Hi again, as the changes are rather diverse and manual intervention should not be needed, Leonidas and I have spent some time to restructure the text a bit for readability (also altered title slightly):
```markdown With shadow >= `4.14.0`, Arch Linux's default password hashing algorithm changed from `SHA512` to [yescrypt](https://www.openwall.com/yescrypt/). Furthermore, the [umask](https://man.archlinux.org/man/umask.1p) settings are now configured in `/etc/login.defs` instead of `/etc/profile`. This should not require any manual intervention. ## Reasons for Yescrypt The password-based key derivation function (KDF) and password hashing scheme `yescrypt` has been chosen due to its adoption (readily available in *libxcrypt*, which is used by [PAM](https://wiki.archlinux.org/title/PAM)) and its stronger resilience towards password cracking attempts over `SHA512`. Although the winner of the [Password Hashing Competition](https://www.password-hashing.net/) has been `argon2`, this even more resilient algorithm is [not yet available in libxcrypt](https://github.com/besser82/libxcrypt/pull/150). ## Configuring yescrypt The `YESCRYPT_COST_FACTOR` setting in `/etc/login.defs` is currently without effect, until [PAM implements reading its value](https://github.com/linux-pam/linux-pam/issues/607). If a `YESCRYPT_COST_FACTOR` higher (or lower) than the default (`5`) is needed, it can be set using the `rounds` option of the [pam_unix](https://man.archlinux.org/man/pam_unix.8) module (i.e. in `/etc/pam.d/system-auth`). ## General list of changes - `yescrypt` is used as default password hashing algorithm, instead of `SHA512` - PAM honors the chosen `ENCRYPT_METHOD` in `/etc/login.defs` and does not override the chosen method anymore - changes in the filesystem (>= `2023.09.18`) and pambase (>= `20230918`) packages ensure, that [umask](https://man.archlinux.org/man/umask.1p) is set centrally in `/etc/login.defs` instead of `/etc/profile` ``` Changes have been done collaboratively in a pad [1] as doing them bit by bit over mail is rather cumbersome. Best, David [1] https://md.archlinux.org/Y5YE6OV8SCePY-sx-hVVXQ?view -- https://sleepmap.de
signature.asc
Description: PGP signature
