Control: tags -1 patch pending

Hi,

On Tue, 02 Feb 2021 17:27:38 -0500 Sam Hartman <hartmans@debian.org> wrote:
> I'd recommend text like the following for the release notes
>
> Password Hashing Uses Yescrypt by Default
>
> The default password hash for local system accounts has been changed to
> yescrypt (https://www.openwall.com/yescrypt/ ). This is expected to
> provide improved security against dictionary-based password guessing
> attacks, focusing both on the space as well as time complexity of the
> attack.
> To take advantage of this improved security, change local passwords; for
> example use the `passwd` command.
>
> Old passwords will continue to work using whatever password hash was
> used to create them.
>
>
> Yescrypt is not supported by Debian 10 (Buster). As a result, shadow
> password files (`/etc/shadow`) cannot be copied from a Debian 11 system
> back to a Debian 10 system. If these files are copied, passwords that
> have been changed on the Debian 11 system will not work on the Debian 10
> system.
> Similarly, password hashes cannot be cut&paste from a Debian 11 to a
> Debian 10 system.
>
> If compatibility is required for password hashes between Debian 11 and
> Debian 10, modify `/etc/pam.d/common-password`. Find the line that
> looks like:
>
> password [success=1 default=ignore] pam_unix.so obscure yescrypt
>
> and replace `yescrypt` with `sha512`.

I converted (with small modifications) this into the attached patch, ready to push.

Paul
From b784bf1fc83700a7651af66ad8c23b01df10407a Mon Sep 17 00:00:00 2001
From: Sam Hartman <hartmans@debian.org>
Date: Thu, 18 Mar 2021 15:14:41 +0100
Subject: [PATCH] issues.dbk: PAM changed the default password hash
Closes: #981693
---
en/issues.dbk | 39 +++++++++++++++++++++++++++++++++++++++
1 file changed, 39 insertions(+)
diff --git a/en/issues.dbk b/en/issues.dbk
index fbe357b8..f3ff6d48 100644
--- a/en/issues.dbk
+++ b/en/issues.dbk
@@ -82,6 +82,45 @@ information mentioned in <xref linkend="morereading"/>.
</para>
</section>
+ <section id="pam-default-password">
+ <!-- buster to bullseye -->
+ <title>Password hashing uses yescript by default</title>
+ <para>
+ The default password hash for local system accounts has been
+ changed to <ulink
+ url="https://www.openwall.com/yescrypt/">yescrypt</ulink>. This
+ is expected to provide improve security against dictionary-based
+ password guessing attacks, focusing both on the space as well as
+ time complexity of the attack.
+ </para>
+ <para>
+ To take advantage of this improved security, change local
+ passwords; for example use the <command>passwd</command> command.
+ </para>
+ <para>
+ Old passwords will continue to work using whatever password hash
+ was used to create them.
+ </para>
+ <para>
+ Yescrypt is not supported by Debian 10 (buster). As a result,
+ shadow password files (<filename>/etc/shadow</filename>) cannot be
+ copied from a bullseye system back to a buster system. If these
+ files are copied, passwords that have been changed on the bullseye
+ system will not work on the buster system. Similarly, password
+ hashes cannot be cut&aml;paste from a bullseye to a buster system.
+ </para>
+ <para>
+ If compatibility is required for password hashes between bullseye
+ and buster, modify
+ <filename>/etc/pam.d/common-password</filename>. Find the line
+ that looks like:
+ <programlisting>
+ password [success=1 default=ignore] pam_unix.so obscure yescrypt
+ </programlisting>
+ and replace <literal>yescrypt</literal> with <literal>sha512</literal>.
+ </para>
+ </section>
+
<section id="noteworthy-obsolete-packages">
<title>Noteworthy obsolete packages</title>
<para>
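Review bot: `&aml;` in the "cut&aml;paste" sentence is not a valid XML entity, so the DocBook build will fail on this new section; it should be `&amp;`. In the same hunk the section title has "yescript" where the body and the ulink say "yescrypt", and "provide improve security" should read "provide improved security". Since the third paragraph states that old passwords keep whatever hash was used to create them, the compatibility paragraph would be clearer if it said that replacing `yescrypt` with `sha512` only affects passwords changed afterwards: accounts that were already rehashed with yescrypt must have their password set again before `/etc/shadow` is usable on buster.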
--
2.30.2
Attachment:
OpenPGP_signature
Description: OpenPGP digital signature
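The compatibility warning above is the kind of thing an administrator wants to check before copying a shadow file back to a buster host. The following is an added example, not Debian's code and not part of the patch: it parses `/etc/shadow`-format lines, identifies the hash scheme from the `$id$` prefix, and lists the accounts buster could not verify. It assumes that buster's crypt(3) understands only the traditional DES format and the `$1$`, `$5$` and `$6$` prefixes (so yescrypt, scrypt and bcrypt entries are reported); the sample shadow lines are constructed, with placeholder salts and hashes.

```python
"""Audit /etc/shadow entries for hashes that Debian 10 (buster) cannot verify.

Added example for the release-notes discussion; not Debian's own code.
Assumption: buster's crypt(3) supports only traditional DES and the
$1$ (md5crypt), $5$ (sha256crypt) and $6$ (sha512crypt) formats.
Every other prefix, yescrypt ($y$) included, is reported as unverifiable.
"""
import re
import sys
from dataclasses import dataclass
from typing import List

# Prefix -> scheme name, using the libxcrypt identifiers.
HASH_PREFIXES = {
    "$y$": "yescrypt",
    "$gy$": "gost-yescrypt",
    "$7$": "scrypt",
    "$2a$": "bcrypt",
    "$2b$": "bcrypt",
    "$2y$": "bcrypt",
    "$6$": "sha512crypt",
    "$5$": "sha256crypt",
    "$1$": "md5crypt",
}

# Assumption (see module docstring): what a buster login can verify.
BUSTER_SUPPORTED = {"sha512crypt", "sha256crypt", "md5crypt", "descrypt"}

# Constructed sample: one yescrypt entry, three legacy crypt entries,
# two disabled accounts and one traditional DES hash. Salts/hashes are dummies.
SAMPLE_SHADOW = """\
root:$y$j9T$SALTSALTSALT$hashhashhashhashhashhash:18700:0:99999:7:::
alice:$6$rounds=5000$abcdefgh$ijklmnopqrstuvwx:18700:0:99999:7:::
bob:$5$abcdefgh$ijklmnopqrstuvwx:18700:0:99999:7:::
carol:$1$abcdefgh$ijklmnop:18700:0:99999:7:::
daemon:*:18474:0:99999:7:::
nobody:!:18474:0:99999:7:::
legacy:abJnggxhB/yWI:18000:0:99999:7:::
"""


@dataclass
class ShadowEntry:
    user: str
    hash_field: str
    scheme: str       # e.g. "yescrypt", "sha512crypt", "locked", "empty"
    buster_ok: bool   # True if a buster host could authenticate this entry


def classify_hash(field: str) -> str:
    """Name the password-hash scheme of one shadow password field."""
    if field == "":
        return "empty"            # no password set; nothing for crypt(3) to check
    if field.startswith(("!", "*")):
        return "locked"           # password disabled; the hash behind "!" is not used
    for prefix, name in HASH_PREFIXES.items():
        if field.startswith(prefix):
            return name
    # Traditional DES crypt: 2-character salt + 11 characters, no "$" prefix.
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "descrypt"
    return "unknown"


def parse_shadow(text: str) -> List[ShadowEntry]:
    """Parse shadow(5) lines (9 colon-separated fields) into ShadowEntry objects."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"line {lineno}: expected 9 fields, got {len(fields)}")
        user, hash_field = fields[0], fields[1]
        scheme = classify_hash(hash_field)
        # Locked and empty entries never reach crypt(3), so they are portable;
        # anything else must be a scheme buster's libc can verify.
        ok = scheme in BUSTER_SUPPORTED or scheme in ("locked", "empty")
        entries.append(ShadowEntry(user, hash_field, scheme, ok))
    return entries


def incompatible_users(text: str) -> List[str]:
    """Users whose password would stop working if this file were used on buster."""
    return [e.user for e in parse_shadow(text) if not e.buster_ok]


if __name__ == "__main__":
    # Usage: python3 shadow_audit.py /etc/shadow   (needs read access to the file)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SHADOW
    for entry in parse_shadow(data):
        flag = "ok" if entry.buster_ok else "NOT VERIFIABLE ON BUSTER"
        print(f"{entry.user:12} {entry.scheme:14} {flag}")
```

Run against the constructed sample, only `root` is reported, since the other accounts are either still on md5/sha256/sha512 crypt, disabled, or on traditional DES. Note that a locked entry such as `!$y$...` is reported as portable only because the lock prevents authentication; unlocking it on buster would expose the yescrypt hash and fail the same way, so such accounts still need a password reset before migration.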