[pve-devel] [RFC access-control/common 0/3] hash passwords using yescrypt

Fabian Grünbichler f.gruenbichler at proxmox.com
Mon Mar 31 12:03:31 CEST 2025


Debian switched the default hash algorithm for /etc/shadow to yescrypt
for Bullseye. Our installer uses it for the root password set during
installation. But any PAM/PVE user created over the API, or any password
change triggered afterwards for such users, will fallback to
sha256crypt.

Since the helper in pve-common is also used by cloud-init (which is
stuck not supporting yescrypt for the time being for unrelated reasons),
make the new behaviour opt-in (which might be handy for future
migrations as well).

sending as RFC in case I missed some usage of this, and also to discuss
whether we might just want to move PVE/PAM realms over to a proxmox-sys
perlmod-wrapped helper instead (proxmox-sys and thus PBS defaults to
yescrypt and binds to the C lib interfaces that actually allow
specifying hashing parameters somewhat sanely)

pve-access-control:

Fabian Grünbichler (1):
  PVE/PAM: switch to yescrypt by default

 src/PVE/Auth/PAM.pm | 2 +-
 src/PVE/Auth/PVE.pm | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

pve-common:

Fabian Grünbichler (2):
  encrypt_pw: allow yescrypt in addition to sha256
  encrypt_pw: check return value matches expected format

 src/PVE/Tools.pm | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

-- 
2.39.5





More information about the pve-devel mailing list