Linux Archive

Linux Archive (http://www.linux-archive.org/)
-   ArchLinux General Discussion (http://www.linux-archive.org/archlinux-general-discussion/)
-   -   Password expiring and encryption (http://www.linux-archive.org/archlinux-general-discussion/712312-password-expiring-encryption.html)

Rafael Beraldo 10-14-2012 09:03 PM

Password expiring and encryption
 
Hello all,

I have my passwords set to expire every 30 days. When they expire, I am
asked to input a new, different password.

It turns out that I recently noticed I had to input only the first 8
characters of my password to be able to log in. I discussed this with
Hlao-ru on #archlinux and, thanks to him, I found out that passwords
generated by passwd were fine but passwords generated after my password
expired suffer from the 8-character restriction problem. This problem can
be reproduced by manually expiring the password with passwd -e user and
then logging in with su user.

So I took a look at man passwd and man login and both programs read
/etc/login.defs. This file has a parameter, ENCRYPT_METHOD, that was, in my
system, unset. The default value for this parameter is DES, and that could
be causing my problem. I set the parameter to SHA512 but that didn't help
(I believe I have to reboot the system, and I haven't).

There are a few other files that seem to do a similar job, namely
/etc/default/passwd and /etc/pam.d/password.

I am confused: what file controls what programs? And isn't that a bug? The
wiki [0] says that newly created passwords use SHA-512 as the encryption,
but that's clearly not the case when asked to create a new password.

[0]: https://wiki.archlinux.org/index.php/SHA_password_hashes

Thanks all,

--
Rafael Beraldo
cabaladada.org

Christoph Vigano 10-14-2012 10:57 PM

Password expiring and encryption
 
On 10/14/12 at 06:03pm, Rafael Beraldo wrote:
> Hello all,
>
> I have my passwords set to expire every 30 days. When they expire, I am
> asked to input a new, different password.
>
> It turns out that I recently noticed I had to input only the first 8
> characters of my password to be able to log in. I discussed this with
> Hlao-ru on #archlinux and, thanks to him, I found out that passwords
> generated by passwd were fine but passwords generated after my password
> expired suffer from the 8-character restriction problem. This problem can
> be reproduced by manually expiring the password with passwd -e user and
> then logging in with su user.
>
> So I took a look at man passwd and man login and both programs read
> /etc/login.defs. This file has a parameter, ENCRYPT_METHOD, that was, in my
> system, unset. The default value for this parameter is DES, and that could
> be causing my problem. I set the parameter to SHA512 but that didn't help
> (I believe I have to reboot the system, and I haven't).
>
> There are a few other files that seem to do a similar job, namely
> /etc/default/passwd and /etc/pam.d/password.
>
> I am confused: what file controls what programs? And isn't that a bug? The
> wiki [0] says that newly created passwords use SHA-512 as the encryption,
> but that's clearly not the case when asked to create a new password.
>
> [0]: https://wiki.archlinux.org/index.php/SHA_password_hashes
>
> Thanks all,
>
> --
> Rafael Beraldo
> cabaladada.org

A few minutes ago I tinkered with this exact issue on my hobbyist LFS,
introducing PAM to my setup.

The installation page for shadow states the following:
"The login program currently performs many functions which Linux-PAM
modules should now handle. The following sed command will comment out
the appropriate lines in /etc/login.defs, and stop login from performing
these functions" [0]

After that, several files for different services or programs are
created, "system-passwd" being one of them, where the line is identical
to that of "/etc/pam.d/passwd" shipped with the Arch Linux pam package:

password required pam_unix.so sha512 shadow nullok

That line enforces hashing of the password with SHA512 if available the
next time the password is set anew.

This should explain why you did not find any of those options in
login.defs. Have you tried backing up default/passwd and deleting it?
On my LFS, there is no such file and I can't find the point of its
creation in the PKGBUILD of pam.

HTH,
Christoph
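The two posts above turn on one question: which hash scheme a given account's stored password actually uses, and which configuration line (login.defs ENCRYPT_METHOD or the pam_unix.so options in /etc/pam.d/passwd) will apply at the next password change. The shell script below is an added example, not code from either poster or from the shadow or Linux-PAM projects. It classifies a shadow-style password field by its `$id$` prefix (a field with no prefix is a traditional DES crypt hash, which is the scheme that only looks at the first 8 characters of the password), audits a constructed sample shadow file for such entries, and reports which hash option a pam_unix.so password line carries. The sample users, salts and hash strings are made-up placeholders, and the option names checked in pam_unix_hash are the documented pam_unix hash options.

```shell
#!/bin/sh
# Added example, not from the thread: classify password hash schemes by
# prefix, audit a shadow-format file for legacy DES entries, and read the
# hash option off a pam_unix.so "password" line.

hash_scheme() {
    # $1 = the password field (second field) of an /etc/shadow line.
    case "$1" in
        '!'*|'*'|'')    echo locked ;;      # locked or passwordless account
        '$6$'*)          echo sha512 ;;
        '$5$'*)          echo sha256 ;;
        '$y$'*)          echo yescrypt ;;
        '$7$'*)          echo scrypt ;;
        '$2a$'*|'$2b$'*|'$2y$'*) echo bcrypt ;;
        '$1$'*)          echo md5 ;;
        # No "$id$" prefix: traditional DES crypt (2-char salt + 11 chars),
        # which uses only the first 8 characters of the password.
        *)               echo des ;;
    esac
}

audit_shadow() {
    # $1 = path to a shadow-format file. Prints "user scheme" per entry and
    # returns 1 if any account still carries a DES hash, 0 otherwise.
    weak=0
    while IFS=: read -r user hash _rest; do
        scheme=$(hash_scheme "$hash")
        printf '%s %s\n' "$user" "$scheme"
        if [ "$scheme" = des ]; then
            weak=1
        fi
    done < "$1"
    return $weak
}

pam_unix_hash() {
    # $1 = one /etc/pam.d line, e.g. "password required pam_unix.so sha512 shadow nullok".
    # Prints the pam_unix hash option present on the line, or "unspecified".
    for word in $1; do
        case "$word" in
            md5|bigcrypt|sha256|sha512|blowfish|yescrypt)
                echo "$word"
                return 0 ;;
        esac
    done
    echo unspecified
}

# Constructed sample shadow file (user:hash:lastchg:min:max:warn:::); the
# hash strings are placeholders, not real hashes.
SAMPLE_SHADOW=$(mktemp)
trap 'rm -f "$SAMPLE_SHADOW"' EXIT
cat > "$SAMPLE_SHADOW" <<'EOF'
alice:$6$examplesalt$exampleSHA512hashvalue:15627:0:30:7:::
bob:abJnggxhB/yWI:15627:0:30:7:::
carol:!:15627:0:30:7:::
dave:$1$examplesalt$exampleMD5hashvalue:15627:0:30:7:::
EOF

# Stand-alone run: list every account's scheme and flag DES entries.
if audit_shadow "$SAMPLE_SHADOW"; then
    echo "no DES hashes found"
else
    echo "WARNING: at least one account uses a DES hash (8-character limit)"
fi
echo "pam_unix hash option: $(pam_unix_hash 'password required pam_unix.so sha512 shadow nullok')"
```

On a real system the audit would be run as root against /etc/shadow; an account whose field reports `des` was last set while DES was in effect and keeps that hash until its password is changed again, so fixing ENCRYPT_METHOD or the pam_unix line does not rehash existing entries by itself.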
