On 2021-06-06 22:08, Christian Hesse via arch-dev-public wrote:
> Jan Alexander Steffens via arch-dev-public <arch-dev-public@lists.archlinux.org> on Sun, 2021/06/06 21:49:
>> On Sun, Jun 6, 2021 at 9:38 PM Christian Hesse via arch-dev-public <arch-dev-public@lists.archlinux.org> wrote:
>>> Hello everybody,
>>>
>>> old password hashes like MD5 are no longer accepted by recent libxcrypt.
>>> On next login user may be enforced to update password. To make sure
>>> nobody is worried I would like to add install message and news post:
>>>
>>> --- >8 ---
>>> Starting with libxcrypt 4.4.21 weak password hashes are no longer
>>> accepted. If you still have one in your shadow file do not worry if you
>>> are enforced to update your password on next login.
>>> --- >8 ---
>>
>> It confused me a bit. I think we can phrase this better:
>>
>> ```
>> Starting with libxcrypt 4.4.21, weak password hashes (such as MD5 and SHA1) are no longer accepted for new passwords. Users that still have their passwords stored with a weak hash will be asked to update their password on their next login.
>> ```
>>
>> But is this really what is happening? I thought we had a complete failure to login, not a "forced to update".
>
> There was a force to update, but that failed. It was an issue in pam configuration, fixed in util-linux 2.37-2.
>
>> I'm also not clear if the latter would work with the display managers.
>
> I think it should... But we could add another sentence for safety:
>
> ```
> Starting with `libxcrypt` 4.4.21, weak password hashes (such as MD5 and SHA1) are no longer accepted for new passwords. Users that still have their passwords stored with a weak hash will be asked to update their password on their next login. If the login just fails (for example from display manager) switch to a virtual terminal (`Ctrl-Alt-F2`) and login there once.
> ```
I think that's nice and clear. Though it should be "log in there once" instead of "login there once". :)
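Added example, not code from this thread or from the Arch, libxcrypt or util-linux projects: a POSIX shell audit that reads shadow(5) entries and reports accounts whose stored hash still uses a legacy crypt(5) method (md5crypt `$1$`, sha1crypt `$sha1$`, traditional DES, and the like), so an administrator can see before the libxcrypt upgrade who will be prompted to change their password, or whose login may fail through a display manager. The prefix-to-method mapping follows crypt(5); the set of methods treated as legacy is an assumption matching what libxcrypt's `crypt_checksalt()` reports as `CRYPT_SALT_METHOD_LEGACY` on a default build, so confirm it against your own build. The shadow lines in `SAMPLE_SHADOW` are constructed and the hashes in them are not real.

```shell
#!/bin/sh
# shadow_audit: flag shadow(5) entries whose hash uses a legacy crypt(5) method.
# Run as root against the real file:   sh shadow_audit.sh /etc/shadow
# Run with no argument to audit the constructed sample below.

# Map the password field of a shadow entry to its crypt(5) method name.
# Empty, '!' or '*' fields mean no password login is possible, so they are
# reported as "unusable" rather than as a hash method.
hash_method() {
    case "$1" in
        ''|'!'*|'*'*)   echo "unusable" ;;
        '$y$'*)         echo "yescrypt" ;;
        '$gy$'*)        echo "gost-yescrypt" ;;
        '$7$'*)         echo "scrypt" ;;
        '$2a$'*|'$2b$'*|'$2x$'*|'$2y$'*) echo "bcrypt" ;;
        '$6$'*)         echo "sha512crypt" ;;
        '$5$'*)         echo "sha256crypt" ;;
        '$1$'*)         echo "md5crypt" ;;
        '$sha1$'*)      echo "sha1crypt" ;;
        '$md5'*)        echo "sunmd5" ;;
        '$3$'*)         echo "nt" ;;
        '_'*)           echo "bsdicrypt" ;;
        '$'*)           echo "unknown" ;;
        *)              echo "descrypt" ;;   # no '$' prefix: traditional DES / bigcrypt
    esac
}

# Methods assumed to be reported as legacy by libxcrypt's crypt_checksalt()
# (assumption; verify against the libxcrypt build actually installed).
is_legacy() {
    case "$(hash_method "$1")" in
        md5crypt|sha1crypt|sunmd5|nt|bsdicrypt|descrypt) return 0 ;;
        *) return 1 ;;
    esac
}

# Read shadow(5) lines on stdin; print "user method" for every legacy hash.
# Returns 1 if any legacy hash was found, so it can gate an upgrade script.
audit_shadow() {
    found=0
    while IFS=: read -r user pw _rest; do
        [ -n "$user" ] || continue
        case "$user" in '#'*) continue ;; esac
        if is_legacy "$pw"; then
            printf '%s %s\n' "$user" "$(hash_method "$pw")"
            found=1
        fi
    done
    return $found
}

# Constructed sample; none of these hashes are real.
SAMPLE_SHADOW='root:$6$saltsalt$NotARealSha512CryptHash:18784:0:99999:7:::
alice:$1$saltsalt$NotARealMd5CryptHash:18784:0:99999:7:::
bob:$y$j9T$saltsaltsalt$NotARealYescryptHash:18784:0:99999:7:::
carol:$sha1$40000$saltsalt$NotARealSha1CryptHash:18784:0:99999:7:::
dave:!:18784:0:99999:7:::
erin:AbCdEfGhIjKlM:18784:0:99999:7:::
frank:$2b$12$saltsaltsaltsaltsaltsaNotARealBcryptHash:18784:0:99999:7:::'

if [ $# -gt 0 ]; then
    audit_shadow < "$1" || echo "legacy hashes found: the users above will be asked to change their password"
else
    printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow || :
fi
```

On the sample this prints `alice md5crypt`, `carol sha1crypt` and `erin descrypt`; `dave` is skipped because a `!` field cannot log in by password at all, and `frank`'s bcrypt hash is not legacy. To force the re-hash yourself instead of waiting for the next interactive login (for example for accounts that only ever log in through a display manager), `chage -d 0 <user>` expires the password immediately, and `passwd <user>` re-hashes it with the current default method on the spot.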