| Bug ID | 1177182 |
|---|---|
| Summary | Don't use DES as default password encryption |
| Classification | openSUSE |
| Product | openSUSE Tumbleweed |
| Version | Current |
| Hardware | Other |
| OS | Other |
| Status | NEW |
| Severity | Normal |
| Priority | P5 - None |
| Component | Security |
| Assignee | security-team@suse.de |
| Reporter | fvogt@suse.com |
| QA Contact | qa-bugs@suse.de |
| Found By | --- |
| Blocker | --- |
If (/usr)/etc/login.defs does not specify ENCRYPT_METHOD, it defaults to DES. This means that if the file is deleted, not readable (typo) or something unrelated in YaST throws an exception (boo#1176714), passwords in /etc/shadow are trivially reversible. At this point we've used something else in the system provided login.defs for ages, so changing the default in the packages reading and applying those files (upstream?) should be safe.