Bug#981693: Default Password hash Changes to Yescript for Bullseye
Paul Gevers wrote:
> index fbe357b8..f3ff6d48 100644
> --- a/en/issues.dbk
> +++ b/en/issues.dbk
> @@ -82,6 +82,45 @@ information mentioned in <xref linkend="morereading"/>.
> </para>
> </section>
>
> + <section id="pam-default-password">
> + <!-- buster to bullseye -->
> + <title>Password hashing uses yescript by default</title>
> + <para>
> + The default password hash for local system accounts has been
> + changed to <ulink
> + url="https://www.openwall.com/yescrypt/">yescrypt</ulink>. This
> + is expected to provide improve security against dictionary-based
^d
> + password guessing attacks, focusing both on the space as well as
> + time complexity of the attack.
Just what could it change to make such attacks harder *besides* space
or time complexity? If you're focusing on everything, you're not
focusing on anything! So I'd say it as
is expected to provide improved security against dictionary-based
password guessing attacks, in terms of both the space and time
complexity of the attack.
> + </para>
> + <para>
> + To take advantage of this improved security, change local
> + passwords; for example use the <command>passwd</command> command.
> + </para>
> + <para>
> + Old passwords will continue to work using whatever password hash
> + was used to create them.
> + </para>
> + <para>
> + Yescrypt is not supported by Debian 10 (buster). As a result,
> + shadow password files (<filename>/etc/shadow</filename>) cannot be
> + copied from a bullseye system back to a buster system. If these
> + files are copied, passwords that have been changed on the bullseye
> + system will not work on the buster system. Similarly, password
> + hashes cannot be cut&aml;paste from a bullseye to a buster system.
^ ^
That's &, and another lost inflection.
hashes cannot be cut&pasted from a bullseye to a buster system.
> + </para>
> + <para>
> + If compatibility is required for password hashes between bullseye
> + and buster, modify
> + <filename>/etc/pam.d/common-password</filename>. Find the line
> + that looks like:
> + <programlisting>
> + password [success=1 default=ignore] pam_unix.so obscure yescrypt
> + </programlisting>
> + and replace <literal>yescrypt</literal> with <literal>sha512</literal>.
> + </para>
> + </section>
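Review bot: the <title> on the new section spells the hash "yescript" while the <ulink> URL, the link text and the later paragraph all say "yescrypt"; the bug subject carries the same misspelling, so fix it in the title before it lands in the published notes. In the same hunk, "cut&aml;paste" is not a valid entity reference and will break the DocBook build; it has to be "cut&amp;paste" (or JBR's "cut&amp;pasted"). One more gap in the compatibility paragraph: switching the pam_unix.so line from yescrypt to sha512 only affects hashes created afterwards, and since the text above says old passwords keep whatever hash they were created with, any account already re-hashed with yescrypt on bullseye still needs another passwd run before its /etc/shadow entry will work on buster; a sentence saying so would save readers a surprise.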
(This seems a rather obscure corner case, but why not.)
--
JBR with qualifications in linguistics, experience as a Debian
sysadmin, and probably no clue about this particular package