On Wed, Jan 07, 2026 at 11:18:49AM +0100, Chris Hofstaedtler wrote:
> Hi,
>
> thanks. I've opened a report upstream.
> https://github.com/shadow-maint/shadow/issues/1483
>
> On Wed, Jan 07, 2026 at 09:24:35AM +0100, Marc Haber wrote:
> > On Wed, Jan 07, 2026 at 08:58:15AM +0100, Marc Haber wrote:
> > > This is even worse now, chpasswd won't accept a perfectly valid yescrypt
> > > hash:
> > >
> > > $ echo 9hKGOX79oaP4FEhQ2xQ6wLvPXsTTUtPiYu4QCXsc | mkpasswd --hash=yescrypt --stdin
> > > $y$j9T$VPuG6eC6CTZG7fxHR1YwP0$kZeswr5rIJKCXbeLvE/R412AO4vB1HLwuBrqg1nnPU4
> > > # echo "aust:$y$j9T$VPuG6eC6CTZG7fxHR1YwP0$kZeswr5rIJKCXbeLvE/R412AO4vB1HLwuBrqg1nnPU4" | chpasswd --encrypted
> > > chpasswd: (line 1, user aust) invalid password hash
> > > chpasswd: error detected, changes ignored
> > >
> > > I think that would now warrant Severity: serious.
> >
> > # echo "aust:*" | chpasswd --encrypted
> > chpasswd: (line 1, user aust) invalid password hash
> > chpasswd: error detected, changes ignored
>
> I'm kinda onboard with rejecting things that are not actual hashes,
> because that would seem consistent to me with what chpasswd is
> supposed to do.
>
> However breaking yescrypt hashes is quite something.

Yeah, this must be an unintended bug in

    commit c44f1e096a19a7d356da5969295393247e61874f
    Author: vinz <[email protected]>
    Date:   Fri Jul 11 16:08:22 2025 +0000

        chpasswd: Check hash before write when using -e

Definitely not intentional. vinz, do you have time to take a look?
(If not, then I'll find time tonight).

> I'll disable the entire check in 4.19.0-3, and we'll see what
> upstream says.
>
> Best,
> Chris
>
> _______________________________________________
> Pkg-shadow-devel mailing list
> [email protected]
> https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-shadow-devel

