From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [RFC access-control/common 0/3] hash passwords using yescrypt
Date: Mon, 31 Mar 2025 12:03:31 +0200 [thread overview]
Message-ID: <20250331100334.252390-1-f.gruenbichler@proxmox.com> (raw)
Debian switched the default hash algorithm for /etc/shadow to yescrypt
for Bullseye. Our installer uses it for the root password set during
installation. But any PAM/PVE user created over the API, or any password
change triggered afterwards for such users, will fallback to
sha256crypt.
Since the helper in pve-common is also used by cloud-init (which is
stuck not supporting yescrypt for the time being for unrelated reasons),
make the new behaviour opt-in (which might be handy for future
migrations as well).
sending as RFC in case I missed some usage of this, and also to discuss
whether we might just want to move PVE/PAM realms over to a proxmox-sys
perlmod-wrapped helper instead (proxmox-sys and thus PBS defaults to
yescrypt and binds to the C lib interfaces that actually allow
specifying hashing parameters somewhat sanely)
pve-access-control:
Fabian Grünbichler (1):
PVE/PAM: switch to yescrypt by default
src/PVE/Auth/PAM.pm | 2 +-
src/PVE/Auth/PVE.pm | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
pve-common:
Fabian Grünbichler (2):
encrypt_pw: allow yescrypt in addition to sha256
encrypt_pw: check return value matches expected format
src/PVE/Tools.pm | 20 ++++++++++++++++++--
1 file changed, 18 insertions(+), 2 deletions(-)
--
2.39.5
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
next reply other threads:[~2025-03-31 10:03 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-31 10:03 Fabian Grünbichler [this message]
2025-03-31 10:03 ` [pve-devel] [PATCH access-control 1/1] PVE/PAM: switch to yescrypt by default Fabian Grünbichler
2025-03-31 10:03 ` [pve-devel] [PATCH common 1/2] encrypt_pw: allow yescrypt in addition to sha256 Fabian Grünbichler
2025-03-31 10:42 ` Shannon Sterz
2025-04-07 19:26 ` [pve-devel] applied: " Thomas Lamprecht
2025-03-31 10:03 ` [pve-devel] [PATCH common 2/2] encrypt_pw: check return value matches expected format Fabian Grünbichler
2025-04-07 19:27 ` [pve-devel] applied: " Thomas Lamprecht
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250331100334.252390-1-f.gruenbichler@proxmox.com \
--to=f.gruenbichler@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal