* [pmg-devel] [PATCH pmg-api 0/1] user config: password: allows (gost-)yescrypt, hashes
@ 2026-01-23 18:13 Samuel FORESTIER
2026-01-23 18:18 ` [pmg-devel] [PATCH pmg-api 1/1] user config: password: allows (gost-)yescrypt hashes Samuel FORESTIER
2026-02-06 10:53 ` [pmg-devel] [PATCH pmg-api 0/1] user config: password: allows (gost-)yescrypt, hashes Stoiko Ivanov
0 siblings, 2 replies; 5+ messages in thread
From: Samuel FORESTIER @ 2026-01-23 18:13 UTC (permalink / raw)
To: pmg-devel
From 208b1364b8b83324aef594eb66794c231e162cb9 Mon Sep 17 00:00:00 2001
From: Samuel FORESTIER <samuel+dev@forestier.app>
Date: Fri, 23 Jan 2026 18:45:43 +0100
Subject: [PATCH pmg-api 0/1] user config: password: allows
(gost-)yescrypt hashes
Dear developers,
This patch extends user config 'crypt_pass' field validation pattern to
support yescrypt and gost-yescrypt hash formats (regarding crypt(5)
documentation).
This allows direct synchronization of PAM users to PMG realm, when their
passwords are hashed using yescrypt.
BR
Samuel FORESTIER (1):
user config: password: allows (gost-)yescrypt hashes
src/PMG/UserConfig.pm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--
2.39.5
_______________________________________________
pmg-devel mailing list
pmg-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pmg-devel
^ permalink raw reply [flat|nested] 5+ messages in thread
* [pmg-devel] [PATCH pmg-api 1/1] user config: password: allows (gost-)yescrypt hashes
2026-01-23 18:13 [pmg-devel] [PATCH pmg-api 0/1] user config: password: allows (gost-)yescrypt, hashes Samuel FORESTIER
@ 2026-01-23 18:18 ` Samuel FORESTIER
2026-02-06 10:53 ` [pmg-devel] [PATCH pmg-api 0/1] user config: password: allows (gost-)yescrypt, hashes Stoiko Ivanov
1 sibling, 0 replies; 5+ messages in thread
From: Samuel FORESTIER @ 2026-01-23 18:18 UTC (permalink / raw)
To: pmg-devel
From 208b1364b8b83324aef594eb66794c231e162cb9 Mon Sep 17 00:00:00 2001
From: Samuel FORESTIER <samuel+dev@forestier.app>
Date: Fri, 23 Jan 2026 18:33:06 +0100
Subject: [PATCH pmg-api 1/1] user config: password: allows
(gost-)yescrypt hashes
Signed-off-by: Samuel FORESTIER <samuel+dev@forestier.app>
---
src/PMG/UserConfig.pm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/PMG/UserConfig.pm b/src/PMG/UserConfig.pm
index 5ee7333..c672af9 100644
--- a/src/PMG/UserConfig.pm
+++ b/src/PMG/UserConfig.pm
@@ -109,7 +109,7 @@ my $schema = {
crypt_pass => {
description => "Encrypted password (see `man crypt`)",
type => 'string',
- pattern => '\$\d\$[a-zA-Z0-9\.\/]+\$[a-zA-Z0-9\.\/]+',
+ pattern =>
'\$(?:\d|g?y\$[a-zA-Z0-9\.\/]+)\$[a-zA-Z0-9\.\/]+\$[a-zA-Z0-9\.\/]+',
optional => 1,
},
role => {
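Review bot: the new pattern value sits on a second line that carries no '+' marker, while the diffstat above reports a single insertion, so this hunk looks line-wrapped by the mail client and will probably not apply with git am as posted; resending with git send-email would avoid that. On the regex, the g?y branch requires a parameter field between the prefix and the salt, which fits the $y$params$salt$hash layout from crypt(5), but the description string still only says "see `man crypt`"; naming the accepted prefixes there ($<digit>$, $y$, $gy$) would tell API users which hashes pass validation.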
--
2.39.5
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [pmg-devel] [PATCH pmg-api 0/1] user config: password: allows (gost-)yescrypt, hashes
2026-01-23 18:13 [pmg-devel] [PATCH pmg-api 0/1] user config: password: allows (gost-)yescrypt, hashes Samuel FORESTIER
2026-01-23 18:18 ` [pmg-devel] [PATCH pmg-api 1/1] user config: password: allows (gost-)yescrypt hashes Samuel FORESTIER
@ 2026-02-06 10:53 ` Stoiko Ivanov
2026-02-06 11:02 ` Stoiko Ivanov
2026-02-08 13:26 ` Samuel FORESTIER
1 sibling, 2 replies; 5+ messages in thread
From: Stoiko Ivanov @ 2026-02-06 10:53 UTC (permalink / raw)
To: Samuel FORESTIER; +Cc: pmg-devel
Hi,
Thank you for the patch and your interest in contributing to Proxmox Mail
Gateway!
question/comment inline:
On Fri, 23 Jan 2026 18:13:16 +0000
Samuel FORESTIER <samuel+dev@forestier.app> wrote:
> From 208b1364b8b83324aef594eb66794c231e162cb9 Mon Sep 17 00:00:00 2001
> From: Samuel FORESTIER <samuel+dev@forestier.app>
> Date: Fri, 23 Jan 2026 18:45:43 +0100
> Subject: [PATCH pmg-api 0/1] user config: password: allows
> (gost-)yescrypt hashes
>
> Dear developers,
>
> This patch extends user config 'crypt_pass' field validation pattern to
> support yescrypt and gost-yescrypt hash formats (regarding crypt(5)
> documentation).
> This allows direct synchronization of PAM users to PMG realm, when their
> passwords are hashed using yescrypt.
It is possible to create a user in the PAM realm (just like in our other
products) - then you can simply login with the user - and their password
should be checked by PAM. This has the advantage that you do not duplicate
the password information and it stays consistent.
Currently creating users with realm PAM in the GUI is disabled (afair
simply because we haven't seen reports where people would want to have
many system-users as users in their PMG), but this could potentially be
allowed - if there is a use-case which benefits from this.
see: https://bugzilla.proxmox.com/show_bug.cgi?id=6488 for the request to
hide the realm (expecting it not to be needed)
What is your use-case - how do you create the users on the system, and
would there be any upside for you to keep 2 copies of the password
(compared to having the user@pam directly ask PAM)?
Regarding the patch itself allowing other password-hashes (and maybe
changing the default to yescrypt - as currently recommended by mkpasswd)
might be ok.
Thanks again!
stoiko
>
> BR
>
> Samuel FORESTIER (1):
> user config: password: allows (gost-)yescrypt hashes
>
> src/PMG/UserConfig.pm | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [pmg-devel] [PATCH pmg-api 0/1] user config: password: allows (gost-)yescrypt, hashes
2026-02-06 10:53 ` [pmg-devel] [PATCH pmg-api 0/1] user config: password: allows (gost-)yescrypt, hashes Stoiko Ivanov
@ 2026-02-06 11:02 ` Stoiko Ivanov
2026-02-08 13:26 ` Samuel FORESTIER
1 sibling, 0 replies; 5+ messages in thread
From: Stoiko Ivanov @ 2026-02-06 11:02 UTC (permalink / raw)
To: Samuel FORESTIER; +Cc: pmg-devel
On Fri, 6 Feb 2026 11:53:28 +0100
Stoiko Ivanov <s.ivanov@proxmox.com> wrote:
> Hi,
>..snip..
> It is possible to create a user in the PAM realm (just like in our other
> products) - then you can simply login with the user - and their password
> should be checked by PAM. This has the advantage that you do not duplicate
> the password information and it stays consistent.
Seems I was mistaken on that - currently we do have a few checks which
only allow root in the pam realm - but that could be changed to be more in
line with the other products - if the use-case of having many system-users
accessing PMG is there.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [pmg-devel] [PATCH pmg-api 0/1] user config: password: allows (gost-)yescrypt, hashes
2026-02-06 10:53 ` [pmg-devel] [PATCH pmg-api 0/1] user config: password: allows (gost-)yescrypt, hashes Stoiko Ivanov
2026-02-06 11:02 ` Stoiko Ivanov
@ 2026-02-08 13:26 ` Samuel FORESTIER
1 sibling, 0 replies; 5+ messages in thread
From: Samuel FORESTIER @ 2026-02-08 13:26 UTC (permalink / raw)
To: Stoiko Ivanov; +Cc: pmg-devel
Hi Stoiko !
Thanks for your feedback, my responses inline.
BR
Stoiko Ivanov wrote:
> It is possible to create a user in the PAM realm (just like in our other
> products) - then you can simply login with the user - and their password
> should be checked by PAM. This has the advantage that you do not duplicate
> the password information and it stays consistent.
>
> Currently creating users with realm PAM in the GUI is disabled (afair
> simply because we haven't seen reports where people would want to have
> many system-users as users in their PMG), but this could potentially be
> allowed - if there is a use-case which benefits from this.
> see: https://bugzilla.proxmox.com/show_bug.cgi?id=6488 for the request to
> hide the realm (expecting it not to be needed)
Indeed it would have been possible to do so, but as you pointed out, PMG
currently doesn't honor system users through the PAM realm (bar root
itself, mainly for node bootstrapping and to limit the number of
passwords, I guess).
> What is your use-case - how do you create the users on the system, and
> would there be any upside for you to keep 2 copies of the password
> (compared to having the user@pam directly ask PAM)?
In my use case, PMG users are provisioned through a system configuration
manager, which doesn't know password clear texts (yescrypt hashes are
directly passed to shadow). These users are then synchronized from PAM
to PMG realm, by still using their hashed passwords.
As of PMG 9.0, this patch is the only quick win I've come up with so far.
> Regarding the patch itself allowing other password-hashes (and maybe
> changing the default to yescrypt - as currently recommended by mkpasswd)
> might be ok.
Awesome ! No strong opinion about improving consistency across other
Proxmox' products or _simply_ applying this patch to PMG, to extend
UserConfig compatibility with more CRYPT(5) supported hash types.
From a security point of view, I second your idea of defaulting to
yescrypt in the future, maybe in the next major PMG release (according
to your roadmap and "important" changes policy regarding semantic
versioning).
^ permalink raw reply [flat|nested] 5+ messages in thread
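As an added example (not part of the thread or of pmg-api), this Python sketch runs the old and new 'crypt_pass' patterns from the patch over constructed crypt(5)-style strings to show which hash formats each one accepts and which remain rejected. It assumes the validator matches the whole value; the sample strings and the function names are made up for illustration.

```python
import re

# Patterns copied verbatim from the '-' and '+' lines of the UserConfig.pm hunk.
OLD = r'\$\d\$[a-zA-Z0-9\.\/]+\$[a-zA-Z0-9\.\/]+'
NEW = r'\$(?:\d|g?y\$[a-zA-Z0-9\.\/]+)\$[a-zA-Z0-9\.\/]+\$[a-zA-Z0-9\.\/]+'

# Constructed strings that only mimic crypt(5) layouts; none is a real hash.
SAMPLES = {
    "md5crypt": "$1$" + "s" * 8 + "$" + "h" * 22,
    "sha512crypt": "$6$" + "s" * 16 + "$" + "h" * 86,
    "sha512crypt-rounds": "$6$rounds=5000$" + "s" * 16 + "$" + "h" * 86,
    "bcrypt": "$2b$12$" + "s" * 22 + "h" * 31,
    "yescrypt": "$y$j9T$" + "s" * 22 + "$" + "h" * 43,
    "gost-yescrypt": "$gy$j9T$" + "s" * 22 + "$" + "h" * 43,
    "yescrypt-no-params": "$y$" + "s" * 22 + "$" + "h" * 43,
    "locked-account": "!",
}


def accepts(pattern, value):
    # Assumption: the schema validator anchors the pattern at both ends.
    return re.fullmatch(pattern, value) is not None


def compare(samples=SAMPLES):
    """Return {name: (accepted_by_old, accepted_by_new)} for each sample."""
    return {n: (accepts(OLD, v), accepts(NEW, v)) for n, v in samples.items()}


def newly_accepted(samples=SAMPLES):
    """Formats the patch starts to accept."""
    return sorted(n for n, (o, w) in compare(samples).items() if w and not o)


def regressions(samples=SAMPLES):
    """Formats the old pattern accepted but the new one rejects."""
    return sorted(n for n, (o, w) in compare(samples).items() if o and not w)


def still_rejected(samples=SAMPLES):
    """Formats neither pattern accepts."""
    return sorted(n for n, (o, w) in compare(samples).items() if not o and not w)


if __name__ == "__main__":
    for name, (old_ok, new_ok) in compare().items():
        print(f"{name:20} old={old_ok!s:5} new={new_ok}")
```

With these samples, bcrypt and the `rounds=` form of sha512crypt are rejected by both patterns, so a sync job that feeds shadow entries into 'crypt_pass' should check the hash prefix before submitting.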