diff --git a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml index 7a8ab3c00e3c..7e9b19beeb40 100644 --- a/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml +++ b/nixos/doc/manual/from_md/release-notes/rl-2211.section.xml @@ -11,6 +11,62 @@ includes the following highlights: + + + Software that uses the crypt password + hashing API is now using the implementation provided by + libxcrypt + instead of glibc’s, which enables support for more secure + algorithms. + + + + + Support for algorithms that libxcrypt + does + not consider strong are + deprecated as of this + release, and will be removed in NixOS 23.05. + + + + + This includes system login passwords. Given this, we + strongly encourage all + users to update their system passwords, as you will be + unable to login if password hashes are not migrated by the + time their support is removed. + + + + + When using + users.users.<name>.hashedPassword + to configure user passwords, run + mkpasswd, and use the yescrypt hash + that is provided as the new value. + + + + + On the other hand, for interactively configured user + passwords, simply re-set the passwords for all users + with passwd. + + + + + This release introduces warnings for the use of + deprecated hash algorithms for both methods of + configuring passwords. To make sure you migrated + correctly, run + nixos-rebuild switch. + + + + + + GNOME has been upgraded to version 43. Please take a look at diff --git a/nixos/doc/manual/release-notes/rl-2211.section.md b/nixos/doc/manual/release-notes/rl-2211.section.md index 7a5e6ead8760..3229485e3282 100644 --- a/nixos/doc/manual/release-notes/rl-2211.section.md +++ b/nixos/doc/manual/release-notes/rl-2211.section.md @@ -6,6 +6,13 @@ This release is supported until the end of June 2023, handing over to NixOS 23.0 In addition to numerous new and upgraded packages, this release includes the following highlights: +- Software that uses the `crypt` password hashing API is now using the implementation provided by [`libxcrypt`](https://github.com/besser82/libxcrypt) instead of glibc's, which enables support for more secure algorithms. + - Support for algorithms that `libxcrypt` [does not consider strong](https://github.com/besser82/libxcrypt/blob/v4.4.28/lib/hashes.conf#L41) are **deprecated** as of this release, and will be removed in NixOS 23.05. + - This includes system login passwords. Given this, we **strongly encourage** all users to update their system passwords, as you will be unable to login if password hashes are not migrated by the time their support is removed. + - When using `users.users..hashedPassword` to configure user passwords, run `mkpasswd`, and use the yescrypt hash that is provided as the new value. + - On the other hand, for interactively configured user passwords, simply re-set the passwords for all users with `passwd`. + - This release introduces warnings for the use of deprecated hash algorithms for both methods of configuring passwords. To make sure you migrated correctly, run `nixos-rebuild switch`. + - GNOME has been upgraded to version 43. Please take a look at their [Release Notes](https://release.gnome.org/43/) for details. - KDE Plasma has been upgraded from v5.24 to v5.26. Please see the release notes for [v5.25](https://kde.org/announcements/plasma/5/5.25.0/) and [v5.26](https://kde.org/announcements/plasma/5/5.26.0/) for more details on the included changes.