Jan Alexander Steffens via arch-dev-public <arch-dev-public@lists.archlinux.org> on Sun, 2021/06/06 21:49:
> On Sun, Jun 6, 2021 at 9:38 PM Christian Hesse via arch-dev-public <
> arch-dev-public@lists.archlinux.org> wrote:
>
> > Hello everybody,
> >
> > old password hashes like MD5 are no longer accepted by recent libxcrypt.
> > On next login user may be enforced to update password. To make sure
> > nobody is worried I would like to add install message and news post:
> >
> > --- >8 ---
> > Starting with libxcrypt 4.4.21 weak password hashes are no longer
> > accepted. If you still have one in your shadow file do not worry if you
> > are enforced to update your password on next login.
> > --- >8 ---
> >
>
> It confused me a bit. I think we can phrase this better:
>
> ```
> Starting with libxcrypt 4.4.21, weak password hashes (such as MD5 and SHA1)
> are no longer accepted for new passwords. Users that still have their passwords
> stored with a weak hash will be asked to update their password on their next
> login.
> ```
>
> But is this really what is happening? I thought we had a complete failure
> to login, not a "forced to update".

There was a force to update, but that failed. It was an issue in pam
configuration, fixed in util-linux 2.37-2.

> I'm also not clear if the latter would work with the display managers.

I think it should... But we could add another sentence for safety:

```
Starting with `libxcrypt` 4.4.21, weak password hashes (such as MD5 and SHA1)
are no longer accepted for new passwords. Users that still have their passwords
stored with a weak hash will be asked to update their password on their next
login.
If the login just fails (for example from display manager) switch to a
virtual terminal (`Ctrl-Alt-F2`) and login there once.
```
-- 
main(a){char*c=/* Schoene Gruesse */"B?IJj;MEH"
"CX:;",b;for(a/* Best regards my address: */=0;b=c[a++];)
putchar(b-1/(/* Chris cc -ox -xc - && ./x */b/42*2-3)*42);}
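An added example, not part of the message above and not code from libxcrypt or Arch: a check an administrator could run over a copy of the shadow file to see which accounts still carry a hash of the kind the announcement describes. The prefix table follows crypt(5); the contents of `WEAK` beyond the MD5 and SHA1 cases named in the thread are this example's assumption, the function names are hypothetical, and the sample entries are constructed.

```python
import re

# Hash-scheme prefixes as documented in crypt(5).
PREFIXES = [
    ("$y$", "yescrypt"), ("$gy$", "gost-yescrypt"), ("$7$", "scrypt"),
    ("$2a$", "bcrypt"), ("$2b$", "bcrypt"), ("$2x$", "bcrypt"), ("$2y$", "bcrypt"),
    ("$6$", "sha512crypt"), ("$5$", "sha256crypt"),
    ("$sha1", "sha1crypt"), ("$md5", "sunmd5"), ("$1$", "md5crypt"),
    ("$3$", "nt"), ("_", "bsdicrypt"),
]
# Assumption: schemes treated as weak here; the thread itself names MD5 and SHA1.
WEAK = {"md5crypt", "sunmd5", "sha1crypt", "nt", "bsdicrypt", "descrypt"}
DES_RE = re.compile(r"[./0-9A-Za-z]{13,}")  # descrypt (13 chars) or bigcrypt (longer)

# Constructed sample in shadow(5) format; none of these are real hashes.
SAMPLE = """\
root:$6$constructedsalt$constructedhash:18700::::::
alice:$1$constructed$constructedhashvalue000000:18000:0:99999:7:::
bob:!$sha1$40000$constructed$constructedhash:18000::::::
carol:$y$j9T$constructedsalt$constructedhash:18780::::::
daemon:*:18000::::::
dave:abCONSTRUCTED:17000::::::
"""

def scheme(field):
    """Return the scheme name of a shadow password field, or None if no hash is set."""
    body = field.lstrip("!")  # a locked account keeps its hash behind a leading '!'
    if body in ("", "*", "x"):
        return None
    for prefix, name in PREFIXES:
        if body.startswith(prefix):
            return name
    return "descrypt" if DES_RE.fullmatch(body) else "unknown"

def weak_accounts(shadow_text):
    """Return [(user, scheme)] for entries with a weak or unrecognised hash."""
    found = []
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if line.startswith("#") or len(parts) < 2:
            continue
        name = scheme(parts[1])
        if name in WEAK or name == "unknown":
            found.append((parts[0], name))
    return found

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for user, name in weak_accounts(text):
        print(f"{user}: {name}")
```

Locked accounts such as `bob` are reported too, because the old hash is still in place and becomes usable again if the account is unlocked.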