I know arch tries to keep to upstream but their seems some
discrepencies that you may or may not be aware of so thought I'd share.
The crypt man page says glibc may not support blowfish (stronger than
nists recommendation) and that seems true when used via the commandline
(very short output).
The arch wiki says you can use a library from AUR.
There is also a sha512 arch wiki which says you should edit
pamd.d/passwd from md5 to sha512 but the default seems to already be
sha512, maybe it tries both as some distros default is now sha512 so no
need anymore.
It seems if you simply edit /etc/default/passwd to blowfish and reset
your password, sha512 is used e.g. encrypted password beginning with $6
in /etc/shadow not $2 (blowfish) and logins work fine.
I guess the /etc/default/passwd config file may be futurised or the
config written before changing to SHA which was easier to
implement and the wiki is out of date with the code??
--
Kc
01-20-2012, 09:17 PM
Don Juan
Upgrading password hashes
On 01/20/2012 04:32 AM, Kevin Chadwick wrote:
I know arch tries to keep to upstream but their seems some
discrepencies that you may or may not be aware of so thought I'd share.
The crypt man page says glibc may not support blowfish (stronger than
nists recommendation) and that seems true when used via the commandline
(very short output).
The arch wiki says you can use a library from AUR.
There is also a sha512 arch wiki which says you should edit
pamd.d/passwd from md5 to sha512 but the default seems to already be
sha512, maybe it tries both as some distros default is now sha512 so no
need anymore.
It seems if you simply edit /etc/default/passwd to blowfish and reset
your password, sha512 is used e.g. encrypted password beginning with $6
in /etc/shadow not $2 (blowfish) and logins work fine.
Wouldn't that be because you did not setup blowfish properly? You cant
just change passwd only to get blowfish going, according to the wiki.
(Not speaking from experience)
I guess the /etc/default/passwd config file may be futurised or the
config written before changing to SHA which was easier to
implement and the wiki is out of date with the code??
Not sure if I am getting what you mean here but to me sounds like you
did not complete what is in the wiki in regards to running blowfish,
since you need AUR package and what not and it says there is more to do
than change a single file to make blowfish the algo.
I was wondering when you change these settings how do you change the
hash of other system users, or is that pointless and not needed? I
always wondered about that. Such as user ftp or similar.
01-20-2012, 10:04 PM
Kevin Chadwick
Upgrading password hashes
On Fri, 20 Jan 2012 14:17:22 -0800
Don Juan wrote:
> Not sure if I am getting what you mean here but to me sounds like you
> did not complete what is in the wiki in regards to running blowfish,
> since you need AUR package and what not and it says there is more to do
> than change a single file to make blowfish the algo.
I know I didn't. Blowfish is stronger but I'm settled with sha512
rather than building a library and fixing any possible fallout in the
future.
Maybe I missed giving a piece of info. The default password is DES which
is really crap and starts with $1 so simply enabling blowfish
in /etc/default/passwd has enabled SHA512, you'd expect to uncomment
SHA512 not blowfish. It seems for sha512 you don't have to do as much as
the wiki suggests anymore.
01-20-2012, 10:14 PM
Don Juan
Upgrading password hashes
On 01/20/2012 03:04 PM, Kevin Chadwick wrote:
On Fri, 20 Jan 2012 14:17:22 -0800
Don Juan wrote:
Not sure if I am getting what you mean here but to me sounds like you
did not complete what is in the wiki in regards to running blowfish,
since you need AUR package and what not and it says there is more to do
than change a single file to make blowfish the algo.
I know I didn't. Blowfish is stronger but I'm settled with sha512
rather than building a library and fixing any possible fallout in the
future.
Maybe I missed giving a piece of info. The default password is DES which
is really crap and starts with $1 so simply enabling blowfish
in /etc/default/passwd has enabled SHA512, you'd expect to uncomment
SHA512 not blowfish. It seems for sha512 you don't have to do as much as
the wiki suggests anymore.
Ahhh OK that makes more sense, at least to me. I just went through doing
everything in the wiki myself for the same reason I did not want to add
another AUR package just to get the feature/ability. I agree though that
DES should be changed at this point.
01-21-2012, 02:34 PM
"Mantas M."
Upgrading password hashes
On Fri, Jan 20, 2012 at 11:04:12PM +0000, Kevin Chadwick wrote:
> Maybe I missed giving a piece of info. The default password is DES which
> is really crap and starts with $1 so simply enabling blowfish
DES is indeed crap, but it hasn't been the default for a long time.
The $1$ hashes are salted MD5, as crypt(3) can confirm.
--
Mantas M.
01-21-2012, 03:06 PM
Don Juan
Upgrading password hashes
On 01/21/2012 07:34 AM, Mantas M. wrote:
On Fri, Jan 20, 2012 at 11:04:12PM +0000, Kevin Chadwick wrote:
Maybe I missed giving a piece of info. The default password is DES which
is really crap and starts with $1 so simply enabling blowfish
DES is indeed crap, but it hasn't been the default for a long time.
The $1$ hashes are salted MD5, as crypt(3) can confirm.
Then if the default is that then why are default system users, such as
http mail postfix and similar not displaying the $1$ on the shadow file?
Also according to the wiki it says des is the default and to upgrade the
hashes out of the default. Am I not understanding it correctly in the
wiki, and the users that I am talking about the hashes do not matter?
Sorry feel confused at the moment.
01-21-2012, 03:50 PM
Tobias Frilling
Upgrading password hashes
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/21/2012 05:06 PM, Don Juan wrote:
> Then if the default is that then why are default system users, such as
> http mail postfix and similar not displaying the $1$ on the shadow file?
> Also according to the wiki it says des is the default and to upgrade the
> hashes out of the default. Am I not understanding it correctly in the
> wiki, and the users that I am talking about the hashes do not matter?
> Sorry feel confused at the moment.
>
A ! or x as the hash in /etc/shadow indicates that login for these user
is not permitted. (Also you may login using ssh-keys).
The CRYPT setting from /etc/default/passwd is only used if pam is not
enabled. If it is enabled, the used configs are in /etc/pam.d (e.g.
passwd, login etc.) which default nowadays to sha512.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
On Sat, Jan 21, 2012 at 08:06:04AM -0800, Don Juan wrote:
> On 01/21/2012 07:34 AM, Mantas M. wrote:
> >On Fri, Jan 20, 2012 at 11:04:12PM +0000, Kevin Chadwick wrote:
> >>Maybe I missed giving a piece of info. The default password is DES which
> >>is really crap and starts with $1 so simply enabling blowfish
> >DES is indeed crap, but it hasn't been the default for a long time.
> >The $1$ hashes are salted MD5, as crypt(3) can confirm.
> >
> Then if the default is that then why are default system users, such
> as http mail postfix and similar not displaying the $1$ on the
> shadow file?
Because they *do not have* passwords.
"x", "!" or "*" are invalid hash values, and they basically mean "password-based
logins are not permitted".
--
Mantas M.
01-23-2012, 10:59 AM
Kevin Chadwick
Upgrading password hashes
On Sat, 21 Jan 2012 17:50:13 +0100
Tobias Frilling wrote:
> The CRYPT setting from /etc/default/passwd is only used if pam is not
> enabled. If it is enabled, the used configs are in /etc/pam.d (e.g.
> passwd, login etc.) which default nowadays to sha512.
Confirmed, /etc/default/passwd does not enable sha512. It's
probably a good idea and the easiest way to get SHA512 for people to
reset their password *AFTER* installing PAM. Might be worth adding to
the SHA512 wiki that PAM users can just do that.
Now to see if PAM supports blowfish without adding the library from
AUR?, I very much doubt it!
OpenBSDs bcrypt with configurable rounds is awesome by the way and far
more secure, yet wouldn't pass PCI compliance, how dumb some of these
certifications are.
01-23-2012, 11:09 AM
Tobias Frilling
Upgrading password hashes
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/23/2012 12:59 PM, Kevin Chadwick wrote:
> OpenBSDs bcrypt with configurable rounds is awesome by the way and far
> more secure, yet wouldn't pass PCI compliance, how dumb some of these
> certifications are.
I know next to nothing about bcrypt, but you can configure rounds in pam
too:
password required pam_unix.so sha512 shadow nullok rounds=999999
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
Upgrading password hashes
