[pve-devel] [RFC access-control/common 0/3] hash passwords using yescrypt
Fabian Grünbichler
f.gruenbichler at proxmox.com
Mon Mar 31 12:03:31 CEST 2025
Debian switched the default hash algorithm for /etc/shadow to yescrypt
for Bullseye. Our installer uses it for the root password set during
installation. But any PAM/PVE user created over the API, or any password
change triggered afterwards for such users, will fallback to
sha256crypt.
Since the helper in pve-common is also used by cloud-init (which is
stuck not supporting yescrypt for the time being for unrelated reasons),
make the new behaviour opt-in (which might be handy for future
migrations as well).
sending as RFC in case I missed some usage of this, and also to discuss
whether we might just want to move PVE/PAM realms over to a proxmox-sys
perlmod-wrapped helper instead (proxmox-sys and thus PBS defaults to
yescrypt and binds to the C lib interfaces that actually allow
specifying hashing parameters somewhat sanely)
pve-access-control:
Fabian Grünbichler (1):
PVE/PAM: switch to yescrypt by default
src/PVE/Auth/PAM.pm | 2 +-
src/PVE/Auth/PVE.pm | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
pve-common:
Fabian Grünbichler (2):
encrypt_pw: allow yescrypt in addition to sha256
encrypt_pw: check return value matches expected format
src/PVE/Tools.pm | 20 ++++++++++++++++++--
1 file changed, 18 insertions(+), 2 deletions(-)
--
2.39.5
More information about the pve-devel
mailing list