Mailinglist Archive: opensuse-security (192 mails)

Re: [suse-security] passwd question
  • From: Thomas Biege <thomas@xxxxxxx>
  • Date: Thu, 11 May 2000 09:07:16 +0200 (MEST)
  • Message-id: <Pine.LNX.4.05.10005110900530.32152-100000@xxxxxxxxxxxxxx>
Hi,

> Hi, having installed my first SUSE system [BTW 6.3] (and against my will)
> finding it much better than I expected of a "user-friendly" installation.

:)

>
> When browsing the new system I found something that I thought I would never
> find in a modern Linux setup: the passwords were using only the first 8
> characters of a password, that is, using DES. Why doesn't it use MD5 crypt?

this topic was discussed several times before.. so, please check the
archives before posting to this list.

> I may be wrong, and I hope this isn't the default. If it is, then I consider
> it a bug.

NO! It isn't a bug. It's a bug to use MD5 as default, because DES is
standard in the unix environment and not all apps understand MD5.

>
> My question then is: how to install a better crypt or how to setup a better
> crypt.

look at Thorsten's PAM docu...



MD5 passwords on SuSE Linux
===========================

SuSE Linux is able to handle MD5 passwords. With MD5 encryption,
passwords can be longer than 8 characters (up to 128 characters).
Since MD5 encryption is not compatible with the standard Unix crypt()
function, most commercial Unices and some programs don't work
with MD5 passwords. So be careful, if you enable this feature.


How to enable MD5 passwords:
----------------------------

You need to add the option "md5" to the "password" rules in the PAM
config files. You can find the config files in /etc/pam.d.

For example, you need to change the following lines in /etc/pam.d/passwd:

password required /lib/security/pam_pwcheck.so \
nullok
password required /lib/security/pam_unix.so \
nullok use_first_pass use_authtok

to:

password required /lib/security/pam_pwcheck.so \
nullok md5
password required /lib/security/pam_unix.so \
nullok md5 use_first_pass use_authtok

This is necessary for every program which is able to change the
user's password. At the moment these are at least: /etc/pam.d/login,
/etc/pam.d/passwd, /etc/pam.d/sshd and /etc/pam.d/rlogin.

Some sample PAM config files with enabled md5 encryption can be
found in the directory /usr/doc/packages/pam/md5.config/

If you use NIS, you need to replace /usr/bin/yppasswd with a
link to /usr/bin/passwd:
# cd /usr/bin
# mv yppasswd yppasswd.old
# ln -sf passwd yppasswd


The password will be converted into an MD5 one after the next
password change.

Bye,
Thomas
--
Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: thomas@xxxxxxx Function: Security Support & Auditing
"lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka"
Key fingerprint = 09 48 F2 FD 81 F7 E7 98 6D C7 36 F1 96 6A 12 47

