Add support for yescrypt

[troglobit]

Classification:

• Bug report
• Feature request
• Question (see Discussions)

Description:

A few people so far have asked about support for alternative password crypts, https://en.wikipedia.org/wiki/Yescrypt is possibly the most interesting since. This is a feature currently not possible to add since ietf-system.yang has a limitation to which crypts are available, see RFC7317 for details:

typedef crypt-hash {
  type string {
    pattern
      '$0$.*'
      + '|$1$[a-zA-Z0-9./]{1,8}$[a-zA-Z0-9./]{22}'
      + '|$5$(rounds=\d+$)?[a-zA-Z0-9./]{1,16}$[a-zA-Z0-9./]{43}'
      + '|$6$(rounds=\d+$)?[a-zA-Z0-9./]{1,16}$[a-zA-Z0-9./]{86}';
   }
   description
     "The crypt-hash type is used to store passwords using
      a hash function.  The algorithms for applying the hash
      function and encoding the result are implemented in
      various UNIX systems as the function crypt(3).

      A value of this type matches one of the forms:

      $0$<clear text password>
      $<id>$<salt>$<password hash>
      $<id>$<parameter>$<salt>$<password hash>

      The '$0$' prefix signals that the value is clear text.  When
      such a value is received by the server, a hash value is
      calculated, and the string '$<id>$<salt>$' or
      $<id>$<parameter>$<salt>$ is prepended to the result.  This
      value is stored in the configuration data store.

To enable support for this the current investigation has detailed the following issues:

• Add a deviation the IETF system password type to include $y$
• Migrate from libgcrypt to libxcrypt, the former does not have yescrypt

You can help out by sponsoring the development, or contributing a pull request for its support. Use this issue for discussions around this topic.