Description of problem:
Consider adding bcrypt (or scrypt) support in libxcrypt

References:
https://access.redhat.com/articles/1519843
https://sourceware.org/bugzilla/show_bug.cgi?id=2100
https://github.com/besser82/libxcrypt/issues/104
https://github.com/besser82/libxcrypt/pull/113
https://github.com/besser82/libxcrypt/pull/150
https://github.com/linux-pam/linux-pam/issues/45
https://github.com/linux-pam/linux-pam/pull/84
*** Bug 2218318 has been marked as a duplicate of this bug. ***
bcrypt is supported in both RHEL-9 and RHEL-8, see `man 5 crypt`. Argon2 is not yet merged upstream. We should let RHEL get it in the natural way (through Fedora -> RHEL major release) unless there is a really strong reason for another approach.
Hi,

With RHEL 9.2 everything works fine. But with RHEL 8.8 seeing:

pam_unix.so using blowfish errors with: Algo blowfish not supported by the crypto backend.
pam_unix.so using bcrypt no errors, logs: Algo blowfish not supported by the crypto backend.

# passwd test-user
Changing password for user test-user.
New password:
Retype new password:
Jul 21 10:50:51 rhel8-8 passwd[1830]: pam_unix(passwd:chauthtok): unrecognized option [pam_unix.so]
Jul 21 10:51:01 rhel8-8 passwd[1830]: pam_unix(passwd:chauthtok): unrecognized option [pam_unix.so]
Jul 21 10:51:01 rhel8-8 passwd[1830]: pam_unix(passwd:chauthtok): username [test-user] obtained
Jul 21 10:51:01 rhel8-8 passwd[1830]: pam_unix(passwd:chauthtok): Algo blowfish not supported by the crypto backend. <------------
Jul 21 10:51:01 rhel8-8 passwd[1830]: pam_unix(passwd:chauthtok): crypt() failure or out of memory for password
passwd: Authentication token manipulation error
Interesting! I investigated the matter further and found out that there is no behavioral difference of libxcrypt, but the issue lies in pam, more specifically in `pam_unix/passverify.c` function `create_password_hash`.

RHEL-8 version produces salt such as: $2a$rounds=5$NQmy8VgfwDrJ6TLG (refused by libxcrypt)
RHEL-9 version produces salt such as: $2b$05$TcYR.q0EWpO8l5LI8QgoV. (works fine with libxcrypt)

Problem is in the 'rounds=XX' part, which is not supported for bcrypt as far as I can tell.

I suggest opening a bug for pam, or change the component of this one.
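Added example, not code from pam or libxcrypt: a stand-alone C check of the bcrypt setting layout documented in `man 5 crypt` (`$2[abxy]$`, a two-digit cost from 04 to 31, `$`, then 22 salt characters), run against the two salt strings quoted in the comment above. The function, enum and constant names are hypothetical, and the check is structural only; it does not call crypt().

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Result codes for this added example (hypothetical names). */
enum bf_check { BF_OK = 0, BF_BAD_PREFIX, BF_BAD_COST, BF_BAD_SALT };

/* Characters allowed in a bcrypt salt. */
static const char BF_ALPHABET[] =
    "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

/* The two setting strings quoted in the comment above. */
static const char RHEL8_SETTING[] = "$2a$rounds=5$NQmy8VgfwDrJ6TLG";
static const char RHEL9_SETTING[] = "$2b$05$TcYR.q0EWpO8l5LI8QgoV.";

/* Check the layout of a bcrypt setting (or a full hash, which starts with one). */
enum bf_check check_bcrypt_setting(const char *s)
{
    size_t len = strlen(s);

    /* "$2", one of a/b/x/y, "$" */
    if (len < 4 || s[0] != '$' || s[1] != '2' ||
        !strchr("abxy", s[2]) || s[3] != '$')
        return BF_BAD_PREFIX;

    /* Cost: exactly two decimal digits followed by '$'. A SHA-crypt style
       "rounds=N" field, as in the RHEL-8 string, fails here. */
    if (len < 7 || !isdigit((unsigned char)s[4]) ||
        !isdigit((unsigned char)s[5]) || s[6] != '$')
        return BF_BAD_COST;
    int cost = (s[4] - '0') * 10 + (s[5] - '0');
    if (cost < 4 || cost > 31)
        return BF_BAD_COST;

    /* Salt: 22 characters from the bcrypt alphabet. */
    if (len < 29)
        return BF_BAD_SALT;
    for (size_t i = 7; i < 29; i++)
        if (!strchr(BF_ALPHABET, s[i]))
            return BF_BAD_SALT;
    return BF_OK;
}

int main(void)
{
    printf("RHEL-8 style: %d\n", check_bcrypt_setting(RHEL8_SETTING));
    printf("RHEL-9 style: %d\n", check_bcrypt_setting(RHEL9_SETTING));
    return 0;
}
```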
(In reply to Stanislav Zidek from comment #6)
> Interesting! I investigated the matter further and found out that there is
> no behavioral difference of libxcrypt, but the issue lies in pam, more
> specifically in `pam_unix/passverify.c` function `create_password_hash`.
>
> RHEL-8 version produces salt such as: $2a$rounds=5$NQmy8VgfwDrJ6TLG (refused
> by libxcrypt)
> RHEL-9 version produces salt such as: $2b$05$TcYR.q0EWpO8l5LI8QgoV. (works
> fine with libxcrypt)
>
> Problem is in the 'rounds=XX' part, which is not supported for bcrypt as far
> as I can tell.
>
> I suggest opening a bug for pam, or change the component of this one.

Thanks for your reply. I will change the component to keep the background intact.
(In reply to Abhijit Roy from comment #7)
> Thanks for your reply I will change the component to keep the background
> intact.

I'd also suggest removing the "FutureFeature" keyword and changing the summary to something like "bcrypt does not work in RHEL-8" so pam people are not confused by adding Argon2 support or this being a feature request.