Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 905678 - sys-auth/pambase: please consider using a safer password hashing function by default (e.g. yescrypt)
Summary: sys-auth/pambase: please consider using a safer password hashing function by ...
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo's Team for Core System packages
Depends on:
Reported: 2023-05-04 06:10 UTC by Hanno Böck
Modified: 2023-05-16 18:58 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Hanno Böck gentoo-dev 2023-05-04 06:10:15 UTC
Currently Gentoo uses sha512 passwords in /etc/shadow by default.

This isn't ideal, as sha512 is not a dedicated password hashing function. Modern password hashing functions are designed to be difficult to bruteforce due to their memory use and other features.

For a long time, sha512 was the best that glibc supported. But newer versions of glibc use libxcrypt, and that supports a wider variety of hash functions. It appears that other distros go for yescrypt as the preferrable modern hash function supported by libxcrypt.

Latest versions of Debian, Ubuntu, and Fedora already use yescrypt.

Here's a discussion from Fedora:

I therefore recommend that Gentoo also changes the default to yescrypt. This is configured in the file /etc/pam.d/system-auth, which is part of pambase.
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2023-05-04 06:11:19 UTC

IIRC (I haven't re-read the discussion yet), the consensus was positive.

For the record, it's fine with me and I like the idea.
Comment 2 Mike Gilbert gentoo-dev 2023-05-16 18:58:04 UTC
We should also update ENCRYPT_METHOD in /etc/login.defs (sys-apps/shadow) for non-PAM installs.