Your message dated Thu, 18 Mar 2021 21:27:12 +0100
with message-id <[email protected]>
and subject line Re: Bug#981693: Default Password hash Changes to Yescript for
Bullseye
has caused the Debian Bug report #981693,
regarding Default Password hash Changes to Yescript for Bullseye
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
981693: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=981693
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
package: release-notes
x-debbuggs-cc: [email protected]
Hi. I've never filed one of these before, and I'm in the middle of
several other things, so I decided to file the bug even if I get it not
quite right rather than forgetting.
Pam 1.4.0-3 changes the default password hash to yescript. That means
that users may get a security improvement if they reset their
passwords. It also has compatibility implications.
I'd recommend text like the following for the release notes
Password Hashing Uses Yescript by Default
The default password hash for local system accounts has been changed to
yescrypt (https://www.openwall.com/yescrypt/ ). This is expected to
provide improve security against dictionary-based password guessing
attacks, focusing both on the space as well as time complexity of the
attack.
To take advantage of this improved security, change local passwords; for
example use the `passwd` command.
Old passwords will continue to work using whatever password hash was
used to create them.
Yescrypt is not supported by Debian 10 (Buster). As a result, shadow
password files (`/etc/shadow`) cannot be copied from a Debian 11 system
back to a Debian 10 system. If these files are copied, passwords that
have been changed on the Debian 11 system will not work on the Debian 10
system.
Similarly, password hashes cannot be cut&paste from a Debian 11 to a
Debian 10 system.
If compatibility is required for password hashes between Debian 11 and
Debian 10, modify `/etc/pam.d/common-password`. Find the line that
looks like:
password [success=1 default=ignore] pam_unix.so obscure
yescrypt
and replace `yescrypt` with `sha512`.
signature.asc
Description: PGP signature
--- End Message ---
--- Begin Message ---
Hi Sam,
On 18-03-2021 16:05, Justin B Rye wrote:
> Paul Gevers wrote:
>> index fbe357b8..f3ff6d48 100644
>> --- a/en/issues.dbk
>> +++ b/en/issues.dbk
>> @@ -82,6 +82,45 @@ information mentioned in <xref linkend="morereading"/>.
>> </para>
>> </section>
>>
>> + <section id="pam-default-password">
>> + <!-- buster to bullseye -->
>> + <title>Password hashing uses yescript by default</title>
>> + <para>
>> + The default password hash for local system accounts has been
>> + changed to <ulink
>> + url="https://www.openwall.com/yescrypt/";>yescrypt</ulink>. This
>> + is expected to provide improve security against dictionary-based
> ^d
>> + password guessing attacks, focusing both on the space as well as
>> + time complexity of the attack.
>
> Just what could it change to make such attacks harder *besides* space
> or time complexity? If you're focusing on everything, you're not
> focusing on anything! So I'd say it as
>
> is expected to provide improved security against dictionary-based
> password guessing attacks, in terms of both the space and time
> complexity of the attack.
>
>> + </para>
>> + <para>
>> + To take advantage of this improved security, change local
>> + passwords; for example use the <command>passwd</command> command.
>> + </para>
>> + <para>
>> + Old passwords will continue to work using whatever password hash
>> + was used to create them.
>> + </para>
>> + <para>
>> + Yescrypt is not supported by Debian 10 (buster). As a result,
>> + shadow password files (<filename>/etc/shadow</filename>) cannot be
>> + copied from a bullseye system back to a buster system. If these
>> + files are copied, passwords that have been changed on the bullseye
>> + system will not work on the buster system. Similarly, password
>> + hashes cannot be cut&aml;paste from a bullseye to a buster system.
> ^ ^
> That's &, and another lost inflection.
>
> hashes cannot be cut&pasted from a bullseye to a buster system.
>
>> + </para>
>> + <para>
>> + If compatibility is required for password hashes between bullseye
>> + and buster, modify
>> + <filename>/etc/pam.d/common-password</filename>. Find the line
>> + that looks like:
>> + <programlisting>
>> + password [success=1 default=ignore] pam_unix.so obscure yescrypt
>> + </programlisting>
>> + and replace <literal>yescrypt</literal> with
>> <literal>sha512</literal>.
>> + </para>
>> + </section>
>
> (This seems a rather obscure corner case, but why not.)
With some minor updates, this is now committed.
Thanks
Paul
OpenPGP_signature
Description: OpenPGP digital signature
--- End Message ---
