• [gentoo-dev] Switching default password hashes from sha512 to yescrypt

    From Mikhail Koliada@21:1/5 to All on Fri Jul 22 21:20:01 2022

    Hello!

    This idea has been fluctuating in my head for quite a while given that the migration had happened
    a while ago [0] and some other major distributions have already adopted yescrypt as their default algo
    by now [1]. For us switching is as easy as changing the default use flag in pambase and rehashing the password
    with the ‘passwd’ call (a news item will be required).

    What do you think?

    P.S. surely, I am only speaking about the local auth method based on shadow and also about the pam-based systems as the change is going
    to mainly impact the pam_unix.so calls in the pam’s stack.
    Pamless or the systems with an alternative auth methods is a different story.

    [0] - https://www.gentoo.org/support/news-items/2021-10-18-libxcrypt-migration-stable.html
    [1] - https://fedoraproject.org/wiki/Changes/yescrypt_as_default_hashing_method_for_shadow



    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Mike Gilbert@21:1/5 to [email protected] on Sun Jul 24 03:00:01 2022
    On Fri, Jul 22, 2022 at 3:10 PM Mikhail Koliada <[email protected]> wrote:

    Hello!

    This idea has been fluctuating in my head for quite a while given that the migration had happened
    a while ago [0] and some other major distributions have already adopted yescrypt as their default algo
    by now [1]. For us switching is as easy as changing the default use flag in pambase and rehashing the password
    with the ‘passwd’ call (a news item will be required).

    What do you think?

    Seems like a reasonable idea to me.

  • From Peter Stuge@21:1/5 to Mikhail Koliada on Mon Jul 25 16:40:01 2022
    Mikhail Koliada wrote:
    This idea has been fluctuating in my head for quite a while given
    that the migration had happened a while ago [0] and some other
    major distributions have already adopted yescrypt as their default algo
    by now [1].

    Please only do that based on proven merit and nothing else.

    Fedora or anyone else for that matter making a change is a truly
    terrible reason to take any action whatsoever, since other
    organizations are driven by /their/ interests - with Fedora in
    particular being driven by the business interests of Red Hat.

    I consider Gentoo a leader in many regards and it makes me really
    sad whenever Gentoo changes based on nothing more than "others did it".


    Thanks and kind regards

    //Peter

  • From Marek Szuba@21:1/5 to All on Mon Jul 25 17:20:01 2022
    On 2022-07-25 15:35, Peter Stuge wrote:

    > Mikhail Koliada wrote:
    >> This idea has been fluctuating in my head for quite a while given
    >> that the migration had happened a while ago [0] and some other
    >> major distributions have already adopted yescrypt as their default algo
    >> by now [1].
    >
    > Please only do that based on proven merit and nothing else.

    https://pthree.org/2018/05/23/do-not-use-sha256crypt-sha512crypt-theyre-dangerous/
    , https://www.password-hashing.net/ , the fact we still use the default
    number of rounds (i.e. 5000) with SHA512 which is *ridiculously* weak
    for modern hardware, lack of Argon2 support in libxcrypt for the time
    being due to upstream having decided to wait for an official RFC. You
    can probably find more yourself if you look.

    --
    Marecki

  • From Rich Freeman@21:1/5 to [email protected] on Mon Jul 25 17:40:02 2022
    On Mon, Jul 25, 2022 at 11:11 AM Marek Szuba <[email protected]> wrote:

    On 2022-07-25 15:35, Peter Stuge wrote:

    Please only do that based on proven merit and nothing else.

    https://pthree.org/2018/05/23/do-not-use-sha256crypt-sha512crypt-theyre-dangerous/
    , https://www.password-hashing.net/ , the fact we still use the default
    number of rounds (i.e. 5000) with SHA512 which is *ridiculously* weak
    for modern hardware, lack of Argon2 support in libxcrypt for the time
    being due to upstream having decided to wait for an official RFC. You
    can probably find more yourself if you look.

    The fedora link in the original email details why they changed it. I
    don't think regurgitating the argument will add to it. By all means
    point out if there is a concern with their reasoning though.

    My initial question was whether this was some vanity hash change but
    the changes are intended to greatly increase the cost of cracking
    attacks. I'm in no position to evaluate their merit but their
    proposal contains various citations to people who presumably are.

    --
    Rich
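
An added example, not part of any message in this thread: existing shadow entries keep their old hash until `passwd` is run again, so after a default switch an administrator needs to know which accounts still carry a sha512crypt (or older) hash and at what round count. The sketch below reads shadow(5)-format text, maps the crypt(5) prefix to a scheme and applies the 5000-round default mentioned above; the function names and the sample entries (with placeholder salts and hashes) are constructed for illustration.

```python
"""Audit shadow(5)-format text for password hashes that are not yescrypt.

Added example; the account entries in SAMPLE_SHADOW are constructed and the
salt/hash parts are placeholders, not real crypt output.
"""
import re

# crypt(5) setting prefixes and the scheme each one selects.
PREFIXES = (
    ("$y$", "yescrypt"),
    ("$gy$", "gost-yescrypt"),
    ("$7$", "scrypt"),
    ("$2a$", "bcrypt"),
    ("$2b$", "bcrypt"),
    ("$2y$", "bcrypt"),
    ("$6$", "sha512crypt"),
    ("$5$", "sha256crypt"),
    ("$1$", "md5crypt"),
)

# sha256crypt/sha512crypt use 5000 rounds unless "rounds=N$" follows the prefix.
SHA_CRYPT_DEFAULT_ROUNDS = 5000
ROUNDS_RE = re.compile(r"^\$[56]\$rounds=(\d+)\$")

# Constructed sample input (placeholder salts and hashes).
SAMPLE_SHADOW = """\
root:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:19198:0:99999:7:::
alice:$y$j9T$PLACEHOLDERSALT$PLACEHOLDERHASH:19198:0:99999:7:::
bob:$6$rounds=656000$PLACEHOLDERSALT$PLACEHOLDERHASH:19000:0:99999:7:::
carol:!$6$PLACEHOLDERSALT$PLACEHOLDERHASH:19000:0:99999:7:::
daemon:*:18000:0:99999:7:::
backup:!:18000:0:99999:7:::
legacy:$1$PLACEHOLDERSALT$PLACEHOLDERHASH:15000:0:99999:7:::
"""


def classify(field):
    """Return (scheme, rounds, locked) for one shadow password field."""
    if field == "":
        return ("empty", None, False)       # no password required at all
    locked = field.startswith("!")          # prefix added when an account is locked
    body = field.lstrip("!")
    if body == "" or body.startswith("*"):
        return ("none", None, True)         # no usable hash stored
    for prefix, scheme in PREFIXES:
        if body.startswith(prefix):
            rounds = None
            if scheme in ("sha512crypt", "sha256crypt"):
                m = ROUNDS_RE.match(body)
                rounds = int(m.group(1)) if m else SHA_CRYPT_DEFAULT_ROUNDS
            return (scheme, rounds, locked)
    return ("unknown", None, locked)        # e.g. traditional DES crypt


def audit(shadow_text, target="yescrypt"):
    """List (user, scheme, rounds, locked) for stored hashes that are not `target`."""
    findings = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or not fields[0] or line.startswith("#"):
            continue                        # skip blank, comment or malformed lines
        scheme, rounds, locked = classify(fields[1])
        if scheme in ("none", target):
            continue                        # nothing to rehash
        findings.append((fields[0], scheme, rounds, locked))
    return findings


if __name__ == "__main__":
    for user, scheme, rounds, locked in audit(SAMPLE_SHADOW):
        detail = f" rounds={rounds}" if rounds else ""
        state = " (locked)" if locked else ""
        print(f"{user}: {scheme}{detail}{state}")
```

To check a real system, pass the contents of /etc/shadow (readable by root only) instead of `SAMPLE_SHADOW`; every account listed keeps its old hash until `passwd` is run for it.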

  • From Sam James@21:1/5 to All on Mon Jul 25 20:50:01 2022
    On 22 Jul 2022, at 20:10, Mikhail Koliada <[email protected]> wrote:

    Hello!

    This idea has been fluctuating in my head for quite a while given that the migration had happened
    a while ago [0] and some other major distributions have already adopted yescrypt as their default algo
    by now [1]. For us switching is as easy as changing the default use flag in pambase and rehashing the password
    with the ‘passwd’ call (a news item will be required).

    What do you think?

    P.S. surely, I am only speaking about the local auth method based on shadow and also about the pam-based systems as the change is going
    to mainly impact the pam_unix.so calls in the pam’s stack.
    Pamless or the systems with an alternative auth methods is a different story.

    [0] - https://www.gentoo.org/support/news-items/2021-10-18-libxcrypt-migration-stable.html
    [1] - https://fedoraproject.org/wiki/Changes/yescrypt_as_default_hashing_method_for_shadow

    It's fine with me although I guess I'm a bit reluctant when the libxcrypt stuff is still biting
    some users.

    My preference would be to wait a few more months, but I don't feel strongly about it,
    and won't object if we want to move forward sooner.

    Overall though, it's a good idea, although I'd welcome Jason's input
    on alternatives first. CC'd.

    Best,
    sam

  • From Joshua Kinard@21:1/5 to Joshua Kinard on Mon Jul 25 22:10:01 2022
    On 7/25/2022 15:30, Joshua Kinard wrote:
    [snip]


    Some really quick looking around, I'm not finding any substantive
    discussions on why yescrypt is better than argon2. It so far seems that it just got implemented in libxcrypt sooner than argon2 did, so that's why
    there is this sudden push for it.

    E.g., on Issue #45 in linux-pam[3], user ldv-alt just states "I'd recommend yescrypt instead. Anyway, it has to be implemented in libcrypt.", but provides no justification for why they recommend yescrypt. Since we're dealing with a fairly important function for system security, I kinda want something with much more context that presents pros and cons for this algorithm over others, especially argon2.

    So there is this question and three answers on Crypto StackExchange. It is about five years-old, but it's got more detail on why argon2 won the PHC instead of one of the other contenders. It is still subjective information, but more thorough: https://crypto.stackexchange.com/questions/48933/why-did-argon2-win-the-phc

    There's some more info if one continues to deep-dive on CSE, but I am
    noticing a lot of the info is several years old. Some more recent things
    make references to a newer algo called Balloon, but that seems to be going
    off into side-tangents.

    Anyways, I guess I am just being paranoid. If a change to hashing algos is made, it should be based on facts and not popularity contests or feelings.

    --
    Joshua Kinard
    Gentoo/MIPS
    [email protected]
    rsa6144/5C63F4E3F5C6C943 2015-04-27
    177C 1972 1FB8 F254 BAD0 3E72 5C63 F4E3 F5C6 C943

    "The past tempts us, the present confuses us, the future frightens us. And
    our lives slip away, moment by moment, lost in that vast, terrible in-between."

    --Emperor Turhan, Centauri Republic

  • From Joshua Kinard@21:1/5 to John Helmert III on Mon Jul 25 21:50:01 2022
    On 7/25/2022 15:34, John Helmert III wrote:
    On Mon, Jul 25, 2022 at 03:30:08PM -0400, Joshua Kinard wrote:

    [snip]


    "yescrypt" is an odd name for a hashing algorithm. I looked it up on
    Wikipedia, and it just redirects to the 2013 Password Hashing Competition
    (PHC)[1], in which yescrypt was just a runner-up (along w/ catena, makwa,
    and lyra2). The winner was argon2. So unless something has changed in the
    last nine years or there is more recent information, wouldn't it make more
    sense to go with the winner of such a competition (argon2) instead of a
    runner-up? I know marecki said Fedora was waiting for an official RFC for
    argon2, but the wait for that ended almost a year ago in Sept 2021 when
    RFC9106[2] was released.

    Some really quick looking around, I'm not finding any substantive
    discussions on why yescrypt is better than argon2. It so far seems that it
    just got implemented in libxcrypt sooner than argon2 did, so that's why
    there is this sudden push for it.

    E.g., on Issue #45 in linux-pam[3], user ldv-alt just states "I'd recommend
    yescrypt instead. Anyway, it has to be implemented in libcrypt.", but
    provides no justification for why they recommend yescrypt. Since we're
    dealing with a fairly important function for system security, I kinda want
    something with much more context that presents pros and cons for this
    algorithm over others, especially argon2.

    That said, there does appear to be an open pull request on libxcrypt for
    argon2[4], so maybe that is something to follow to see where it goes?

    1. https://en.wikipedia.org/wiki/Password_Hashing_Competition
    2. https://datatracker.ietf.org/doc/html/rfc9106
    3. https://github.com/linux-pam/linux-pam/issues/45
    4. https://github.com/besser82/libxcrypt/pull/150

    tl;dr, I'm just a bit uncomfortable adopting a new hashing algo just because
    it seems popular. I would prefer something that's been thoroughly tested.
    The scant info I've found thus far, that points to argon2, not yescrypt.

    There's justification for this in one of the references in zlogene's
    original mail:

    https://fedoraproject.org/wiki/Changes/yescrypt_as_default_hashing_method_for_shadow#Detailed_Description


    Yeah, I did read that bit, but it still feels like it is written as
    someone's opinion rather than as an objective comparison. It also states
    that yescrypt is "based on NIST-approved primitives", whereas argon2 is
    based on Blake2 (which I assume is not "NIST-approved" at this time). But
    just because something uses a NIST-approved mechanism does not mean it
    inherits that approval, so that argument doesn't completely convince me.

    --
    Joshua Kinard
    Gentoo/MIPS
    [email protected]
    rsa6144/5C63F4E3F5C6C943 2015-04-27
    177C 1972 1FB8 F254 BAD0 3E72 5C63 F4E3 F5C6 C943

    "The past tempts us, the present confuses us, the future frightens us. And
    our lives slip away, moment by moment, lost in that vast, terrible in-between."

    --Emperor Turhan, Centauri Republic

  • From John Helmert III@21:1/5 to Joshua Kinard on Mon Jul 25 21:40:01 2022
    On Mon, Jul 25, 2022 at 03:30:08PM -0400, Joshua Kinard wrote:
    On 7/25/2022 14:44, Sam James wrote:


    On 22 Jul 2022, at 20:10, Mikhail Koliada <[email protected]> wrote:

    Hello!

    This idea has been fluctuating in my head for quite a while given that the migration had happened
    a while ago [0] and some other major distributions have already adopted yescrypt as their default algo
    by now [1]. For us switching is as easy as changing the default use flag in pambase and rehashing the password
    with the ‘passwd’ call (a news item will be required).

    What do you think?

    P.S. surely, I am only speaking about the local auth method based on shadow and also about the pam-based systems as the change is going
    to mainly impact the pam_unix.so calls in the pam’s stack.
    Pamless or the systems with an alternative auth methods is a different story.

    [0] - https://www.gentoo.org/support/news-items/2021-10-18-libxcrypt-migration-stable.html
    [1] - https://fedoraproject.org/wiki/Changes/yescrypt_as_default_hashing_method_for_shadow

    It's fine with me although I guess I'm a bit reluctant when the libxcrypt stuff is still biting
    some users.

    My preference would be to wait a few more months, but I don't feel strongly about it,
    and won't object if we want to move forward sooner.

    Overall though, it's a good idea, although I'd welcome Jason's input
    on alternatives first. CC'd.

    Best,
    sam

    "yescrypt" is an odd name for a hashing algorithm. I looked it up on Wikipedia, and it just redirects to the 2013 Password Hashing Competition (PHC)[1], in which yescrypt was just a runner-up (along w/ catena, makwa,
    and lyra2). The winner was argon2. So unless something has changed in the last nine years or there is more recent information, wouldn't it make more sense to go with the winner of such a competition (argon2) instead of a runner-up? I know marecki said Fedora was waiting for an official RFC for argon2, but the wait for that ended almost a year ago in Sept 2021 when RFC9106[2] was released.

    Some really quick looking around, I'm not finding any substantive
    discussions on why yescrypt is better than argon2. It so far seems that it just got implemented in libxcrypt sooner than argon2 did, so that's why
    there is this sudden push for it.

    E.g., on Issue #45 in linux-pam[3], user ldv-alt just states "I'd recommend yescrypt instead. Anyway, it has to be implemented in libcrypt.", but provides no justification for why they recommend yescrypt. Since we're dealing with a fairly important function for system security, I kinda want something with much more context that presents pros and cons for this algorithm over others, especially argon2.

    That said, there does appear to be an open pull request on libxcrypt for argon2[4], so maybe that is something to follow to see where it goes?

    1. https://en.wikipedia.org/wiki/Password_Hashing_Competition
    2. https://datatracker.ietf.org/doc/html/rfc9106
    3. https://github.com/linux-pam/linux-pam/issues/45
    4. https://github.com/besser82/libxcrypt/pull/150

    tl;dr, I'm just a bit uncomfortable adopting a new hashing algo just because it seems popular. I would prefer something that's been thoroughly tested. The scant info I've found thus far, that points to argon2, not yescrypt.

    There's justification for this in one of the references in zlogene's
    original mail:

    https://fedoraproject.org/wiki/Changes/yescrypt_as_default_hashing_method_for_shadow#Detailed_Description

    --
    Joshua Kinard
    Gentoo/MIPS
    [email protected]
    rsa6144/5C63F4E3F5C6C943 2015-04-27
    177C 1972 1FB8 F254 BAD0 3E72 5C63 F4E3 F5C6 C943

    "The past tempts us, the present confuses us, the future frightens us. And our lives slip away, moment by moment, lost in that vast, terrible in-between."

    --Emperor Turhan, Centauri Republic


  • From Joshua Kinard@21:1/5 to Sam James on Mon Jul 25 21:40:01 2022
    On 7/25/2022 14:44, Sam James wrote:


    On 22 Jul 2022, at 20:10, Mikhail Koliada <[email protected]> wrote:

    Hello!

    This idea has been fluctuating in my head for quite a while given that the migration had happened
    a while ago [0] and some other major distributions have already adopted yescrypt as their default algo
    by now [1]. For us switching is as easy as changing the default use flag in pambase and rehashing the password
    with the ‘passwd’ call (a news item will be required).

    What do you think?

    P.S. surely, I am only speaking about the local auth method based on shadow and also about the pam-based systems as the change is going
    to mainly impact the pam_unix.so calls in the pam’s stack.
    Pamless or the systems with an alternative auth methods is a different story.

    [0] - https://www.gentoo.org/support/news-items/2021-10-18-libxcrypt-migration-stable.html
    [1] - https://fedoraproject.org/wiki/Changes/yescrypt_as_default_hashing_method_for_shadow

    It's fine with me although I guess I'm a bit reluctant when the libxcrypt stuff is still biting
    some users.

    My preference would be to wait a few more months, but I don't feel strongly about it,
    and won't object if we want to move forward sooner.

    Overall though, it's a good idea, although I'd welcome Jason's input
    on alternatives first. CC'd.

    Best,
    sam

    "yescrypt" is an odd name for a hashing algorithm. I looked it up on Wikipedia, and it just redirects to the 2013 Password Hashing Competition (PHC)[1], in which yescrypt was just a runner-up (along w/ catena, makwa,
    and lyra2). The winner was argon2. So unless something has changed in the last nine years or there is more recent information, wouldn't it make more sense to go with the winner of such a competition (argon2) instead of a runner-up? I know marecki said Fedora was waiting for an official RFC for argon2, but the wait for that ended almost a year ago in Sept 2021 when RFC9106[2] was released.

    Some really quick looking around, I'm not finding any substantive
    discussions on why yescrypt is better than argon2. It so far seems that it just got implemented in libxcrypt sooner than argon2 did, so that's why
    there is this sudden push for it.

    E.g., on Issue #45 in linux-pam[3], user ldv-alt just states "I'd recommend yescrypt instead. Anyway, it has to be implemented in libcrypt.", but
    provides no justification for why they recommend yescrypt. Since we're
    dealing with a fairly important function for system security, I kinda want something with much more context that presents pros and cons for this
    algorithm over others, especially argon2.

    That said, there does appear to be an open pull request on libxcrypt for argon2[4], so maybe that is something to follow to see where it goes?

    1. https://en.wikipedia.org/wiki/Password_Hashing_Competition
    2. https://datatracker.ietf.org/doc/html/rfc9106
    3. https://github.com/linux-pam/linux-pam/issues/45
    4. https://github.com/besser82/libxcrypt/pull/150

    tl;dr, I'm just a bit uncomfortable adopting a new hashing algo just because
    it seems popular. I would prefer something that's been thoroughly tested.
    The scant info I've found thus far, that points to argon2, not yescrypt.

    --
    Joshua Kinard
    Gentoo/MIPS
    [email protected]
    rsa6144/5C63F4E3F5C6C943 2015-04-27
    177C 1972 1FB8 F254 BAD0 3E72 5C63 F4E3 F5C6 C943

    "The past tempts us, the present confuses us, the future frightens us. And
    our lives slip away, moment by moment, lost in that vast, terrible in-between."

    --Emperor Turhan, Centauri Republic

  • From John Helmert III@21:1/5 to Joshua Kinard on Mon Jul 25 22:30:01 2022
    On Mon, Jul 25, 2022 at 03:59:59PM -0400, Joshua Kinard wrote:
    On 7/25/2022 15:30, Joshua Kinard wrote:
    [snip]


    Some really quick looking around, I'm not finding any substantive discussions on why yescrypt is better than argon2. It so far seems that it just got implemented in libxcrypt sooner than argon2 did, so that's why there is this sudden push for it.

    E.g., on Issue #45 in linux-pam[3], user ldv-alt just states "I'd recommend yescrypt instead. Anyway, it has to be implemented in libcrypt.", but provides no justification for why they recommend yescrypt. Since we're dealing with a fairly important function for system security, I kinda want something with much more context that presents pros and cons for this algorithm over others, especially argon2.

    So there is this question and three answers on Crypto StackExchange. It is about five years-old, but it's got more detail on why argon2 won the PHC instead of one of the other contenders. It is still subjective information, but more thorough: https://crypto.stackexchange.com/questions/48933/why-did-argon2-win-the-phc

    There's some more info if one continues to deep-dive on CSE, but I am noticing a lot of the info is several years old. Some more recent things make references to a newer algo called Balloon, but that seems to be going off into side-tangents.

    Anyways, I guess I am just being paranoid. If a change to hashing algos is made, it should be based on facts and not popularity contests or feelings.

    I'm not sure it's fair to suggest this change is based on "popularity
    contests or feelings". The facts were given in the original mail, just
    because one finds them unconvincing doesn't mean those facts aren't
    real and convincing to others.

    --
    Joshua Kinard
    Gentoo/MIPS
    [email protected]
    rsa6144/5C63F4E3F5C6C943 2015-04-27
    177C 1972 1FB8 F254 BAD0 3E72 5C63 F4E3 F5C6 C943

    "The past tempts us, the present confuses us, the future frightens us. And our lives slip away, moment by moment, lost in that vast, terrible in-between."

    --Emperor Turhan, Centauri Republic


  • From Joshua Kinard@21:1/5 to John Helmert III on Tue Jul 26 00:20:01 2022
    On 7/25/2022 16:29, John Helmert III wrote:
    On Mon, Jul 25, 2022 at 03:59:59PM -0400, Joshua Kinard wrote:
    On 7/25/2022 15:30, Joshua Kinard wrote:
    [snip]


    Some really quick looking around, I'm not finding any substantive
    discussions on why yescrypt is better than argon2. It so far seems that it
    just got implemented in libxcrypt sooner than argon2 did, so that's why
    there is this sudden push for it.

    E.g., on Issue #45 in linux-pam[3], user ldv-alt just states "I'd recommend
    yescrypt instead. Anyway, it has to be implemented in libcrypt.", but
    provides no justification for why they recommend yescrypt. Since we're
    dealing with a fairly important function for system security, I kinda want
    something with much more context that presents pros and cons for this
    algorithm over others, especially argon2.

    So there is this question and three answers on Crypto StackExchange. It is
    about five years-old, but it's got more detail on why argon2 won the PHC
    instead of one of the other contenders. It is still subjective information,
    but more thorough:
    https://crypto.stackexchange.com/questions/48933/why-did-argon2-win-the-phc

    There's some more info if one continues to deep-dive on CSE, but I am
    noticing a lot of the info is several years old. Some more recent things
    make references to a newer algo called Balloon, but that seems to be going
    off into side-tangents.

    Anyways, I guess I am just being paranoid. If a change to hashing algos is
    made, it should be based on facts and not popularity contests or feelings.

    I'm not sure it's fair to suggest this change is based on "popularity contests or feelings". The facts were given in the original mail, just because one finds them unconvincing doesn't mean those facts aren't
    real and convincing to others.


    My wording could sometimes be done better, but that's my takeaway in a nutshell. Facts, presented objectively and well, should convince just about anyone. But the Fedora page just doesn't do that for me. It really only presents positives and no negatives of yescrypt. Are there any? I don't
    know. I assume there have to be, but I'm not a crypto-expert.

    I've only done a light, cursory search on Google for something basic like "argon2 vs yescrypt", and that gets a few interesting results. A few links
    to github, one to the PHC website, another to the now-dead openwall ML posts, and Debian's bug for switching pam_linux over to using yescrypt. The most recent discussion-wise result are the comments on a Hacker News article that is 11 months old[1].

    1. https://news.ycombinator.com/item?id=28181350

    --
    Joshua Kinard
    Gentoo/MIPS
    [email protected]
    rsa6144/5C63F4E3F5C6C943 2015-04-27
    177C 1972 1FB8 F254 BAD0 3E72 5C63 F4E3 F5C6 C943

    "The past tempts us, the present confuses us, the future frightens us. And
    our lives slip away, moment by moment, lost in that vast, terrible in-between."

    --Emperor Turhan, Centauri Republic

  • From Ionen Wolkens@21:1/5 to Mike Gilbert on Tue Jul 26 00:40:01 2022
    On Sat, Jul 23, 2022 at 08:55:14PM -0400, Mike Gilbert wrote:
    On Fri, Jul 22, 2022 at 3:10 PM Mikhail Koliada <[email protected]> wrote:

    Hello!

    This idea has been fluctuating in my head for quite a while given that the migration had happened
    a while ago [0] and some other major distributions have already adopted yescrypt as their default algo
    by now [1]. For us switching is as easy as changing the default use flag in pambase and rehashing the password
    with the ‘passwd’ call (a news item will be required).

    What do you think?

    Seems like a reasonable idea to me.

    Just giving my +1 to that, no strong opinion but reading about it
    sounds like a reasonable choice to me.

    --
    ionen

  • From Conrad Kostecki@21:1/5 to All on Tue Jul 26 00:50:01 2022
    Hi!

    On 22.07.2022 at 21:10, Mikhail Koliada wrote:
    What do you think?


    I like the idea and would like to see that change.

    Conrad
