[Unstable Update] Changes to default password hashing algorithm and umask settings

Hello community,

Another unstable branch update with some (un)usual package updates for you.

In summary, this should not require any manual intervention.

Note that we have our own filesystem package which is currently 2023.09.22-1.

Changes to default password hashing algorithm and umask settings

2023-09-22 - David Runge

With shadow >= 4.14.0, Arch Linux’s default password hashing algorithm changed from SHA512 to yescrypt [1].

Furthermore, the umask [2] settings are now configured in /etc/login.defs instead of /etc/profile.

This should not require any manual intervention.

Reasons for Yescrypt

The password-based key derivation function (KDF) and password hashing scheme yescrypt has been chosen due to its adoption (readily available in libxcrypt, which is used by pam [3]) and its stronger resilience towards password cracking attempts over SHA512.

Although the winner of the Password Hashing Competition [4] has been argon2, this even more resilient algorithm is not yet available in libxcrypt [5][6].

Configuring yescrypt

The YESCRYPT_COST_FACTOR setting in /etc/login.defs is currently without effect, until pam implements reading its value [7]. If a YESCRYPT_COST_FACTOR higher (or lower) than the default (5) is needed, it can be set using the rounds option of the pam_unix [8] module (i.e. in /etc/pam.d/system-auth).

General list of changes

  • yescrypt is used as default password hashing algorithm, instead of SHA512
  • pam honors the chosen ENCRYPT_METHOD in /etc/login.defs and does not override the chosen method anymore
  • changes in the filesystem (>= 2023.09.18) and pambase (>= 20230918) packages ensure that umask is set centrally in /etc/login.defs instead of /etc/profile

[1] yescrypt - scalable KDF and password hashing scheme

[2] umask(1p) — Arch manual pages

[3] PAM - ArchWiki

[4] https://www.password-hashing.net/

[5] [RFC] Add argon2 backend. by ferivoz · Pull Request #113 · besser82/libxcrypt · GitHub

[6] Add support for Argon2 by maandree · Pull Request #150 · besser82/libxcrypt · GitHub

[7] pam_unix: Support reading YESCRYPT_COST_FACTOR from /etc/login.defs · Issue #607 · linux-pam/linux-pam · GitHub

[8] pam_unix(8) — Arch manual pages

Info about AUR packages

:warning: AUR (Arch User Repository) packages are neither supported by Arch nor Manjaro. Posts about them in Announcement topics are off-topic and will be flagged, moved or removed without warning.

Get our latest daily developer images now from Github: Plasma, GNOME, XFCE. You can get the latest stable releases of Manjaro from CDN77.


2 Likes

Saw this earlier, with the main bit for most people being

This should not require any manual intervention.

1 Like

I know, I figured it was time to create a new Unstable Updates thread regardless. :man_shrugging:

2 Likes

Essentially, the initial characters of the password field value in /etc/shadow identify the encryption algorithm:

  • $1$ is MD5
  • $2a$ is blowfish
  • $5$ is SHA-256
  • $6$ is SHA-512
  • $y$ (or $7$) is yescrypt

Source: https://www.baeldung.com/linux/shadow-passwords

I checked /etc/shadow, it does not use the default hashing algorithm Yescrypt after this update and reboot.

Edit:

How to switch SHA512 to Yescrypt:

Change your pw in CLI: $ sudo passwd [USER_NAME]

Attention: Do not use GUI e.g. “KDE Manage Users” that still uses SHA512 by default.
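To check which accounts are still on the old scheme, here is an added audit script (not from the original post or from Arch/Manjaro) that classifies each /etc/shadow line by its $id$ prefix as listed above; the sample shadow lines and hash values are constructed and not real hashes. Run it as root against the real file with `audit(open("/etc/shadow").read())`.

```python
"""Audit an /etc/shadow-style file: which hashing scheme does each account use?"""
import re

# crypt(5) identifiers, following the list in the reply above
# (the reply lists $7$ alongside $y$ for yescrypt).
SCHEMES = {
    "1": "MD5",
    "2a": "blowfish",
    "5": "SHA-256",
    "6": "SHA-512",
    "7": "yescrypt",
    "y": "yescrypt",
}

# Constructed sample in shadow(5) layout; the hash bodies are placeholders.
SAMPLE_SHADOW = """\
# user:password:lastchg:min:max:warn:inactive:expire:reserved
root:$y$j9T$CONSTRUCTEDSALT$CONSTRUCTEDHASHCONSTRUCTEDHASHCONSTRUCTEDHASH:19622:0:99999:7:::
alice:$6$CONSTRUCTED$CONSTRUCTEDHASHCONSTRUCTEDHASHCONSTRUCTEDHASH:19600:0:99999:7:::
bob:!$6$CONSTRUCTED$CONSTRUCTEDHASHCONSTRUCTEDHASHCONSTRUCTEDHASH:19600:0:99999:7:::
daemon:*:19500:0:99999:7:::
svc:!!:19500::::::
"""


def classify(field: str) -> str:
    """Return the hashing scheme used by one shadow password field."""
    locked = field.startswith("!")        # leading '!' marks a locked account
    body = field.lstrip("!")
    if body in ("", "*"):
        return "locked/no password"       # no usable hash stored at all
    m = re.match(r"^\$([^$]+)\$", body)
    if m is None:
        return "legacy DES crypt"         # no $id$ prefix: traditional crypt(3)
    scheme = SCHEMES.get(m.group(1), f"unknown (${m.group(1)}$)")
    return f"{scheme} [locked]" if locked else scheme


def audit(shadow_text: str) -> dict:
    """Map each account name to its scheme; skips comments and malformed lines."""
    result = {}
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 2:
            result[fields[0]] = classify(fields[1])
    return result


def needs_rehash(shadow_text: str, wanted: str = "yescrypt") -> list:
    """Accounts holding a real hash that is not `wanted`; they only move to
    yescrypt once the password is set again (e.g. with passwd), never by the update."""
    return sorted(user for user, scheme in audit(shadow_text).items()
                  if scheme != "locked/no password"
                  and not scheme.startswith("unknown")
                  and not scheme.startswith(wanted))
```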

Which is a Bad Idea™, because this means that there can now be only one umask setting for all user accounts. Before, one could distinguish between the root account’s umask (which needs to be 022) and that of unprivileged users. The following is from my own /etc/profile. :arrow_down:

if [ ${UID} -lt 1000 ]   # system accounts, root included: keep the traditional umask
then
    umask 022
else                     # regular users: files and directories private by default
    umask 077
fi

/etc/login.defs has only one umask setting… :arrow_down:

# Default initial "umask" value used by login(1) on non-PAM enabled systems.
# Default "umask" value for pam_umask(8) on PAM enabled systems.
# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
# home directories if HOME_MODE is not set.
# 022 is the default value, but 027, or even 077, could be considered
# for increased privacy. There is no One True Answer here: each sysadmin
# must make up their mind.
UMASK           077

So … why not use HOME_MODE to achieve the same thing, as outlined in the header comments?

That’s not the same thing. It only pertains to the creation of the home directories.
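To make the difference concrete, here is an added example (not from the post or from the distribution) that applies the UID rule from the /etc/profile snippet above and creates a file and a directory under each umask to show the resulting permission bits; the UID values are constructed.

```python
"""Show what a umask actually does to newly created files and directories."""
import os
import stat
import tempfile


def umask_for_uid(uid: int) -> int:
    """The per-account rule from the /etc/profile snippet: system accounts
    (uid < 1000) get 022, everyone else 077."""
    return 0o022 if uid < 1000 else 0o077


def created_modes(umask: int) -> tuple:
    """Create a file and a directory under `umask` and return their permission
    bits (file, directory). A file starts from 0666 and a directory from 0777;
    the umask bits are cleared from those defaults."""
    previous = os.umask(umask)           # umask is process-wide, so restore it after
    try:
        with tempfile.TemporaryDirectory() as tmp:
            path = os.path.join(tmp, "example.txt")
            open(path, "w").close()
            sub = os.path.join(tmp, "subdir")
            os.mkdir(sub)
            return (stat.S_IMODE(os.stat(path).st_mode),
                    stat.S_IMODE(os.stat(sub).st_mode))
    finally:
        os.umask(previous)


def compare(uids=(0, 1000)) -> dict:
    """Per constructed uid: modes under the old per-account rule versus the
    single UMASK 077 that /etc/login.defs now applies to every account."""
    report = {}
    for uid in uids:
        report[uid] = {
            "per_account_rule": created_modes(umask_for_uid(uid)),
            "single_umask_077": created_modes(0o077),
        }
    return report


if __name__ == "__main__":
    for uid, modes in compare().items():
        print(f"uid {uid}:", {k: tuple(oct(m) for m in v) for k, v in modes.items()})
```

With a single UMASK 077, root's newly created files come out 0600 and directories 0700, which is the point of the objection above: they are no longer readable by other accounts unless root chmods them afterwards.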

It doesn’t work retroactively. Think about it: how will it decrypt current SHA-512 ones? Change your pw.

3 Likes

2 days ago, I had created a new user via KDE Manage Users and changed its pw; it still uses SHA512 by default.

Today I tried to create another new user with useradd and passwd in the CLI. Ah yes, it uses yescrypt.
It looks like this “KDE Manage Users” does not use passwd.

I changed root’s pw and my account’s pw in the CLI; do not use “KDE Manage Users”. Thank you.

1 Like

So it begins?

:: Starting full system upgrade...
:: Replace attica with extra/attica5? [Y/n] 
:: Replace baloo with extra/baloo5? [Y/n] 
:: Replace bluez-qt with extra/bluez-qt5? [Y/n] 
:: Replace frameworkintegration with extra/frameworkintegration5? [Y/n] 
:: Replace kactivities with extra/kactivities5? [Y/n] 
:: Replace kactivities-stats with extra/kactivities-stats5? [Y/n] 
:: Replace karchive with extra/karchive5? [Y/n] 
:: Replace kauth with extra/kauth5? [Y/n] 
:: Replace kbookmarks with extra/kbookmarks5? [Y/n] 
:: Replace kcmutils with extra/kcmutils5? [Y/n] 
:: Replace kcodecs with extra/kcodecs5? [Y/n] 
:: Replace kcompletion with extra/kcompletion5? [Y/n] 
:: Replace kconfig with extra/kconfig5? [Y/n] 
:: Replace kconfigwidgets with extra/kconfigwidgets5? [Y/n] 
:: Replace kcoreaddons with extra/kcoreaddons5? [Y/n] 
:: Replace kcrash with extra/kcrash5? [Y/n] 
:: Replace kdbusaddons with extra/kdbusaddons5? [Y/n] 
:: Replace kdeclarative with extra/kdeclarative5? [Y/n] 
:: Replace kded with extra/kded5? [Y/n] 
:: Replace kdesu with extra/kdesu5? [Y/n] 
:: Replace kdnssd with extra/kdnssd5? [Y/n] 
:: Replace kdoctools with extra/kdoctools5? [Y/n] 
:: Replace kfilemetadata with extra/kfilemetadata5? [Y/n] 
:: Replace kglobalaccel with extra/kglobalaccel5? [Y/n] 
:: Replace kguiaddons with extra/kguiaddons5? [Y/n] 
:: Replace kholidays with extra/kholidays5? [Y/n] 
:: Replace ki18n with extra/ki18n5? [Y/n] 
:: Replace kiconthemes with extra/kiconthemes5? [Y/n] 
:: Replace kidletime with extra/kidletime5? [Y/n]   
:: Replace kimageformats with extra/kimageformats5? [Y/n] 
:: Replace kio with extra/kio5? [Y/n] 
:: Replace kitemmodels with extra/kitemmodels5? [Y/n] 
:: Replace kitemviews with extra/kitemviews5? [Y/n] 
:: Replace kjobwidgets with extra/kjobwidgets5? [Y/n] 
:: Replace knewstuff with extra/knewstuff5? [Y/n] 
:: Replace knotifications with extra/knotifications5? [Y/n] 
:: Replace knotifyconfig with extra/knotifyconfig5? [Y/n] 
:: Replace kpackage with extra/kpackage5? [Y/n] 
:: Replace kparts with extra/kparts5? [Y/n] 
:: Replace kpeople with extra/kpeople5? [Y/n] 
:: Replace kpty with extra/kpty5? [Y/n] 
:: Replace kquickcharts with extra/kquickcharts5? [Y/n] 
:: Replace krunner with extra/krunner5? [Y/n] 
:: Replace kservice with extra/kservice5? [Y/n] 
:: Replace ktexteditor with extra/ktexteditor5? [Y/n] 
:: Replace ktextwidgets with extra/ktextwidgets5? [Y/n] 
:: Replace kunitconversion with extra/kunitconversion5? [Y/n] 
:: Replace kwallet with extra/kwallet5? [Y/n] 
:: Replace kwayland with extra/kwayland5? [Y/n] 
:: Replace kwidgetsaddons with extra/kwidgetsaddons5? [Y/n] 
:: Replace kwindowsystem with extra/kwindowsystem5? [Y/n] 
:: Replace kxmlgui with extra/kxmlgui5? [Y/n] 
:: Replace modemmanager-qt with extra/modemmanager-qt5? [Y/n] 
:: Replace networkmanager-qt with extra/networkmanager-qt5? [Y/n] 
:: Replace prison with extra/prison5? [Y/n] 
:: Replace purpose with extra/purpose5? [Y/n] 
:: Replace qqc2-desktop-style with extra/qqc2-desktop-style5? [Y/n] 
:: Replace solid with extra/solid5? [Y/n] 
:: Replace sonnet with extra/sonnet5? [Y/n] 
:: Replace syndication with extra/syndication5? [Y/n] 
:: Replace syntax-highlighting with extra/syntax-highlighting5? [Y/n] 
:: Replace threadweaver with extra/threadweaver5? [Y/n] 
1 Like

Is that from pamac or pacman?

Anyway when I ran my update, today I did it through Octopi (normally I don’t do it that way, mostly use pacman cli) and it automatically upgraded all of those.

le pacman of course :slight_smile:

I would think it means Plasma 6 should be here soon.

Use pacman and just long press Enter to accept all “Yes”.

1 Like

They say:
We’ve decided that Plasma 6 will be released in early February of 2024.

man yes

:wink:

:information_source: This is not a Plasma 6 discussion thread. Settle down, nothing actually happened. :stuck_out_tongue_winking_eye:

This is some manjaro thing, renaming packages I mean. Nothing changed.

1 Like

I don’t think so…

Arch Linux - Package Search

Eh lol, indeed. I guess it’s an arch thing now. 5 is more than none though, so it’s better now. Next week 6 confirmed! But someone should still ask to be sure.