On 2021-06-06 22:08, Christian Hesse via arch-dev-public wrote:
> Jan Alexander Steffens via arch-dev-public <arch-dev-public@lists.archlinux.org> on Sun, 2021/06/06 21:49:
>> On Sun, Jun 6, 2021 at 9:38 PM Christian Hesse via arch-dev-public <arch-dev-public@lists.archlinux.org> wrote:
>>> Hello everybody,
>>>
>>> Old password hashes like MD5 are no longer accepted by recent libxcrypt. On next login, users may be forced to update their password. To make sure nobody is worried, I would like to add an install message and news post:
>>>
>>> --- >8 ---
>>> Starting with libxcrypt 4.4.21, weak password hashes are no longer accepted. If you still have one in your shadow file, do not worry if you are forced to update your password on next login.
>>> --- >8 ---
>>
>> It confused me a bit. I think we can phrase this better:
>>
>> ```
>> Starting with libxcrypt 4.4.21, weak password hashes (such as MD5 and SHA1) are no longer accepted for new passwords. Users that still have their passwords stored with a weak hash will be asked to update their password on their next login.
>> ```
>>
>> But is this really what is happening? I thought we had a complete failure to log in, not a "forced to update".
>
> There was a forced update, but that failed. It was an issue in the PAM configuration, fixed in util-linux 2.37-2.
>
>> I'm also not clear if the latter would work with the display managers.
>
> I think it should... But we could add another sentence for safety:
>
> ```
> Starting with `libxcrypt` 4.4.21, weak password hashes (such as MD5 and SHA1) are no longer accepted for new passwords. Users that still have their passwords stored with a weak hash will be asked to update their password on their next login. If the login just fails (for example from a display manager), switch to a virtual terminal (`Ctrl-Alt-F2`) and login there once.
> ```

I think that's nice and clear. Though it should be "log in there once" instead of "login there once". :)