Hi,

thanks. I've opened a report upstream.
https://github.com/shadow-maint/shadow/issues/1483

On Wed, Jan 07, 2026 at 09:24:35AM +0100, Marc Haber wrote:
> On Wed, Jan 07, 2026 at 08:58:15AM +0100, Marc Haber wrote:
> > This is even worse now, chpasswd won't accept a perfectly valid yescrypt
> > hash:
> > 
> > $ echo 9hKGOX79oaP4FEhQ2xQ6wLvPXsTTUtPiYu4QCXsc | mkpasswd --hash=yescrypt --stdin
> > $y$j9T$VPuG6eC6CTZG7fxHR1YwP0$kZeswr5rIJKCXbeLvE/R412AO4vB1HLwuBrqg1nnPU4
> > # echo "aust:$y$j9T$VPuG6eC6CTZG7fxHR1YwP0$kZeswr5rIJKCXbeLvE/R412AO4vB1HLwuBrqg1nnPU4" | chpasswd --encrypted
> > chpasswd: (line 1, user aust) invalid password hash
> > chpasswd: error detected, changes ignored
> > 
> > I think that would now warrant Severity: serious.
> 
> # echo "aust:*" | chpasswd --encrypted
> chpasswd: (line 1, user aust) invalid password hash
> chpasswd: error detected, changes ignored

I'm kinda onboard with rejecting things that are not actual hashes, 
because that would seem consistent to me with what chpasswd is 
supposed to do.

However breaking yescrypt hashes is quite something.

I'll disable the entire check in 4.19.0-3, and we'll see what 
upstream says.

Best,
Chris
