tech-userlevel archive


Re: Changing the default localcipher in passwd.conf to argon2id



On Wed, 20 Oct 2021 at 13:39, nia <nia%netbsd.org@localhost> wrote:

> I want to change the default cipher in passwd.conf to
> Argon2id, for these reasons:
>
> - Argon2id is resistant to GPU-based password cracking attacks.
> - Argon2id is resistant to side channel attacks.
> - It allows us to dynamically scale the CPU time and memory required
>   to compute a password hash, making hashes that are strong and
>   difficult to crack on fast machines, while not making you wait
>   an unreasonable amount of time to log in on slow machines.
>
> The work to integrate Argon2 into NetBSD was done in 2019 and in
> the past few weeks I've been cleaning up the code, making sure
> we match the reference implementation, adding tests and documentation,
> etc.
>
> I've tested the Argon2 implementation and determined it's correct
> and usable on:
>
> - amd64 (Ryzen, Haswell...)
> - aarch64 (QEMU)
> - shark
> - macppc (G4)
> - sparc (50MHz, Argon2id shaves 7 seconds off login time compared to
>   the current default.)
>

Thanks for fixing up the Argon2 implementation.

I think it's a good idea, BUT I'd be a lot happier if the argon2 support
was in a regular release (I know it's just the default cipher going
forward, but I suspect some people have got into the nasty habit of cloning
some of /etc from git or hg - maybe even cvs? :) - repos in some places,
and onto various vintages of hosts)

For those of you wanting to read about Jason High's work on bringing the
Argon2 routines to NetBSD, and adding them to the testing framework, please
see:

https://blog.netbsd.org/tnf/entry/gsoc_2019_report_incorporating_the
https://blog.netbsd.org/tnf/entry/gsoc_2019_report_update_incorporating
https://wiki.netbsd.org/archives/2020/01/

(Not always easy to find using Google, for obvious reasons)

