tech-userlevel archive


Re: Changing the default localcipher in passwd.conf to argon2id



On Wed, 20 Oct 2021 at 14:37, Alistair Crooks <agc%pkgsrc.org@localhost> wrote:

>
>
> On Wed, 20 Oct 2021 at 13:39, nia <nia%netbsd.org@localhost> wrote:
>
>> I want to change the default cipher in passwd.conf to
>> Argon2id, for these reasons:
>>
>> - Argon2id is resistant to GPU-based password cracking attacks.
>> - Argon2id is resistant to side channel attacks.
>> - It allows us to dynamically scale the CPU time and memory required
>>   to compute a password hash, making hashes that are strong and
>>   difficult to crack on fast machines, while not making you wait
>>   an unreasonable amount of time to log in on slow machines.
>>
>> The work to integrate Argon2 into NetBSD was done in 2019 and in
>> the past few weeks I've been cleaning up the code, making sure
>> we match the reference implementation, adding tests and documentation,
>> etc.
>>
>> I've tested the Argon2 implementation and determined it's correct
>> and usable on:
>>
>> - amd64 (Ryzen, Haswell...)
>> - aarch64 (QEMU)
>> - shark
>> - macppc (G4)
>> - sparc (50MHz, Argon2id shaves 7 seconds off login time compared to
>>   the current default.)
>>
>
> Thanks for fixing up the Argon2 implementation.
>
> I think it's a good idea, BUT I'd be a lot happier if the argon2 support
> was in a regular release (I know it's just the default cipher going
> forward, but I suspect some people have got into the nasty habit of cloning
> some of /etc from git or hg - maybe even cvs? :) - repos in some places,
> and onto various vintages of hosts)
>
> For those of you wanting to read about Jason High's work on bringing the
> Argon2 routines to NetBSD, and adding them to the testing framework, please
> see:
>
> https://blog.netbsd.org/tnf/entry/gsoc_2019_report_incorporating_the
> https://blog.netbsd.org/tnf/entry/gsoc_2019_report_update_incorporating
> https://wiki.netbsd.org/archives/2020/01/
>
> (Not always easy to find using Google, for obvious reasons)
>
>
>
I think my MUA must be broken, as I can't see any reply to address the
concerns that were raised above.

I see the change was made, nevertheless, on Oct 26th.

Or is the intent to discuss this in retrospect?

