
Hi,

On Thursday, 21 November 2019, 19:43:48 CET, Radosław Wyrzykowski wrote:
> I was playing around with a laptop I installed Tumbleweed on last week when suddenly, I realized I don't have to input my whole password - only the first few characters let me in.
> I quickly realized what it was and, with a sinking feeling, I checked /etc/shadow to find my user password (but not the root password, thankfully) hashed with DES_crypt...
> I had installed Tumbleweed using the net install ISO, on snapshot 20191107.
> I quickly spun up a fresh Tumbleweed VM using a current ISO (though I know the net installer updates automatically) and the password of the new user was hashed with DES (and hence, stripped to 8 chars) without any warning.
> Using passwd, I was able to correct this problem, and I found that there's an option in YaST that controls what hashing function it uses.
> On my Leap servers, it's set to SHA512, which is what it should be.
> On my Tumbleweed machines, it's set to DES and I get a warning when I try to set a password longer than 8 chars using YaST.
> I think this is a mistake that should be rectified ASAP, though I'm not sure where the problem is.
Probably with /usr/etc/login.defs. Does it work after you cp /usr/etc/login.defs /etc/login.defs and create a new user/change the password with YaST? If so, it's https://bugzilla.opensuse.org/show_bug.cgi?id=1155735. If not, please create a new bug report with your observations.
> It apparently didn't occur in older snapshots, but at least this month, anyone who installed Tumbleweed might be vulnerable. Check your password hashes!
I agree - this is a CVE-worthy bug IMO. DES is like plaintext, but at least only the first eight bytes are affected...

Cheers,
Fabian
> Regards
> Radosław Wyrzykowski
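The "check your password hashes" advice above, turned into a small audit script. This is an added example, not code from the thread or from openSUSE: it classifies the hash field of /etc/shadow-style lines by its crypt(3) prefix (no prefix and 13 characters of the crypt alphabet means traditional DES crypt, which only uses the first 8 characters of the password), and also reads ENCRYPT_METHOD from a login.defs file so you can compare /etc/login.defs with /usr/etc/login.defs as Fabian suggests. The sample shadow lines and the hash values in them are constructed for illustration, not real credentials.

```python
import re

# Hash-format prefixes produced by glibc crypt(3) / libxcrypt.
PREFIXES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$7$": "scrypt",
    "$y$": "yescrypt",
    "$gy$": "gost-yescrypt",
}
# Traditional DES crypt: 2-char salt + 11-char hash, all from [./0-9A-Za-z], no "$" prefix.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
# Methods that should be flagged on a modern system.
WEAK = {"descrypt", "md5crypt"}


def classify_hash(field):
    """Return the crypt method name for one shadow hash field."""
    if field == "" or field.startswith(("!", "*")):
        return "locked-or-no-password"
    for prefix, name in PREFIXES.items():
        if field.startswith(prefix):
            return name
    if DES_RE.match(field):
        return "descrypt"
    return "unknown"


def audit_shadow(text):
    """Parse shadow-format text; yield (user, method, is_weak) per account."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue
        user, field = parts[0], parts[1]
        method = classify_hash(field)
        findings.append((user, method, method in WEAK))
    return findings


def weak_accounts(text):
    """Usernames whose stored hash uses a weak (DES/MD5) method."""
    return [user for user, _, weak in audit_shadow(text) if weak]


def encrypt_method(login_defs_text):
    """Return the effective ENCRYPT_METHOD from login.defs text, or None if unset."""
    value = None
    for line in login_defs_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if parts[0] == "ENCRYPT_METHOD" and len(parts) == 2:
            value = parts[1].strip()   # last assignment wins, as in shadow-utils
    return value


# Constructed sample: root has a SHA-512 hash, "rado" a DES hash, the rest are locked.
SAMPLE_SHADOW = """\
root:$6$saltsalt$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789ab:18221:0:99999:7:::
rado:abJnggxhB/yWI:18221:0:99999:7:::
daemon:*:18221:0:99999:7:::
games:!:18221:0:99999:7:::
"""

if __name__ == "__main__":
    # On a real host: sudo python3 audit.py < /etc/shadow (as root, since shadow is not world-readable).
    for user, method, weak in audit_shadow(SAMPLE_SHADOW):
        print(f"{user:10s} {method:22s} {'WEAK' if weak else ''}")
```

Run it as root against /etc/shadow to get the per-account method; any account listed by `weak_accounts` should have its password reset with `passwd` once ENCRYPT_METHOD is SHA512 (or stronger) in the login.defs that is actually in effect.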