[pmg-devel] [PATCH pmg-api 0/1] user config: password: allows (gost-)yescrypt, hashes

[pmg-devel] [PATCH pmg-api 0/1] user config: password: allows (gost-)yescrypt, hashes

[Samuel FORESTIER]

 From 208b1364b8b83324aef594eb66794c231e162cb9 Mon Sep 17 00:00:00 2001
From: Samuel FORESTIER <samuel+dev@forestier.app>
Date: Fri, 23 Jan 2026 18:45:43 +0100
Subject: [PATCH pmg-api 0/1] user config: password: allows 
(gost-)yescrypt hashes

Dear developers,

This patch extends user config 'crypt_pass' field validation pattern to 
support
yescrypt and gost-yescrypt hash formats (regarding crypt(5) documentation).
This allows direct synchronization of PAM users to PMG realm, when their
passwords are hashed using yescrypt.

BR

Samuel FORESTIER (1):
   user config: password: allows (gost-)yescrypt hashes

  src/PMG/UserConfig.pm | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

-- 
2.39.5


_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel

[pmg-devel] [PATCH pmg-api 1/1] user config: password: allows (gost-)yescrypt hashes

[Samuel FORESTIER]

 From 208b1364b8b83324aef594eb66794c231e162cb9 Mon Sep 17 00:00:00 2001
From: Samuel FORESTIER <samuel+dev@forestier.app>
Date: Fri, 23 Jan 2026 18:33:06 +0100
Subject: [PATCH pmg-api 1/1] user config: password: allows 
(gost-)yescrypt hashes

Signed-off-by: Samuel FORESTIER <samuel+dev@forestier.app>
---
  src/PMG/UserConfig.pm | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/PMG/UserConfig.pm b/src/PMG/UserConfig.pm
index 5ee7333..c672af9 100644
--- a/src/PMG/UserConfig.pm
+++ b/src/PMG/UserConfig.pm
@@ -109,7 +109,7 @@ my $schema = {
          crypt_pass => {
              description => "Encrypted password (see `man crypt`)",
              type => 'string',
-            pattern => '\$\d\$[a-zA-Z0-9\.\/]+\$[a-zA-Z0-9\.\/]+',
+            pattern => 
'\$(?:\d|g?y\$[a-zA-Z0-9\.\/]+)\$[a-zA-Z0-9\.\/]+\$[a-zA-Z0-9\.\/]+',
              optional => 1,
          },
          role => {
-- 
2.39.5


_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel

Re: [pmg-devel] [PATCH pmg-api 0/1] user config: password: allows (gost-)yescrypt, hashes

[Stoiko Ivanov]

Hi,

Thank you for the patch and your interest in contributing to Proxmox Mail
Gateway!

question/comment inline:
On Fri, 23 Jan 2026 18:13:16 +0000
Samuel FORESTIER <samuel+dev@forestier.app> wrote:

>  From 208b1364b8b83324aef594eb66794c231e162cb9 Mon Sep 17 00:00:00 2001
> From: Samuel FORESTIER <samuel+dev@forestier.app>
> Date: Fri, 23 Jan 2026 18:45:43 +0100
> Subject: [PATCH pmg-api 0/1] user config: password: allows 
> (gost-)yescrypt hashes
> 
> Dear developers,
> 
> This patch extends user config 'crypt_pass' field validation pattern to 
> support
> yescrypt and gost-yescrypt hash formats (regarding crypt(5) documentation).
> This allows direct synchronization of PAM users to PMG realm, when their
> passwords are hashed using yescrypt.
It is possible to create a user in the PAM realm (just like in our other
products) - then you can simply login with the user - and their password
should be checked by PAM. This has the advantage that you do not duplicate
the password information and it stays consistent.

Currently creating users with realm PAM in the GUI is disabled (afair
simply because we haven't seen reports where people would want to have
many system-users as users in their PMG), but this could potentially be
allowed - if there is a use-case which benefits from this.
see: https://bugzilla.proxmox.com/show_bug.cgi?id=6488 for the request to
hide the realm (expecting it not to be needed)

What is your use-case - how do you create the users on the system, and
would there be any upside for you to keep 2 copies of the password
(compared to having the user@pam directly ask PAM)?

Regarding the patch itself allowing other password-hashes (and maybe
changing the default to yescrypt - as currently recommended by mkpasswd)
might be ok.

Thanks again!
stoiko


> 
> BR
> 
> Samuel FORESTIER (1):
>    user config: password: allows (gost-)yescrypt hashes
> 
>   src/PMG/UserConfig.pm | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 

Re: [pmg-devel] [PATCH pmg-api 0/1] user config: password: allows (gost-)yescrypt, hashes

[Stoiko Ivanov]

On Fri, 6 Feb 2026 11:53:28 +0100
Stoiko Ivanov <s.ivanov@proxmox.com> wrote:

> Hi,
>..snip..
> It is possible to create a user in the PAM realm (just like in our other
> products) - then you can simply login with the user - and their password
> should be checked by PAM. This has the advantage that you do not duplicate
> the password information and it stays consistent.
Seems I was mistaken on that - currently we do have a few checks which
only allow root in the pam realm - but that could be changed to be more in
line with the other products - if the use-case of having many system-users
accessing PMG is there.