Bug 1975402 (yescrypt_shadow)

Summary: Use yescrypt as default hashing method for shadow passwords
Product: [Fedora] Fedora Reporter: Ben Cotton <bcotton>
Component: Changes TrackingAssignee: Björn Esser (besser82) <besser82>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: bcotton, besser82
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Release Note
Doc Text:
Fedora now uses the yescrypt hash method for new passwords. There are no visible changes nor impacts to the end-user. Users are recommended to change their existing passwords after upgrading.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-11-02 16:03:44 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1976334, 1976335    
Bug Blocks: 1894270    

Description Ben Cotton 2021-06-23 15:34:22 UTC 
This is a tracking bug for Change: Use yescrypt as default hashing method for shadow passwords
For more details, see: https://fedoraproject.org/wiki/Changes/yescrypt_as_default_hashing_method_for_shadow

Make the yescrypt hashing method the default method used for new user passwords stored in /etc/shadow.

If you encounter a bug related to this Change, please do not comment here. Instead create a new bug and set it to block this bug.
Comment 1 Björn Esser (besser82) 2021-06-23 18:19:40 UTC 
The userspace packages have been adjusted for this change and the corresponding builds should be in the next compose.


https://bodhi.fedoraproject.org/updates/FEDORA-2021-273253eaf1

***

The only package left, thats needs to be updated and build is anaconda.
Comment 2 Björn Esser (besser82) 2021-06-25 19:09:06 UTC 
(In reply to Björn 'besser82' Esser from comment #1)
> The only package left, thats needs to be updated and build is anaconda.

accountsservice needs to be patched [1,2], too.


[1]  https://gitlab.freedesktop.org/accountsservice/accountsservice/-/merge_requests/74
[2]  https://src.fedoraproject.org/rpms/accountsservice/pull-request/4
Comment 3 Björn Esser (besser82) 2021-06-27 21:45:59 UTC 
(In reply to Björn 'besser82' Esser from comment #2)
> (In reply to Björn 'besser82' Esser from comment #1)
> > The only package left, thats needs to be updated and build is anaconda.
> 
> accountsservice needs to be patched [1,2], too.
> 
> 
> [1] 
> https://gitlab.freedesktop.org/accountsservice/accountsservice/-/
> merge_requests/74
> [2]  https://src.fedoraproject.org/rpms/accountsservice/pull-request/4


Now there is just anaconda left to be released by upstream and updated in Fedora.

Changing to status modified, as the change is testable by the means of userspace tooling.
Comment 4 Björn Esser (besser82) 2021-06-28 21:03:56 UTC 
anaconda-35.18-1 has landed in Rawhide and should be picked up in the next compose.

Changing to status ON_QA, as the change should very likely be 100% code complete now.
Comment 5 Ben Cotton 2021-11-02 16:03:44 UTC 
F35 was released today. Closing the trackers.