Mailinglist Archive: opensuse-bugs (4216 mails)

< Previous Next >
[Bug 743715] Password Encryption: Yast Add User Uses MD5, Initial System Config Used SHA512

https://bugzilla.novell.com/show_bug.cgi?id=743715

https://bugzilla.novell.com/show_bug.cgi?id=743715#c19


Bruno Friedmann <bruno@xxxxxxxxxxx> changed:

What |Removed |Added
----------------------------------------------------------------------------
Status|NEEDINFO |ASSIGNED
InfoProvider|andrew@xxxxxxxxxx |

--- Comment #19 from Bruno Friedmann <bruno@xxxxxxxxxxx> 2012-01-31 16:44:58
UTC ---
Jiri, it seems to work manually under a 12.1, once in Yast2 security center ->
password you set SHA512
then the /etc/default/passwd contain this
cat /etc/default/passwd
# This file contains some information for
# the passwd (1) command and other tools
# creating or modifying passwords.

# Define default crypt hash.
# CRYPT={des,md5,blowfish,sha256,sha512}
CRYPT=

# Use another crypt hash for group passwords.
# This is used by gpasswd, fallback is the CRYPT entry.
# GROUP_CRYPT=des


# We can override the default for a specific service
# by appending the service name (FILES, YP, NISPLUS, LDAP)

# for local files, use a more secure hash. We
# don't need to be portable here:
# CRYPT_FILES=sha512
#
# For NIS, we should always use DES:
# CRYPT_YP=des

# We can override the default for a special service
# by appending the service name (FILES, YP, NISPLUS, LDAP)

# for local files, use a more secure hash. We
# don't need to be portable here:
# CRYPT_FILES=blowfish

# sometimes we need to specify special options for a hash (variable
# is prepended by the name of the crypt hash). In case of blowfish
# and sha* this is the number of rounds
# blowfish: 4-31
# BLOWFISH_CRYPT_FILES=5
# sha256/sha512: 1000-9999999
# SHA512_CRYPT_FILES=1000

# In June 2011 it was discovered that the Linux crypt_blowfish
# implementation contained a bug that made passwords with non-ASCII
# characters easier to crack (CVE-2011-2483). Affected passwords are
# also incompatible with the original, correct OpenBSD
# implementation. Therefore the $2a hash identifier previously used
# for blowfish now is ambiguous as it could mean the hash was
# generated with the correct implementation on OpenBSD or the buggy
# one on Linux. To avoid the ambiguity two new identifier were
# introduced. $2x now explicitly identifies hashes that were
# generated with the buggy algorithm while $2y is used for hashes
# generated with the correct algorithm. New passwords are now
# generated with the $2y identifier.
#
# Setting the following option to "yes" tells the sytem that $2a
# hashes are to be treated as generated with the buggy algorithm.
BLOWFISH_2A2X=
CRYPT_FILES=sha512

then using Yast or useradd/usermod/passwd for users change the password for the
desired format $6$

But any users, that have been created, need to change its actual password so it
become re-encoded with the new format. That must be write in CAPITALS during
the update.

For 12.1 update, perhaps the script could check if
CRYPT_FILES=md5
then replace it by
CRYPT_FILES=sha512
? Don't know if it's a good idea or not, +adding a comment #bnc743715

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

< Previous Next >
References