[arch-dev-public] News draft: sorting old password hashes

Brett Cornwall brett at i--b.com
Sun Jun 6 21:50:22 UTC 2021


On 2021-06-06 22:08, Christian Hesse via arch-dev-public wrote:
>Jan Alexander Steffens via arch-dev-public
><arch-dev-public at lists.archlinux.org> on Sun, 2021/06/06 21:49:
>> On Sun, Jun 6, 2021 at 9:38 PM Christian Hesse via arch-dev-public <
>> arch-dev-public at lists.archlinux.org> wrote:
>>
>> > Hello everybody,
>> >
>> > old password hashes like MD5 are no longer accepted by recent libxcrypt.
>> > On next login, users may be forced to update their password. To make sure
>> > nobody is worried I would like to add an install message and news post:
>> >
>> > --- >8 ---
>> > Starting with libxcrypt 4.4.21 weak password hashes are no longer
>> > accepted. If you still have one in your shadow file, do not worry if you
>> > are forced to update your password on next login.
>> > --- >8 ---
>> >
>>
>> It confused me a bit. I think we can phrase this better:
>>
>> ```
>> Starting with libxcrypt 4.4.21, weak password hashes (such as MD5 and SHA1)
>> are no longer accepted for new passwords. Users that still have their
>> passwords stored with a weak hash will be asked to update their password
>> on their next login.
>> ```
>>
>> But is this really what is happening? I thought we had a complete failure
>> to log in, not a "forced to update".
>
>There was a force to update, but that failed. It was an issue in pam
>configuration, fixed in util-linux 2.37-2.
>
>> I'm also not clear if the latter would work with the display managers.
>
>I think it should... But we could add another sentence for safety:
>
>```
>Starting with `libxcrypt` 4.4.21, weak password hashes (such as MD5 and SHA1)
>are no longer accepted for new passwords. Users that still have their
>passwords stored with a weak hash will be asked to update their password on
>their next login.
>If the login just fails (for example from display manager) switch to a
>virtual terminal (`Ctrl-Alt-F2`) and login there once.

I think that's nice and clear. Though it should be "log in there once" 
instead of "login there once". :)
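The thread talks about accounts whose shadow entries still carry an MD5 or SHA1 crypt hash being forced to re-set their password once libxcrypt 4.4.21 lands. An administrator will usually want to know which accounts those are before the upgrade rather than after a failed display-manager login. The following script is an added example, not code from the thread or from the libxcrypt or util-linux projects: it parses shadow-format lines and reports the hash scheme of each account. Which prefixes count as "weak" here (md5crypt `$1$`, sha1crypt `$sha1$`, NT `$3$`, SunMD5, BSDi extended DES and 13-character traditional DES) is this example's own assumption based on the standard crypt(3) prefix conventions; the thread itself only names MD5 and SHA1. The sample entries are constructed and the hash bodies are made up.

```python
"""Audit /etc/shadow-style entries for weak password hash formats.

Added example (not part of the mailing-list thread). Run it against
`sudo cat /etc/shadow` output to see which accounts would be asked to
re-set their password after the libxcrypt 4.4.21 upgrade described in
the thread. The prefix tables are this example's assumption about
crypt(3) formats, not a list taken from the thread.
"""
import re
from typing import List, Tuple

# crypt(3) prefixes this example treats as weak (assumption, see docstring).
WEAK_PREFIXES = {
    "$1$": "md5crypt",
    "$sha1$": "sha1crypt",
    "$3$": "NT hash",
    "$md5": "SunMD5",          # matches both "$md5$" and "$md5,rounds=N$"
    "_": "BSDi extended DES",
}

# Prefixes this example treats as acceptable.
STRONG_PREFIXES = {
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt", "$6$": "sha512crypt",
    "$7$": "scrypt", "$y$": "yescrypt", "$gy$": "gost-yescrypt",
}

# Traditional DES: exactly 13 characters from the crypt alphabet, no '$'.
_DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify_hash(field: str) -> Tuple[str, str]:
    """Return (category, scheme) for one shadow password field.

    category is 'weak', 'strong', 'locked', 'empty' or 'unknown'.
    A leading '!' or '*' means the account cannot log in with a password,
    so it is reported as locked regardless of what follows.
    """
    if field == "":
        return ("empty", "no password set")
    if field[0] in "!*":
        return ("locked", "login disabled")
    for prefix, name in WEAK_PREFIXES.items():
        if field.startswith(prefix):
            return ("weak", name)
    for prefix, name in STRONG_PREFIXES.items():
        if field.startswith(prefix):
            return ("strong", name)
    if _DES_RE.match(field):
        return ("weak", "traditional DES")
    return ("unknown", "unrecognised format")


def audit_shadow(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Parse shadow-format lines; return (user, category, scheme) per entry."""
    results = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue  # malformed line, skip rather than guess
        user, pw = fields[0], fields[1]
        category, scheme = classify_hash(pw)
        results.append((user, category, scheme))
    return results


def weak_accounts(lines: List[str]) -> List[str]:
    """Names of accounts whose stored hash uses a weak scheme."""
    return [user for user, cat, _ in audit_shadow(lines) if cat == "weak"]


# Constructed sample entries; the hash bodies are made up, not real credentials.
SAMPLE_SHADOW = [
    "root:$6$saltsalt$AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:18800:0:99999:7:::",
    "alice:$1$saltsalt$BBBBBBBBBBBBBBBBBBBBBB:18800:0:99999:7:::",
    "bob:$sha1$40000$saltsalt$CCCCCCCCCCCCCCCCCCCCCCCCCCCC:18800:0:99999:7:::",
    "carol:$y$j9T$saltsaltsaltsaltsaltsal$DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD:18800:0:99999:7:::",
    "dave:abJnggxhB/yWI:18800:0:99999:7:::",
    "nobody:!:18800::::::",
    "svc:*:18800::::::",
]

if __name__ == "__main__":
    for user, category, scheme in audit_shadow(SAMPLE_SHADOW):
        print(f"{user:8} {category:8} {scheme}")
```

On the sample data the script flags `alice` (md5crypt), `bob` (sha1crypt) and `dave` (traditional DES) as the accounts that would hit the forced password change; locked and passwordless accounts are skipped, since they cannot log in with a password in the first place. To check a real system, pipe `/etc/shadow` into `audit_shadow` from a root shell and hand the list of weak accounts to the users concerned before the upgrade, so nobody is surprised by the display-manager failure the thread describes.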