon2 by maandree · Pull Request #150 · besser82/libxcrypt · GitHub
Info about AUR packages
AUR (Arch User Repository) packages are neither supported by Arch nor Manjaro. Posts about them in Announcement topics are off-topic and will be flagged, moved or removed without warning.
Get our latest daily developer images now from Github: Plasma, GNOME, XFCE. You can get the latest stable releases of Manjaro from CDN77.
- No issue, everything went smoothly
- Yes, there was an issue. I was able to resolve it myself. (Please post your solution)
- Yes, I am currently experiencing an issue due to the update. (Please post about it)
Check if your mirror has already synced:
Saw this earlier, with the main bit for most people being
This should not require any manual intervention.
I know, I figured it was time to create a new Unstable Updates thread regardless.
2 Likes
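A check a system owner could run after the change described in the announcement, as an added example that is not from the announcement, Arch or Manjaro: it reads the text of /etc/login.defs, the pam_unix password line and shadow-format entries, then reports which scheme new passwords get and which accounts still hold hashes of another scheme. Function names and sample inputs are constructed, and the precedence of a leftover pam_unix algorithm option over ENCRYPT_METHOD is an assumption.

```python
import re

# crypt(5) hash-id prefixes, named like the matching pam_unix options
SCHEMES = {"y": "yescrypt", "gy": "gost_yescrypt", "7": "scrypt",
           "6": "sha512", "5": "sha256", "1": "md5"}
ALGO_OPTS = {"yescrypt", "gost_yescrypt", "sha512", "sha256", "md5", "bigcrypt", "blowfish"}

def login_defs(text):
    """KEY -> value for the uncommented lines of login.defs."""
    rows = (l.split("#", 1)[0].split() for l in text.splitlines())
    return {r[0]: r[1] for r in rows if len(r) >= 2}

def pam_unix_opts(text):
    """Options on the 'password' line that calls pam_unix.so."""
    for line in text.splitlines():
        f = line.split("#", 1)[0].split()
        if f and f[0].lstrip("-") == "password" and "pam_unix.so" in f:
            return f[f.index("pam_unix.so") + 1:]
    return []

def shadow_schemes(text):
    """account -> scheme for accounts holding a hash (a leading '!' means locked)."""
    out = {}
    for line in text.splitlines():
        f = line.split(":")
        m = re.match(r"!*\$([0-9a-z]+)\$", f[1]) if len(f) > 1 else None
        if m:
            out[f[0]] = SCHEMES.get(m.group(1), "unknown")
    return out

def audit(defs_text, pam_text, shadow_text):
    defs, opts = login_defs(defs_text), pam_unix_opts(pam_text)
    # Assumption: an algorithm option left on the pam_unix line beats ENCRYPT_METHOD.
    forced = [o for o in opts if o in ALGO_OPTS]
    method = (forced[0] if forced else defs.get("ENCRYPT_METHOD", "unset")).lower()
    rounds = next((o.split("=", 1)[1] for o in opts if o.startswith("rounds=")), None)
    # Stored hashes keep their scheme until the password is next changed.
    legacy = sorted(u for u, s in shadow_schemes(shadow_text).items() if s != method)
    return {"method": method, "pam_override": bool(forced), "rounds": rounds,
            "umask": defs.get("UMASK"), "legacy": legacy}

# Constructed sample inputs (not taken from a real system)
DEFS = "UMASK 022\nENCRYPT_METHOD YESCRYPT\n#YESCRYPT_COST_FACTOR 5\n"
PAM_NEW = "password required pam_unix.so try_first_pass nullok shadow rounds=7\n"
PAM_OLD = "password required pam_unix.so try_first_pass nullok shadow sha512\n"
SHADOW = ("root:!$6$SALT$HASH:19600::::::\nalice:$y$j9T$SALT$HASH:19630:0:99999:7:::\n"
          "daemon:!*:19600::::::\n")
if __name__ == "__main__":
    print(audit(DEFS, PAM_NEW, SHADOW), audit(DEFS, PAM_OLD, SHADOW), sep="\n")
```

On a real system the three inputs would be the contents of /etc/login.defs, /etc/pam.d/system-auth and /etc/shadow, the last of which needs root to read.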