nixos/doc/rl-2211: add entry for libxcrypt migration

This commit is contained in:
Winter 2022-11-29 20:22:02 -05:00
parent e81b0cec91
commit b937bf637f
2 changed files with 63 additions and 0 deletions

View file

@ -11,6 +11,62 @@
includes the following highlights:
</para>
<itemizedlist>
<listitem>
<para>
Software that uses the <literal>crypt</literal> password
hashing API is now using the implementation provided by
<link xlink:href="https://github.com/besser82/libxcrypt"><literal>libxcrypt</literal></link>
instead of glibcs, which enables support for more secure
algorithms.
</para>
<itemizedlist spacing="compact">
<listitem>
<para>
Support for algorithms that <literal>libxcrypt</literal>
<link xlink:href="https://github.com/besser82/libxcrypt/blob/v4.4.28/lib/hashes.conf#L41">does
not consider strong</link> are
<emphasis role="strong">deprecated</emphasis> as of this
release, and will be removed in NixOS 23.05.
</para>
</listitem>
<listitem>
<para>
This includes system login passwords. Given this, we
<emphasis role="strong">strongly encourage</emphasis> all
users to update their system passwords, as you will be
unable to login if password hashes are not migrated by the
time their support is removed.
</para>
<itemizedlist spacing="compact">
<listitem>
<para>
When using
<literal>users.users.&lt;name&gt;.hashedPassword</literal>
to configure user passwords, run
<literal>mkpasswd</literal>, and use the yescrypt hash
that is provided as the new value.
</para>
</listitem>
<listitem>
<para>
On the other hand, for interactively configured user
passwords, simply re-set the passwords for all users
with <literal>passwd</literal>.
</para>
</listitem>
<listitem>
<para>
This release introduces warnings for the use of
deprecated hash algorithms for both methods of
configuring passwords. To make sure you migrated
correctly, run
<literal>nixos-rebuild switch</literal>.
</para>
</listitem>
</itemizedlist>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>
GNOME has been upgraded to version 43. Please take a look at

View file

@ -6,6 +6,13 @@ This release is supported until the end of June 2023, handing over to NixOS 23.0
In addition to numerous new and upgraded packages, this release includes the following highlights:
- Software that uses the `crypt` password hashing API is now using the implementation provided by [`libxcrypt`](https://github.com/besser82/libxcrypt) instead of glibc's, which enables support for more secure algorithms.
- Support for algorithms that `libxcrypt` [does not consider strong](https://github.com/besser82/libxcrypt/blob/v4.4.28/lib/hashes.conf#L41) are **deprecated** as of this release, and will be removed in NixOS 23.05.
- This includes system login passwords. Given this, we **strongly encourage** all users to update their system passwords, as you will be unable to login if password hashes are not migrated by the time their support is removed.
- When using `users.users.<name>.hashedPassword` to configure user passwords, run `mkpasswd`, and use the yescrypt hash that is provided as the new value.
- On the other hand, for interactively configured user passwords, simply re-set the passwords for all users with `passwd`.
- This release introduces warnings for the use of deprecated hash algorithms for both methods of configuring passwords. To make sure you migrated correctly, run `nixos-rebuild switch`.
- GNOME has been upgraded to version 43. Please take a look at their [Release Notes](https://release.gnome.org/43/) for details.
- KDE Plasma has been upgraded from v5.24 to v5.26. Please see the release notes for [v5.25](https://kde.org/announcements/plasma/5/5.25.0/) and [v5.26](https://kde.org/announcements/plasma/5/5.26.0/) for more details on the included changes.