Comments (4)
My bad: Additional information.
A look at /etc/shadow suggests that the passwords are indeed hashed using yescrypt. So what is missing is the ability to set the yescrypt_cost_factor in /etc/login.defs.
root@REDACTED:/etc# grep -irl cost_factor
root@REDACTED:/etc#
from yescrypt.
Of course it is there in common-password; but that is certainly not the place to set the cost_factor.
Why not? I think it is the primary place to set it, with rounds= to pam_unix.so. Does that not work for you? With typical ways to set/change a user password, which go via PAM, it should work.
As to login.defs, I don't know (haven't checked) whether or not Ubuntu has also updated to sufficiently recent shadow package to support yescrypt there (such version of shadow does exist, I just don't know whether it's in Ubuntu). Anyway, the password hashing specified/configured in there is normally only used by relatively obscure tools that bypass PAM: chpasswd and newusers (for users) and gpasswd and chgpasswd (for groups - an even more obscure feature).
Thanks. It seems the two concepts are somewhat different.
For SHA512 rounds=10000 would make SHA512 relatively more difficult to crack compared to rounds=5000 (default). More CPU cycles.
The YESCRYPT_COST_FACTOR=11 would make it logarithmically more difficult compared with =5. Longer salt(?) probably.
Doing a bit more research, it seems to appear as a bug in login.defs and its lack of consistency with common-password.
In sum, as of this morning the yescrypt implementation of Jammy needs a bugfix. I see that login.defs is already fixed in Debian Sid.
In Debian Sid, it is clear that rounds will be ignored for yescrypt, but the cost_factor will apply.
Yes, there's the linear vs. logarithmic difference in how the rounds setting is treated by sha512crypt vs. yescrypt. No, this has nothing to do with salt length.
However, regardless of this, on systems that use PAM (like Debian and Ubuntu do), you can use the rounds setting in common-password to adjust yescrypt cost factor. The settings in login.defs are relatively less important (are rarely used).
And yes, if login.defs comments have not yet been updated for yescrypt, that's something to fix. It makes me wonder, though, whether the shadow package itself has been updated to include yescrypt support or possibly not yet - which would make no difference for most usage, as I explained above.
I'll close this issue now as there's nothing for us to do on it - the yescrypt documentation is correct in claiming yescrypt is default on Ubuntu 22.04.
There may be something for Ubuntu to do - please feel free to open an issue with them. Thank you!
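An added example, not part of the thread and not code from the yescrypt project: a Python check that reads the two configuration sources discussed above (the pam_unix.so line in common-password and the hashing keys in login.defs) plus the scheme prefixes in shadow, so a disagreement between the PAM path and the PAM-bypassing tools is visible. The file contents are constructed samples and the function names are hypothetical.

```python
# Constructed sample file contents (not taken from the thread or a real host).
COMMON_PASSWORD = """\
password requisite pam_pwquality.so retry=3
password [success=1 default=ignore] pam_unix.so obscure use_authtok yescrypt rounds=8
"""
LOGIN_DEFS = """\
ENCRYPT_METHOD SHA512
#YESCRYPT_COST_FACTOR 5
SHA_CRYPT_MAX_ROUNDS 10000
"""
SHADOW = """\
alice:$y$j9T$SALTSALT$HASHHASH:19000:0:99999:7:::
bob:$6$rounds=10000$SALTSALT$HASHHASH:19000:0:99999:7:::
svc:!:19000::::::
"""
PAM_METHODS = {"md5", "bigcrypt", "sha256", "sha512", "blowfish", "gost_yescrypt", "yescrypt"}
PREFIXES = {"$y$": "yescrypt", "$6$": "sha512crypt", "$5$": "sha256crypt", "$1$": "md5crypt"}

def pam_unix_settings(text):
    """Hash method and rounds= on the pam_unix.so password line (None if absent)."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if fields[:1] == ["password"] and "pam_unix.so" in fields:
            args = fields[fields.index("pam_unix.so") + 1:]
            method = next((a for a in args if a in PAM_METHODS), None)
            rounds = next((int(a[7:]) for a in args if a.startswith("rounds=")), None)
            return {"method": method, "rounds": rounds}

def login_defs_settings(text):
    """Uncommented hashing keys in login.defs (read by tools that bypass PAM)."""
    keys = ("ENCRYPT_METHOD", "YESCRYPT_COST_FACTOR",
            "SHA_CRYPT_MIN_ROUNDS", "SHA_CRYPT_MAX_ROUNDS")
    found = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 2 and parts[0] in keys:
            found[parts[0]] = parts[1]
    return found

def shadow_schemes(text):
    """Map each account to the scheme named by its shadow hash prefix."""
    rows = (line.split(":")[:2] for line in text.splitlines())
    return {u: next((n for p, n in PREFIXES.items() if f.startswith(p)), "locked/other")
            for u, f in rows}

def methods_disagree(pam, defs):
    """True when the PAM line and login.defs name different hash methods."""
    pam_name = {"blowfish": "BCRYPT"}.get(pam["method"], str(pam["method"]).upper())
    return pam_name != defs.get("ENCRYPT_METHOD", "").upper()
```

On a real host, pass the contents of /etc/pam.d/common-password, /etc/login.defs and /etc/shadow (read as root) instead of the samples.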