From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id C0FF61FF13E for ; Fri, 06 Feb 2026 11:53:01 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 5617D24D9A; Fri, 6 Feb 2026 11:53:35 +0100 (CET) Date: Fri, 6 Feb 2026 11:53:28 +0100 From: Stoiko Ivanov To: Samuel FORESTIER Subject: Re: [pmg-devel] [PATCH pmg-api 0/1] user config: password: allows (gost-)yescrypt, hashes Message-ID: <20260206115328.74115c4a@rosa.proxmox.com> In-Reply-To: <576e113b-a610-47d6-99fa-c980e8c96e57@forestier.app> References: <576e113b-a610-47d6-99fa-c980e8c96e57@forestier.app> X-Mailer: Claws Mail 4.3.1 (GTK 3.24.49; x86_64-pc-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1770375130308 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.069 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to Validity was blocked. See https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more information. SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Message-ID-Hash: GPYNBHHGDV2HN3HOEJTSM4CX6XBCH7IL X-Message-ID-Hash: GPYNBHHGDV2HN3HOEJTSM4CX6XBCH7IL X-MailFrom: s.ivanov@proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: pmg-devel@lists.proxmox.com X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox Mail Gateway development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: Hi, Thank you for the patch and your interest in contributing to Proxmox Mail Gateway! question/comment inline: On Fri, 23 Jan 2026 18:13:16 +0000 Samuel FORESTIER wrote: > From 208b1364b8b83324aef594eb66794c231e162cb9 Mon Sep 17 00:00:00 2001 > From: Samuel FORESTIER > Date: Fri, 23 Jan 2026 18:45:43 +0100 > Subject: [PATCH pmg-api 0/1] user config: password: allows > (gost-)yescrypt hashes > > Dear developers, > > This patch extends user config 'crypt_pass' field validation pattern to > support > yescrypt and gost-yescrypt hash formats (regarding crypt(5) documentation). > This allows direct synchronization of PAM users to PMG realm, when their > passwords are hashed using yescrypt. It is possible to create a user in the PAM realm (just like in our other products) - then you can simply login with the user - and their password should be checked by PAM. This has the advantage that you do not duplicate the password information and it stays consistent. Currently creating users with realm PAM in the GUI is disabled (afair simply because we haven't seen reports where people would want to have many system-users as users in their PMG), but this could potentially be allowed - if there is a use-case which benefits from this. see: https://bugzilla.proxmox.com/show_bug.cgi?id=6488 for the request to hide the realm (expecting it not to be needed) What is your use-case - how do you create the users on the system, and would there be any upside for you to keep 2 copies of the password (compared to having the user@pam directly ask PAM)? Regarding the patch itself allowing other password-hashes (and maybe changing the default to yescrypt - as currently recommended by mkpasswd) might be ok. Thanks again! stoiko > > BR > > Samuel FORESTIER (1): > user config: password: allows (gost-)yescrypt hashes > > src/PMG/UserConfig.pm | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) >