[Bug 1177182] New: Don't use DES as default password encryption
https://bugzilla.suse.com/show_bug.cgi?id=1177182

            Bug ID: 1177182
           Summary: Don't use DES as default password encryption
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Security
          Assignee: security-team@suse.de
          Reporter: fvogt@suse.com
        QA Contact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

If (/usr)/etc/login.defs does not specify ENCRYPT_METHOD, it defaults to DES.
This means that if the file is deleted, not readable (typo) or something
unrelated in YaST throws an exception (boo#1176714), passwords in /etc/shadow
are trivially reversible.

At this point we've used something else in the system provided login.defs for
ages, so changing the default in the packages reading and applying those files
(upstream?) should be safe.

--
You are receiving this mail because:
You are on the CC list for the bug.

https://bugzilla.suse.com/show_bug.cgi?id=1177182

Frank Krüger <fkrueger@mailbox.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fkrueger@mailbox.org

https://bugzilla.suse.com/show_bug.cgi?id=1177182
https://bugzilla.suse.com/show_bug.cgi?id=1177182#c1

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |meissner@suse.com
              Flags|                            |needinfo?(meissner@suse.com)

--- Comment #1 from Marcus Meissner <meissner@suse.com> ---
needs to be pushed to Jira etc.

https://bugzilla.suse.com/show_bug.cgi?id=1177182
https://bugzilla.suse.com/show_bug.cgi?id=1177182#c2

--- Comment #2 from Fabian Vogt <fvogt@suse.com> ---
Any news here? That the builtin default everywhere is DES is just terrible.
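
An added example, not part of the bug thread or of any SUSE package: a defender-side audit for the condition the report describes, checking whether login.defs actually sets ENCRYPT_METHOD and which shadow entries already hold traditional DES crypt hashes. The function names and sample file contents are constructed for illustration, and the handling of duplicate ENCRYPT_METHOD lines (last one wins) is an assumption.

```python
import re

# Constructed sample inputs (not taken from a real system).
SAMPLE_LOGIN_DEFS = """\
# ENCRYPT_METHOD SHA512   (commented out, so nothing is configured)
UMASK 022
"""
SAMPLE_SHADOW = """\
root:$6$constructedsalt$constructedhashvalue:18500:0:99999:7:::
alice:xxAbCdEfGhIjK:18500:0:99999:7:::
bob:!xxAbCdEfGhIjK:18500::::::
daemon:*:18500::::::
"""

# Traditional DES crypt output: exactly 13 characters, no "$id$" prefix.
DES_HASH = re.compile(r"[./0-9A-Za-z]{13}")


def encrypt_method(login_defs_text):
    """Return the ENCRYPT_METHOD value set in login.defs, or None if unset."""
    method = None
    for line in (login_defs_text or "").splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments, split on spaces
        if len(fields) >= 2 and fields[0] == "ENCRYPT_METHOD":
            method = fields[1].upper()  # assumption: the last occurrence wins
    return method


def des_hashed_accounts(shadow_text):
    """Return account names whose shadow password field is a DES crypt hash."""
    weak = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        # A leading "!" only locks the account; the hash behind it is still stored.
        if DES_HASH.fullmatch(fields[1].lstrip("!")):
            weak.append(fields[0])
    return weak


def audit(login_defs_text, shadow_text):
    """Summarise both checks; pass None for a missing or unreadable login.defs."""
    method = encrypt_method(login_defs_text)
    return {"configured_method": method,
            "relies_on_builtin_default": method is None,
            "explicit_des": method == "DES",
            "des_hashed_accounts": des_hashed_accounts(shadow_text)}


if __name__ == "__main__":
    print(audit(SAMPLE_LOGIN_DEFS, SAMPLE_SHADOW))
```

On a real host, feed it the contents of the login.defs path in use and of /etc/shadow (read as root); any account listed needs its password reset after ENCRYPT_METHOD is set explicitly.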