
Bug#981693: Default Password hash Changes to Yescript for Bullseye
Paul Gevers wrote:
> index fbe357b8..f3ff6d48 100644
> --- a/en/issues.dbk
> +++ b/en/issues.dbk
> @@ -82,6 +82,45 @@ information mentioned in <xref linkend="morereading"/>.
>      </para>
>    </section>
>  
> +  <section id="pam-default-password">
> +    <!-- buster to bullseye -->
> +    <title>Password hashing uses yescript by default</title>
> +    <para>
> +      The default password hash for local system accounts has been
> +      changed to <ulink
> +      url="https://www.openwall.com/yescrypt/";>yescrypt</ulink>. This
> +      is expected to provide improve security against dictionary-based
                                       ^d
> +      password guessing attacks, focusing both on the space as well as
> +      time complexity of the attack.

Just what could it change to make such attacks harder *besides* space
or time complexity?  If you're focusing on everything, you're not
focusing on anything!  So I'd say it as

         is expected to provide improved security against dictionary-based
         password guessing attacks, in terms of both the space and time
         complexity of the attack.

> +    </para>
> +    <para>
> +      To take advantage of this improved security, change local
> +      passwords; for example use the <command>passwd</command> command.
> +    </para>
> +    <para>
> +      Old passwords will continue to work using whatever password hash
> +      was used to create them.
> +    </para>
> +    <para>
> +      Yescrypt is not supported by Debian 10 (buster). As a result,
> +      shadow password files (<filename>/etc/shadow</filename>) cannot be
> +      copied from a bullseye system back to a buster system.  If these
> +      files are copied, passwords that have been changed on the bullseye
> +      system will not work on the buster system.  Similarly, password
> +      hashes cannot be cut&aml;paste from a bullseye to a buster system.
                                ^      ^
That's &amp;, and another lost inflection.

         hashes cannot be cut&amp;pasted from a bullseye to a buster system.

> +    </para>
> +    <para>
> +      If compatibility is required for password hashes between bullseye
> +      and buster, modify
> +      <filename>/etc/pam.d/common-password</filename>. Find the line
> +      that looks like:
> +      <programlisting>
> +	password [success=1 default=ignore] pam_unix.so obscure yescrypt
> +      </programlisting>
> +      and replace <literal>yescrypt</literal> with <literal>sha512</literal>.
> +    </para>
> +  </section>
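Review bot: the `<title>` line of this hunk spells the algorithm "yescript" while the `<ulink>` text and every other mention in the section say "yescrypt"; suggest `<title>Password hashing uses yescrypt by default</title>` so the heading matches the name used in the body. Beyond the two slips already called out (improve/improved, cut&aml;/cut&amp;pasted), the final compatibility paragraph would be clearer if it said that changing the `common-password` line back to `sha512` only affects passwords set after the edit: the earlier paragraph states that existing entries keep whatever hash created them, so a password that was already hashed with yescrypt still has to be re-set before `/etc/shadow` can be used on a buster system.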

(This seems a rather obscure corner case, but why not.)
-- 
JBR	with qualifications in linguistics, experience as a Debian
	sysadmin, and probably no clue about this particular package