Arch-announce

Download

arch-announce@lists.archlinux.org

September 2023

1 participants
1 discussions

[arch-announce] Changes to default password hashing algorithm and umask settings
by Arch Linux: Recent news updates: David Runge 22 Sep '23

22 Sep '23

With *shadow* >= `4.14.0`, Arch Linux's default password hashing algorithm changed from **SHA512** to **yescrypt** [1]. Furthermore, the `umask` [2] settings are now configured in `/etc/login.defs` instead of `/etc/profile`. This should not require any manual intervention. ## Reasons for Yescrypt The password-based key derivation function (KDF) and password hashing scheme **yescrypt** has been chosen due to its adoption (readily available in *libxcrypt*, which is used by *pam* [3]) and its stronger resilience towards password cracking attempts over **SHA512**. Although the winner of the Password Hashing Competition [4] has been **argon2**, this even more resilient algorithm is not yet available in *libxcrypt* [5][6]. ## Configuring yescrypt The `YESCRYPT_COST_FACTOR` setting in `/etc/login.defs` is currently without effect, until *pam* implements reading its value [7]. If a `YESCRYPT_COST_FACTOR` higher (or lower) than the default (`5`) is needed, it can be set using the `rounds` option of the `pam_unix` [8] module (i.e. in `/etc/pam.d/system-auth`). ## General list of changes - **yescrypt** is used as default password hashing algorithm, instead of **SHA512** - *pam* honors the chosen `ENCRYPT_METHOD` in `/etc/login.defs` and does not override the chosen method anymore - changes in the *filesystem* (>= `2023.09.18`) and *pambase* (>= `20230918`) packages ensure, that `umask` is set centrally in `/etc/login.defs` instead of `/etc/profile` [1] https://www.openwall.com/yescrypt/ [2] https://man.archlinux.org/man/umask.1p [3] https://wiki.archlinux.org/title/PAM [4] https://www.password-hashing.net/ [5] https://github.com/besser82/libxcrypt/pull/113 [6] https://github.com/besser82/libxcrypt/pull/150 [7] https://github.com/linux-pam/linux-pam/issues/607 [8] https://man.archlinux.org/man/pam_unix.8 URL: https://archlinux.org/news/changes-to-default-password-hashing-algorithm-an…

1 0