[pve-devel] [PATCH access-control 1/1] PVE/PAM: switch to yescrypt by default
Fabian Grünbichler
f.gruenbichler at proxmox.com
Mon Mar 31 12:03:32 CEST 2025
this will hash the password of new users or rehash the password on
password changes using 'yescrypt', which is the default in Debian since
Bullseye[0].
0: https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#pam-default-password
Reported-by: Trent W. Buck <trentbuck at gmail.com>
Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
Notes:
requires corresponding pve-common change, but will fall back to previous default
sha256 on older pve-common versions by virtue of the new parameter being
ignored.
src/PVE/Auth/PAM.pm | 2 +-
src/PVE/Auth/PVE.pm | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/PVE/Auth/PAM.pm b/src/PVE/Auth/PAM.pm
index feabc0b..85c6d12 100755
--- a/src/PVE/Auth/PAM.pm
+++ b/src/PVE/Auth/PAM.pm
@@ -72,7 +72,7 @@ sub store_password {
my $cmd = ['usermod'];
- my $epw = PVE::Tools::encrypt_pw($password);
+ my $epw = PVE::Tools::encrypt_pw($password, 'y');
push @$cmd, '-p', $epw, $username;
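Review bot: the bare 'y' passed on the changed line, encrypt_pw($password, 'y'), is opaque to someone reading PAM.pm on its own; a short comment saying it selects yescrypt, or a named constant shared with the identical call in PVE.pm, would make the intent explicit. Because the notes say an older pve-common ignores the second argument and silently keeps sha256, consider bumping the versioned dependency on pve-common with this change so the installed behaviour matches what the commit message promises.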
diff --git a/src/PVE/Auth/PVE.pm b/src/PVE/Auth/PVE.pm
index de39d35..f17d716 100755
--- a/src/PVE/Auth/PVE.pm
+++ b/src/PVE/Auth/PVE.pm
@@ -95,7 +95,7 @@ sub store_password {
lock_shadow_config(sub {
my $shadow_cfg = cfs_read_file($shadowconfigfile);
- my $epw = PVE::Tools::encrypt_pw($password);
+ my $epw = PVE::Tools::encrypt_pw($password, 'y');
$shadow_cfg->{users}->{$username}->{shadow} = $epw;
cfs_write_file($shadowconfigfile, $shadow_cfg);
});
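Review bot: the new hash is only written when this store_password runs, so, as the commit message says, entries already present in the shadow config keep their previous sha256 hash until the user changes the password. It is worth stating that explicitly in the commit message or documentation and confirming that the verification side keeps accepting both formats during the transition; if faster migration is wanted, rehashing after a successful login could be a follow-up.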
--
2.39.5