hexparrot / mineos-node

node.js implementation of mineos minecraft management
GNU General Public License v3.0
341 stars, 174 forks

PAM on Debian Bullseye uses yescrypt passwd hash algorithm #441

Open MichaIng opened 3 years ago

MichaIng commented 3 years ago

We noticed failing web interface login attempts when using Debian Bullseye, or when changing the password on an older Debian Bullseye system where the password had not been changed for a while. The reason is that the default password hashing algorithm has changed to "yescrypt": https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=978553

Please consider "teaching" MineOS to understand or hash passwords with this new algorithm to retain login ability on recent Debian. Not sure if other distros are affected as well, but at least it is always possible to change the algorithm used to store UNIX user passwords manually.

Smith8154 commented 2 years ago

Thank you for posting the issue! I was about to lose my mind wondering why I couldn't log in to the webUI on Debian 11. I am using the latest version of Raspberry Pi OS 64bit which uses Debian 11. I was able to change the password hashing algorithm, reset the password, then log in.

For anyone else that stumbles upon this issue, here is how to resolve it:

Run as root user: `nano /etc/pam.d/common-password`. Look for the line that ends with `yescrypt` and change that to `sha512`, then change your password.

MichaIng commented 2 years ago

Pushing this, as Debian/Raspbian Bullseye has been stable for half a year now and the error is handled quite ungracefully, without any meaningful error message to end users, who just see that login fails: #458

While reverting default UNIX password hashes to sha512 IMHO is not a big issue and secure enough, it is not great to argue to end users that they need to weaken the way all their UNIX user passwords are stored to run a game... I can make this decision for myself, or for individual users, but I won't ever advise all our users to do so or dare to do this automatically, hence I am currently forced to not offer MineOS for Bullseye users at all, which is pretty sad 😢.

flareofghast commented 2 years ago

It is squarely in the too hard basket as there is no library to handle linux crypt password hashing for yescrypt in node yet. Or, not one I could recognise and use. Yescrypt is used in some crypto mining libraries but the linux crypt solution is not as simple as running yescrypt over your provided password and checking it against your system password.

The solution at the moment is probably to return an error to the UI informing them that they’re using yescrypt and that we don’t support it.
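The "tell the user it is yescrypt" approach suggested above can be done without any yescrypt implementation, because the scheme is announced by the `$id$` prefix of the crypt(3) hash in the shadow password field. The following is an added example written for this thread, not code from mineos-node: it parses shadow-style lines, recognises the prefix, handles locked and empty entries, and returns a user-facing message for hashes it cannot verify. The set of "unsupported" schemes, the `loginBlocker` name and the sample entries are assumptions constructed for the example.

```javascript
// Added example, not part of mineos-node: recognise the crypt(3) scheme of a
// shadow(5) password field so a login handler can report "unsupported hash
// algorithm" instead of failing silently.

// crypt(3) "$id$" prefixes as documented by libxcrypt.
const CRYPT_IDS = {
  '$y$': 'yescrypt',
  '$gy$': 'gost-yescrypt',
  '$7$': 'scrypt',
  '$2a$': 'bcrypt',
  '$2b$': 'bcrypt',
  '$2y$': 'bcrypt',
  '$6$': 'sha512crypt',
  '$5$': 'sha256crypt',
  '$1$': 'md5crypt',
};

// Assumption for this example: only the yescrypt variants have no verifier in
// the node code path; every other scheme is handed to the existing check.
const UNSUPPORTED = new Set(['yescrypt', 'gost-yescrypt']);

// Split one shadow(5) line into the two fields this check needs.
function parseShadowLine(line) {
  const fields = line.split(':');
  if (fields.length < 2) throw new Error('malformed shadow line');
  return { user: fields[0], hash: fields[1] };
}

// Classify the password field: scheme name plus whether the account is locked.
function classifyHash(hash) {
  if (hash === '') return { scheme: 'none', locked: false };        // empty password
  if (hash === '*' || hash === '!' || hash === '!!') {
    return { scheme: 'none', locked: true };                         // no usable password
  }
  let locked = false;
  let body = hash;
  if (body.startsWith('!')) {                                        // "!" prefix = locked by passwd -l
    locked = true;
    body = body.slice(1);
  }
  const match = /^\$[^$]+\$/.exec(body);
  if (!match) return { scheme: 'descrypt', locked };                 // legacy DES: no "$id$" prefix
  const id = match[0];
  return { scheme: CRYPT_IDS[id] || `unknown(${id})`, locked };
}

// Return a message to show the user when login cannot proceed, or null when the
// hash can be passed on to the regular password verifier.
function loginBlocker(line) {
  const { user, hash } = parseShadowLine(line);
  const { scheme, locked } = classifyHash(hash);
  if (locked) return `account "${user}" is locked`;
  if (UNSUPPORTED.has(scheme)) {
    return `password for "${user}" is stored with ${scheme}, which this login ` +
      'path cannot verify; see issue #441 for the PAM/chpasswd workaround';
  }
  return null;
}

// Constructed sample entries (not real credentials); salt and hash bodies are dummies.
const SAMPLE_SHADOW = [
  'mc:$y$j9T$constructedsalt$constructedhashbody:19000:0:99999:7:::',
  'admin:$6$constructedsalt$constructedhashbody:19000:0:99999:7:::',
  'svc:!$6$constructedsalt$constructedhashbody:19000:0:99999:7:::',
  'nobody:*:19000:0:99999:7:::',
];

for (const line of SAMPLE_SHADOW) {
  const { user, hash } = parseShadowLine(line);
  console.log(user, classifyHash(hash), loginBlocker(line) || 'ok: hand to verifier');
}
```

Run it with `node` and the `mc` entry is reported as yescrypt and blocked with an explanatory message, the `admin` entry passes through, and the locked entries are reported as locked. A real deployment would read the shadow entry of the authenticating user instead of the constructed list.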

MichaIng commented 2 years ago

The cleanest solution would probably be to use its own user management instead of UNIX login users, which would also allow running MineOS itself as a non-root user.

But yes, I think a meaningful error message would help for now.

MichaIng commented 2 weeks ago

It is also possible to define the password algorithm without changing the PAM config:

sudo chpasswd --crypt-method SHA512 <<< 'user:password'