With shadow >=
4.14.0, Arch Linux's default password hashing algorithm changed from SHA512 to yescrypt.
umask settings are now configured in
/etc/login.defs instead of
This should not require any manual intervention.
Reasons for Yescrypt
The password-based key derivation function (KDF) and password hashing scheme yescrypt has been chosen due to its adoption (readily available in libxcrypt, which is used by pam) and its stronger resilience towards password cracking attempts over SHA512.
YESCRYPT_COST_FACTOR setting in
/etc/login.defs is currently without effect, until pam implements reading its value. If a
YESCRYPT_COST_FACTOR higher (or lower) than the default (
5) is needed, it can be set using the
rounds option of the
pam_unix module (i.e. in
General list of changes
- yescrypt is used as default password hashing algorithm, instead of SHA512
- pam honors the chosen
/etc/login.defsand does not override the chosen method anymore
- changes in the filesystem (>=
2023.09.18) and pambase (>=
20230918) packages ensure, that
umaskis set centrally in