From: Samuel FORESTIER <samuel+dev@forestier.app>
To: Stoiko Ivanov <s.ivanov@proxmox.com>
Cc: pmg-devel@lists.proxmox.com
Subject: Re: [pmg-devel] [PATCH pmg-api 0/1] user config: password: allows (gost-)yescrypt, hashes
Date: Sun, 08 Feb 2026 13:26:02 +0000 [thread overview]
Message-ID: <2b4c5404-bb61-4a91-8eb2-681b8f20e406@forestier.app> (raw)
In-Reply-To: <20260206115328.74115c4a@rosa.proxmox.com>
Hi Stoiko!
Thanks for your feedback, my responses inline.
BR
Stoiko Ivanov wrote:
> It is possible to create a user in the PAM realm (just like in our other
> products) - then you can simply login with the user - and their password
> should be checked by PAM. This has the advantage that you do not duplicate
> the password information and it stays consistent.
>
> Currently creating users with realm PAM in the GUI is disabled (afair
> simply because we haven't seen reports where people would want to have
> many system-users as users in their PMG), but this could potentially be
> allowed - if there is a use-case which benefits from this.
> see: https://bugzilla.proxmox.com/show_bug.cgi?id=6488 for the request to
> hide the realm (expecting it not to be needed)
Indeed it would have been possible to do so, but as you pointed out, PMG
currently doesn't honor system users through the PAM realm (bar root
itself, mainly for node bootstrapping and to limit the number of
passwords, I guess).
> What is your use-case - how do you create the users on the system, and
> would there be any upside for you to keep 2 copies of the password
> (compared to having the user@pam directly ask PAM)?
In my use case, PMG users are provisioned through a system configuration
manager, which doesn't know password clear texts (yescrypt hashes are
directly passed to shadow). These users are then synchronized from PAM
to PMG realm, by still using their hashed passwords.
As of PMG 9.0, this patch is the only quick win I've come up with so far.
> Regarding the patch itself allowing other password-hashes (and maybe
> changing the default to yescrypt - as currently recommended by mkpasswd)
> might be ok.
Awesome! No strong opinion about improving consistency across other
Proxmox products or _simply_ applying this patch to PMG, to extend
UserConfig compatibility with more CRYPT(5)-supported hash types.
From a security point of view, I second your idea of defaulting to
yescrypt in the future, maybe in the next major PMG release (according
to your roadmap and "important" changes policy regarding semantic
versioning).
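As an added illustration (not code from this thread, from the patch, or from pmg-api, which is written in Perl), the following Python sketch shows the kind of gate a PAM-to-application password sync would need once more crypt(5) hash types are accepted: it parses shadow(5) lines, checks each hash string against the field layout crypt(5) documents for its identifier, skips locked and passwordless accounts, and refuses to copy weak legacy methods. The accept list, the field rules and the sample shadow entries are this example's own assumptions; verifying a password against a hash is still left to the system libcrypt, exactly as PAM does, and is not shown here.

```python
"""Decide which /etc/shadow hashes may be copied verbatim into an application
user database. Example code with its own policy; not taken from PMG."""
import re
from dataclasses import dataclass

B64 = r"[./0-9A-Za-z]"  # the crypt(5) base64 alphabet

# crypt(5) identifiers known to this example -> (method name, allowed to sync?).
# The second element is this example's policy, not something crypt(5) mandates:
# only methods libxcrypt documents as suitable for new passwords are propagated.
HASH_METHODS = {
    "y":  ("yescrypt", True),
    "gy": ("gost-yescrypt", True),
    "7":  ("scrypt", True),
    "2b": ("bcrypt", True),
    "6":  ("sha512crypt", True),
    "5":  ("sha256crypt", True),
    "1":  ("md5crypt", False),
}

# (number of '$'-separated fields after the identifier, fixed hash length or None)
FIELD_RULES = {
    "y": (3, None), "gy": (3, None), "7": (3, None),
    "2b": (2, 53),            # cost$salt+hash, salt and hash are concatenated
    "6": (2, 86), "5": (2, 43),  # optional leading "rounds=N$" is stripped first
    "1": (2, 22),
}

_MODULAR = re.compile(r"^\$(?P<id>[a-z0-9]+)\$(?P<rest>[./0-9A-Za-z$=]+)$")


@dataclass(frozen=True)
class HashInfo:
    method: str
    accepted: bool
    reason: str


def classify_hash(h: str) -> HashInfo:
    """Name the crypt(5) method of `h`, validate its shape, apply the policy."""
    if re.fullmatch(B64 + "{13}", h):
        return HashInfo("descrypt", False, "legacy DES, 8-character password limit")
    m = _MODULAR.match(h)
    if not m:
        return HashInfo("unknown", False, "not a crypt(5) hash string")
    ident, rest = m.group("id"), m.group("rest")
    if ident not in HASH_METHODS:
        return HashInfo("unknown", False, f"unsupported identifier ${ident}$")
    name, policy_ok = HASH_METHODS[ident]
    fields = rest.split("$")
    if ident in ("5", "6") and fields and fields[0].startswith("rounds="):
        fields = fields[1:]  # explicit cost is fine, it just is not part of the layout
    n_fields, hash_len = FIELD_RULES[ident]
    if len(fields) != n_fields or not all(re.fullmatch(B64 + "+", f) for f in fields):
        return HashInfo(name, False, "malformed: unexpected field layout")
    if hash_len is not None and len(fields[-1]) != hash_len:
        return HashInfo(name, False,
                        f"malformed: hash field is {len(fields[-1])} chars, expected {hash_len}")
    if not policy_ok:
        return HashInfo(name, False, "weak or legacy method, refusing to propagate")
    return HashInfo(name, True, "ok")


def parse_shadow_line(line: str):
    """Return (user, password field) from a shadow(5) record."""
    parts = line.rstrip("\n").split(":")
    if len(parts) < 2:
        raise ValueError(f"not a shadow(5) line: {line!r}")
    return parts[0], parts[1]


def sync_candidates(shadow_text: str):
    """Split accounts into those whose hash may be copied and those refused.

    Returns (accepted: {user: hash}, rejected: {user: reason}). Accounts with an
    empty password field, a locked hash ('!...') or no login ('*') are skipped
    silently: there is no usable password to synchronise."""
    accepted, rejected = {}, {}
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, pw = parse_shadow_line(line)
        if pw == "" or pw.startswith(("!", "*")):
            continue
        info = classify_hash(pw)
        if info.accepted:
            accepted[user] = pw
        else:
            rejected[user] = f"{info.method}: {info.reason}"
    return accepted, rejected


# Constructed sample shadow file; the hash values are shape-valid placeholders,
# not real password hashes.
SAMPLE_SHADOW = "\n".join([
    "root:$y$j9T$F5Jx5fExrKuPp53xLKQ..1$X3DX6M94c7o.9agCG9G317fhZg9SqC.5i5rd.RhAtQ7:19000:0:99999:7:::",
    "alice:$gy$j9T$saltsaltsaltsalt$" + "h" * 43 + ":19000:0:99999:7:::",
    "bob:$6$rounds=5000$saltsalt$" + "x" * 86 + ":19000:0:99999:7:::",
    "carol:$1$abcdefgh$" + "m" * 22 + ":19000:0:99999:7:::",      # md5crypt: refused
    "dave:!$y$j9T$saltsaltsaltsalt$" + "h" * 43 + ":19000:0:99999:7:::",  # locked
    "daemon:*:19000:0:99999:7:::",                                   # no login
    "eve::19000:0:99999:7:::",                                       # no password
    "frank:$y$j9T$saltonly:19000:0:99999:7:::",                      # malformed
])

if __name__ == "__main__":
    ok, bad = sync_candidates(SAMPLE_SHADOW)
    for u in ok:
        print(f"sync   {u}: {classify_hash(ok[u]).method}")
    for u, why in bad.items():
        print(f"refuse {u}: {why}")
```

Running the block prints root, alice and bob as syncable and refuses carol (md5crypt) and frank (malformed yescrypt string); dave, daemon and eve are skipped because they carry no usable password. Keeping the field-layout check separate from the policy table is what makes adding `$gy$` a one-line change, which is the shape of the extension the patch proposes for the UserConfig password regex.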
Thread overview: 5+ messages
2026-01-23 18:13 Samuel FORESTIER
2026-01-23 18:18 ` [pmg-devel] [PATCH pmg-api 1/1] user config: password: allows (gost-)yescrypt hashes Samuel FORESTIER
2026-02-06 10:53 ` [pmg-devel] [PATCH pmg-api 0/1] user config: password: allows (gost-)yescrypt, hashes Stoiko Ivanov
2026-02-06 11:02 ` Stoiko Ivanov
2026-02-08 13:26 ` Samuel FORESTIER [this message]