hexparrot/mineos-node

PAM on Debian Bullseye uses yescrypt passwd hash algorithm

Opened this issue · 4 comments

We recognised failing web interface login attempts when using Debian Bullseye, or when changing the password on an older Debian Bullseye system where the password had not been changed for a while. The reason is that the default password hashing algorithm has changed to "yescrypt": https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=978553

Please consider "teaching" MineOS to understand or hash passwords with this new algorithm to retain login ability on recent Debian. Not sure if other distros are affected as well, but at least it is always possible to change the algorithm used to store UNIX user passwords manually.

Thank you for posting the issue! I was about to lose my mind wondering why I couldn't log in to the webUI on Debian 11. I am using the latest version of Raspberry Pi OS 64bit which uses Debian 11. I was able to change the password hashing algorithm, reset the password, then log in.

For anyone else that stumbles upon this issue, here is how to resolve it:

Run as root user:
nano /etc/pam.d/common-password
Look for the line that ends with yescrypt and change that to sha512, then change your password.

Pushing this, as Debian/Raspbian Bullseye has been stable for half a year now and the error is handled quite non-gracefully, without any meaningful error message to end users, who just see that login fails: #458

While reverting default UNIX password hashes to sha512 IMHO is not a big issue, secure enough, it is not great to argue to end users that they need to weaken the way all their UNIX user passwords are stored to run a game... I can make this decision for myself, or for individual users, but I won't ever advise all our users to do so or dare to do this automatically, hence am currently forced to not offer MineOS for Bullseye users at all, which is pretty sad 😢.

It is squarely in the too hard basket as there is no library to handle linux crypt password hashing for yescrypt in node yet. Or, not one I could recognise and use. Yescrypt is used in some crypto mining libraries but the linux crypt solution is not as simple as running yescrypt over your provided password and checking it against your system password.

The solution at the moment is probably to return an error to the UI informing them that they’re using yescrypt and that we don’t support it.

Cleanest solution would probably be to use its own user management instead of UNIX login users, which would also allow running MineOS itself as a non-root user.

But yes, I think a meaningful error message would help for now.
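Two things in this thread are detectable before any password check runs: which crypt(3) scheme a given /etc/shadow entry already uses (the "$y$" prefix is yescrypt), and which scheme pam_unix will apply to the next password change (the option on the pam_unix.so line in common-password that the workaround above edits). The following node snippet is an added example, not MineOS project code, that performs both checks so a login layer can return the meaningful error suggested above instead of a silent failure. The sample shadow lines and the sample PAM configuration are constructed (hash bodies are placeholders, not real hashes), and the `verifiable` flags are an assumption standing in for whatever hash library the application actually uses; yescrypt is marked unverifiable to match the situation described in the thread.

```javascript
// Added example (not from the MineOS project): classify crypt(3) hash schemes
// found in shadow entries and in pam_unix configuration so that a login
// failure can be explained to the user.

// crypt(3) "$id$" prefixes. `verifiable` is an ASSUMPTION about what the
// application's own hash library can check; adjust to the library in use.
const CRYPT_SCHEMES = {
  y: { name: 'yescrypt', verifiable: false },
  7: { name: 'scrypt', verifiable: false },
  '2a': { name: 'bcrypt', verifiable: false },
  '2b': { name: 'bcrypt', verifiable: false },
  '2y': { name: 'bcrypt', verifiable: false },
  6: { name: 'sha512-crypt', verifiable: true },
  5: { name: 'sha256-crypt', verifiable: true },
  1: { name: 'md5-crypt', verifiable: true },
};

// Identify the scheme of one shadow hash field.
function classifyHash(hash) {
  if (hash === '') return { name: 'none', verifiable: false, locked: false };
  // A leading '!' or '*' marks a locked or passwordless account.
  if (hash.startsWith('!') || hash.startsWith('*')) {
    return { name: 'locked', verifiable: false, locked: true };
  }
  const m = /^\$([^$]+)\$/.exec(hash);
  if (m) {
    const scheme = CRYPT_SCHEMES[m[1]];
    return scheme
      ? { ...scheme, locked: false }
      : { name: `unknown ($${m[1]}$)`, verifiable: false, locked: false };
  }
  // 13 characters from the crypt alphabet with no prefix: traditional DES crypt.
  if (/^[./0-9A-Za-z]{13}$/.test(hash)) {
    return { name: 'des-crypt', verifiable: false, locked: false };
  }
  return { name: 'unknown', verifiable: false, locked: false };
}

// Split a shadow(5) line into the two fields we need.
function parseShadowLine(line) {
  const fields = line.split(':');
  if (fields.length < 2) throw new Error('not a shadow entry');
  return { user: fields[0], hash: fields[1] };
}

// Produce the message a login endpoint could return instead of a bare failure.
function explainLoginFailure(shadowLine) {
  const { user, hash } = parseShadowLine(shadowLine);
  const scheme = classifyHash(hash);
  if (scheme.locked) {
    return { user, algorithm: scheme.name, ok: false, message: `account ${user} is locked` };
  }
  if (!scheme.verifiable) {
    return {
      user, algorithm: scheme.name, ok: false,
      message: `password for ${user} is stored with ${scheme.name}, which this login service cannot verify`,
    };
  }
  return { user, algorithm: scheme.name, ok: true, message: 'hash scheme supported; proceed to verification' };
}

// Report which hashing option the first pam_unix.so "password" line carries,
// i.e. the scheme that will be used the next time a password is changed.
function pamUnixHashOption(configText) {
  const known = ['yescrypt', 'sha512', 'sha256', 'md5', 'blowfish', 'bigcrypt'];
  for (const raw of configText.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const tokens = line.split(/\s+/);
    const idx = tokens.indexOf('pam_unix.so');
    if (tokens[0] !== 'password' || idx === -1) continue;
    const hit = tokens.slice(idx + 1).find((o) => known.includes(o));
    // With no explicit option pam_unix falls back to its built-in default.
    return hit || 'unspecified';
  }
  return null; // no pam_unix password line found
}

// Constructed sample data (placeholders, not real hashes or a real host's config).
const SAMPLE_SHADOW = [
  'alice:$y$j9T$SALTSALTSALTSALT$HASHBODYPLACEHOLDER:19000:0:99999:7:::',
  'bob:$6$rounds=5000$SALTSALT$HASHBODYPLACEHOLDER:19000:0:99999:7:::',
  'carol:!:19000:0:99999:7:::',
];
const SAMPLE_PAM = [
  '# here are the per-package modules (the "Primary" block)',
  'password\t[success=1 default=ignore]\tpam_unix.so obscure yescrypt',
  'password\trequisite\t\t\tpam_deny.so',
  'password\trequired\t\t\tpam_permit.so',
].join('\n');

for (const line of SAMPLE_SHADOW) console.log(explainLoginFailure(line).message);
console.log('next password change will use:', pamUnixHashOption(SAMPLE_PAM));
```

Checking the prefix costs nothing and needs no yescrypt implementation, so it is a reasonable first step even if the project later adds real yescrypt verification; the PAM check lets the UI warn before a user changes their password into a scheme the application cannot read.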