Bug 2218330
| Summary: | Add support for bcrypt password hashes for local users | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Abhijit Roy <abroy> |
| Component: | pam | Assignee: | Iker Pedrosa <ipedrosa> |
| Status: | NEW --- | QA Contact: | Anuj Borah <aborah> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | high | | |
| Version: | 9.4 | CC: | dominik.mierzejewski, fweimer, hartsjc, jjelen, pbrezina |
| Target Milestone: | rc | Keywords: | Reopened, Triaged |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2023-07-10 12:09:09 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description
Abhijit Roy
2023-06-28 18:48:32 UTC
*** Bug 2218318 has been marked as a duplicate of this bug. ***

bcrypt is supported in both RHEL-9 and RHEL-8, see `man 5 crypt`. Argon2 is not yet merged in upstream. We should let RHEL get it in a natural way (through Fedora -> RHEL major release) unless there is a really strong reason for another approach.

Hi,

With RHEL 9.2 everything works fine. But with RHEL 8.8 seeing:

pam_unix.so using blowfish errors with: Algo blowfish not supported by the crypto backend.

pam_unix.so using bcrypt no errors, logs: Algo blowfish not supported by the crypto backend.

```
# passwd test-user
Changing password for user test-user.
New password:
Retype new password:
Jul 21 10:50:51 rhel8-8 passwd[1830]: pam_unix(passwd:chauthtok): unrecognized option [pam_unix.so]
Jul 21 10:51:01 rhel8-8 passwd[1830]: pam_unix(passwd:chauthtok): unrecognized option [pam_unix.so]
Jul 21 10:51:01 rhel8-8 passwd[1830]: pam_unix(passwd:chauthtok): username [test-user] obtained
Jul 21 10:51:01 rhel8-8 passwd[1830]: pam_unix(passwd:chauthtok): Algo blowfish not supported by the crypto backend. <------------
Jul 21 10:51:01 rhel8-8 passwd[1830]: pam_unix(passwd:chauthtok): crypt() failure or out of memory for password
passwd: Authentication token manipulation error
```

Interesting! I investigated the matter further and found out that there is no behavioral difference of libxcrypt, but the issue lies in pam, more specifically in `pam_unix/passverify.c` function `create_password_hash`.

RHEL-8 version produces salt such as: $2a$rounds=5$NQmy8VgfwDrJ6TLG (refused by libxcrypt)

RHEL-9 version produces salt such as: $2b$05$TcYR.q0EWpO8l5LI8QgoV. (works fine with libxcrypt)

Problem is in the 'rounds=XX' part, which is not supported for bcrypt as far as I can tell.

I suggest opening a bug for pam, or change the component of this one.

(In reply to Stanislav Zidek from comment #6)
> Interesting! I investigated the matter further and found out that there is
> no behavioral difference of libxcrypt, but the issue lies in pam, more
> specifically in `pam_unix/passverify.c` function `create_password_hash`.
>
> RHEL-8 version produces salt such as: $2a$rounds=5$NQmy8VgfwDrJ6TLG (refused
> by libxcrypt)
> RHEL-9 version produces salt such as: $2b$05$TcYR.q0EWpO8l5LI8QgoV. (works
> fine with libxcrypt)
>
> Problem is in the 'rounds=XX' part, which is not supported for bcrypt as far
> as I can tell.
>
> I suggest opening a bug for pam, or change the component of this one.

Thanks for your reply. I will change the component to keep the background intact.

(In reply to Abhijit Roy from comment #7)
> Thanks for your reply I will change the component to keep the background
> intact.

I'd also suggest removing the "FutureFeature" keyword and changing the summary to something like "bcrypt does not work in RHEL-8" so pam people are not confused by adding Argon2 support or this being a feature request.
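
The two salt strings quoted in comment #6 can be told apart with a simple layout check, shown here as an added example that is not code from pam, libxcrypt or this bug report. It assumes the conventional bcrypt setting layout (`$2`, a variant letter, a two-digit cost from 04 to 31, then 22 salt characters); the enum and function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Rejection reasons (enum and function names are illustrative). */
enum bf_check { BF_OK, BF_BAD_PREFIX, BF_BAD_COST, BF_BAD_SALT };

/* bcrypt's own base64 alphabet; it differs from RFC 4648 base64. */
static const char BF_ALPHABET[] =
    "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

/* Check the "$2<v>$<cc>$<22 salt chars>" layout; a hash may follow the salt. */
enum bf_check bf_check_setting(const char *s)
{
    size_t n = strlen(s);

    /* "$2" + variant letter + "$" */
    if (n < 4 || s[0] != '$' || s[1] != '2' || !strchr("abxy", s[2]) || s[3] != '$')
        return BF_BAD_PREFIX;

    /* Cost field: exactly two decimal digits followed by "$".
     * A "rounds=N" parameter, as used by the SHA-crypt formats, fails here. */
    if (n < 7 || s[4] < '0' || s[4] > '9' || s[5] < '0' || s[5] > '9' || s[6] != '$')
        return BF_BAD_COST;
    int cost = (s[4] - '0') * 10 + (s[5] - '0');
    if (cost < 4 || cost > 31)
        return BF_BAD_COST;

    /* Salt: 22 characters from the bcrypt alphabet (128 bits encoded). */
    if (n < 7 + 22)
        return BF_BAD_SALT;
    for (size_t i = 7; i < 7 + 22; i++)
        if (!strchr(BF_ALPHABET, s[i]))
            return BF_BAD_SALT;
    return BF_OK;
}

int main(void)
{
    /* Both strings are the salts quoted in comment #6. */
    const char *samples[] = { "$2a$rounds=5$NQmy8VgfwDrJ6TLG",
                              "$2b$05$TcYR.q0EWpO8l5LI8QgoV." };
    static const char *why[] = { "ok", "bad prefix", "bad cost field", "bad salt" };
    for (size_t i = 0; i < 2; i++)
        printf("%-32s %s\n", samples[i], why[bf_check_setting(samples[i])]);
    return 0;
}
```

The RHEL-8 string fails at the cost field because `rounds=5` sits where two digits are expected, which matches the diagnosis in comment #6.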