Control: tags -1 patch pending

Hi,

On Tue, 02 Feb 2021 17:27:38 -0500 Sam Hartman <hartm...@debian.org> wrote:
> I'd recommend text like the following for the release notes
> 
> Password Hashing Uses Yescrypt by Default
> 
> The default password hash for local system accounts has been changed to
> yescrypt (https://www.openwall.com/yescrypt/).  This is expected to
> provide improved security against dictionary-based password guessing
> attacks, focusing both on the space as well as time complexity of the
> attack.
> To take advantage of this improved security, change local passwords; for
> example use the `passwd` command.
> 
> Old passwords will continue to work using whatever password hash was
> used to create them.
> 
> 
> Yescrypt is not supported by Debian 10 (Buster).  As a result, shadow
> password files (`/etc/shadow`) cannot be copied from a Debian 11 system
> back to a Debian 10 system.  If these files are copied, passwords that
> have been changed on the Debian 11 system will not work on the Debian 10
> system.
> Similarly, password hashes cannot be cut&paste from a Debian 11 to a
> Debian 10 system.
> 
> If compatibility is required for password hashes between Debian 11 and
> Debian 10, modify `/etc/pam.d/common-password`.  Find the line that
> looks like:
> 
>     password        [success=1 default=ignore]      pam_unix.so obscure yescrypt
> 
> and replace `yescrypt` with `sha512`.

I converted (with small modifications) this into the attached patch,
ready to push.

Paul
From b784bf1fc83700a7651af66ad8c23b01df10407a Mon Sep 17 00:00:00 2001
From: Sam Hartman <hartm...@debian.org>
Date: Thu, 18 Mar 2021 15:14:41 +0100
Subject: [PATCH] issues.dbk: PAM changed the default password hash

Closes: #981693
---
 en/issues.dbk | 39 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)

diff --git a/en/issues.dbk b/en/issues.dbk
index fbe357b8..f3ff6d48 100644
--- a/en/issues.dbk
+++ b/en/issues.dbk
@@ -82,6 +82,45 @@ information mentioned in <xref linkend="morereading"/>.
     </para>
   </section>
 
+  <section id="pam-default-password">
+    <!-- buster to bullseye -->
+    <title>Password hashing uses yescript by default</title>
+    <para>
+      The default password hash for local system accounts has been
+      changed to <ulink
+      url="https://www.openwall.com/yescrypt/";>yescrypt</ulink>. This
+      is expected to provide improve security against dictionary-based
+      password guessing attacks, focusing both on the space as well as
+      time complexity of the attack.
+    </para>
+    <para>
+      To take advantage of this improved security, change local
+      passwords; for example use the <command>passwd</command> command.
+    </para>
+    <para>
+      Old passwords will continue to work using whatever password hash
+      was used to create them.
+    </para>
+    <para>
+      Yescrypt is not supported by Debian 10 (buster). As a result,
+      shadow password files (<filename>/etc/shadow</filename>) cannot be
+      copied from a bullseye system back to a buster system.  If these
+      files are copied, passwords that have been changed on the bullseye
+      system will not work on the buster system.  Similarly, password
+      hashes cannot be cut&aml;paste from a bullseye to a buster system.
+    </para>
+    <para>
+      If compatibility is required for password hashes between bullseye
+      and buster, modify
+      <filename>/etc/pam.d/common-password</filename>. Find the line
+      that looks like:
+      <programlisting>
+	password [success=1 default=ignore] pam_unix.so obscure yescrypt
+      </programlisting>
+      and replace <literal>yescrypt</literal> with <literal>sha512</literal>.
+    </para>
+  </section>
+
   <section id="noteworthy-obsolete-packages">
     <title>Noteworthy obsolete packages</title>
     <para>
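Review bot: `cut&aml;paste` in the new buster-compatibility paragraph is not a valid XML entity and will make `en/issues.dbk` fail to parse; it should be `cut&amp;paste`. In the same section the `<ulink url="https://www.openwall.com/yescrypt/";>` start tag carries a stray `;` after the closing quote (it looks like a mail-client URL artifact), which is likewise not well-formed XML and should be dropped. Two wording points from the original text were carried over as well: the `<title>` spells the hash as `yescript` where the rest of the section says `yescrypt`, and `provide improve security` should read `provide improved security`. Finally, `<programlisting>` preserves whitespace, so the leading tab before `password [success=1 default=ignore] ...` will be rendered verbatim; starting the listing content flush left avoids that.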
-- 
2.30.2
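As an added example (not part of this mail or of the release-notes patch), the following POSIX shell script classifies the hash scheme of every account in a shadow-format file, so an administrator can see in advance which accounts would stop working after copying `/etc/shadow` from a bullseye system back to buster, as the note above warns. It assumes the standard crypt(3) prefix conventions (`$y$` for yescrypt, `$6$` for sha512crypt, and so on), which the mail itself does not spell out, and it runs on a constructed sample file rather than the real `/etc/shadow`.

```shell
#!/bin/sh
# Added example, not code from the mail or from the release-notes repository.
# Classifies the hash scheme of each entry in a shadow-format file so an
# administrator can see which accounts already use yescrypt and would stop
# working if /etc/shadow were copied back to a Debian 10 (buster) system.
# Assumption (standard crypt(3) conventions, not stated in the mail):
#   "$y$" yescrypt, "$7$" yescrypt in scrypt-compatible mode, "$6$" sha512crypt,
#   "$5$" sha256crypt, "$1$" md5crypt, "$2..$" bcrypt; "!" / "*" or an empty
#   field means a locked or passwordless account.

# hash_scheme HASH -> prints the scheme name for one crypt(3) string
hash_scheme() {
    case "$1" in
        '$y$'*)        echo yescrypt ;;
        '$7$'*)        echo yescrypt-scrypt-compat ;;
        '$6$'*)        echo sha512 ;;
        '$5$'*)        echo sha256 ;;
        '$1$'*)        echo md5 ;;
        '$2'*)         echo bcrypt ;;
        ''|'!'*|'*'*)  echo locked-or-empty ;;
        *)             echo unknown ;;
    esac
}

# buster_incompatible FILE -> prints "user scheme" for each account whose
# hash a buster libcrypt cannot verify; exit status 1 if any were found.
# Locked accounts are skipped: they cannot log in on either release anyway.
buster_incompatible() {
    found=0
    while IFS=: read -r user hash _rest; do
        case "$user" in ''|'#'*) continue ;; esac
        scheme=$(hash_scheme "$hash")
        case "$scheme" in
            yescrypt|yescrypt-scrypt-compat|unknown)
                echo "$user $scheme"
                found=1 ;;
        esac
    done < "$1"
    [ "$found" -eq 0 ]
}

# Constructed sample shadow file; the hash bodies are placeholders, not real
# hashes, so none of these entries would verify against any password.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:$y$j9T$EXAMPLEsaltEXAMPLE$EXAMPLEhashbody:18700:0:99999:7:::
alice:$6$EXAMPLEsalt$EXAMPLEhashbody:18600:0:99999:7:::
daemon:*:18500:0:99999:7:::
bob:!$y$j9T$EXAMPLEsalt$EXAMPLEhashbody:18700:0:99999:7:::
EOF

# On the sample this reports only "root yescrypt": alice still uses sha512,
# daemon has no password and bob is a locked yescrypt entry.
buster_incompatible "$SAMPLE" || echo "some accounts would not work on buster"
rm -f "$SAMPLE"
```

Against a live system, run it as root with `buster_incompatible /etc/shadow` before copying the file anywhere; the check complements the `common-password` change described above, which only affects hashes created after the edit, not hashes that were already written as yescrypt.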
