[pve-devel] [PATCH access-control 1/1] PVE/PAM: switch to yescrypt by default

Fabian Grünbichler f.gruenbichler at proxmox.com
Mon Mar 31 12:03:32 CEST 2025


this will hash the password of new users or rehash the password on
password changes using 'yescrypt', which is the default in Debian since
Bullseye[0].

0: https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#pam-default-password

Reported-by: Trent W. Buck <trentbuck at gmail.com>
Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---

Notes:
    requires corresponding pve-common change, but will fall back to previous default
    sha256 on older pve-common versions by virtue of the new parameter being
    ignored.

 src/PVE/Auth/PAM.pm | 2 +-
 src/PVE/Auth/PVE.pm | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/PVE/Auth/PAM.pm b/src/PVE/Auth/PAM.pm
index feabc0b..85c6d12 100755
--- a/src/PVE/Auth/PAM.pm
+++ b/src/PVE/Auth/PAM.pm
@@ -72,7 +72,7 @@ sub store_password {
 
     my $cmd = ['usermod'];
 
-    my $epw = PVE::Tools::encrypt_pw($password);
+    my $epw = PVE::Tools::encrypt_pw($password, 'y');
 
     push @$cmd, '-p', $epw, $username;
 
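Review bot: The bare 'y' passed as the second argument to PVE::Tools::encrypt_pw in store_password is a magic value, and nothing at the call site says it selects yescrypt. A short comment or a named constant would make that clear. The notes also say an older pve-common ignores the new parameter and keeps producing sha256, so without a versioned dependency bump on pve-common in the packaging this change can be installed and silently have no effect. Consider adding that bump as part of this patch, so the switch to yescrypt is guaranteed once the package is installed.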
diff --git a/src/PVE/Auth/PVE.pm b/src/PVE/Auth/PVE.pm
index de39d35..f17d716 100755
--- a/src/PVE/Auth/PVE.pm
+++ b/src/PVE/Auth/PVE.pm
@@ -95,7 +95,7 @@ sub store_password {
 
     lock_shadow_config(sub {
 	my $shadow_cfg = cfs_read_file($shadowconfigfile);
-	my $epw = PVE::Tools::encrypt_pw($password);
+	my $epw = PVE::Tools::encrypt_pw($password, 'y');
 	$shadow_cfg->{users}->{$username}->{shadow} = $epw;
 	cfs_write_file($shadowconfigfile, $shadow_cfg);
     });
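Review bot: The 'y' literal in this store_password duplicates the one in src/PVE/Auth/PAM.pm, so the two realms can drift apart if the default changes again. A single shared constant for the default hash prefix, used by both call sites, would avoid that. Since only the write path changes here, existing entries in the shadow config keep their current hash until the user's next password change, as the commit message says. That is worth stating in the changelog so administrators do not assume all stored hashes are upgraded on package update.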
-- 
2.39.5




