[Bug 802006] New: yast
https://bugzilla.novell.com/show_bug.cgi?id=802006
https://bugzilla.novell.com/show_bug.cgi?id=802006#c0

Summary: yast
Classification: openSUSE
Product: openSUSE Factory
Version: 12.3 Beta 1
Platform: All
OS/Version: SUSE Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: YaST2
AssignedTo: jsuchome@suse.com
ReportedBy: bwiedemann@suse.com
QAContact: jsrain@suse.com
CC: kukuk@suse.com
Found By: Development
Blocker: ---

When investigating bug 801970 I found that the "Password Encryption" setting in yast2 users is not used by passwd - only by yast itself

I think it should either influence /etc/pam.d/common-password (via pam-config?) or be documented accordingly (best within the dialog)

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=802006#c1

Jiří Suchomel <jsuchome@suse.com> changed:

What         |Removed |Added
----------------------------------------------------------------------------
Status       |NEW     |NEEDINFO
InfoProvider |        |bwiedemann@suse.com

--- Comment #1 from Jiří Suchomel <jsuchome@suse.com> 2013-02-05 07:21:47 UTC ---

(In reply to comment #0)
> When investigating bug 801970 I found that the "Password Encryption" setting in yast2 users is not used by passwd - only by yast itself
> I think it should either influence /etc/pam.d/common-password (via pam-config?) or be documented accordingly (best within the dialog)

Indeed it should have affected the whole system. YaST saves encryption as CRYPT_FILES into /etc/default/passwd - what do you have?

https://bugzilla.novell.com/show_bug.cgi?id=802006#c2

Bernhard Wiedemann <bwiedemann@suse.com> changed:

What         |Removed             |Added
----------------------------------------------------------------------------
Status       |NEEDINFO            |NEW
InfoProvider |bwiedemann@suse.com |
Summary      |yast                |yast users crypt setting

--- Comment #2 from Bernhard Wiedemann <bwiedemann@suse.com> 2013-02-05 09:33:53 CET ---

The CRYPT_FILES entry in /etc/default/passwd is updated properly but maybe pam_unix.so does not honor it. We used pam_unix2.so before.

Also there is an empty CRYPT= entry

https://bugzilla.novell.com/show_bug.cgi?id=802006#c3

--- Comment #3 from Thorsten Kukuk <kukuk@suse.com> 2013-02-05 08:46:09 UTC ---

/etc/default/passwd is gone with the switch to shadow and pam_unix. I thought this was part of the adjustments we made for YaST for this reason? Or did we miss this part?

https://bugzilla.novell.com/show_bug.cgi?id=802006#c4

Jiří Suchomel <jsuchome@suse.com> changed:

What         |Removed |Added
----------------------------------------------------------------------------
Status       |NEW     |NEEDINFO
InfoProvider |        |kukuk@suse.com

--- Comment #4 from Jiří Suchomel <jsuchome@suse.com> 2013-02-05 08:53:48 UTC ---

Well, then this information did not get to YaST developers. Where is it documented? What should YaST use instead of /etc/default/passwd?

https://bugzilla.novell.com/show_bug.cgi?id=802006#c5

Thorsten Kukuk <kukuk@suse.com> changed:

What         |Removed        |Added
----------------------------------------------------------------------------
Status       |NEEDINFO       |NEW
InfoProvider |kukuk@suse.com |

--- Comment #5 from Thorsten Kukuk <kukuk@suse.com> 2013-02-05 09:06:39 UTC ---

The changes for shadow are documented in /usr/share/doc/packages/shadow/README.changes-pwdutils - /etc/default/passwd was removed. The configure options are partly available in /etc/login.defs.

For YaST this isn't that simple, or more simple, I don't know. But there should be already code to use pam-config.

To query which hash is used:

    pam-config -q --unix

You need to look at the password: line if md5, sha256, sha512 is used. If none of them, it's DES (des does not have an option, it's the default).

pam-config -d --unix-{hash} (means --unix-md5, --unix-sha256, --unix-sha512) will delete the old option, pam-config -a --unix-{hash} set the new one.

pam_unix knows some more options like bigcrypt and blowfish, but we should not use or offer them.

Problem: this does not work if pam_unix2 is used, but we should ignore that, after 12.3 I will modify pam-config to automatically replace pam_unix2 with pam_unix.

https://bugzilla.novell.com/show_bug.cgi?id=802006#c

Jiří Suchomel <jsuchome@suse.com> changed:

What     |Removed   |Added
----------------------------------------------------------------------------
Priority |P5 - None |P3 - Medium
Status   |NEW       |ASSIGNED

https://bugzilla.novell.com/show_bug.cgi?id=802006#c6

--- Comment #6 from Jiří Suchomel <jsuchome@suse.com> 2013-02-05 11:58:24 UTC ---

What about replacement for GROUP_CRYPT from /etc/default/passwd?

https://bugzilla.novell.com/show_bug.cgi?id=802006#c7

--- Comment #7 from Thorsten Kukuk <kukuk@suse.com> 2013-02-05 12:16:27 UTC ---

Good catch.

/etc/login.defs, variable ENCRYPT_METHOD
allowed values: DES, MD5, SHA256, SHA512

I think we need to allow only these four hashes for pam_unix, too, and we need to make sure that both entries are always in sync.

I will propose upstream a patch for pam_unix to use /etc/login.defs, too. Else this will become a nightmare to administer.
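
Added example, not part of the bug thread and not YaST or pam-config code: a POSIX shell check for the condition comment #7 describes, that ENCRYPT_METHOD in /etc/login.defs and the hash option on the pam_unix password line name the same method. The function names and the sample file contents are constructed for illustration, and the files are passed as arguments so the check can run against copies.

```shell
#!/bin/sh
# Added example: report whether login.defs and the pam_unix "password" line
# select the same hash. Function names are hypothetical.

# Print ENCRYPT_METHOD from a login.defs-style file, or "unset".
login_defs_method() {
    awk '$1 == "ENCRYPT_METHOD" { v = toupper($2) }
         END { print (v == "" ? "unset" : v) }' "$1"
}

# Print the hash on the pam_unix password line: MD5, SHA256 or SHA512, DES
# when none of those options is present (comment #5), "absent" if no line.
pam_unix_method() {
    awk '$1 == "password" && $0 ~ /pam_unix\.so/ {
             m = "DES"; found = 1
             for (i = 3; i <= NF; i++)
                 if ($i == "md5" || $i == "sha256" || $i == "sha512")
                     m = toupper($i)
         }
         END { print (found ? m : "absent") }' "$1"
}

# Return 0 only when both files name the same method. "unset" and "absent"
# never match, so an unconfigured side is reported rather than assumed.
check_sync() {
    ld=$(login_defs_method "$1")
    pu=$(pam_unix_method "$2")
    echo "login.defs=$ld pam_unix=$pu"
    [ "$ld" = "$pu" ]
}

# Constructed sample files, not taken from a real system.
demo_dir=$(mktemp -d)
printf 'ENCRYPT_METHOD SHA512\n' > "$demo_dir/login.defs"
printf '%s\n' 'password requisite pam_cracklib.so minlen=8' \
    'password required pam_unix.so use_authtok nullok' \
    > "$demo_dir/common-password"

if check_sync "$demo_dir/login.defs" "$demo_dir/common-password"; then
    echo "in sync"
else
    echo "MISMATCH: the two settings name different hash methods"
fi
```

On a live system the arguments would be /etc/login.defs and /etc/pam.d/common-password; a pam_unix2.so line is not matched, in line with the limitation noted in comment #5.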

https://bugzilla.novell.com/show_bug.cgi?id=802006#c8

--- Comment #8 from Bernhard Wiedemann <bwiedemann@suse.com> 2013-02-05 14:00:08 CET ---

This is an autogenerated message for OBS integration:
This bug (802006) was mentioned in
https://build.opensuse.org/request/show/151269 Factory / shadow

https://bugzilla.novell.com/show_bug.cgi?id=802006#c9

Jiří Suchomel <jsuchome@suse.com> changed:

What         |Removed  |Added
----------------------------------------------------------------------------
Status       |ASSIGNED |NEEDINFO
InfoProvider |         |kukuk@suse.com

--- Comment #9 from Jiří Suchomel <jsuchome@suse.com> 2013-02-06 12:36:47 UTC ---

(In reply to comment #7)
> Good catch.
> /etc/login.defs, variable ENCRYPT_METHOD
> allowed values: DES, MD5, SHA256, SHA512

Sorry, but this is for group encryption? The comment in your /etc/login.defs doesn't say anything about groups.

So should YaST read/write ENCRYPT_METHOD for user password settings, and not call pam-config here?
Or should it call pam-config AND set ENCRYPT_METHOD for user passwords?
Or should it only use ENCRYPT_METHOD instead of the original GROUP_CRYPT?

https://bugzilla.novell.com/show_bug.cgi?id=802006#c10

Thorsten Kukuk <kukuk@suse.com> changed:

What         |Removed        |Added
----------------------------------------------------------------------------
Status       |NEEDINFO       |ASSIGNED
InfoProvider |kukuk@suse.com |

--- Comment #10 from Thorsten Kukuk <kukuk@suse.com> 2013-02-06 12:41:12 UTC ---

(In reply to comment #9)
> (In reply to comment #7)
> > Good catch.
> > /etc/login.defs, variable ENCRYPT_METHOD
> > allowed values: DES, MD5, SHA256, SHA512
> Sorry, but this is for group encryption? The comment in your /etc/login.defs doesn't say anything about groups.

This is for both, passwd and group, there is no differentiation anymore.

> So should YaST read/write ENCRYPT_METHOD for user password settings, and not call pam-config here?
> Or should it call pam-config AND set ENCRYPT_METHOD for user passwords?
> Or should it only use ENCRYPT_METHOD instead of the original GROUP_CRYPT?

Since upstream accepted already my patches (even if not yet accepted for openSUSE), I think we should only use ENCRYPT_METHOD in /etc/login.defs for both, password and group, and ignore pam-config. Else it will become difficult later to get this right again.

I will revert the pam-config change ...

https://bugzilla.novell.com/show_bug.cgi?id=802006#c11

Jiří Suchomel <jsuchome@suse.com> changed:

What         |Removed  |Added
----------------------------------------------------------------------------
Status       |ASSIGNED |NEEDINFO
InfoProvider |         |kukuk@suse.com

--- Comment #11 from Jiří Suchomel <jsuchome@suse.com> 2013-02-06 13:49:57 UTC ---

PASS_MIN_LEN was also removed from login.defs? Is there a replacement, or is it just not needed at all? (We had UI widget for this value)

https://bugzilla.novell.com/show_bug.cgi?id=802006#c12

Thorsten Kukuk <kukuk@suse.com> changed:

What         |Removed        |Added
----------------------------------------------------------------------------
Status       |NEEDINFO       |ASSIGNED
InfoProvider |kukuk@suse.com |

--- Comment #12 from Thorsten Kukuk <kukuk@suse.com> 2013-02-06 14:20:32 UTC ---

I don't know when PASS_MIN_LEN was removed from login.defs, but this was before SLE11. SLE11 already does not have this entry anymore.

pam_cracklib has a minlen= option, but if you read the manual page, that is pretty confusing and does not always give you what you expect.

https://bugzilla.novell.com/show_bug.cgi?id=802006#c13

--- Comment #13 from Jiří Suchomel <jsuchome@suse.com> 2013-02-06 14:24:41 UTC ---

(In reply to comment #12)
> I don't know when PASS_MIN_LEN was removed from login.defs

Well, it's removed in the request referenced from comment 8.

But now I finally found that YaST actually uses that minlen= option of pam_cracklib, so sorry for the alert.

https://bugzilla.novell.com/show_bug.cgi?id=802006#c14

--- Comment #14 from Thorsten Kukuk <kukuk@suse.com> 2013-02-06 15:03:54 UTC ---

(In reply to comment #13)
> (In reply to comment #12)
> > I don't know when PASS_MIN_LEN was removed from login.defs
> Well, it's removed in the request referenced from comment 8.

It's not removed with that request, it was already removed before. As I wrote, SLE11 already didn't have it anymore.

> But now I finally found that YaST actually uses that minlen= option of pam_cracklib, so sorry for the alert.

Ok, thanks.

https://bugzilla.novell.com/show_bug.cgi?id=802006#c15

Jiří Suchomel <jsuchome@suse.com> changed:

What       |Removed  |Added
----------------------------------------------------------------------------
Status     |ASSIGNED |RESOLVED
Resolution |         |FIXED

--- Comment #15 from Jiří Suchomel <jsuchome@suse.com> 2013-02-07 07:31:05 UTC ---

fixed with new yast2-pam, yast2-security, yast2-users

https://bugzilla.novell.com/show_bug.cgi?id=802006#c16

--- Comment #16 from Swamp Workflow Management <swamp@suse.de> 2013-03-18 16:04:38 UTC ---

openSUSE-RU-2013:0474-1: An update that has two recommended fixes can now be installed.

Category: recommended (low)
Bug References: 802006,807099
CVE References:
Sources used:
openSUSE 12.3 (src): yast2-security-2.23.5-1.4.1