https://privacyidea.readthedocs.io/en/latest/configuration/useridresolvers.html states:
There is no standard way to store passwords in an SQL database. There are several different ways to do this. privacyIDEA supports the most common ways like Wordpress hashes starting with $P or $S. Secure hashes starting with {SHA} or salted secure hashes starting with {SSHA}, {SSHA256} or {SSHA512}. Password hashes of length 64 are interpreted as OTRS sha256 hashes.
“most common ways like Wordpress hashes” is not explicitly clear …
By default, out of the box, PI appears to use an {SSHA256} hash when locally managing/creating users in the internal realm.
Are only the pwd hashes listed above supported?
Specifically, are Argon2id hashes supported? Ideally, Argon2id, or even ‘just’ Argon2i?
I do see in PI venv the python argon2x passlib handlers,
cat /lib/python3.6/site-packages/passlib/handlers/argon2.py
...
"""passlib.handlers.argon2 -- argon2 password hash wrapper
References
==========
* argon2
- home: https://github.com/P-H-C/phc-winner-argon2
- whitepaper: https://github.com/P-H-C/phc-winner-argon2/blob/master/argon2-specs.pdf
* argon2 cffi wrapper
- pypi: https://pypi.python.org/pypi/argon2_cffi
- home: https://github.com/hynek/argon2_cffi
* argon2 pure python
- pypi: https://pypi.python.org/pypi/argon2pure
- home: https://github.com/bwesterb/argon2pure
"""
...
but, so far, I’ve found no mention of “Argon2” either in PI’s docs, or forums.
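Added example, not part of the original post and not privacyIDEA's own code: a sketch that classifies stored hashes by the prefixes quoted from the docs above, verifies the salted `{SSHA*}` variants, and shows that an Argon2id-shaped string matches none of the listed formats. The function names, the `base64(digest(password + salt) + salt)` layout and the sample values are assumptions of this example.

```python
import base64
import hashlib
import hmac

# Prefixes are the ones quoted from the docs above. The digest mapping and the
# base64(digest(password + salt) + salt) layout are this example's assumption
# (the usual LDAP-style encoding), not taken from privacyIDEA's source.
SALTED = {"{SSHA}": "sha1", "{SSHA256}": "sha256", "{SSHA512}": "sha512"}
HEX = set("0123456789abcdefABCDEF")

# Constructed, argon2id-shaped string (PHC format); not a real password hash.
ARGON2_SAMPLE = "$argon2id$v=19$m=65536,t=3,p=4$Y29uc3RydWN0ZWQ$" + "A" * 43


def classify(stored):
    """Return the documented format a stored hash matches, else 'unlisted'."""
    if stored.startswith(("$P", "$S")):
        return "wordpress"
    for prefix in ("{SHA}", *SALTED):
        if stored.startswith(prefix):
            return prefix
    # Docs: length 64 means OTRS sha256. The hex check is an added guard so a
    # 64-character string in some other encoding is not misread.
    if len(stored) == 64 and set(stored) <= HEX:
        return "otrs-sha256"
    return "unlisted"


def make_ssha(password, salt, prefix="{SSHA256}"):
    """Build a salted hash in the assumed layout (used here for sample data)."""
    digest = hashlib.new(SALTED[prefix], password.encode() + salt).digest()
    return prefix + base64.b64encode(digest + salt).decode()


def verify_ssha(password, stored):
    """Check a password against a {SSHA*} value in constant time."""
    prefix = classify(stored)
    if prefix not in SALTED:
        raise ValueError("not a salted {SSHA*} hash: " + prefix)
    raw = base64.b64decode(stored[len(prefix):])
    size = hashlib.new(SALTED[prefix]).digest_size
    digest, salt = raw[:size], raw[size:]
    expected = hashlib.new(SALTED[prefix], password.encode() + salt).digest()
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    sample = make_ssha("correct horse", b"constructed-salt")
    for value in (sample, ARGON2_SAMPLE):
        print(classify(value), value[:24])
```

Run over an export of the password column, `classify` gives a quick inventory of which rows fall outside the documented list before a resolver is pointed at the table.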