Changing user password - yescrypt, rockylinux

SYSTEM INFORMATION
OS type and version: Rocky Linux 8.7
Webmin version: 2.021
Virtualmin version: 7.7

Hello
I am facing issues trying to change the password for a virtual server user through Virtualmin. The error I get is:

Error: Your system has yescrypt passwords enabled, but the crypt function does not support this format. To force the use of normal encrypted passwords, adjust your module configuration.

I’ve tried changing it to Blowfish or SHA512 but the error remains.
What can I do to fix it?

SHA512 is definitely supported. It’s been the default in Linux for a decade or more.

I’m unable to make the Perl crypt create a yescrypt or blowfish hash, though, so I think it is correct to say those are not available.

e.g. This works on my Fedora 38 system:

6 means SHA512:

my ($passwd, $salt) = ("s3cret", "saltsalt");   # example inputs assumed by the print lines below
print (crypt($passwd,"\$6\$" . $salt . "\$") . "\n");

This does not:

7 or y means yescrypt:

print (crypt($passwd,"\$7\$" . $salt . "\$") . "\n");

Blowfish also fails:

print (crypt($passwd,"\$2a\$" . $salt . "\$") . "\n");

Since we’re not going to implement encryption and I don’t want to add more dependencies to the default install, I think we have to use SHA512.

@Jamie, we probably should allow specifying more rounds, though (5000 is the default, which is insufficient today…OWASP recommends 210000 for SHA512), if we don’t already. I do this for passwords on some embedded device I work on in my day job:

print (crypt($passwd,"\$6\$rounds=210000\$" . $salt . "\$") . "\n");

Thanks for the reply.
So what type of encryption should I set so I can change the password through Virtualmin? Setting it to SHA512 still throws an error. Should I restart Webmin after changing the encryption?

… Administration user failed! : virtualmin-htpasswd::mailbox_modify failed : Your system has yescrypt passwords enabled, but the crypt function does not support this format. To force the use of normal encrypted passwords, adjust your module configuration.

Is including rounds=N in the salt really how the number of rounds is set? That seems like an odd API!

Yep, it’s a magic string. The rounds have to be in the resulting file so the crypt function knows to run the password through that many rounds.

It results in an entry in shadow like this:

joe:$6$rounds=210000$20BTGR3tJjio4dy$lf72yL8yrHQZ.IMc5AvLUEMYOxcPSHEC3gGz86xkpobOtRBnvrWRF25Lu1EOMEP/fjK0WYzIiDdHE1WBprn00:19489:0:99999:7:::

Note it’s not in the salt…it’s between the 6 and the salt, with $ separator. Weird, but it works.
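The two replies above describe the crypt(3) "$id$" prefixes ($6$ for SHA-512, $2a$ for bcrypt, $7$/$y$) and the rounds=N field that sits between the id and the salt in the shadow entry. The following Python is an added illustration for this thread, not Virtualmin or Webmin code: it parses shadow(5) lines, identifies the scheme from the prefix table in crypt(5), extracts the rounds field exactly where the shadow entry places it, and flags accounts whose work factor is below a threshold (the 210000 figure from the thread is used as the default). Only the "joe" entry comes from the thread; the other sample entries and their hash bodies are constructed placeholders, not real digests. It does not call the system crypt function, so it runs on any Python.

```python
"""Inspect crypt(3)-style password hashes as they appear in /etc/shadow."""
from typing import Dict, List, Optional, Tuple

# "$id$" values from crypt(5). The thread discusses $6$ (SHA-512), $2a$
# (bcrypt) and $7$/$y$; crypt(5) documents $7$ as scrypt and $y$ as yescrypt.
SCHEMES = {
    "1": "md5crypt",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt",
    "6": "sha512crypt",
    "7": "scrypt",
    "y": "yescrypt",
    "gy": "gost-yescrypt",
}
SHA_CRYPT_DEFAULT_ROUNDS = 5000   # what $5$/$6$ use when no rounds= field is present

SHADOW_FIELDS = ("name", "hash", "lastchg", "min", "max", "warn", "inact", "expire", "flag")

HashInfo = Tuple[str, Optional[int], Optional[str]]   # (scheme, work factor, salt)


def parse_shadow_line(line: str) -> Dict[str, str]:
    """Split one shadow(5) line into its nine colon-separated fields."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(SHADOW_FIELDS):
        raise ValueError(f"expected {len(SHADOW_FIELDS)} fields, got {len(parts)}: {line!r}")
    return dict(zip(SHADOW_FIELDS, parts))


def analyze_hash(hashed: str) -> HashInfo:
    """Return (scheme, work factor, salt) for a crypt(3) hash string.

    The work factor is the iteration count for $5$/$6$ (5000 when absent),
    2**cost for bcrypt, and None where the scheme encodes its parameters
    differently (yescrypt/scrypt pack them into a base64 field).
    """
    if hashed == "" or hashed.startswith(("!", "*")):
        return ("locked-or-empty", None, None)
    if not hashed.startswith("$"):
        return ("descrypt", None, hashed[:2])       # traditional DES: 2-char salt, no prefix
    fields = hashed.split("$")[1:]                  # drop the empty string before the first $
    scheme = SCHEMES.get(fields[0], "unknown")
    rest = fields[1:]
    if scheme in ("sha256crypt", "sha512crypt"):
        rounds = SHA_CRYPT_DEFAULT_ROUNDS
        if rest and rest[0].startswith("rounds="):  # the "magic string": between the id and the salt
            rounds = int(rest[0][len("rounds="):])
            rest = rest[1:]
        return (scheme, rounds, rest[0] if rest else None)
    if scheme == "bcrypt":
        cost = int(rest[0])                         # $2b$12$ -> 2**12 iterations
        return (scheme, 2 ** cost, rest[1][:22] if len(rest) > 1 else None)
    if scheme in ("yescrypt", "gost-yescrypt", "scrypt"):
        return (scheme, None, rest[1] if len(rest) > 1 else None)
    return (scheme, None, None)


def check_shadow(lines: List[str], min_rounds: int = 210000) -> List[Tuple[str, str, str]]:
    """Flag accounts with a weak scheme or with $5$/$6$ rounds below min_rounds."""
    findings = []
    for line in lines:
        entry = parse_shadow_line(line)
        scheme, work, _salt = analyze_hash(entry["hash"])
        if scheme in ("sha256crypt", "sha512crypt") and work < min_rounds:
            findings.append((entry["name"], scheme, f"rounds={work} below {min_rounds}"))
        elif scheme in ("descrypt", "md5crypt", "unknown"):
            findings.append((entry["name"], scheme, "weak or unrecognised scheme"))
    return findings


# Constructed sample file. "joe" is the entry quoted in the thread; the other
# entries are made up and their hash bodies are placeholders, not real digests.
SAMPLE_SHADOW = [
    "joe:$6$rounds=210000$20BTGR3tJjio4dy$lf72yL8yrHQZ.IMc5AvLUEMYOxcPSHEC3gGz86xkpobOtRBnvrWRF25Lu1EOMEP/fjK0WYzIiDdHE1WBprn00:19489:0:99999:7:::",
    "alice:$6$abcdefgh$PLACEHOLDERHASHBODYPLACEHOLDERHASHBODY:19489:0:99999:7:::",
    "bob:$y$j9T$saltsaltsaltsalt$PLACEHOLDERHASHBODY:19489:0:99999:7:::",
    "carol:$2b$12$saltsaltsaltsaltsaltsaPLACEHOLDERHASHBODY:19489:0:99999:7:::",
    "dave:$1$abcdefgh$PLACEHOLDERHASH:19489:0:99999:7:::",
    "svc:!!:19489:0:99999:7:::",
]

if __name__ == "__main__":
    for name, scheme, why in check_shadow(SAMPLE_SHADOW):
        print(f"{name}: {scheme}: {why}")
```

Run against the sample, it reports alice (SHA-512 at the 5000 default) and dave (md5crypt) while leaving joe's rounds=210000 entry, the yescrypt entry and the locked account alone; pointing it at a real /etc/shadow requires reading that file as root.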

Huh … that’s interesting! I could see us adding support for customizing this.

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.