From Fedora Project Wiki

Replace glibc's libcrypt with libxcrypt


There are plans to remove libcrypt from glibc, so we should have a replacement.


Current status

  • Targeted release: Fedora 28
  • Last updated: 2017-11-13
  • Tracker bug: <will be assigned by the Wrangler>

Detailed Description

There has recently been some discussion about removing libcrypt from glibc at some point and splitting it out into a separate project that can evolve more quickly, so Zack Weinberg and I put some work into libxcrypt to make it a basically suitable replacement.

libxcrypt is fully binary compatible with software linked against glibc's libcrypt and does not require any rebuilds. However, the converse is not true: programs linked against libxcrypt will not work with glibc's libcrypt. Also, programs that use certain legacy APIs supplied by glibc's libcrypt (encrypt, encrypt_r, setkey, setkey_r, and fcrypt) cannot be compiled against libxcrypt.

It comes with a set of extended interfaces pioneered by Openwall Linux: crypt_rn, crypt_ra, crypt_gensalt, crypt_gensalt_rn, and crypt_gensalt_ra.

The crypt and gensalt functions support all widely used password hashing algorithms (except for Crypt16, which was used only on Ultrix and Tru64), which were previously specific to just some operating systems' implementations of libcrypt.

Benefit to Fedora


  • Proposal owners:
    • Apply needed packaging changes to glibc
    • Import and build libxcrypt for Fedora 28
  • Other developers:
    • Test applications that use any of the following interfaces for unexpected changes in functionality:
      • crypt()
      • crypt_r()
      • encrypt()
      • encrypt_r()
      • fcrypt()
      • setkey()
      • setkey_r()
  • Release engineering: #7160
  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)

Upgrade/compatibility impact

How To Test

  • Log out of your current user session and check if you can log in again.
  • Change your user password and check if you can log in with the new one.
  • Check if all packages built against libcrypt are working as expected. You can get a list of those packages with the following command:
      sudo dnf repoquery --whatrequires '*' | sed -e 's!-[0-9]\+.*$!!g' | sort -u
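
To decide which installed programs need attention, the sketch below sorts a binary's imported symbols into the legacy interfaces that cannot be compiled against libxcrypt and the crypt()/crypt_r() calls that only need retesting. It is an added example, not part of the Change proposal; the function names and the sample nm output are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the Change proposal.
# Interfaces named on this page: the legacy ones cannot be compiled against
# libxcrypt; crypt and crypt_r remain available but should be retested.
LEGACY='encrypt encrypt_r setkey setkey_r fcrypt'
KEPT='crypt crypt_r'

# Read `nm -D --undefined-only` lines on stdin and print one
# "legacy:<symbol>" or "kept:<symbol>" line per libcrypt interface imported.
classify_symbols() {
    awk -v legacy="$LEGACY" -v kept="$KEPT" '
        BEGIN {
            n = split(legacy, a, " "); for (i = 1; i <= n; i++) kind[a[i]] = "legacy"
            n = split(kept, b, " ");   for (i = 1; i <= n; i++) kind[b[i]] = "kept"
        }
        {
            sym = $NF              # symbol name is the last field
            sub(/@.*/, "", sym)    # drop a version suffix such as @GLIBC_2.2.5
            # Exact-name lookup, so crypt_r is not confused with encrypt_r.
            if ((sym in kind) && !seen[sym]++) print kind[sym] ":" sym
        }
    ' | sort
}

# Succeed (exit 0) when the symbol list on stdin imports a legacy interface.
uses_legacy_api() {
    classify_symbols | grep -q '^legacy:'
}

# Constructed sample of nm output, for running without a real binary.
sample_nm_output() {
    cat <<'EOF'
                 U crypt_r@GLIBC_2.2.5
                 U encrypt@GLIBC_2.2.5
                 U malloc@GLIBC_2.2.5
                 U setkey@GLIBC_2.2.5
                 U setkey_r@GLIBC_2.2.5
                 w __gmon_start__
EOF
}

# With file arguments, audit real binaries; with none, do nothing.
for f in "$@"; do
    printf '%s\n' "== $f"
    nm -D --undefined-only "$f" 2>/dev/null | classify_symbols
done
```

Run it with one or more binary paths as arguments, or pipe sample_nm_output into classify_symbols to see the output format.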

User Experience


Contingency Plan

  • Contingency mechanism: Revert changes and restore glibc's libcrypt
  • Contingency deadline: Completion deadline (testable)
  • Blocks release? Yes
  • Blocks product? none


Release Notes