With shadow >= 4.14.0, Arch Linux’s default password hashing algorithm changed from SHA512 to yescrypt [1].
Furthermore, the umask [2] settings are now configured in /etc/login.defs instead of /etc/profile.
This should not require any manual intervention.
Reasons for Yescrypt
The password-based key derivation function (KDF) and password hashing scheme yescrypt has been chosen due to its adoption (readily available in libxcrypt, which is used by pam [3]) and its stronger resilience towards password cracking attempts over SHA512.
Although the winner of the Password Hashing Competition [4] has been argon2, this even more resilient algorithm is not yet available in libxcrypt [5][6].
Configuring yescrypt
The YESCRYPT_COST_FACTOR setting in /etc/login.defs is currently without effect, until pam implements reading its value [7]. If a YESCRYPT_COST_FACTOR higher (or lower) than the default (5) is needed, it can be set using the rounds option of the pam_unix [8] module (i.e. in /etc/pam.d/system-auth).
General list of changes
yescrypt is used as default password hashing algorithm, instead of SHA512
pam honors the chosen ENCRYPT_METHOD in /etc/login.defs and does not override the chosen method anymore
changes in the filesystem (>= 2023.09.18) and pambase (>= 20230918) packages ensure, that umask is set centrally in /etc/login.defs instead of /etc/profile
[1] https://www.openwall.com/yescrypt/
[2] https://man.archlinux.org/man/umask.1p
[3] https://wiki.archlinux.org/title/PAM
[4] https://www.password-hashing.net/
[5] https://github.com/besser82/libxcrypt/pull/113
[6] https://github.com/besser82/libxcrypt/pull/150
[7] https://github.com/linux-pam/linux-pam/issues/607
[8] https://man.archlinux.org/man/pam_unix.8
Read more
Guest
