infix
Add support for yescrypt
Classification:
- [ ] Bug report
- [X] Feature request
- [ ] Question (see Discussions)
Description:
A few people so far have asked about support for alternative password crypts, https://en.wikipedia.org/wiki/Yescrypt is possibly the most interesting since. This feature is currently not possible to add since ietf-system.yang has a limitation on which crypts are available, see RFC7317 for details:
```yang
typedef crypt-hash {
  type string {
    pattern
      '$0$.*'
    + '|$1$[a-zA-Z0-9./]{1,8}$[a-zA-Z0-9./]{22}'
    + '|$5$(rounds=\d+$)?[a-zA-Z0-9./]{1,16}$[a-zA-Z0-9./]{43}'
    + '|$6$(rounds=\d+$)?[a-zA-Z0-9./]{1,16}$[a-zA-Z0-9./]{86}';
  }
  description
    "The crypt-hash type is used to store passwords using
     a hash function. The algorithms for applying the hash
     function and encoding the result are implemented in
     various UNIX systems as the function crypt(3).

     A value of this type matches one of the forms:

       $0$<clear text password>
       $<id>$<salt>$<password hash>
       $<id>$<parameter>$<salt>$<password hash>

     The '$0$' prefix signals that the value is clear text. When
     such a value is received by the server, a hash value is
     calculated, and the string '$<id>$<salt>$' or
     $<id>$<parameter>$<salt>$ is prepended to the result. This
     value is stored in the configuration data store.
```
To enable support for this the current investigation has detailed the following issues:
- [ ] Add a deviation to the IETF system password type to include `$y$`
- [ ] Migrate from libgcrypt to libxcrypt, the former does not have yescrypt
You can help out by sponsoring the development, or contributing a pull request for its support. Use this issue for discussions around this topic.
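
The limitation described in this issue, as an added example that is not part of the original issue or the project's code: it checks sample values against the RFC 7317 `crypt-hash` pattern quoted above and against the same pattern with one extra `$y$` alternative. The yescrypt alternative is an assumption modelled on the hash format documented in libxcrypt's crypt(5), and the helper names and sample hashes are constructed for illustration.

```python
import re

# Alternatives of the crypt-hash pattern as quoted from RFC 7317 above (XSD regex).
RFC7317_CRYPT_HASH = (
    r'$0$.*'
    r'|$1$[a-zA-Z0-9./]{1,8}$[a-zA-Z0-9./]{22}'
    r'|$5$(rounds=\d+$)?[a-zA-Z0-9./]{1,16}$[a-zA-Z0-9./]{43}'
    r'|$6$(rounds=\d+$)?[a-zA-Z0-9./]{1,16}$[a-zA-Z0-9./]{86}'
)

# Assumption: $y$<params>$<salt>$<hash> shape as documented in libxcrypt's crypt(5);
# an actual YANG deviation may choose different bounds.
YESCRYPT_ALT = r'|$y$[a-zA-Z0-9./]+$[a-zA-Z0-9./]{0,86}$[a-zA-Z0-9./]{43}'


def xsd_to_python(pattern):
    """YANG patterns are XSD regexes: '$' is a literal character, not an anchor."""
    return re.compile(pattern.replace('$', r'\$'))


def accepts(pattern, value):
    # XSD patterns are implicitly anchored, so the whole value has to match.
    return xsd_to_python(pattern).fullmatch(value) is not None


def check(samples):
    """Map each sample name to (accepted by RFC 7317, accepted by extended pattern)."""
    extended = RFC7317_CRYPT_HASH + YESCRYPT_ALT
    return {name: (accepts(RFC7317_CRYPT_HASH, value), accepts(extended, value))
            for name, value in samples.items()}


# Constructed sample values: correct shape only, not real password hashes.
SAMPLES = {
    'cleartext': '$0$example-password',
    'sha512': '$6$rounds=5000$' + 's' * 16 + '$' + 'A' * 86,
    'yescrypt': '$y$j9T$' + 's' * 22 + '$' + 'B' * 43,
    'yescrypt-truncated': '$y$j9T$' + 's' * 22 + '$' + 'B' * 42,
}

if __name__ == '__main__':
    for name, (rfc_ok, ext_ok) in check(SAMPLES).items():
        print(f'{name:20} rfc7317={rfc_ok!s:5} with-$y$={ext_ok}')
```

A server that validates configuration against the unmodified type rejects the `$y$` value at the schema level, before any crypt library sees it, which is why the deviation and the libxcrypt migration are listed as separate tasks.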