(Initial draft, but detailed description.) |
mNo edit summary |
||
Line 21: | Line 21: | ||
* Tracker bug: <will be assigned by the Wrangler> | * Tracker bug: <will be assigned by the Wrangler> | ||
* Release notes tracker: <will be assigned by the Wrangler> | * Release notes tracker: <will be assigned by the Wrangler> | ||
== Detailed Description == | == Detailed Description == |
Revision as of 15:07, 5 June 2021
Use yescrypt as default hashing method for shadow passwords
Summary
Make the yescrypt hashing method the default method used for new user passwords stored in /etc/shadow
.
Owner
- Name: Björn Esser
- Email: besser82@fedoraproject.org
Current status
- Targeted release: Fedora Linux 35
- Last updated: 2021-06-05
- FESCo issue: <will be assigned by the Wrangler>
- Tracker bug: <will be assigned by the Wrangler>
- Release notes tracker: <will be assigned by the Wrangler>
Detailed Description
Also see yescrypt - scalable KDF and password hashing scheme.
Feedback
No feedback, yet.
Benefit to Fedora
yescrypt is the default password hashing scheme on recent ALT Linux, Debian testing, and Kali Linux 2021.1+, so we should adopt it as the default, too. Also, it is already the recommended hashing method in the Fedora CoreOS documentation.
Scope
- Proposal owners: Help with integration for yescrypt support in some packages. See Dependencies.
- Other developers: Integrate yescrypt support in some packages. See Dependencies.
- Release engineering: #Releng issue number
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with Objectives: N/A (not needed for this Change)
Upgrade/compatibility impact
No impact, as password hashes, that have been computed using the former default sha512crypt, will continue to work.
How To Test
- Existing installations: Change your user password and check whether the computed password hash in
/etc/shadow
starts with$y$
. - Fresh installations: Check whether the password hash(es) for the user(s) created by anaconda in
/etc/shadow
start(s) with$y$
.
User Experience
No user visible changes, but they can rely on safer hashing for their user passwords.
Dependencies
- anaconda: https://github.com/rhinstaller/anaconda/pull/3431
- authselect: https://github.com/authselect/authselect/pull/253
- shadow-utils: https://src.fedoraproject.org/rpms/shadow-utils/pull-request/10
- pam: Is already capable to use yescrypt.
- libxcrypt: Is already capable for computing yescrypt hashes.
Contingency Plan
- Blocks release? Yes
Partially revert the changes, that have been applied to anaconda, authselect and shadow-utils, and rebuild those packages.