Revision as of 15:16, 5 June 2021
Use yescrypt as default hashing method for shadow passwords
Summary
Make the yescrypt hashing method the default method used for new user passwords stored in /etc/shadow.
Owner
- Name: Björn Esser
- Email: besser82@fedoraproject.org
Current status
- Targeted release: Fedora Linux 35
- Last updated: 2021-06-05
- FESCo issue: <will be assigned by the Wrangler>
- Tracker bug: <will be assigned by the Wrangler>
- Release notes tracker: <will be assigned by the Wrangler>
Detailed Description
Also see yescrypt - scalable KDF and password hashing scheme (https://www.openwall.com/yescrypt/) and the discussion on the Debian bugtracker (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=978553).
Feedback
No feedback, yet.
Benefit to Fedora
yescrypt is the default password hashing scheme on recent ALT Linux, Debian testing, and Kali Linux 2021.1+, so we should adopt it as the default, too. Also, it is already the recommended hashing method in the Fedora CoreOS documentation.
Scope
- Proposal owners: Help with integration for yescrypt support in some packages. See Dependencies.
- Other developers: Integrate yescrypt support in some packages. See Dependencies.
- Release engineering: #10150
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with Objectives: N/A (not needed for this Change)
Upgrade/compatibility impact
No impact: password hashes that were computed using the former default, sha512crypt, will continue to work.
How To Test
- Existing installations: Change your user password and check whether the computed password hash in /etc/shadow starts with $y$.
- Fresh installations: Check whether the password hash(es) for the user(s) created by anaconda in /etc/shadow start(s) with $y$.
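To audit a whole system after the change rather than one account at a time, here is an added Python example (not from this Change page or from any of the packages it lists) that classifies each /etc/shadow entry by its crypt(5) hash prefix and lists the users whose stored hash is still sha512crypt or older; the shadow lines are constructed and their salts and hash bodies are placeholders.

```python
import re

# crypt(5) hash-id prefixes as produced by libxcrypt.
HASH_METHODS = {"$y$": "yescrypt", "$gy$": "gost-yescrypt", "$7$": "scrypt",
                "$2b$": "bcrypt", "$6$": "sha512crypt", "$5$": "sha256crypt",
                "$1$": "md5crypt"}

# Shape of a yescrypt string: $y$<params>$<salt>$<hash>, all in the crypt base64 alphabet.
YESCRYPT_RE = re.compile(r"^\$y\$[./0-9A-Za-z]+\$[./0-9A-Za-z]*\$[./0-9A-Za-z]+$")

# Constructed shadow(5) lines for the demo; salts and hash bodies are placeholders, not real hashes.
SAMPLE_SHADOW = """\
root:$y$j9T$CONSTRUCTEDsalt$CONSTRUCTEDhashBODY0:18783:0:99999:7:::
alice:$6$CONSTRUCTEDsalt$CONSTRUCTEDhashBODY1:18500:0:99999:7:::
bob:!$6$CONSTRUCTEDsalt$CONSTRUCTEDhashBODY2:18500:0:99999:7:::
daemon:*:18400:0:99999:7:::
svc:!!:18400:0:99999:7:::
guest::18400:0:99999:7:::
"""


def classify_hash(field):
    """Return (status, method) for the password field of one shadow entry."""
    if field == "":
        return "empty", None                # no password at all
    locked = field.startswith("!")          # usermod -L / passwd -l prepend '!' but keep the hash
    body = field.lstrip("!")
    if body in ("", "*"):
        return "locked", None               # locked with no usable hash behind the lock
    method = next((m for p, m in HASH_METHODS.items() if body.startswith(p)), "unknown")
    if method == "yescrypt" and not YESCRYPT_RE.match(body):
        method = "malformed-yescrypt"
    return ("locked" if locked else "active"), method


def audit_shadow(text):
    """Parse shadow-format text into a list of (user, status, method) tuples."""
    results = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] and not line.startswith("#"):
            status, method = classify_hash(fields[1])
            results.append((fields[0], status, method))
    return results


def legacy_users(text):
    """Users still on a non-yescrypt hash: these keep working, but only a password change rehashes them."""
    return sorted(u for u, _status, method in audit_shadow(text) if method not in (None, "yescrypt"))
```

Run it against the real file as root (`audit_shadow(open("/etc/shadow").read())`) to see which accounts still need a password change before their hashes are yescrypt.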
User Experience
No user visible changes, but they can rely on safer hashing for their user passwords.
Dependencies
- anaconda: https://github.com/rhinstaller/anaconda/pull/3431
- authselect: https://github.com/authselect/authselect/pull/253
- shadow-utils: https://src.fedoraproject.org/rpms/shadow-utils/pull-request/10
- pam: Already capable of using yescrypt.
- libxcrypt: Already capable of computing yescrypt hashes.
Contingency Plan
- Blocks release? Yes
Partially revert the changes that have been applied to anaconda, authselect and shadow-utils, and rebuild those packages.