https://bugzilla.novell.com/show_bug.cgi?id=743715 https://bugzilla.novell.com/show_bug.cgi?id=743715#c1 Bruno Friedmann changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |bruno@ioda-net.ch --- Comment #1 from Bruno Friedmann 2012-01-27 12:23:53 UTC --- It's not only YaST : simple command line tools like useradd/passwd didn't setup the SHA512 encrypted password To reproduce, install 12.1 ensure that SHA512 is used. Setup a different normal user & root password check result userdel user useraadd user passwd user expected $6$xxxx found $1$1 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=743715 https://bugzilla.novell.com/show_bug.cgi?id=743715#c3 --- Comment #3 from Bruno Friedmann 2012-01-27 12:31:38 UTC --- rpm -qf /etc/default/passwd pwdutils-3.2.17-6.1.2.x86_64 c-3po:/etc/pam.d # rpm -q --changelog pwdutils-3.2.17-6.1.2.x86_64 * Mon Aug 29 2011 crrodriguez@opensuse.org - Fix build with new gnu LD. * Thu Jul 14 2011 lnussel@suse.de * add support for sha512 * use implicit defaults in /etc/default/passwd * use glibc's crypt_gensalt if available * Mon May 16 2011 kukuk@suse.de - Fix syntax errors in useradd.local * Wed May 11 2011 kukuk@suse.de - Update to pwdutils version 3.2.16 - sha512 new default password hash [FATE#312321]. - newgrp: honour dynamically assigned groups [bnc#680833]. - Don't link against libxcrypt -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=743715 https://bugzilla.novell.com/show_bug.cgi?id=743715#c Arvin Schnell changed: What |Removed |Added ---------------------------------------------------------------------------- AssignedTo|yast2-maintainers@suse.de |jsuchome@suse.com -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=743715 https://bugzilla.novell.com/show_bug.cgi?id=743715#c5 --- Comment #5 from andrew cooke 2012-01-30 11:02:06 UTC ---

cat /var/lib/YaST2/users_first_stage.ycp $[ "after_auth" : "users", "autologin_user" : "", "encryption_method" : "sha512", "root_alias" : "andrew", "root_password_written" : "1", "run_krb_config" : "0", "users_written" : 1 ]

-- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=743715 https://bugzilla.novell.com/show_bug.cgi?id=743715#c7 --- Comment #7 from Bruno Friedmann 2012-01-30 11:09:29 UTC --- on a 12.1 updated from 11.4 cat /var/lib/YaST2/users_first_stage.ycp $[ "after_auth" : "users", "autologin_user" : "", "encryption_method" : "blowfish", "root_alias" : "", "root_password_written" : "1", "run_krb_config" : "0", "users_written" : 1 ] on a 12.1 first installation $[ "after_auth" : "users", "autologin_user" : "", "encryption_method" : "sha512", "root_alias" : "", "root_password_written" : "1", "run_krb_config" : "0", "users_written" : 1 ] -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=743715 https://bugzilla.novell.com/show_bug.cgi?id=743715#c9 andrew cooke changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |NEW InfoProvider|andrew@acooke.org | --- Comment #9 from andrew cooke 2012-01-30 12:47:45 UTC --- don't you have a 12.1 of your own you can take these from? it was just a standard install. the entire log dump appears to contain a lot of information. i am not going to make a pile of unchecked info public. if you want one particular file i can read it and supply it. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=743715 https://bugzilla.novell.com/show_bug.cgi?id=743715#c11 --- Comment #11 from Bruno Friedmann 2012-01-30 13:31:08 UTC --- Created an attachment (id=473259) --> (http://bugzilla.novell.com/attachment.cgi?id=473259) Full var/log/YaST2 just after a Factory 12.2 installation -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=743715 https://bugzilla.novell.com/show_bug.cgi?id=743715#c13 Jiří Suchomel changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |ASSIGNED --- Comment #13 from Jiří Suchomel 2012-01-30 14:15:26 UTC --- Thanks. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=743715 https://bugzilla.novell.com/show_bug.cgi?id=743715#c15 Jiří Suchomel changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |NEEDINFO InfoProvider| |andrew@acooke.org --- Comment #15 from Jiří Suchomel 2012-01-31 15:07:09 UTC --- So, I've sent a fix to Factory (and 12.2). For 12.1, we cannot fix installation process anyway. Does it work for you when you change encryption method (at running system) from yast2 users or yast2 security? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=743715 https://bugzilla.novell.com/show_bug.cgi?id=743715#c17 --- Comment #17 from andrew cooke 2012-01-31 16:10:12 UTC --- @Jiri - sorry, I don't understand what you want me to do. Where should I specify the encryption method? currently, /etc/default/passwd has CRYPT= so i assume it should use the default. but according to the post above the default should be sha512. so it is already configured correctly. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=743715 https://bugzilla.novell.com/show_bug.cgi?id=743715#c19 Bruno Friedmann changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |ASSIGNED InfoProvider|andrew@acooke.org | --- Comment #19 from Bruno Friedmann 2012-01-31 16:44:58 UTC --- Jiri, it seems to work manually under a 12.1, once in Yast2 security center -> password you set SHA512 then the /etc/default/passwd contain this cat /etc/default/passwd # This file contains some information for # the passwd (1) command and other tools # creating or modifying passwords. # Define default crypt hash. # CRYPT={des,md5,blowfish,sha256,sha512} CRYPT= # Use another crypt hash for group passwords. # This is used by gpasswd, fallback is the CRYPT entry. # GROUP_CRYPT=des # We can override the default for a specific service # by appending the service name (FILES, YP, NISPLUS, LDAP) # for local files, use a more secure hash. We # don't need to be portable here: # CRYPT_FILES=sha512 # # For NIS, we should always use DES: # CRYPT_YP=des # We can override the default for a special service # by appending the service name (FILES, YP, NISPLUS, LDAP) # for local files, use a more secure hash. We # don't need to be portable here: # CRYPT_FILES=blowfish # sometimes we need to specify special options for a hash (variable # is prepended by the name of the crypt hash). In case of blowfish # and sha* this is the number of rounds # blowfish: 4-31 # BLOWFISH_CRYPT_FILES=5 # sha256/sha512: 1000-9999999 # SHA512_CRYPT_FILES=1000 # In June 2011 it was discovered that the Linux crypt_blowfish # implementation contained a bug that made passwords with non-ASCII # characters easier to crack (CVE-2011-2483). Affected passwords are # also incompatible with the original, correct OpenBSD # implementation. Therefore the $2a hash identifier previously used # for blowfish now is ambiguous as it could mean the hash was # generated with the correct implementation on OpenBSD or the buggy # one on Linux. To avoid the ambiguity two new identifier were # introduced. $2x now explicitly identifies hashes that were # generated with the buggy algorithm while $2y is used for hashes # generated with the correct algorithm. New passwords are now # generated with the $2y identifier. # # Setting the following option to "yes" tells the sytem that $2a # hashes are to be treated as generated with the buggy algorithm. BLOWFISH_2A2X= CRYPT_FILES=sha512 then using Yast or useradd/usermod/passwd for users change the password for the desired format $6$ But any users, that have been created, need to change its actual password so it become re-encoded with the new format. That must be write in CAPITALS during the update. For 12.1 update, perhaps the script could check if CRYPT_FILES=md5 then replace it by CRYPT_FILES=sha512 ? Don't know if it's a good idea or not, +adding a comment #bnc743715 -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=743715 https://bugzilla.novell.com/show_bug.cgi?id=743715#c21 Jiří Suchomel changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |RESOLVED Resolution| |FIXED --- Comment #21 from Jiří Suchomel 2012-01-31 20:15:26 UTC --- (In reply to comment #19)

Jiri, it seems to work manually under a 12.1, once in Yast2 security center -> password you set SHA512 then the /etc/default/passwd contain this

CRYPT_FILES=sha512

So this is correct and YaST works as it should on installed system.

For 12.1 update, perhaps the script could check if CRYPT_FILES=md5 then replace it by CRYPT_FILES=sha512 ? Don't know if it's a good idea or not, +adding a comment #bnc743715

No, that would not be good, as we could not know in script if the value is there by error or on purpose. So I think I can close it now: for 12.1, users can change the encryption value from YaST, and for next release, it should work well from the beginning. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.