#1 2017-10-04 12:38:42

schard
Forum Moderator
From: Hannover
Registered: 2016-05-06
Posts: 1,976

[solved] Argon2 for hashing passwords in /etc/shadow

Hi all,

I already asked this question a year ago in the German forum, but did not receive any answer.
Are there plans to provide the winner of the 2015 Password Hashing Competition, Argon2, to be exact Argon2d, as a hash algorithm available for storing passwords in /etc/shadow?

If so, when?
If not, why?

Best regards.

Last edited by schard (2017-10-05 08:42:52)



#2 2017-10-04 16:13:54

progandy
Member
Registered: 2012-05-17
Posts: 5,190

That is not in the scope of Arch Linux.
/etc/shadow relies on crypt(). Arch uses the glibc implementation which supports DES, MD5, SHA-256 and SHA-512, so you should be able to encrypt your shadow passwords with SHA-512.
There are also no PAM or glibc nss modules readily available.



#3 2017-10-04 21:27:37

Uriel_Bernhard48
Member
Registered: 2017-08-08
Posts: 29

To be precise, this is SHA-512-crypt, not SHA-512. More info at https://passlib.readthedocs.io/en/stabl … crypt.html

It's considered safe if you set a high number of rounds. It defaults to 5k if I recall correctly. It's better to set it to something like 200k or more. Depends on hardware.

Last edited by Uriel_Bernhard48 (2017-10-04 21:28:23)
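
The rounds setting discussed in the post above is visible in the hash field of /etc/shadow itself. The following is an added example, not part of the original thread and not glibc code: it parses shadow-style lines, reports the crypt scheme, and flags SHA-crypt entries below a chosen rounds threshold. The function names `parse_entry` and `audit` are hypothetical, the 200000 threshold is taken from the post, and the sample lines are constructed with placeholder salts and hashes.

```python
# Added example: audit /etc/shadow-style lines for hash scheme and SHA-crypt rounds.
SCHEMES = {"1": "MD5-crypt", "5": "SHA-256-crypt", "6": "SHA-512-crypt"}
DEFAULT_ROUNDS = 5000      # SHA-crypt default when the hash has no rounds= field
MIN_ROUNDS = 200_000       # assumption: threshold taken from the thread; tune per hardware

def parse_entry(line):
    """Return (user, scheme, rounds) for one shadow line; rounds is None if not applicable."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError("not a shadow line: %r" % line)
    user, pw = fields[0], fields[1].lstrip("!")   # leading '!' marks a locked password
    if pw in ("", "*"):
        return user, "no-password-hash", None
    if not pw.startswith("$"):
        return user, ("DES-crypt" if len(pw) == 13 else "unknown"), None
    parts = pw.split("$")                          # ['', id, (rounds=N,) salt, hash]
    scheme = SCHEMES.get(parts[1], "unknown($%s$)" % parts[1])
    if parts[1] not in ("5", "6"):
        return user, scheme, None
    if len(parts) > 2 and parts[2].startswith("rounds="):
        return user, scheme, int(parts[2][len("rounds="):])
    return user, scheme, DEFAULT_ROUNDS

def audit(lines, min_rounds=MIN_ROUNDS):
    """Return {user: finding} for entries that are weaker than the policy."""
    findings = {}
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        user, scheme, rounds = parse_entry(line)
        if scheme in ("MD5-crypt", "DES-crypt"):
            findings[user] = "legacy scheme " + scheme
        elif rounds is not None and rounds < min_rounds:
            findings[user] = "%s with %d rounds (< %d)" % (scheme, rounds, min_rounds)
    return findings

# Constructed sample; salts and hashes are placeholders, not real values.
SAMPLE = [
    "alice:$6$rounds=200000$SALTPLACEHOLDER$HASHPLACEHOLDER:17444:0:99999:7:::",
    "bob:$6$SALTPLACEHOLDER$HASHPLACEHOLDER:17444:0:99999:7:::",
    "carol:$1$SALTPLAC$HASHPLACEHOLDER:17444:0:99999:7:::",
    "daemon:*:17444::::::",
    "dave:!$5$rounds=10000$SALTPLACEHOLDER$HASHPLACEHOLDER:17444:0:99999:7:::",
]

if __name__ == "__main__":
    for user, finding in audit(SAMPLE).items():
        print(user + ": " + finding)
```

An entry without a `rounds=` field, like the constructed `bob` line, is treated as using the 5000-round default and is therefore flagged.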


#4 2017-10-05 08:26:26

schard
Forum Moderator
From: Hannover
Registered: 2016-05-06
Posts: 1,976

progandy wrote:

That is not in the scope of Arch Linux.

Sorry. I was under the false impression that this sub-forum, since labelled GNU/Linux Discussion, was for discussions regarding GNU/Linux in general and hence, that a discussion of algorithms provided by a GNU library used by Arch was on-topic.

progandy wrote:

/etc/shadow relies on crypt(). Arch uses the glibc implementation which supports DES, MD5, SHA-256 and SHA-512, so you should be able to encrypt your shadow passwords with SHA-512.
There are also no PAM or glibc nss modules readily available.

I know which algorithms are supported. My question is why Argon2 is not among them (yet).

Uriel_Bernhard48 wrote:

To be precise, this is SHA-512-crypt, not SHA-512. More info at https://passlib.readthedocs.io/en/stabl … crypt.html

It's considered safe if you set a high number of rounds. It defaults to 5k if I recall correctly. It's better to set it to something like 200k or more. Depends on hardware.

I am not interested in discussing tweaking existing algorithms within the scope of this thread.
My question was solely regarding the possible inclusion of Argon2 within the respective crypto libraries.

Solved
I just saw that there is already a pending feature request on this.
https://sourceware.org/bugzilla/show_bug.cgi?id=21421
So let's just wait.

Last edited by schard (2017-10-05 08:43:11)



#5 2017-10-05 08:39:17

Uriel_Bernhard48
Member
Registered: 2017-08-08
Posts: 29

I doubt glibc developers read these forums, so discussion here is pointless. It's better to ask directly at the source: https://www.gnu.org/software/libc/involved.html

Offline

#6 2017-10-05 10:58:53

progandy
Member
Registered: 2012-05-17
Posts: 5,190

schard wrote:
progandy wrote:

That is not in the scope of Arch Linux.

Sorry. I was under the false impression that this sub-forum, since labelled GNU/Linux Discussion, was for discussions regarding GNU/Linux in general and hence, that a discussion of algorithms provided by a GNU library used by Arch was on-topic.
...
I know which algorithms are supported. My question is why Argon2 is not among them (yet).

Sorry, I understood it as if you wanted to ask Arch developers to add the hash. Since this is implemented in glibc, and Arch uses vanilla packages, I tried to redirect you to glibc. Your question did not make it clear you knew of the implemented hashes, so I added them just in case.

I just saw that there is already a pending feature request on this.
https://sourceware.org/bugzilla/show_bug.cgi?id=21421
So let's just wait.

That might take a while until someone is interested enough. You could help with writing the patch, though :)

