Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1975402 (yescrypt_shadow)

Summary: Use yescrypt as default hashing method for shadow passwords
Product: [Fedora] Fedora Reporter: Ben Cotton <bcotton>
Component: Changes TrackingAssignee: Björn 'besser82' Esser <besser82>
Status: ON_QA --- QA Contact:
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: bcotton, besser82
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Release Note
Doc Text:
Fedora now uses the yescrypt hash method for new passwords. There are no visible changes nor impacts to the end-user. Users are recommended to change their existing passwords after upgrading.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1976334, 1976335    
Bug Blocks: 1894270    

Description Ben Cotton 2021-06-23 15:34:22 UTC 
This is a tracking bug for Change: Use yescrypt as default hashing method for shadow passwords
For more details, see: https://fedoraproject.org/wiki/Changes/yescrypt_as_default_hashing_method_for_shadow

Make the yescrypt hashing method the default method used for new user passwords stored in /etc/shadow.

If you encounter a bug related to this Change, please do not comment here. Instead create a new bug and set it to block this bug.
Comment 1 Björn 'besser82' Esser 2021-06-23 18:19:40 UTC 
The userspace packages have been adjusted for this change and the corresponding builds should be in the next compose.


https://bodhi.fedoraproject.org/updates/FEDORA-2021-273253eaf1

***

The only package left, thats needs to be updated and build is anaconda.
Comment 2 Björn 'besser82' Esser 2021-06-25 19:09:06 UTC 
(In reply to Björn 'besser82' Esser from comment #1)
> The only package left, thats needs to be updated and build is anaconda.

accountsservice needs to be patched [1,2], too.


[1]  https://gitlab.freedesktop.org/accountsservice/accountsservice/-/merge_requests/74
[2]  https://src.fedoraproject.org/rpms/accountsservice/pull-request/4
Comment 3 Björn 'besser82' Esser 2021-06-27 21:45:59 UTC 
(In reply to Björn 'besser82' Esser from comment #2)
> (In reply to Björn 'besser82' Esser from comment #1)
> > The only package left, thats needs to be updated and build is anaconda.
> 
> accountsservice needs to be patched [1,2], too.
> 
> 
> [1] 
> https://gitlab.freedesktop.org/accountsservice/accountsservice/-/
> merge_requests/74
> [2]  https://src.fedoraproject.org/rpms/accountsservice/pull-request/4


Now there is just anaconda left to be released by upstream and updated in Fedora.

Changing to status modified, as the change is testable by the means of userspace tooling.
Comment 4 Björn 'besser82' Esser 2021-06-28 21:03:56 UTC 
anaconda-35.18-1 has landed in Rawhide and should be picked up in the next compose.

Changing to status ON_QA, as the change should very likely be 100% code complete now.