[arch-dev-public] News draft: sorting old password hashes
Hello everybody,

old password hashes like MD5 are no longer accepted by recent libxcrypt. On next login users may be forced to update their password. To make sure nobody is worried I would like to add an install message and news post:

--- >8 ---
Starting with libxcrypt 4.4.21 weak password hashes are no longer accepted.
If you still have one in your shadow file do not worry if you are forced to update your password on next login.
--- >8 ---

--
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH" "CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];) putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}
Re: [arch-dev-public] News draft: sorting old password hashes
On Sun, Jun 6, 2021 at 9:38 PM Christian Hesse via arch-dev-public <arch-dev-public@lists.archlinux.org> wrote:
> Hello everybody,
>
> old password hashes like MD5 are no longer accepted by recent libxcrypt. On next login users may be forced to update their password. To make sure nobody is worried I would like to add an install message and news post:
>
> --- >8 ---
> Starting with libxcrypt 4.4.21 weak password hashes are no longer accepted.
> If you still have one in your shadow file do not worry if you are forced to update your password on next login.
> --- >8 ---

It confused me a bit. I think we can phrase this better:

```
Starting with libxcrypt 4.4.21, weak password hashes (such as MD5 and SHA1) are no longer accepted for new passwords. Users that still have their passwords stored with a weak hash will be asked to update their password on their next login.
```

But is this really what is happening? I thought we had a complete failure to log in, not a "forced to update".

I'm also not clear if the latter would work with the display managers.
Re: [arch-dev-public] retracting libxcrypt 4.4.22-1 from [testing]
Christian Hesse via arch-dev-public on Fri, 2021/05/28 17:48:
> Hello everybody,
>
> the testing package libxcrypt 4.4.22-1 was reported to be bad... Andreas was forced to change his password on login, which resulted in him being locked out of his system. We are trying to clarify...
>
> So I removed libxcrypt from [testing] for the time being.

I found the real issue: our pam configurations for 'login' and 'su' were missing the configuration for 'password', thus updating an expired password failed. This is now fixed in util-linux 2.37-2, which will move with libxcrypt 4.4.22.

--
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH" "CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];) putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}
Re: [arch-dev-public] News draft: sorting old password hashes
Jan Alexander Steffens via arch-dev-public on Sun, 2021/06/06 21:49:
> On Sun, Jun 6, 2021 at 9:38 PM Christian Hesse via arch-dev-public <arch-dev-public@lists.archlinux.org> wrote:
> > Hello everybody,
> >
> > old password hashes like MD5 are no longer accepted by recent libxcrypt. On next login users may be forced to update their password. To make sure nobody is worried I would like to add an install message and news post:
> >
> > --- >8 ---
> > Starting with libxcrypt 4.4.21 weak password hashes are no longer accepted.
> > If you still have one in your shadow file do not worry if you are forced to update your password on next login.
> > --- >8 ---
>
> It confused me a bit. I think we can phrase this better:
>
> ```
> Starting with libxcrypt 4.4.21, weak password hashes (such as MD5 and SHA1) are no longer accepted for new passwords. Users that still have their passwords stored with a weak hash will be asked to update their password on their next login.
> ```
>
> But is this really what is happening? I thought we had a complete failure to log in, not a "forced to update".

There was a force to update, but that failed. It was an issue in pam configuration, fixed in util-linux 2.37-2.

> I'm also not clear if the latter would work with the display managers.

I think it should... But we could add another sentence for safety:

```
Starting with `libxcrypt` 4.4.21, weak password hashes (such as MD5 and SHA1) are no longer accepted for new passwords. Users that still have their passwords stored with a weak hash will be asked to update their password on their next login. If the login just fails (for example from display manager) switch to a virtual terminal (`Ctrl-Alt-F2`) and login there once.
```

--
main(a){char*c=/*Schoene Gruesse */"B?IJj;MEH" "CX:;",b;for(a/*Best regards my address:*/=0;b=c[a++];) putchar(b-1/(/*Chriscc -ox -xc - && ./x*/b/42*2-3)*42);}
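As an added check that is not part of the thread or of any Arch package: a small parser that classifies the hash scheme of every entry in shadow-format text, so an administrator can see before the upgrade which accounts still carry a weak hash. The prefix table follows crypt(5); counting DES, NT and BSDi crypt as weak alongside the MD5 and SHA1 named in the thread is my assumption, and the sample shadow lines are constructed placeholders.

```python
import re
from typing import Dict, List
# Hash-id prefixes found in /etc/shadow, per crypt(5).
PREFIX_ALGOS = {
    "$y$": "yescrypt", "$gy$": "gost-yescrypt", "$7$": "scrypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$6$": "sha512crypt", "$5$": "sha256crypt",
    "$sha1$": "sha1crypt", "$1$": "md5crypt", "$3$": "nt", "_": "bsdicrypt",
}
# MD5 and SHA1 are what the thread names; DES, NT and BSDi crypt are the other
# legacy schemes and are treated as weak here as well (editor's assumption).
WEAK_ALGOS = {"md5crypt", "sha1crypt", "descrypt", "nt", "bsdicrypt"}

def classify_hash(field: str) -> str:
    """Map the password field of one shadow line to a scheme name."""
    if field == "" or field.startswith(("!", "*")):
        return "locked-or-empty"  # no usable hash, nothing to migrate
    for prefix, algo in PREFIX_ALGOS.items():
        if field.startswith(prefix):
            return algo
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "descrypt"  # traditional DES crypt: 13 chars, no prefix
    return "unknown"

def parse_shadow(text: str) -> Dict[str, str]:
    """Return {username: scheme} for every entry in shadow-format text."""
    result = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, pw_field = line.split(":", 2)[:2]  # name:password:lastchg:...
        result[user] = classify_hash(pw_field)
    return result

def weak_accounts(text: str) -> List[str]:
    """Users whose stored hash uses a scheme a strong-only libxcrypt refuses."""
    return [u for u, algo in parse_shadow(text).items() if algo in WEAK_ALGOS]
# Constructed sample: the hash bodies are placeholders, not real digests.
SHADOW_SAMPLE = """\
root:$6$saltsalt$PLACEHOLDERSHA512:18700:0:99999:7:::
alice:$y$j9T$saltsalt$PLACEHOLDERYESCRYPT:18800:0:99999:7:::
bob:$1$saltsalt$PLACEHOLDERMD5:15000:0:99999:7:::
carol:$sha1$40000$saltsalt$PLACEHOLDERSHA1:16000:0:99999:7:::
legacy:AbCdEfGhIjKlM:12000:0:99999:7:::
daemon:!*:18700::::::
"""
if __name__ == "__main__":
    for user, algo in parse_shadow(SHADOW_SAMPLE).items():
        print(f"{user:8} {algo:14} {'WEAK' if algo in WEAK_ALGOS else 'ok'}")
```

On a real system, feed it the contents of /etc/shadow as root; accounts it reports as weak are the ones that will be asked to set a new password after the upgrade.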
Re: [arch-dev-public] Transitioning out my master key
On 01/06/2021 16:24, Giancarlo Razzolini via arch-dev-public wrote:
> On June 1, 2021 10:54 Allan McRae via arch-dev-public wrote:
> > It is time for my master key to be retired. That cannot happen any time soon, as revoking my key means ~25% of packagers will not be able to validly sign packages...
> >
> > For now, I will no longer be signing new packager keys with my master key. I am unlikely to revoke signatures for people who retire from packaging either.
> >
> > Allan
>
> I have been discussing with Dave, and I would be up for holding a MK, or revocation key.

I support you as a new master key holder, and can be a revoker if required. I think we should add another master key holder, as david is replacing barthaltion's key.

Greetings,
Jelle van der Waa
Re: [arch-dev-public] News draft: sorting old password hashes
On 2021-06-06 22:08, Christian Hesse via arch-dev-public wrote:
> Jan Alexander Steffens via arch-dev-public on Sun, 2021/06/06 21:49:
> > On Sun, Jun 6, 2021 at 9:38 PM Christian Hesse via arch-dev-public <arch-dev-public@lists.archlinux.org> wrote:
> > > Hello everybody,
> > >
> > > old password hashes like MD5 are no longer accepted by recent libxcrypt. On next login users may be forced to update their password. To make sure nobody is worried I would like to add an install message and news post:
> > >
> > > --- >8 ---
> > > Starting with libxcrypt 4.4.21 weak password hashes are no longer accepted.
> > > If you still have one in your shadow file do not worry if you are forced to update your password on next login.
> > > --- >8 ---
> >
> > It confused me a bit. I think we can phrase this better:
> >
> > ```
> > Starting with libxcrypt 4.4.21, weak password hashes (such as MD5 and SHA1) are no longer accepted for new passwords. Users that still have their passwords stored with a weak hash will be asked to update their password on their next login.
> > ```
> >
> > But is this really what is happening? I thought we had a complete failure to log in, not a "forced to update".
>
> There was a force to update, but that failed. It was an issue in pam configuration, fixed in util-linux 2.37-2.
>
> > I'm also not clear if the latter would work with the display managers.
>
> I think it should... But we could add another sentence for safety:
>
> ```
> Starting with `libxcrypt` 4.4.21, weak password hashes (such as MD5 and SHA1) are no longer accepted for new passwords. Users that still have their passwords stored with a weak hash will be asked to update their password on their next login. If the login just fails (for example from display manager) switch to a virtual terminal (`Ctrl-Alt-F2`) and login there once.
> ```

I think that's nice and clear. Though it should be "log in there once" instead of "login there once". :)