As an update based upon the comments and discussion in keystone here is the course of action:
* No backports
* Pike will be updated to support pbkdf2_sha512, bcrypt, and scrypt (configurable) - default will be bcrypt
* For rolling upgrade purposes, keystone will still write sha512_crypt passwords to the old column, new column will be created for the new password hashes. This old crypt hash will be disable-able from being written via configuration option.
* In the Q release, keystone will cease to write sha512_crypt and the configuration option (that toggles sha512_crypt writing) will be deprecated for removal/removed.
This means OSSA can be closed, OSSN task can be opened if OSSG would like to issue an OSSN for this.
While sha512_crypt and sha256_crypt are used in many cases, these are in places that are typically more secure than web-facing applications (the shadow file), whereas pbkdf2, bcrypt, and scrypt really shine and start providing significantly more protection against off-line brute force, especially since databases are more likely to be breached, as they are more often accessible from more locations than the shadow file/filesystem is.
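As an added illustration of the dual-column rolling-upgrade scheme described in the comment above (this is example code written for this page, not keystone's implementation and not posted by anyone in this bug thread): the new column holds a self-describing pbkdf2_sha512 or scrypt hash, the legacy column keeps sha512_crypt during the upgrade window, and a `write_legacy_crypt` toggle models the configuration option that turns legacy writing off. It uses only the Python standard library, so bcrypt (the default named in the comment) is omitted and scrypt stands in as the default here; the work factors, the hash string layouts, the function names, and the re-hash-on-successful-login step for pre-upgrade rows are all assumptions of this example, not behaviour the comment describes. Where the `crypt` module is unavailable (Python 3.13+, non-Unix), a clearly labelled salted-SHA-512 stand-in replaces sha512_crypt so the example still runs.

```python
import base64
import hashlib
import hmac
import os
import warnings

# Illustrative work factors (assumptions of this example, not keystone's defaults).
PBKDF2_ROUNDS = 200_000
SCRYPT_LN, SCRYPT_R, SCRYPT_P = 14, 8, 1      # n = 2**14 -> 16 MiB per hash


def _b64(raw):
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def _unb64(text):
    return base64.b64decode(text + "=" * (-len(text) % 4))


def hash_pbkdf2_sha512(password, salt=None):
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, PBKDF2_ROUNDS)
    return "$pbkdf2-sha512$%d$%s$%s" % (PBKDF2_ROUNDS, _b64(salt), _b64(dk))


def hash_scrypt(password, salt=None):
    salt = salt or os.urandom(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, n=2 ** SCRYPT_LN,
                        r=SCRYPT_R, p=SCRYPT_P, dklen=64)
    return "$scrypt$ln=%d,r=%d,p=%d$%s$%s" % (SCRYPT_LN, SCRYPT_R, SCRYPT_P,
                                             _b64(salt), _b64(dk))


# Hashers selectable for the new column (bcrypt omitted: not in the stdlib).
HASHERS = {"pbkdf2_sha512": hash_pbkdf2_sha512, "scrypt": hash_scrypt}


def verify_new(password, stored):
    """Verify against a new-column hash; every parameter is read from the stored string."""
    _, scheme, params, salt_b64, dk_b64 = stored.split("$")
    salt, dk = _unb64(salt_b64), _unb64(dk_b64)
    if scheme == "pbkdf2-sha512":
        cand = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, int(params))
    elif scheme == "scrypt":
        kv = dict(item.split("=") for item in params.split(","))
        cand = hashlib.scrypt(password.encode(), salt=salt, n=2 ** int(kv["ln"]),
                              r=int(kv["r"]), p=int(kv["p"]), dklen=len(dk))
    else:
        return False
    return hmac.compare_digest(cand, dk)


# Legacy column: real sha512_crypt via the crypt module where it exists
# (Unix, Python <= 3.12). Otherwise a labelled stand-in keeps the example
# running; the stand-in is NOT sha512_crypt and must not be used in production.
try:
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        import crypt
    _HAVE_SHA512_CRYPT = crypt.METHOD_SHA512 in crypt.methods
except ImportError:
    _HAVE_SHA512_CRYPT = False


def legacy_hash(password):
    if _HAVE_SHA512_CRYPT:
        return crypt.crypt(password, crypt.mksalt(crypt.METHOD_SHA512))
    salt = _b64(os.urandom(16))
    return "$standin-sha512$%s$%s" % (salt, hashlib.sha512((salt + password).encode()).hexdigest())


def legacy_verify(password, stored):
    if stored.startswith("$6$") and _HAVE_SHA512_CRYPT:
        return hmac.compare_digest(crypt.crypt(password, stored), stored)
    if stored.startswith("$standin-sha512$"):
        _, _, salt, digest = stored.split("$")
        cand = hashlib.sha512((salt + password).encode()).hexdigest()
        return hmac.compare_digest(cand, digest)
    return False


def set_password(user, password, algorithm="scrypt", write_legacy_crypt=True):
    """Write the new column; while write_legacy_crypt is on (the upgrade window)
    also write the legacy column so not-yet-upgraded nodes can still verify."""
    user["password_hash"] = HASHERS[algorithm](password)
    user["password"] = legacy_hash(password) if write_legacy_crypt else None
    return user


def check_password(user, password, algorithm="scrypt"):
    """Upgraded node: prefer the new column; fall back to the legacy column for
    rows written before the upgrade and, on success, re-hash into the new column
    (the re-hash step is this example's addition, not part of the plan above)."""
    if user.get("password_hash"):
        return verify_new(password, user["password_hash"])
    if user.get("password") and legacy_verify(password, user["password"]):
        user["password_hash"] = HASHERS[algorithm](password)
        return True
    return False


if __name__ == "__main__":
    row = set_password({}, "correct horse battery staple", "pbkdf2_sha512")
    print(row["password_hash"][:40], "...")
    print("new-column login ok:", check_password(row, "correct horse battery staple"))
    old_row = {"password": legacy_hash("pre-upgrade-pw"), "password_hash": None}
    print("legacy-only login ok:", check_password(old_row, "pre-upgrade-pw"),
          "-> re-hashed:", old_row["password_hash"] is not None)
```

Once the legacy toggle is switched off in the Q release, `set_password` leaves the old column empty, and `check_password` only consults it for rows that predate the upgrade; the constant-time comparison and the self-describing hash strings are what let the verifier accept mixed rows during the transition.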