Index: authselect-1.2.3/profiles/minimal/password-auth
===================================================================
--- authselect-1.2.3.orig/profiles/minimal/password-auth
+++ authselect-1.2.3/profiles/minimal/password-auth
@@ -10,7 +10,7 @@ account required
 account required pam_unix.so
 password requisite pam_pwquality.so try_first_pass
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} try_first_pass use_authtok
 password required pam_deny.so
 session optional pam_keyinit.so revoke
Index: authselect-1.2.3/profiles/minimal/system-auth
===================================================================
--- authselect-1.2.3.orig/profiles/minimal/system-auth
+++ authselect-1.2.3/profiles/minimal/system-auth
@@ -10,7 +10,7 @@ account required
 account required pam_unix.so
 password requisite pam_pwquality.so try_first_pass
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} try_first_pass use_authtok
 password required pam_deny.so
 session optional pam_keyinit.so revoke
Index: authselect-1.2.3/profiles/nis/password-auth
===================================================================
--- authselect-1.2.3.orig/profiles/nis/password-auth
+++ authselect-1.2.3/profiles/nis/password-auth
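Review bot: Nothing on or around the new `password sufficient pam_unix.so yescrypt shadow ...` line in profiles/minimal/password-auth records that the profile now needs a pam_unix and libcrypt build that recognise `yescrypt`. If the option is not understood, new hashes may fall back to a weaker default instead of failing; this is inferred rather than visible in the hunk, so it is worth verifying against the packaged PAM. The switch also only affects hashes written at the next password change, so existing `$6$` entries in `/etc/shadow` stay until each user changes their password. I would add a template comment above the line such as `# yescrypt: needs pam_unix/libxcrypt support; existing sha512 hashes remain until the password is changed`, and pair the patch with a matching package dependency. The same applies to the minimal/system-auth hunk and to the sssd and winbind password-auth and system-auth hunks.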
@@ -12,7 +12,7 @@ account required
 account required pam_unix.so broken_shadow
 password requisite pam_pwquality.so try_first_pass {if not "with-nispwquality":local_users_only}
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok nis
+password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} try_first_pass use_authtok nis
 password required pam_deny.so
 session optional pam_keyinit.so revoke
Index: authselect-1.2.3/profiles/nis/system-auth
===================================================================
--- authselect-1.2.3.orig/profiles/nis/system-auth
+++ authselect-1.2.3/profiles/nis/system-auth
@@ -13,7 +13,7 @@ account required
 account required pam_unix.so broken_shadow
 password requisite pam_pwquality.so try_first_pass {if not "with-nispwquality":local_users_only}
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok nis
+password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} try_first_pass use_authtok nis
 password required pam_deny.so
 session optional pam_keyinit.so revoke
Index: authselect-1.2.3/profiles/sssd/password-auth
===================================================================
--- authselect-1.2.3.orig/profiles/sssd/password-auth
+++ authselect-1.2.3/profiles/sssd/password-auth
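Review bot: In profiles/nis/password-auth the `nis` option stays on the `pam_unix.so yescrypt ...` line, so a password change on this host presumably places a yescrypt hash in the shared NIS maps. Every other client of that domain then has to verify it, and NIS domains are often mixed. A client whose crypt() lacks yescrypt would reject the user's correct password after the change. Either keep `sha512` for the nis profile or state the client requirement in a comment above the line, e.g. `# yescrypt hashes are written to the NIS maps; all NIS clients must support yescrypt`. The nis/system-auth hunk has the same issue.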
@@ -21,7 +21,7 @@ account [default=bad success=ok user
 account required pam_permit.so
 password requisite pam_pwquality.so try_first_pass local_users_only
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} try_first_pass use_authtok
 password sufficient pam_sss.so use_authtok
 password required pam_deny.so
Index: authselect-1.2.3/profiles/sssd/system-auth
===================================================================
--- authselect-1.2.3.orig/profiles/sssd/system-auth
+++ authselect-1.2.3/profiles/sssd/system-auth
@@ -26,7 +26,7 @@ account [default=bad success=ok user
 account required pam_permit.so
 password requisite pam_pwquality.so try_first_pass local_users_only
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} try_first_pass use_authtok
 password sufficient pam_sss.so use_authtok
 password required pam_deny.so
Index: authselect-1.2.3/profiles/winbind/password-auth
===================================================================
--- authselect-1.2.3.orig/profiles/winbind/password-auth
+++ authselect-1.2.3/profiles/winbind/password-auth
@@ -18,7 +18,7 @@ account [default=bad success=ok user
 account required pam_permit.so
 password requisite pam_pwquality.so try_first_pass local_users_only
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} try_first_pass use_authtok
 password sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_authtok
 password required pam_deny.so
Index: authselect-1.2.3/profiles/winbind/system-auth
===================================================================
--- authselect-1.2.3.orig/profiles/winbind/system-auth
+++ authselect-1.2.3/profiles/winbind/system-auth
@@ -19,7 +19,7 @@ account [default=bad success=ok user
 account required pam_permit.so
 password requisite pam_pwquality.so try_first_pass local_users_only
-password sufficient pam_unix.so sha512 shadow {if not "without-nullok":nullok} try_first_pass use_authtok
+password sufficient pam_unix.so yescrypt shadow {if not "without-nullok":nullok} try_first_pass use_authtok
 password sufficient pam_winbind.so {if "with-krb5":krb5_auth} use_authtok
 password required pam_deny.so
Index: authselect-1.2.3/src/compat/authcompat_Options.py
===================================================================
--- authselect-1.2.3.orig/src/compat/authcompat_Options.py
+++ authselect-1.2.3/src/compat/authcompat_Options.py
@@ -145,7 +145,7 @@ class Options:
 Option.UnsupportedSwitch ("useshadow"),
 Option.UnsupportedFeature("md5"),
 Option.UnsupportedSwitch ("usemd5"),
- Option.UnsupportedValued ("passalgo", _("")),
+ Option.UnsupportedValued ("passalgo", _("")),
 Option.UnsupportedValued ("ldaploadcacert", _("")),
 Option.UnsupportedValued ("smartcardmodule", _("")),
 Option.UnsupportedValued ("smbsecurity", _("")),
Index: authselect-1.2.3/src/man/authselect-migration.7.adoc
===================================================================
--- authselect-1.2.3.orig/src/man/authselect-migration.7.adoc
+++ authselect-1.2.3/src/man/authselect-migration.7.adoc
@@ -1,6 +1,6 @@
 authselect-migration(7)
 =======================
-:revdate: 2018-03-18
+:revdate: 2021-06-04
 NAME
 ----
@@ -85,8 +85,16 @@ configuration file for required services
 |--enablefaillock |with-faillock
 |--enablepamaccess |with-pamaccess
 |--enablewinbindkrb5 |with-krb5
+|--enableshadow |_none_
+|--passalgo |_none_
 |==================================================
+NOTE: Authconfig options `--enableshadow` and `--passalgo=sha512` were often
+used to make sure that passwords are stored in `/etc/shadow` using `sha512`
+algorithm. *The authselect profiles now use the yescrypt hashing method* and
+it cannot be changed through an option (only by creating a custom profile).
+You can just omit these options.
+
 .Examples
 ----
 authconfig --enableldap --enableldapauth --enablefaillock --updateall
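Review bot: In src/compat/authcompat_Options.py `passalgo` stays an `Option.UnsupportedValued` entry, so an explicit `--passalgo=sha512` from an old script or kickstart is still accepted while the profiles now write yescrypt hashes. Whether the caller is told the value was ignored is not visible in this hunk. A short comment beside the entry would make the mismatch clear to maintainers, e.g. `# ignored: profiles hard-code the pam_unix hash method (yescrypt)`. As shown here the removed and added lines look identical, with an empty `_("")` placeholder, so the changed value list could not be reviewed. The `Options` class body starts and ends outside the hunk.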