On Tue, Jun 8, 2021 at 2:46 PM Zbigniew Jędrzejewski-Szmek < zbys...@in.waw.pl> wrote:
> On Tue, Jun 08, 2021 at 03:18:10PM +0200, Björn 'besser82' Esser wrote: > > Am Di., 8. Juni 2021 um 14:35 Uhr schrieb Richard W.M. Jones > > <rjo...@redhat.com>: > > > > > > On Mon, Jun 07, 2021 at 02:59:54PM -0400, Ben Cotton wrote: > > > > == Dependencies == > > > > * anaconda: https://github.com/rhinstaller/anaconda/pull/3431 > > > > * authselect: https://github.com/authselect/authselect/pull/253 > > > > * libuser: WIP ongoing > > > > * shadow-utils: > https://src.fedoraproject.org/rpms/shadow-utils/pull-request/10 > > > > > > > > * pam: Is already capable to use yescrypt. > > > > * libxcrypt: Is already capable for computing yescrypt hashes. > > > > > > libguestfs (virt-customize etc.) might also need changing. What > > > happens if a new user account is created with (eg) $6$ sha512. Does > > > it use that scheme forever? Attempt to upgrade it? Break? > > > > Well, yes, that needs to be updated, too, but it's written in OCAML… > > I suppose, you want to volunteer, and get a well deserved F35 change > > badge for doing so?! :P > > > > If a user account is created with a sha512crypt hash, it will keep it > > as long as the password remains unchanged. I'm currently thinking of > > a way to migrate all local users to use yescrypt hashes, but it's not > > that easy: Human users could be prompted on first login to change > > their password, if the hash in shadow is not yescrypt - there is a way > > to force that. But what about local users with older password hashes > > that get logged in by any non-human interaction, like www-cron; those > > would need to be updated manually by the system admin. Maybe I can > > write a CLI-tool for doing so. > > > > Unfortunately there is no automatic way to update the hash from > > anything, but yescrypt, to yescrypt without knowing / entering the > > actual user password; > > I think it's better to leave existing passwords in place. You can't > really force people to log in as all users, so the only realistic > scenario is to keep existing passwords if there's more than one user. > > And I don't think there's a reason to try to force immediate password > switch. As far as we know, previous defaults like sha256 are OK. > Yes, please do not force users to change their password just to use the new hash. Fedora can be used as a personal workstation distribution, so people may have their own policies/decisions on when they want to change passwords - and simply upgrading the OS may not be part of that policy. -Ian
_______________________________________________ devel mailing list -- devel@lists.fedoraproject.org To unsubscribe send an email to devel-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure