[cloud-init] Passwords hashed with yescrypt get rehashed to sha256crypt

[M.D. Klapwijk]

When passing a yescrypt hashed password to a cloud-init kvm, the value gets rehashed into a sha256crypt, instead of passing the yescrypt hash directly, as it does with sha512crypt hashes.

Seems to be due to code not recognising the "$y$j9T$...." as an hashed password, for example in PVE/API2/Qemu.pm(1655):

...
    my $skip_cloud_init = extract_param($param, 'skip_cloud_init');

    if (defined(my $cipassword = $param->{cipassword})) {
        # Same logic as in cloud-init (but with the regex fixed...)
        $param->{cipassword} = PVE::Tools::encrypt_pw($cipassword)
            if $cipassword !~ /^\$(?:[156]|2[ay])(\$.+){2}/;
    }

    my @paramarr = (); # used for log message
...

Examples, with password set to test1234:
- yescrypt; $y$j9T$IDqZPRj3QPlrdR3KR0fff/$.hJ0ZpcYXa5uYRPLwtuukcWfIlz7kpCZ40qeKyt6VCA:

mklapwijk@qemu-01:~$ sudo cat /var/lib/cloud/instance/user-data.txt
#cloud-config
hostname: qemu-01
manage_etc_hosts: true
fqdn: qemu-01.domain.tld
user: test
password: $5$Q61/b6VR$rx91IPdOy0jWi6LKsDn1TptP7TKutIC/5BohLYIvi9D
chpasswd:
  expire: False
users:
  - default
package_upgrade: true

- sha512crypt; $6$xJzA.dbF1ZP.I6Yj$nz9MNnHZv6fs8qdfwp88X4HmcDvtdp8K48tSZW9uWFhlELSZKzxktHfuquYYJBSHd9zgJKL.H8EAYhSlr8U3P/:

test@qemu-01:~$ sudo cat /var/lib/cloud/instance/user-data.txt
#cloud-config
hostname: qemu-01
manage_etc_hosts: true
fqdn: qemu-01.domain.tld
user: test
password: $6$xJzA.dbF1ZP.I6Yj$nz9MNnHZv6fs8qdfwp88X4HmcDvtdp8K48tSZW9uWFhlELSZKzxktHfuquYYJBSHd9zgJKL.H8EAYhSlr8U3P/
chpasswd:
  expire: False
users:
  - default
package_upgrade: true

 

[M.D. Klapwijk]

Changing the aforementioned code into the following and rebooting server, does seem to fix the issue:

...
    my $skip_cloud_init = extract_param($param, 'skip_cloud_init');

    if (defined(my $cipassword = $param->{cipassword})) {
        # Same logic as in cloud-init (but with the regex fixed...)
        $param->{cipassword} = PVE::Tools::encrypt_pw($cipassword)
            if $cipassword !~ /^\$(?:[156y]|2[ay])(\$.+){2}/;
    }

    my @paramarr = (); # used for log message
...

Again with password set to test1234:
- yescrypt; $y$j9T$IDqZPRj3QPlrdR3KR0fff/$.hJ0ZpcYXa5uYRPLwtuukcWfIlz7kpCZ40qeKyt6VCA:

mklapwijk@qemu-01:~$ sudo cat /var/lib/cloud/instance/user-data.txt
#cloud-config
hostname: qemu-01
manage_etc_hosts: true
fqdn: qemu-01.domain.tld
user: test
password: $y$j9T$IDqZPRj3QPlrdR3KR0fff/$.hJ0ZpcYXa5uYRPLwtuukcWfIlz7kpCZ40qeKyt6VCA
chpasswd:
  expire: False
users:
  - default
package_upgrade: true

 

[M.D. Klapwijk]

Hmmm, nevermind, cloud-init itself doesn't seem to do yescrypt either....

mklapwijk@qemu-01:~$ sudo dpkg -l cloud-init
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version          Architecture Description
+++-==============-================-============-========================================================
ii  cloud-init     22.4.2-1+deb12u1 all          initialization system for infrastructure cloud instances

mklapwijk@qemu-01:~$ sudo cat /etc/shadow | grep ^test:
test:$5$Q61/b6VR$rx91IPdOy0jWi6LKsDn1TptP7TKutIC/5BohLYIvi9D:19969:0:99999:7:::