Use passlib in place of legacycrypt

glehmann · glehmann · commit 789db8a0cf26 · 2026-04-21T14:15:32.000+02:00
legacycrypt requires to install libcrypt.so.1 manually

Keep legacycrypt as a dependency for now, to ease the transition to those
who already have a custom data.py.

Move hash_password() to lib.common, to make easier to change the
implementation in the future.

Signed-off-by: Gaëtan Lehmann &lt;gaetan.lehmann@vates.tech&gt;
diff --git a/conftest.py b/conftest.py
@@ -18,9 +18,7 @@
     callable_marker,
     is_uuid,
     prefix_object_name,
-    setup_formatted_and_mounted_disk,
     shortened_nodeid,
-    teardown_formatted_and_mounted_disk,
     vm_image,
     wait_for,
 )
diff --git a/data.py-dist b/data.py-dist
@@ -4,7 +4,7 @@ from __future__ import annotations
 
 import os
 
-import legacycrypt as crypt  # type: ignore[import-untyped]
+from lib.common import hash_password
 
 from typing import TYPE_CHECKING, Any
 
@@ -17,11 +17,6 @@ if TYPE_CHECKING:
 HOST_DEFAULT_USER = "root"
 HOST_DEFAULT_PASSWORD = ""
 
-def hash_password(password):
-    """Hash password for /etc/password."""
-    salt = crypt.mksalt(crypt.METHOD_SHA512)  # type: ignore
-    return crypt.crypt(password, salt)
-
 HOST_DEFAULT_PASSWORD_HASH = hash_password(HOST_DEFAULT_PASSWORD)
 
 # Public keys for a private keys available to the test runner
diff --git a/lib/common.py b/lib/common.py
@@ -18,6 +18,7 @@
 from uuid import UUID
 
 import requests
+from passlib.hash import sha512_crypt
 from pydantic import TypeAdapter
 
 from typing import (
@@ -366,3 +367,7 @@ def _param_clear(host: Host, xe_prefix: str, uuid: str, param_name: str) -> None
     """ Common implementation for param_clear. """
     args: dict[str, str | bool | dict[str, str]] = {'uuid': uuid, 'param-name': param_name}
     host.xe(f'{xe_prefix}-param-clear', args)
+
+def hash_password(password: str) -> str:
+    """Hash password for /etc/password."""
+    return sha512_crypt.using(rounds=5000).hash(password)
diff --git a/pyproject.toml b/pyproject.toml
@@ -7,8 +7,10 @@ requires-python = ">=3.11"
 dependencies = [
     "cryptography>=3.3.1",
     "gitpython",
+    # TODO: keep legacycrypt to let the user transition to lib.common.hash_password in their data.py
     "legacycrypt",
     "packaging>=20.7",
+    "passlib",
     "pluggy>=1.1.0",
     "pydantic",
     "pytest>=8.0.0",
@@ -32,6 +34,7 @@ dev = [
     "types-colorama",
     "types-pexpect",
     "zizmor",
+    "types-passlib",
 ]
 
 [tool.pyright]
diff --git a/requirements/base.txt b/requirements/base.txt
@@ -3,6 +3,7 @@ cryptography>=3.3.1
 gitpython
 legacycrypt
 packaging>=20.7
+passlib
 pluggy>=1.1.0
 pydantic
 pytest>=8.0.0
diff --git a/requirements/dev.txt b/requirements/dev.txt
@@ -13,4 +13,5 @@ types-pygments
 types-colorama
 types-pexpect
 zizmor
+types-passlib
 -r base.txt
diff --git a/uv.lock b/uv.lock
