01-20-2012, 11:32 AM
Kevin Chadwick

Upgrading password hashes

I know Arch tries to keep to upstream, but there seem to be some
discrepancies that you may or may not be aware of, so I thought I'd share.

The crypt man page says glibc may not support blowfish (stronger than
NIST's recommendation) and that seems true when used via the command line
(very short output).

The arch wiki says you can use a library from AUR.

There is also a sha512 Arch wiki which says you should edit
pam.d/passwd from md5 to sha512 but the default seems to already be
sha512, maybe it tries both as some distros default is now sha512 so no
need anymore.

It seems if you simply edit /etc/default/passwd to blowfish and reset
your password, sha512 is used e.g. encrypted password beginning with $6
in /etc/shadow not $2 (blowfish) and logins work fine.

I guess the /etc/default/passwd config file may be futurised or the
config written before changing to SHA which was easier to
implement and the wiki is out of date with the code?

--
Kc
 
01-20-2012, 09:17 PM
Don Juan

Upgrading password hashes

On 01/20/2012 04:32 AM, Kevin Chadwick wrote:

> I know Arch tries to keep to upstream, but there seem to be some
> discrepancies that you may or may not be aware of, so I thought I'd share.
>
> The crypt man page says glibc may not support blowfish (stronger than
> NIST's recommendation) and that seems true when used via the command line
> (very short output).
>
> The Arch wiki says you can use a library from AUR.
>
> There is also a sha512 Arch wiki which says you should edit
> pam.d/passwd from md5 to sha512 but the default seems to already be
> sha512, maybe it tries both as some distros default is now sha512 so no
> need anymore.
>
> It seems if you simply edit /etc/default/passwd to blowfish and reset
> your password, sha512 is used e.g. encrypted password beginning with $6
> in /etc/shadow not $2 (blowfish) and logins work fine.

Wouldn't that be because you did not set up blowfish properly? You can't
just change passwd only to get blowfish going, according to the wiki.
(Not speaking from experience.)




> I guess the /etc/default/passwd config file may be futurised or the
> config written before changing to SHA which was easier to
> implement and the wiki is out of date with the code?

Not sure if I am getting what you mean here, but to me it sounds like you
did not complete what is in the wiki in regards to running blowfish,
since you need an AUR package and whatnot, and it says there is more to do
than change a single file to make blowfish the algo.


I was wondering when you change these settings how do you change the
hash of other system users, or is that pointless and not needed? I
always wondered about that. Such as user ftp or similar.
 
01-20-2012, 10:04 PM
Kevin Chadwick

Upgrading password hashes

On Fri, 20 Jan 2012 14:17:22 -0800
Don Juan wrote:

> Not sure if I am getting what you mean here but to me sounds like you
> did not complete what is in the wiki in regards to running blowfish,
> since you need AUR package and what not and it says there is more to do
> than change a single file to make blowfish the algo.

I know I didn't. Blowfish is stronger but I'm settled with sha512
rather than building a library and fixing any possible fallout in the
future.

Maybe I missed giving a piece of info. The default password is DES which
is really crap and starts with $1 so simply enabling blowfish
in /etc/default/passwd has enabled SHA512, you'd expect to uncomment
SHA512 not blowfish. It seems for sha512 you don't have to do as much as
the wiki suggests anymore.
 
01-20-2012, 10:14 PM
Don Juan

Upgrading password hashes

On 01/20/2012 03:04 PM, Kevin Chadwick wrote:

> On Fri, 20 Jan 2012 14:17:22 -0800
> Don Juan wrote:
>
>> Not sure if I am getting what you mean here but to me sounds like you
>> did not complete what is in the wiki in regards to running blowfish,
>> since you need AUR package and what not and it says there is more to do
>> than change a single file to make blowfish the algo.
>
> I know I didn't. Blowfish is stronger but I'm settled with sha512
> rather than building a library and fixing any possible fallout in the
> future.
>
> Maybe I missed giving a piece of info. The default password is DES which
> is really crap and starts with $1 so simply enabling blowfish
> in /etc/default/passwd has enabled SHA512, you'd expect to uncomment
> SHA512 not blowfish. It seems for sha512 you don't have to do as much as
> the wiki suggests anymore.

Ahhh, OK, that makes more sense, at least to me. I just went through doing
everything in the wiki myself for the same reason: I did not want to add
another AUR package just to get the feature/ability. I agree though that
DES should be changed at this point.
 
01-21-2012, 02:34 PM
"Mantas M."

Upgrading password hashes

On Fri, Jan 20, 2012 at 11:04:12PM +0000, Kevin Chadwick wrote:
> Maybe I missed giving a piece of info. The default password is DES which
> is really crap and starts with $1 so simply enabling blowfish

DES is indeed crap, but it hasn't been the default for a long time.
The $1$ hashes are salted MD5, as crypt(3) can confirm.

--
Mantas M.
 
01-21-2012, 03:06 PM
Don Juan

Upgrading password hashes

On 01/21/2012 07:34 AM, Mantas M. wrote:

> On Fri, Jan 20, 2012 at 11:04:12PM +0000, Kevin Chadwick wrote:
>
>> Maybe I missed giving a piece of info. The default password is DES which
>> is really crap and starts with $1 so simply enabling blowfish
>
> DES is indeed crap, but it hasn't been the default for a long time.
> The $1$ hashes are salted MD5, as crypt(3) can confirm.

Then if the default is that, why are default system users, such as
http, mail, postfix and similar, not displaying the $1$ in the shadow file?
Also, according to the wiki, DES is the default and you should upgrade the
hashes out of the default. Am I not understanding it correctly in the
wiki, and do the hashes of the users that I am talking about not matter?
Sorry, I feel confused at the moment.
 
01-21-2012, 03:50 PM
Tobias Frilling

Upgrading password hashes

On 01/21/2012 05:06 PM, Don Juan wrote:
> Then if the default is that then why are default system users, such as
> http mail postfix and similar not displaying the $1$ on the shadow file?
> Also according to the wiki it says des is the default and to upgrade the
> hashes out of the default. Am I not understanding it correctly in the
> wiki, and the users that I am talking about the hashes do not matter?
> Sorry feel confused at the moment.
>

A ! or x as the hash in /etc/shadow indicates that login for these users
is not permitted. (You may still log in using SSH keys.)
The CRYPT setting from /etc/default/passwd is only used if PAM is not
enabled. If it is enabled, the configs used are in /etc/pam.d (e.g.
passwd, login etc.), which default nowadays to sha512.
 
01-21-2012, 04:08 PM
"Mantas M."

Upgrading password hashes

On Sat, Jan 21, 2012 at 08:06:04AM -0800, Don Juan wrote:
> On 01/21/2012 07:34 AM, Mantas M. wrote:
> >On Fri, Jan 20, 2012 at 11:04:12PM +0000, Kevin Chadwick wrote:
> >>Maybe I missed giving a piece of info. The default password is DES which
> >>is really crap and starts with $1 so simply enabling blowfish
> >DES is indeed crap, but it hasn't been the default for a long time.
> >The $1$ hashes are salted MD5, as crypt(3) can confirm.
> >
> Then if the default is that then why are default system users, such
> as http mail postfix and similar not displaying the $1$ on the
> shadow file?

Because they *do not have* passwords.

"x", "!" or "*" are invalid hash values, and they basically mean "password-based
logins are not permitted".

--
Mantas M.
 
01-23-2012, 10:59 AM
Kevin Chadwick

Upgrading password hashes

On Sat, 21 Jan 2012 17:50:13 +0100
Tobias Frilling wrote:

> The CRYPT setting from /etc/default/passwd is only used if pam is not
> enabled. If it is enabled, the used configs are in /etc/pam.d (e.g.
> passwd, login etc.) which default nowadays to sha512.


Confirmed, /etc/default/passwd does not enable sha512. It's
probably a good idea and the easiest way to get SHA512 for people to
reset their password *AFTER* installing PAM. Might be worth adding to
the SHA512 wiki that PAM users can just do that.

Now to see if PAM supports blowfish without adding the library from
AUR? I very much doubt it!

OpenBSD's bcrypt with configurable rounds is awesome by the way and far
more secure, yet wouldn't pass PCI compliance; how dumb some of these
certifications are.
 
01-23-2012, 11:09 AM
Tobias Frilling

Upgrading password hashes

On 01/23/2012 12:59 PM, Kevin Chadwick wrote:
> OpenBSDs bcrypt with configurable rounds is awesome by the way and far
> more secure, yet wouldn't pass PCI compliance, how dumb some of these
> certifications are.

I know next to nothing about bcrypt, but you can configure rounds in pam
too:
password required pam_unix.so sha512 shadow nullok rounds=999999
 
