Arch Linux

Please read this before reporting a bug:
https://wiki.archlinux.org/title/Bug_reporting_guidelines

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!
Tasklist

FS#71393 - [shadow] Use yescrypt hash for passwords for improve security

Attached to Project: Arch Linux
Opened by leazar (leazar) - Tuesday, 29 June 2021, 09:04 GMT
Last edited by Andreas Radke (AndyRTR) - Wednesday, 30 June 2021, 05:33 GMT
Task Type Feature Request
Category Packages: Core
Status Assigned
Assigned To Christian Hesse (eworm)
Giancarlo Razzolini (grazzolini)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 0%
Votes 5
Private No

Details

SHA512 is designed to be fast (which makes it easier to brute-force), while yescrypt is designed to resist password cracking because it's computationally expensive and hard on memory & GPU. Fedora is going to use it in its next release (https://fedoraproject.org/wiki/Changes/yescrypt_as_default_hashing_method_for_shadow).

Please consider changing the default hashing method for passwords to yescrypt.
This task depends upon

Comment by loqs (loqs) - Tuesday, 29 June 2021, 15:45 GMT
I added support for yescrypt (the current release of shadow does not support it, Fedora uses [1]) and ENCRYPT_METHOD YESCRYPT to FS#69933 if FS#67393 is implemented these changes would be enough otherwise the encryption method would need to be changed in the pam configs supplied by util-linux and pambase.

[1] https://src.fedoraproject.org/rpms/shadow-utils/blob/rawhide/f/shadow-4.8.1-yescrypt-support.patch
Comment by Rodolphe (br.r) - Sunday, 26 September 2021, 13:58 GMT
I would also be very interested in yescrypt being the default password hashing method. In case anyone would like additional reasons to switch from sha512crypt to yescrypt, I would like to share some resources about the danger of sha512crypt [1][2] as well as one that recommends yescrypt [3]. By the way, as stated in Fedora's rationale linked above, yescrypt is compatible with the NIST SP 800-63B.

Good news: shadow 4.9 has been released with yescrypt support [4], there is no need to patch it anymore. However, the package has not been updated yet.
Ideally, the shadow and pambase could be updated simultaneously in order to use yescrypt as the default password hashing method.

[1]: https://pthree.org/2018/05/23/do-not-use-sha256crypt-sha512crypt-theyre-dangerous/
[2]: https://tches.iacr.org/index.php/TCHES/article/view/8675
[3]: https://www.mdpi.com/2410-387X/1/2/10
[4]: https://github.com/shadow-maint/shadow/releases/tag/v4.9
Comment by mark roi (markroi) - Thursday, 10 February 2022, 18:11 GMT
So we have shadow 4.11 but the pam encryption method is still overridden with sha512 (and FS#67393 seems dead). I wonder why isn't security taken more seriously.
Comment by Andrew (drew33) - Thursday, 14 April 2022, 12:06 GMT
Hi package maintainers, I've created a patch for enabling both yescrypt & bcrypt in the current PKGBUILD.

I quickly tested locally with yescrypt & sha512, and works for login and changing passwords as expected. Let me know if there's anything I can do to help push this through?
Many thanks!

Update: I tested rolling back shadow to the official package, but with 'yescrypt' still enabled in /etc/pam.d/passwd and it seems that this patch isn't necessary - yescrypt still works without the change in the shadow PKGBUILD. Given that, it's hard for me to say how useful this change to shadow is...
   enable-yes-n-b-crypt.patch (0.5 KiB)

Loading...