The chpasswd succeeded with a warning.
# uname -a
Linux 6.5.7-arch1-1 #1 SMP PREEMPT_DYNAMIC Tue, 10 Oct 2023 21:10:21 +0000 x86_64 GNU/Linux
#
# chpasswd <<<"me:123456"
Invalid ENCRYPT_METHOD value: 'YESCRYPT'.
Defaulting to DES.
#
The chpasswd succeeded without warning. But, how to enable yescrypt method?
# chpasswd --md5 <<<"me:123456"
Do I need to recompile "shadow 4.14.0-4" with ENCRYPTMETHOD_SELECT flag defined?
# cat /etc/login.defs
# Only works if compiled with ENCRYPTMETHOD_SELECT defined:
# If set to SHA256, SHA256-based algorithm will be used for encrypting password
# If set to SHA512, SHA512-based algorithm will be used for encrypting password
# If set to YESCRYPT, YESCRYPT-based algorithm will be used for encrypting password
# If set to DES, DES-based algorithm will be used for encrypting password (default)
# MD5 and DES should not be used for new hashes, see crypt(5) for recommendations.
#
# Note: If you use PAM, it is recommended to use a value consistent with
# the PAM modules configuration.
#
ENCRYPT_METHOD YESCRYPT
Recompile upstream https://github.com/shadow-maint/shadow master branch fixed this issue.
./autogen.sh --without-selinux --enable-man --with-yescrypt
Recompile https://archlinux.org/packages/core/x86_64/shadow/ does not.
# cat PKGBUILD
build() {
local configure_options=(
--with-yescript
Last edited by solskog (2023-10-14 13:02:39)

> Recompile upstream https://github.com/shadow-maint/shadow master branch fixed this issue.
Did that replace the login.defs w/ the default and w/o "ENCRYPT_METHOD YESCRYPT"?
pacman -Qikk libxcrypt pam shadow

> Did that replace the login.defs w/ the default and w/o "ENCRYPT_METHOD YESCRYPT"?
I configured/compiled both upstream master and 4.14.x branch with option --with-yescrypt.
# Inside Upstream shadow directory. No Warning.
# cat /etc/login.defs |grep "ENCRYPT_METHOD YESCRYPT"
ENCRYPT_METHOD YESCRYPT
# ./src/chpasswd <<<"me:123456"
#
# pacman -Qikk libxcrypt pam shadow
Name : libxcrypt
Version : 4.4.36-1
Description : Modern library for one-way hashing of passwords
Architecture : x86_64
URL : https://github.com/besser82/libxcrypt/
Licenses : LGPL
Groups : None
Provides : libcrypt.so=2-64
Depends On : glibc
Optional Deps : None
Required By : apache apr-util guile inetutils libxcrypt-compat mariadb-libs mkinitcpio-busybox nginx-mainline openssh pam perl python shadow systemd texlive-bin util-linux whois
Optional For : None
Conflicts With : None
Replaces : None
Installed Size : 186.13 KiB
Packager : Christian Hesse <eworm@archlinux.org>
Build Date : Wed 05 Jul 2023 06:50:09 PM UTC
Install Date : Thu 28 Sep 2023 10:06:10 AM UTC
Install Reason : Installed as a dependency for another package
Install Script : Yes
Validated By : Signature
libxcrypt: 25 total files, 0 altered files
Name : pam
Version : 1.5.3-3
Description : PAM (Pluggable Authentication Modules) library
Architecture : x86_64
URL : http://linux-pam.org
Licenses : GPL2
Groups : None
Provides : libpam.so=0-64 libpamc.so=0-64 libpam_misc.so=0-64
Depends On : glibc libtirpc pambase audit libaudit.so=1-64 libxcrypt libcrypt.so=2-64
Optional Deps : None
Required By : c-client gogs inetutils kbd libcap oath-toolkit openssh polkit screen shadow sudo systemd util-linux
Optional For : None
Conflicts With : None
Replaces : None
Installed Size : 3.23 MiB
Packager : Tobias Powalowski <tpowa@archlinux.org>
Build Date : Thu 25 May 2023 07:14:12 AM UTC
Install Date : Thu 28 Sep 2023 10:06:10 AM UTC
Install Reason : Installed as a dependency for another package
Install Script : No
Validated By : Signature
pam: 563 total files, 0 altered files
Name : shadow
Version : 4.14.0-4
Description : Password and account management tool suite with support for shadow
files and PAM
Architecture : x86_64
URL : https://github.com/shadow-maint/shadow
Licenses : BSD-3-Clause
Groups : None
Provides : None
Depends On : acl libacl.so=1-64 attr libattr.so=1-64 audit libaudit.so=1-64
glibc libxcrypt libcrypt.so=2-64 pam libpam.so=0-64
libpam_misc.so=0-64
Optional Deps : None
Required By : base git util-linux
Optional For : None
Conflicts With : None
Replaces : None
Installed Size : 3.82 MiB
Packager : Frederik Schwan <freswa@archlinux.org>
Build Date : Sun 24 Sep 2023 12:50:45 PM UTC
Install Date : Sat 14 Oct 2023 08:15:51 AM UTC
Install Reason : Installed as a dependency for another package
Install Script : No
Validated By : Signature
warning: shadow: /usr/bin/groupmems (GID mismatch)
warning: shadow: /usr/bin/groupmems (Permissions mismatch)
shadow: 588 total files, 1 altered file
Last edited by solskog (2023-10-14 08:19:41)

That doesn't answer the question about what happened to the login.defs
> shadow: 588 total files, 2 altered files
which ones?
Why is there no output about the pam package?

> which ones?
> Why is there no output about the pam package?
Updated previous post with pam package.

Nothing off there
Can you explicitly
chpasswd -c YESCRYPT <<< "me:123456"

The upstream supports YESCRYPT both implicitly and explicitly. The pacman version does not.
# Inside Upstream shadow directory. No Warning.
# ./src/chpasswd -c YESCRYPT <<<"me:123456"
#
# /usr/sbin/chpasswd -c YESCRYPT <<<"me:123456"
chpasswd: unsupported crypt method: YESCRYPT
# /usr/sbin/chpasswd <<<"me:123456"
Invalid ENCRYPT_METHOD value: 'YESCRYPT'.
Defaulting to DES.
When I configured/compiled the upstream version, I did not apply any patches like the pacman version here.
https://gitlab.archlinux.org/archlinux/ … ges/shadow
0001-Disable-replaced-tools-and-their-man-pages-and-PAM-i.patch
0002-Adapt-login.defs-for-PAM-and-util-linux.patch
0003-Add-Arch-Linux-defaults-for-login.defs.patch
Last edited by solskog (2023-10-14 09:22:43)

Are all pam configs default?
pacman -Qkk $(pacman -Qqo /etc/pam.d/)
What is chpasswd resolved to?
# type -a chpasswd

Also "realpath /usr/sbin/chpasswd"

pacman -Qkk $(pacman -Qqo /etc/pam.d/)
inetutils: 53 total files, 0 altered files
kbd: 815 total files, 1 altered file
backup file: openssh: /etc/ssh/sshd_config (Modification time mismatch)
backup file: openssh: /etc/ssh/sshd_config (Size mismatch)
backup file: openssh: /etc/ssh/sshd_config (MD5 checksum mismatch)
backup file: openssh: /etc/ssh/sshd_config (SHA256 checksum mismatch)
openssh: 63 total files, 2 altered files
pambase: 8 total files, 0 altered files
polkit: 217 total files, 0 altered files
screen: 38 total files, 0 altered files
shadow: 588 total files, 1 altered file
backup file: sudo: /etc/sudoers (Modification time mismatch)
backup file: sudo: /etc/sudoers (Size mismatch)
backup file: sudo: /etc/sudoers (MD5 checksum mismatch)
backup file: sudo: /etc/sudoers (SHA256 checksum mismatch)
sudo: 236 total files, 1 altered file
backup file: systemd: /etc/systemd/system.conf (Modification time mismatch)
backup file: systemd: /etc/systemd/system.conf (Size mismatch)
backup file: systemd: /etc/systemd/system.conf (MD5 checksum mismatch)
backup file: systemd: /etc/systemd/system.conf (SHA256 checksum mismatch)
systemd: 1366 total files, 3 altered files
util-linux: 495 total files, 0 altered files
# type -a chpasswd
chpasswd is /usr/sbin/chpasswd
chpasswd is /usr/bin/chpasswd
chpasswd is /sbin/chpasswd
chpasswd is /bin/chpasswd
# realpath /usr/sbin/chpasswd
/usr/bin/chpasswd
Last edited by solskog (2023-10-14 09:28:52)

What is the contents of /etc/systemd/system.conf ?
Edit:
chpasswd only uses pam to check permissions; it does the hashing itself, so shadow needs to be built with the options with_bcrypt and with_yescrypt for chpasswd and newusers to support bcrypt and yescrypt.
I would ask upstream shadow maint to support using crypt_gensalt first for all salt types as supported by libxcrypt.
Last edited by loqs (2023-10-14 10:38:55)

> I would ask upstream shadow maint to support using crypt_gensalt first for all salt types as supported by libxcrypt.
Looks like it is already using crypt_gensalt.
https://github.com/shadow-maint/shadow/pull/357
Also I disabled all the patches inside pacman version, recompiled "with_bcrypt and with_yescrypt", but it still doesn't support YESCRYPT.
# cat PKGBUILD
build() {
local configure_options=(
--with-bcrypt
--with-yescript
Last edited by solskog (2023-10-14 11:33:10)

I rebuilt shadow with the following change
diff --git a/PKGBUILD b/PKGBUILD
index b20622d..205b7fb 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -89,9 +89,11 @@ build() {
--sbindir=/usr/bin
--sysconfdir=/etc
--with-audit
+ --with-bcrypt
--with-fcaps # use capabilities instead of setuid for setuidmap and setgidmap
--with-group-name-max-length=32
--with-libpam # PAM integration for chpasswd, groupmems, newusers, passwd
+ --with-yescrypt
--without-libbsd # shadow can use internal implementation for getting passphrase
--without-nscd # we do not ship nscd anymore
--without-selinux
After installing the built package:
$ sudo chpasswd <<< testuser:password
$ sudo chpasswd -c YESCRYPT <<< testuser:password
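
Review bot: the two added options in the build() hunk, --with-bcrypt and --with-yescrypt, carry no trailing comment, while the neighbouring --with-fcaps, --with-libpam, --without-libbsd and --without-nscd lines each say why they are set. Suggest annotating them in the same style, for example "--with-yescrypt # chpasswd and newusers hash passwords themselves and need this to honour ENCRYPT_METHOD YESCRYPT", so the reason the flags exist survives the next PKGBUILD cleanup. The spelling also deserves a second look before merging: earlier PKGBUILD excerpts in this thread show "--with-yescript", and only the "--with-yescrypt" form used here matches the option passed to upstream's autogen.sh.
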
I also rebuilt with a clean system and it works now. Thanks!
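
The warning in the first post ("Invalid ENCRYPT_METHOD value: 'YESCRYPT'. Defaulting to DES.") still lets chpasswd succeed, so it is worth checking which scheme actually ended up in /etc/shadow. The following script is an added example, not code from the thread or from shadow: it classifies shadow entries by their crypt(5) prefix and flags DES and MD5 ones; the function names `classify_hash` and `audit_shadow` and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify /etc/shadow hash fields by crypt(5) prefix.

# Print the scheme name for one password field.
classify_hash() {
    case "$1" in
        '')        echo empty ;;
        '!'*|'*'*) echo locked ;;
        '$y$'*)    echo yescrypt ;;
        '$7$'*)    echo scrypt ;;
        '$2a$'*|'$2b$'*|'$2x$'*|'$2y$'*) echo bcrypt ;;
        '$6$'*)    echo sha512crypt ;;
        '$5$'*)    echo sha256crypt ;;
        '$1$'*)    echo md5crypt ;;
        *)  # traditional DES has no prefix: exactly 13 chars of [./0-9A-Za-z]
            if [ "${#1}" -eq 13 ] &&
               ! printf '%s' "$1" | grep -q '[^./0-9A-Za-z]'; then
                echo descrypt
            else
                echo unknown
            fi ;;
    esac
}

# Read shadow(5)-format lines on stdin, print user:scheme:verdict,
# and return 1 if any account uses DES or MD5 crypt.
audit_shadow() {
    weak=0
    while IFS=: read -r user hash _rest; do
        [ -n "$user" ] || continue
        scheme=$(classify_hash "$hash")
        case "$scheme" in
            descrypt|md5crypt) verdict=WEAK; weak=1 ;;
            empty|locked|unknown) verdict=- ;;
            *) verdict=ok ;;
        esac
        printf '%s:%s:%s\n' "$user" "$scheme" "$verdict"
    done
    return "$weak"
}

# Constructed sample entries (not real hashes); on a live system run
# `audit_shadow < /etc/shadow` as root instead.
SAMPLE='me:ab0123456789.:19644:0:99999:7:::
testuser:$y$j9T$constructedsalt$constructedhash:19644:0:99999:7:::
old:$1$constructed$constructedhash:19000:0:99999:7:::
svc:!:19644::::::'

printf '%s\n' "$SAMPLE" | audit_shadow || echo "finding: DES/MD5 hash present"
```

Any account reported as WEAK should have its password reset once a chpasswd build with yescrypt support is installed, since changing ENCRYPT_METHOD does not rehash existing entries.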