Okay, getting one step further:
chpasswd -c SHA512 <<< 'root:dietpi'
restores the login ability. I tried all other (less secure) algorithms listed in:
chpasswd --help
But none of them works, only SHA512. Interesting now is that when skipping this option, the created hash in /etc/shadow doesn’t match any of the available ones. So it seems some now algorithm is used, which is not documented and not known by MineOS.
Checked the man page which says:
By default, PAM is used to encrypt the passwords.
So using the above option forces an algorithm while by default PAM is doing this, using an algorithm which is not supported by chpasswd directly. Tested on Buster, and indeed without setting the algorithm explicitly it is SHA512 by default.
And here is the changelog on PAM:
pam (1.4.0-3) unstable; urgency=medium
…
- pam-configs/unix: Default to yescript rather than sha512. From a theoretical security standpoint, it looks like yescript has similar security properties, assuming (as we typically do in the crypto protocol community) that sha256 is still reasonable. However, in terms of practical resistant to password cracking, particularly in terms of valuing space complexity as well as time complexity, yescript is superior, Closes: #978553
Related “bug” report and discussion: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=978553
=> MineOS needs to learn “yescrypt” algorithm!