-
Notifications
You must be signed in to change notification settings - Fork 10
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
10 changed files
with
267 additions
and
118 deletions.
There are no files selected for viewing
104 changes: 104 additions & 0 deletions
104
docs/2023/09/23/changes-to-default-password-hashing-algorithm-and-umask-settings.html
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,104 @@ | ||
| <!doctype html> | ||
| <html lang="zh-TW"> | ||
|
|
||
| <head> | ||
| <meta charset="utf-8"> | ||
| <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no"> | ||
| <title>預設的密碼雜湊演算法與 umask 設定的更動 | Arch Linux 臺灣社群 / Arch Linux Taiwan Community</title> | ||
| <link rel="shortcut icon" href="/images/favicon.ico" /> | ||
| <!-- Twitter Bootstrap CSS --> | ||
| <link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.1.0/css/bootstrap.min.css" integrity="sha384-9gVQ4dYFwwWSjIDZnLEWnxCjeSWFphJiwGPXr1jddIhOegiu1FwO5qRGvFXOdJZ4" | ||
| crossorigin="anonymous"> | ||
| <!-- syntax highlighting CSS --> | ||
| <link rel="stylesheet" href="/css/syntax.css"> | ||
| <!-- Custom CSS --> | ||
| <link rel="stylesheet" href="/css/main.css"> | ||
| <!-- Web fonts --> | ||
| <link href='//fonts.googleapis.com/css?family=Roboto:400,700|Roboto+Condensed:400,700|Roboto+Slab:400,700' rel='stylesheet' type='text/css'> | ||
| <link href='//fonts.googleapis.com/css?family=Comfortaa' rel='stylesheet' type='text/css'> | ||
| <link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.0.10/css/all.css" integrity="sha384-+d0P83n9kaQMCwj8F4RJB66tzIwOKmrdb46+porD/OvrJ+37WqIM7UoBtwHO6Nlg" crossorigin="anonymous"> | ||
| <!-- RSS Feeds --> | ||
| <link type="application/atom+xml" rel="alternate" href="https://archlinux.tw/feed.xml" title="Arch Linux 臺灣社群" /> | ||
| </head> | ||
|
|
||
| <body data-itemid=""> | ||
| <header> | ||
| <nav class="navbar navbar-expand-lg navbar-dark bg-dark" role="navigation"> | ||
| <a class="site-title navbar-brand" href="https://archlinux.tw">Arch Linux 臺灣社群</a> | ||
| <button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarSupportedContent" aria-controls="navbarSupportedContent" aria-expanded="false" aria-label="Toggle navigation"> | ||
| <span class="navbar-toggler-icon"></span> | ||
| </button> | ||
| <div class="collapse navbar-collapse" id="navbarSupportedContent"> | ||
| <ul class="navbar-nav mr-auto"> | ||
| <li class="nav-item" id="nav-home"> | ||
| <a class="nav-link" href="/">首頁</a> | ||
| </li> | ||
| <li class="nav-item" id="nav-news"> | ||
| <a class="nav-link" href="/news/">最新消息</a> | ||
| </li> | ||
| <li class="nav-item" id="nav-getting-started"> | ||
| <a class="nav-link" href="/getting-started/">新手上路</a> | ||
| </li> | ||
| <li class="nav-item" id="nav-links"> | ||
| <a class="nav-link" href="/resources/">線上資源</a> | ||
| </li> | ||
| <li class="nav-item" id="nav-contribute"> | ||
| <a class="nav-link" href="/contribute/">加入我們</a> | ||
| </li> | ||
| </ul> | ||
| </div> | ||
| </nav> | ||
| </header> | ||
|
|
||
| <section class="content container"> | ||
| <article itemscope itemtype="http://schema.org/Article" class="post"> | ||
| <h1 itemprop="name" class="post__title">預設的密碼雜湊演算法與 umask 設定的更動</h1> | ||
| <div class="meta"><span itemprop="author">Ji Kuai</span> 發表於 <span itemprop="datePublished">Sat, 23 Sep 2023 15:52:00 +0800</span></div> | ||
| <div itemprop="articleBody"> | ||
| <p><strong>原文:</strong><a href="https://archlinux.org/news/changes-to-default-password-hashing-algorithm-and-umask-settings/">Changes to default password hashing algorithm and umask settings</a></p> | ||
|
|
||
| <p>從 shadow >= <code class="language-plaintext highlighter-rouge">4.14.0</code> 起,Arch Linux 的預設密碼雜湊演算法將從 <strong>SHA512</strong> 改成 <a href="https://www.openwall.com/yescrypt/"><strong>yescrypt</strong></a>。</p> | ||
|
|
||
| <p>此外,<a href="https://man.archlinux.org/man/umask.1p"><code class="language-plaintext highlighter-rouge">umask</code></a> 的設定現在也位於 <code class="language-plaintext highlighter-rouge">/etc/login.defs</code> 而不是 <code class="language-plaintext highlighter-rouge">/etc/profile</code>。</p> | ||
|
|
||
| <p>這應該不需要任何手動調整。</p> | ||
| <h1 id="使用-yescrypt-的原因">使用 Yescrypt 的原因</h1> | ||
| <p>因基於密碼的金鑰衍生函數(KDF)和密碼雜湊方式 <strong>yescrypt</strong> 已存在於 <a href="https://wiki.archlinux.org/title/PAM"><em>pam</em></a> 所使用的 <em>libxcrypt</em> 之中,並且與 <strong>SHA512</strong> 相比其面對於密碼破解時更牢靠,因此我們採用此演算法。</p> | ||
|
|
||
| <p>儘管 <a href="https://www.password-hashing.net/">Password Hashing Competition</a> 的勝利者是 <strong>argon2</strong>,但這個更堅固的演算法目前還未存在於 <em>libxcrypt</em> 之中(<a href="https://github.com/besser82/libxcrypt/pull/113">第一次嘗試</a>、<a href="https://github.com/besser82/libxcrypt/pull/150">第二次嘗試</a>)。</p> | ||
| <h1 id="設定-yescrypt">設定 yescrypt</h1> | ||
| <p><code class="language-plaintext highlighter-rouge">/etc/login.defs</code> 內的 <code class="language-plaintext highlighter-rouge">YESCRYPT_COST_FACTOR</code> 設定目前沒有效果,<a href="https://github.com/linux-pam/linux-pam/issues/607">除非 <em>pam</em> 未來的實作讀取其值</a>。如果需要讓 <code class="language-plaintext highlighter-rouge">YESCRYPT_COST_FACTOR</code> 的值高過(或低於)其預設值(<code class="language-plaintext highlighter-rouge">5</code>),可以透過修改 <a href="https://man.archlinux.org/man/pam_unix.8"><code class="language-plaintext highlighter-rouge">pam_unix</code></a> 模組內(於 <code class="language-plaintext highlighter-rouge">/etc/pam.d/system-auth</code>)的 <code class="language-plaintext highlighter-rouge">rounds</code> 設定來達到。</p> | ||
| <h1 id="改動列表">改動列表</h1> | ||
| <ul> | ||
| <li><strong>yescrpyt</strong> 現在取代了 <strong>SHA512</strong> 成為預設的密碼雜湊演算法</li> | ||
| <li><em>pam</em> 現在採用 <code class="language-plaintext highlighter-rouge">/etc/login.defs</code> 內的 <code class="language-plaintext highlighter-rouge">ENCRYPT_METHOD</code> 而不再複寫其值</li> | ||
| <li>修改了 <em>filesystem</em> (>= <code class="language-plaintext highlighter-rouge">2023.09.18</code>) 和 <em>pambase</em> (>= <code class="language-plaintext highlighter-rouge">20230918</code>) 來確保 <code class="language-plaintext highlighter-rouge">umask</code> 是設定於 <code class="language-plaintext highlighter-rouge">/etc/login.defs</code> 而非 <code class="language-plaintext highlighter-rouge">/etc/profile</code></li> | ||
| </ul> | ||
|
|
||
| </div> | ||
| </article> | ||
|
|
||
| </section> | ||
| <!-- /content --> | ||
|
|
||
| <footer class="container"> | ||
| <h1>Arch Linux 臺灣社群</h1> | ||
| <p>除另有註明外,本站內容皆採 | ||
| <a href="http://creativecommons.org/licenses/by-sa/4.0/deed.zh_TW">Creative Commons — 姓名標示-相同方式分享 4.0 國際 — CC BY-SA 4.0</a> 或更新版本授權大眾使用。本站原始碼可自 | ||
| <a href="https://github.com/linux-taiwan/arch.linux.org.tw">GitHub</a> 取得,歡迎貢獻、改進內容。</p> | ||
| <p>本站使用 | ||
| <a href="https://fontawesome.com/">Font Awesome</a> 提供之圖示字型服務,特此謝忱。</p> | ||
| </footer> | ||
| <!-- Twitter Bootstrap JS --> | ||
| <script src="https://code.jquery.com/jquery-3.3.1.slim.min.js" integrity="sha384-q8i/X+965DzO0rT7abK41JStQIAqVgRVzpbzo5smXKp4YfRvH+8abtTE1Pi6jizo" | ||
| crossorigin="anonymous"></script> | ||
| <script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.14.0/umd/popper.min.js" integrity="sha384-cs/chFZiN24E4KMATLdqdvsezGxaGsi4hLGOzlXwp5UZB1LY//20VyM2taTB4QvJ" | ||
| crossorigin="anonymous"></script> | ||
| <script src="https://stackpath.bootstrapcdn.com/bootstrap/4.1.0/js/bootstrap.min.js" integrity="sha384-uefMccjFJAIv6A+rW+L4AHf99KvxDjWSu1z9VI8SKNVmz4sk7buKt/6v9KI65qnm" | ||
| crossorigin="anonymous"></script> | ||
| <!-- some tweaks --> | ||
| <script src="/javascripts/set-active-menu-item.js"></script> | ||
| <script src="/javascripts/redirect-https.js"></script> | ||
| </body> | ||
|
|
||
| </html> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.