Update

Author: svartkanin

archinstall/lib/crypt.py

@@ -1,5 +1,8 @@
 import ctypes
 import ctypes.util
+from pathlib import Path
+
+from .output import debug
 
 libcrypt = ctypes.CDLL("libcrypt.so")
 
@@ -9,6 +12,23 @@
 libcrypt.crypt_gensalt.argtypes = [ctypes.c_char_p, ctypes.c_ulong, ctypes.c_char_p, ctypes.c_int]
 libcrypt.crypt_gensalt.restype = ctypes.c_char_p
 
+LOGIN_DEFS = Path('/etc/login.defs')
+
+
+def _search_login_defs(key: str) -> str | None:
+	defs = LOGIN_DEFS.read_text()
+	for line in defs.split('\n'):
+		line = line.strip()
+
+		if line.startswith('#'):
+			continue
+
+		if line.startswith(key):
+			value = line.split(' ')[1]
+			return value
+
+	return None
+
 
 def crypt_gen_salt(prefix: str | bytes, rounds: int) -> bytes:
 	if isinstance(prefix, str):
@@ -27,11 +47,19 @@ def crypt_yescrypt(plaintext: str) -> str:
 	By default chpasswd in Arch uses PAM to to hash the password with crypt_yescrypt
 	the PAM code https://github.com/linux-pam/linux-pam/blob/master/modules/pam_unix/support.c
 	shows that the hashing rounds are determined from YESCRYPT_COST_FACTOR in /etc/login.defs
-	If no value was specified (or commented out) a default of 5 is choosen, given that the default
-	/etc/login.defs file from the ISO has the variable commented out 5 would be the default value
-	determined by the PAM in chpasswd
+	If no value was specified (or commented out) a default of 5 is choosen
 	"""
-	rounds = 5
+	value = _search_login_defs('YESCRYPT_COST_FACTOR')
+	if value is not None:
+		rounds = int(value)
+		if rounds < 3:
+			rounds = 3
+		elif rounds > 11:
+			rounds = 11
+	else:
+		rounds = 5
+
+	debug(f'Creating yescrypt hash with rounds {rounds}')
 
 	enc_plaintext = plaintext.encode('utf-8')
 	salt = crypt_gen_salt('$y$', rounds)