[arch-dev-public] News draft: sorting old password hashes

Christian Hesse list at eworm.de
Sun Jun 6 20:08:43 UTC 2021


Jan Alexander Steffens via arch-dev-public
<arch-dev-public at lists.archlinux.org> on Sun, 2021/06/06 21:49:
> On Sun, Jun 6, 2021 at 9:38 PM Christian Hesse via arch-dev-public <
> arch-dev-public at lists.archlinux.org> wrote:
> 
> > Hello everybody,
> >
> > old password hashes like MD5 are no longer accepted by recent libxcrypt.
> > On next login user may be enforced to update password. To make sure
> > nobody is worried I would like to add install message and news post:
> >  
> > --- >8 ---
> > Starting with libxcrypt 4.4.21 weak password hashes are no longer
> > accepted. If you still have one in your shadow file do not worry if you
> > are enforced to update your password on next login.
> > --- >8 ---
> >
> 
> It confused me a bit. I think we can phrase this better:
> 
> ```
> Starting with libxcrypt 4.4.21, weak password hashes (such as MD5 and SHA1)
> are no longer accepted for new passwords. Users that still have their passwords
> stored with a weak hash will be asked to update their password on their next
> login.
> ```
> 
> But is this really what is happening? I thought we had a complete failure
> to log in, not a "forced to update".

There was a forced update, but it failed. It was an issue in the PAM
configuration, fixed in util-linux 2.37-2.

> I'm also not clear if the latter would work with the display managers.

I think it should... But we could add another sentence for safety:

```
Starting with `libxcrypt` 4.4.21, weak password hashes (such as MD5 and SHA1)
are no longer accepted for new passwords. Users that still have their
passwords stored with a weak hash will be asked to update their password on
their next login.
If the login just fails (for example from a display manager), switch to a
virtual terminal (`Ctrl-Alt-F2`) and log in there once.
```
-- 
main(a){char*c=/*    Schoene Gruesse                         */"B?IJj;MEH"
"CX:;",b;for(a/*    Best regards             my address:    */=0;b=c[a++];)
putchar(b-1/(/*    Chris            cc -ox -xc - && ./x    */b/42*2-3)*42);}
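As an added example (not code from the thread, from Arch or from libxcrypt), the following script audits shadow-format entries and flags accounts whose hash method libxcrypt 4.4.21 no longer accepts, so an administrator can find them before the upgrade rather than after a failed login. The prefix table is an assumption based on libxcrypt's documented hash identifiers (`$1$` md5crypt, `$sha1$` sha1crypt, `$md5$` sunmd5, `$3$` NT, `_` bsdicrypt, 13-character traditional DES; `$2a$`/`$2b$`/`$2y$`, `$5$`, `$6$`, `$7$`, `$y$`, `$gy$` as strong), the sample shadow lines are constructed, and the hash bodies are dummy strings, not real hashes.

```python
"""Audit shadow(5) entries for hash methods libxcrypt 4.4.21 rejects.

Added example, not part of the list thread. Prefix classification is an
assumption based on libxcrypt's documented identifiers; check `man 5 crypt`
on the target system for the set its libxcrypt build actually enables.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Methods libxcrypt documents as strong (assumption: matches the 4.4.x manual).
STRONG_PREFIXES = ("$2a$", "$2b$", "$2y$", "$5$", "$6$", "$7$", "$y$", "$gy$")

# Methods treated as weak. MD5 and SHA1 are named in the thread; the rest are
# the other legacy methods libxcrypt lists (assumption).
WEAK_PREFIXES = {
    "$1$": "md5crypt",
    "$sha1$": "sha1crypt",
    "$md5$": "sunmd5",
    "$3$": "NT",
    "_": "bsdicrypt",
}

# Traditional DES crypt(3): 13 characters from the [./0-9A-Za-z] alphabet.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


@dataclass
class Entry:
    user: str
    method: str
    status: str  # "strong", "weak", "locked", "empty" or "unknown"


def classify_hash(field: str) -> tuple[str, str]:
    """Return (method, status) for one shadow password field."""
    if field == "":
        return ("none", "empty")  # passwordless account: a finding on its own
    if field.lstrip("!") in ("", "*"):
        return ("none", "locked")  # '!', '!!' or '*': no usable password
    # A leading '!' locks the account but keeps the hash; classify the hash
    # anyway, since it matters again the moment the account is unlocked.
    h = field.lstrip("!")
    for prefix, name in WEAK_PREFIXES.items():
        if h.startswith(prefix):
            return (name, "weak")
    for prefix in STRONG_PREFIXES:
        if h.startswith(prefix):
            return (prefix, "strong")
    if DES_RE.match(h):
        return ("descrypt", "weak")
    return ("unknown", "unknown")


def audit_shadow(text: str) -> list[Entry]:
    """Parse shadow-format text (user:hash:...) into classified entries."""
    entries = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue  # malformed line; shadow(5) requires at least user:hash
        method, status = classify_hash(parts[1])
        entries.append(Entry(parts[0], method, status))
    return entries


def users_needing_rehash(text: str) -> list[str]:
    """Users whose stored hash libxcrypt 4.4.21 will refuse to verify."""
    return [e.user for e in audit_shadow(text) if e.status == "weak"]


# Constructed sample; hash bodies are placeholders, not real password hashes.
SAMPLE_SHADOW = """\
root:$6$saltsalt$AbCdEfGhIjKlMnOpQrStUvWxYz0123456789:18784:0:99999:7:::
alice:$1$abcdefgh$ijklmnopqrstuvwxyz0123:18784:0:99999:7:::
bob:$y$j9T$saltsaltsaltsalt$hashhashhashhash:18784:0:99999:7:::
carol:$sha1$40000$saltsalt$hashhashhashhash:18784:0:99999:7:::
dave:!$6$saltsalt$lockedbutstronghash:18784:0:99999:7:::
legacy:ab12CDzyx.Q/w:18784:0:99999:7:::
nologin:*:18784:0:99999:7:::
"""

if __name__ == "__main__":
    for e in audit_shadow(SAMPLE_SHADOW):
        print(f"{e.user:<10} {e.status:<8} {e.method}")
    print("rehash needed:", ", ".join(users_needing_rehash(SAMPLE_SHADOW)))
```

Run as root with `audit_shadow(open("/etc/shadow").read())` before upgrading; for every user it lists, `passwd USER` rewrites the entry with the system's current default method, or `chage -d 0 USER` expires the password so the next login forces the change the news post describes.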