mNo edit summary |
(Add releng issue no) |
||
| Line 39: | Line 39: | ||
* Proposal owners: Help with integration for yescrypt support in some packages. See Dependencies. | * Proposal owners: Help with integration for yescrypt support in some packages. See Dependencies. | ||
* Other developers: Integrate yescrypt support in some packages. See Dependencies. | * Other developers: Integrate yescrypt support in some packages. See Dependencies. | ||
* Release engineering: [https://pagure.io/releng/issues # | * Release engineering: [https://pagure.io/releng/issues/10150 #10150] | ||
* Policies and guidelines: N/A (not needed for this Change) | * Policies and guidelines: N/A (not needed for this Change) | ||
* Trademark approval: N/A (not needed for this Change) | * Trademark approval: N/A (not needed for this Change) | ||
Revision as of 15:12, 5 June 2021
Use yescrypt as default hashing method for shadow passwords
Summary
Make the yescrypt hashing method the default method used for new user passwords stored in /etc/shadow.
Owner
- Name: Björn Esser
- Email: besser82@fedoraproject.org
Current status
- Targeted release: Fedora Linux 35
- Last updated: 2021-06-05
- FESCo issue: <will be assigned by the Wrangler>
- Tracker bug: <will be assigned by the Wrangler>
- Release notes tracker: <will be assigned by the Wrangler>
Detailed Description
Also see yescrypt - scalable KDF and password hashing scheme.
Feedback
No feedback, yet.
Benefit to Fedora
yescrypt is the default password hashing scheme on recent ALT Linux, Debian testing, and Kali Linux 2021.1+, so we should adopt it as the default, too. Also, it is already the recommended hashing method in the Fedora CoreOS documentation.
Scope
- Proposal owners: Help with integration for yescrypt support in some packages. See Dependencies.
- Other developers: Integrate yescrypt support in some packages. See Dependencies.
- Release engineering: #10150
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with Objectives: N/A (not needed for this Change)
Upgrade/compatibility impact
No impact, as password hashes, that have been computed using the former default sha512crypt, will continue to work.
How To Test
- Existing installations: Change your user password and check whether the computed password hash in
/etc/shadowstarts with$y$. - Fresh installations: Check whether the password hash(es) for the user(s) created by anaconda in
/etc/shadowstart(s) with$y$.
User Experience
No user visible changes, but they can rely on safer hashing for their user passwords.
Dependencies
- anaconda: https://github.com/rhinstaller/anaconda/pull/3431
- authselect: https://github.com/authselect/authselect/pull/253
- shadow-utils: https://src.fedoraproject.org/rpms/shadow-utils/pull-request/10
- pam: Is already capable to use yescrypt.
- libxcrypt: Is already capable for computing yescrypt hashes.
Contingency Plan
- Blocks release? Yes
Partially revert the changes, that have been applied to anaconda, authselect and shadow-utils, and rebuild those packages.