Can not login to personal user, but as root

Aragorn · 4 October 2023 17:14

Did you install today’s Stable Update? If so, then you should have paid attention to this…

[Stable Update] 2023-10-04 - Kernels, Systemd, LibreOffice, NVIDIA, Mesa, GNOME, AMDVLK

2023-09-22 - David Runge

With shadow >= 4.14.0, Arch Linux’s default password hashing algorithm changed from SHA512 to yescrypt [1].

Furthermore, the umask [2] settings are now configured in /etc/login.defs instead of /etc/profile.

This should not require any manual intervention.

Reasons for Yescrypt

The password-based key derivation function (KDF) and password hashing scheme yescrypt has been chosen due to its adoption (readily available in libxcrypt, which is used by pam [3]) and its stronger resilience towards password cracking attempts over SHA512.

Although the winner of the Password Hashing Competition [4] has been argon2, this even more resilient algorithm is not yet available in libxcrypt [5][6].

Configuring yescrypt

The YESCRYPT_COST_FACTOR setting in /etc/login.defs is currently without effect, until pam implements reading its value [7]. If a YESCRYPT_COST_FACTOR higher (or lower) than the default (5) is needed, it can be set using the rounds option of the pam_unix [8] module (i.e. in /etc/pam.d/system-auth).

General list of changes

yescrypt is used as default password hashing algorithm, instead of SHA512

pam honors the chosen ENCRYPT_METHOD in /etc/login.defs and does not override the chosen method anymore

changes in the filesystem (>= 2023.09.18) and pambase (>= 20230918) packages ensure, that umask is set centrally in /etc/login.defs instead of /etc/profile

[1] yescrypt - scalable KDF and password hashing scheme

[2] umask(1p) — Arch manual pages

[3] PAM - ArchWiki

[4] https://www.password-hashing.net/

[5] [RFC] Add argon2 backend. by ferivoz · Pull Request #113 · besser82/libxcrypt · GitHub

[6] Add support for Argon2 by maandree · Pull Request #150 · besser82/libxcrypt · GitHub

[7] pam_unix: Support reading YESCRYPT_COST_FACTOR from /etc/login.defs · Issue #607 · linux-pam/linux-pam · GitHub

[8] pam_unix(8) — Arch manual pages

You probably need to set a new password in order for yescrypt to be able to work on your old login, because your old login was still using sha512, and with the new encryption algorithm in place, logind can probably not recognize the sha512-encrypted password for your account in /etc/shadow.