Debian switched the default hash algorithm for /etc/shadow to yescrypt for Bullseye. Our installer uses it for the root password set during installation. But any PAM/PVE user created over the API, or any password change triggered afterwards for such users, will fall back to sha256crypt.
Since the helper in pve-common is also used by cloud-init (which is stuck not supporting yescrypt for the time being for unrelated reasons), make the new behaviour opt-in (which might be handy for future migrations as well).

Sending as RFC in case I missed some usage of this, and also to discuss whether we might just want to move PVE/PAM realms over to a proxmox-sys perlmod-wrapped helper instead (proxmox-sys and thus PBS defaults to yescrypt and binds to the C lib interfaces that actually allow specifying hashing parameters somewhat sanely).

pve-access-control:

Fabian Grünbichler (1):
  PVE/PAM: switch to yescrypt by default

 src/PVE/Auth/PAM.pm | 2 +-
 src/PVE/Auth/PVE.pm | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

pve-common:

Fabian Grünbichler (2):
  encrypt_pw: allow yescrypt in addition to sha256
  encrypt_pw: check return value matches expected format

 src/PVE/Tools.pm | 20 ++++++++++++++++++--
 1 file changed, 18 insertions(+), 2 deletions(-)

-- 
2.39.5

_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
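
An added example, not part of the original message or of the patch series: a Python audit that lists the accounts in an /etc/shadow-style file whose stored hash is not yescrypt, which is how the sha256crypt fallback described above shows up on a host. The function names and the sample lines (with placeholder salts and hashes) are constructed for illustration.

```python
# Scheme prefixes as documented in crypt(5).
SCHEMES = {"$y$": "yescrypt", "$5$": "sha256crypt", "$6$": "sha512crypt"}
# crypt(5): hashed passphrases never contain these characters or whitespace.
FORBIDDEN = set(":;*!\\")

def classify(field):
    """Classify the password field (2nd column) of one shadow(5) entry."""
    if field == "":
        return "empty"
    body = field.lstrip("!")          # passwd -l / usermod -L prepend '!'
    if body == "" or body.startswith("*"):
        return "locked"               # no usable hash ("*", "!", "*0", ...)
    if any(c in FORBIDDEN or c.isspace() or not c.isprintable() for c in body):
        return "malformed"
    for prefix, name in SCHEMES.items():
        if body.startswith(prefix):
            return name
    return "other"

def audit(shadow_text, wanted="yescrypt"):
    """Return {user: scheme} for accounts whose hash is not `wanted`."""
    stale = {}
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or not parts[0] or line.startswith("#"):
            continue
        scheme = classify(parts[1])
        if scheme not in (wanted, "locked", "empty"):
            stale[parts[0]] = scheme
    return stale

# Constructed sample input; salts and hashes are placeholders, not real values.
SAMPLE = """\
root:$y$j9T$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19700:0:99999:7:::
alice:$5$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19700:0:99999:7:::
bob:!$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19700:0:99999:7:::
carol:$5$rounds=5000$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
"""

if __name__ == "__main__":
    for user, scheme in audit(SAMPLE).items():
        print(f"{user}: {scheme} (rehash on next password change)")
```

A stored hash cannot be converted between schemes; an account listed here only moves to yescrypt when its password is set again.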