From Fedora Project Wiki

Revision as of 15:16, 5 June 2021 by Besser82 (talk | contribs) (Add discussion on Debian bugtracker)

Use yescrypt as default hashing method for shadow passwords

Summary

Make the yescrypt hashing method the default method used for new user passwords stored in /etc/shadow.


Owner


Current status

  • Targeted release: Fedora Linux 35
  • Last updated: 2021-06-05
  • FESCo issue: <will be assigned by the Wrangler>
  • Tracker bug: <will be assigned by the Wrangler>
  • Release notes tracker: <will be assigned by the Wrangler>


Detailed Description

Also see yescrypt - scalable KDF and password hashing scheme and the discussion on the Debian bugtracker.


Feedback

No feedback yet.


Benefit to Fedora

yescrypt is the default password hashing scheme on recent ALT Linux, Debian testing, and Kali Linux 2021.1+, so we should adopt it as the default, too. Also, it is already the recommended hashing method in the Fedora CoreOS documentation.


Scope

  • Proposal owners: Help with integration for yescrypt support in some packages. See Dependencies.
  • Other developers: Integrate yescrypt support in some packages. See Dependencies.
  • Release engineering: #10150
  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Objectives: N/A (not needed for this Change)


Upgrade/compatibility impact

No impact: password hashes that were computed using the former default, sha512crypt, will continue to work.


How To Test

  • Existing installations: Change your user password and check whether the computed password hash in /etc/shadow starts with $y$.
  • Fresh installations: Check whether the password hash(es) for the user(s) created by anaconda in /etc/shadow start(s) with $y$.
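
The prefix check in both steps can be run over every entry at once. The script below is an added example, not part of this Change or of any Fedora package; the function names, the sample accounts and the placeholder salt and hash strings are constructed for illustration, and it assumes the usual shadow conventions ($6$ for sha512crypt, a leading ! for a locked password).

```shell
#!/bin/sh
# Added example: report which hashing method each entry of a shadow-format
# file uses, judged by the prefix of the password field (field 2).
# On a real system: shadow_hash_methods /etc/shadow   (needs root to read)

# Write a constructed sample file; salts and hashes are placeholders, not real.
make_sample_shadow() {
    cat > "$1" <<'EOF'
alice:$y$j9T$CONSTRUCTEDSALT$CONSTRUCTEDHASH:18783:0:99999:7:::
bob:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:18700:0:99999:7:::
carol:!$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:18700:0:99999:7:::
daemon:*:18700:0:99999:7:::
newuser:!!:18783:0:99999:7:::
EOF
}

# Print "user: method" for every entry. A locked password keeps its hash
# behind one or more "!" characters, so strip those before classifying.
shadow_hash_methods() {
    awk -F: '{
        h = $2
        locked = (h ~ /^!/) ? " (locked)" : ""
        sub(/^!+/, "", h)
        if (h == "" || h == "*")   m = "no-hash"
        else if (h ~ /^\$y\$/)     m = "yescrypt"
        else if (h ~ /^\$6\$/)     m = "sha512crypt"
        else                       m = "other"
        print $1 ": " m locked
    }' "$1"
}

# Names of accounts that carry a hash which is not yescrypt, i.e. accounts
# whose password has not been changed since the new default took effect.
not_yescrypt() {
    shadow_hash_methods "$1" |
        awk -F': ' '$2 !~ /^(yescrypt|no-hash)/ { print $1 }'
}

# Demo on the constructed sample.
sample=$(mktemp)
make_sample_shadow "$sample"
shadow_hash_methods "$sample"
rm -f "$sample"
```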


User Experience

No user-visible changes, but users can rely on safer hashing for their passwords.


Dependencies

  • pam: Already capable of using yescrypt.
  • libxcrypt: Already capable of computing yescrypt hashes.


Contingency Plan

  • Blocks release? Yes

Partially revert the changes that have been applied to anaconda, authselect and shadow-utils, and rebuild those packages.


Documentation

Release Notes