Sam Hartman
2021-02-02 22:40:02 UTC
package: release-notes
x-debbuggs-cc: ***@packages.debian.org
Hi. I've never filed one of these before, and I'm in the middle of
several other things, so I decided to file the bug even if I get it not
quite right rather than forgetting.
Pam 1.4.0-3 changes the default password hash to yescript. That means
that users may get a security improvement if they reset their
passwords. It also has compatibility implications.
I'd recommend text like the following for the release notes
Password Hashing Uses Yescript by Default
The default password hash for local system accounts has been changed to
yescrypt (https://www.openwall.com/yescrypt/ ). This is expected to
provide improve security against dictionary-based password guessing
attacks, focusing both on the space as well as time complexity of the
attack.
To take advantage of this improved security, change local passwords; for
example use the `passwd` command.
Old passwords will continue to work using whatever password hash was
used to create them.
Yescrypt is not supported by Debian 10 (Buster). As a result, shadow
password files (`/etc/shadow`) cannot be copied from a Debian 11 system
back to a Debian 10 system. If these files are copied, passwords that
have been changed on the Debian 11 system will not work on the Debian 10
system.
Similarly, password hashes cannot be cut&paste from a Debian 11 to a
Debian 10 system.
If compatibility is required for password hashes between Debian 11 and
Debian 10, modify `/etc/pam.d/common-password`. Find the line that
looks like:
password [success=1 default=ignore] pam_unix.so obscure
yescrypt
and replace `yescrypt` with `sha512`.
x-debbuggs-cc: ***@packages.debian.org
Hi. I've never filed one of these before, and I'm in the middle of
several other things, so I decided to file the bug even if I get it not
quite right rather than forgetting.
Pam 1.4.0-3 changes the default password hash to yescript. That means
that users may get a security improvement if they reset their
passwords. It also has compatibility implications.
I'd recommend text like the following for the release notes
Password Hashing Uses Yescript by Default
The default password hash for local system accounts has been changed to
yescrypt (https://www.openwall.com/yescrypt/ ). This is expected to
provide improve security against dictionary-based password guessing
attacks, focusing both on the space as well as time complexity of the
attack.
To take advantage of this improved security, change local passwords; for
example use the `passwd` command.
Old passwords will continue to work using whatever password hash was
used to create them.
Yescrypt is not supported by Debian 10 (Buster). As a result, shadow
password files (`/etc/shadow`) cannot be copied from a Debian 11 system
back to a Debian 10 system. If these files are copied, passwords that
have been changed on the Debian 11 system will not work on the Debian 10
system.
Similarly, password hashes cannot be cut&paste from a Debian 11 to a
Debian 10 system.
If compatibility is required for password hashes between Debian 11 and
Debian 10, modify `/etc/pam.d/common-password`. Find the line that
looks like:
password [success=1 default=ignore] pam_unix.so obscure
yescrypt
and replace `yescrypt` with `sha512`.