[pve-devel] [PATCH common 1/2] encrypt_pw: allow yescrypt in addition to sha256

Fabian Grünbichler f.gruenbichler at proxmox.com
Mon Mar 31 12:03:33 CEST 2025


this has been the default for Debian since Bullseye[0].

besides password setting for the PAM/PVE/PMG realms, this is also used
to hash cloud-init passwords for Linux VMs, where only a subset of
prefixes is currently allowed.

'j9T' is the default cost factor for yescrypt.

0: https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#pam-default-password

Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---

Notes:
    instead of opt-in to yescrypt, we could also default to it and opt-into sha256
    in qemu-server for cloud init.. but that means breaking old qemu-server, as
    opposed to the change being completely backwards compatible..

 src/PVE/Tools.pm | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/src/PVE/Tools.pm b/src/PVE/Tools.pm
index 57eb86c..95cd93c 100644
--- a/src/PVE/Tools.pm
+++ b/src/PVE/Tools.pm
@@ -1805,7 +1805,7 @@ sub fchownat($$$$$) {
 my $salt_starter = time();
 
 sub encrypt_pw {
-    my ($pw) = @_;
+    my ($pw, $prefix) = @_;
 
     $salt_starter++;
     my $salt = substr(Digest::SHA::sha1_base64(time() + $salt_starter + $$), 0, 8);
@@ -1813,7 +1813,18 @@ sub encrypt_pw {
     # crypt does not want '+' in salt (see 'man crypt')
     $salt =~ s/\+/X/g;
 
-    return crypt(encode("utf8", $pw), "\$5\$$salt\$");
+    $prefix = '5' if !$prefix;
+
+    my $input;
+    if ($prefix eq '5') {
+        $input = "\$5\$$salt\$";
+    } elsif ($prefix eq 'y') {
+        $input = "\$y\$j9T\$$salt\$"
+    } else {
+        die "Cannot hash password, unknown crypt prefix '$prefix'\n";
+    }
+
+    return crypt(encode("utf8", $pw), $input);
 }
 
 # intended usage: convert_size($val, "kb" => "gb")
-- 
2.39.5





More information about the pve-devel mailing list