proxmox-mirrors/pve-common
1
0
Fork 0
mirror of https://git.proxmox.com/git/pve-common synced 2025-07-15 04:00:21 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

encrypt_pw: allow yescrypt in addition to sha256

Browse Source 
this has been the default for Debian since Bullseye[0].

besides password setting for the PAM/PVE/PMG realms, this is also used
to hash cloud-init passwords for Linux VMs, where only a subset of
prefixes is currently allowed.

'j9T' is the default cost factor for yescrypt.

0: https://www.debian.org/releases/bullseye/amd64/release-notes/ch-information.en.html#pam-default-password

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
This commit is contained in:
Fabian Grünbichler 2025-03-31 12:03:33 +02:00 committed by Thomas Lamprecht
parent 81aee5bd53
commit 6cbbb1863d
1 changed files with 13 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
src/PVE/Tools.pm
View File

@ -1805,7 +1805,7 @@ sub fchownat($$$$$) {
my $salt_starter = time(); my $salt_starter = time();
sub encrypt_pw { sub encrypt_pw {
my ($pw) = @_; my ($pw, $prefix) = @_;
$salt_starter++; $salt_starter++;
my $salt = substr(Digest::SHA::sha1_base64(time() + $salt_starter + $$), 0, 8); my $salt = substr(Digest::SHA::sha1_base64(time() + $salt_starter + $$), 0, 8);
@ -1813,7 +1813,18 @@ sub encrypt_pw {
# crypt does not want '+' in salt (see 'man crypt') # crypt does not want '+' in salt (see 'man crypt')
$salt =~ s/\+/X/g; $salt =~ s/\+/X/g;
return crypt(encode("utf8", $pw), "\$5\$$salt\$"); $prefix = '5' if !$prefix;
my $input;
if ($prefix eq '5') {
$input = "\$5\$$salt\$";
} elsif ($prefix eq 'y') {
$input = "\$y\$j9T\$$salt\$"
} else {
die "Cannot hash password, unknown crypt prefix '$prefix'\n";
}
return crypt(encode("utf8", $pw), $input);
} }
# intended usage: convert_size($val, "kb" => "gb") # intended usage: convert_size($val, "kb" => "gb")