securitybreach Posted September 22, 2023

Quote:

Changes to default password hashing algorithm and umask settings

2023-09-22 - David Runge

With shadow >= 4.14.0, Arch Linux's default password hashing algorithm changed from SHA512 to yescrypt [1]. Furthermore, the umask [2] settings are now configured in /etc/login.defs instead of /etc/profile. This should not require any manual intervention.

Reasons for Yescrypt

The password-based key derivation function (KDF) and password hashing scheme yescrypt has been chosen due to its adoption (readily available in libxcrypt, which is used by pam [3]) and its stronger resilience towards password cracking attempts over SHA512. Although the winner of the Password Hashing Competition [4] has been argon2, this even more resilient algorithm is not yet available in libxcrypt [5][6].

Configuring yescrypt

The YESCRYPT_COST_FACTOR setting in /etc/login.defs is currently without effect, until pam implements reading its value [7]. If a YESCRYPT_COST_FACTOR higher (or lower) than the default (5) is needed, it can be set using the rounds option of the pam_unix [8] module (i.e. in /etc/pam.d/system-auth).

General list of changes

- yescrypt is used as default password hashing algorithm, instead of SHA512
- pam honors the chosen ENCRYPT_METHOD in /etc/login.defs and does not override the chosen method anymore
- changes in the filesystem (>= 2023.09.18) and pambase (>= 20230918) packages ensure that umask is set centrally in /etc/login.defs instead of /etc/profile

[1] https://www.openwall.com/yescrypt/
[2] https://man.archlinux.org/man/umask.1p
[3] https://wiki.archlinux.org/title/PAM
[4] https://www.password-hashing.net/
[5] https://github.com/besser82/libxcrypt/pull/113
[6] https://github.com/besser82/libxcrypt/pull/150
[7] https://github.com/linux-pam/linux-pam/issues/607
[8] https://man.archlinux.org/man/pam_unix.8
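An added check, not part of the announcement or of the Arch project's own tooling: a POSIX shell script that reports which crypt(3) hash scheme each account in a shadow(5)-format file currently uses (a stored SHA512 hash is only replaced by a yescrypt one when that password is next changed) and extracts any rounds= value set on pam_unix.so password lines. The sample shadow and PAM entries used with it are constructed for illustration; the function names are the author's own.

```shell
#!/bin/sh
# Added example: classify password-hash schemes in a shadow-format file and
# read the pam_unix rounds option, so the effect of the SHA512 -> yescrypt
# switch can be verified per account rather than assumed.

# Map a crypt(3) hash string to a scheme name by its prefix.
hash_scheme() {
    case "$1" in
        '$y$'*)                    echo yescrypt ;;
        '$7$'*)                    echo scrypt ;;
        '$6$'*)                    echo sha512 ;;
        '$5$'*)                    echo sha256 ;;
        '$2a$'*|'$2b$'*|'$2y$'*)   echo bcrypt ;;
        '$1$'*)                    echo md5 ;;
        '!'*|'*'|'')               echo locked ;;   # no usable password
        *)                         echo unknown ;;
    esac
}

# Print "user scheme" for every entry of the shadow-format file given as $1.
audit_shadow() {
    while IFS=: read -r user hash _rest; do
        printf '%s %s\n' "$user" "$(hash_scheme "$hash")"
    done < "$1"
}

# List accounts whose stored hash is neither yescrypt nor locked, i.e. those
# still on an older scheme until their password is changed.
needs_rehash() {
    audit_shadow "$1" | awk '$2 != "yescrypt" && $2 != "locked" { print $1 }'
}

# Print the rounds= value on pam_unix.so "password" lines of a PAM config
# file ($1), or "default" when none is set (yescrypt cost factor 5 on Arch).
pam_unix_rounds() {
    awk '$1 == "password" && /pam_unix\.so/ {
             for (i = 3; i <= NF; i++)
                 if ($i ~ /^rounds=/) { sub(/^rounds=/, "", $i); print $i; found = 1 }
         }
         END { if (!found) print "default" }' "$1"
}

# Usage on a live system (requires root to read /etc/shadow):
#   needs_rehash /etc/shadow
#   pam_unix_rounds /etc/pam.d/system-auth
```

Accounts listed by needs_rehash keep their old hash until the user changes the password; a forced change (e.g. passwd -e) is what moves them to yescrypt.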