Old 10-14-2012, 09:03 PM
Rafael Beraldo
 
Password expiring and encryption

Hello all,

I have my passwords set to expire every 30 days. When they expire, I am
asked to input a new, different password.

It turns out that I recently noticed I had to input only the first 8
characters of my password to be able to log in. I discussed this with
Hlao-ru on #archlinux and, thanks to him, I found out that passwords
generated by passwd were fine but passwords generated after my password
expires suffer from the 8-character restriction problem. This problem
can be reproduced by manually expiring the password with passwd -e user
and then logging in with su user.

So I took a look at man passwd and man login and both programs read
/etc/login.defs. This file has a parameter, ENCRYPT_METHOD, that was, in
my system, unset. The default value for this parameter is DES, and that
could be causing my problem. I set the parameter to SHA512 but that
didn't help (I believe I have to reboot the system, and I haven't).

There are a few other files that seem to do a similar job, namely
/etc/default/passwd and /etc/pam.d/password.

I am confused: which file controls which programs? And isn't that a bug?
The wiki [0] says that newly created passwords use SHA-512 as the
encryption, but that's clearly not the case when asked to create a new
password.

[0]: https://wiki.archlinux.org/index.php/SHA_password_hashes

Thanks all,

--
Rafael Beraldo
cabaladada.org
 
Old 10-14-2012, 10:57 PM
Christoph Vigano
 
Password expiring and encryption

On 10/14/12 at 06:03pm, Rafael Beraldo wrote:
> Hello all,
>
> I have my passwords set to expire every 30 days. When they expire, I am
> asked to input a new, different password.
>
> It turns out that I recently noticed I had to input only the first 8
> characters of my password to be able to log in. I discussed this with
> Hlao-ru on #archlinux and, thanks to him, I found out that passwords
> generated by passwd were fine but passwords generated after my password
> expires suffer from the 8-character restriction problem. This problem
> can be reproduced by manually expiring the password with passwd -e user
> and then logging in with su user.
>
> So I took a look at man passwd and man login and both programs read
> /etc/login.defs. This file has a parameter, ENCRYPT_METHOD, that was, in
> my system, unset. The default value for this parameter is DES, and that
> could be causing my problem. I set the parameter to SHA512 but that
> didn't help (I believe I have to reboot the system, and I haven't).
>
> There are a few other files that seem to do a similar job, namely
> /etc/default/passwd and /etc/pam.d/password.
>
> I am confused: which file controls which programs? And isn't that a bug?
> The wiki [0] says that newly created passwords use SHA-512 as the
> encryption, but that's clearly not the case when asked to create a new
> password.
>
> [0]: https://wiki.archlinux.org/index.php/SHA_password_hashes
>
> Thanks all,
>
> --
> Rafael Beraldo
> cabaladada.org

A few minutes ago I tinkered with this exact issue on my hobbyist LFS,
introducing PAM to my setup.

The installation page for shadow states the following:
"The login program currently performs many functions which Linux-PAM
modules should now handle. The following sed command will comment out
the appropriate lines in /etc/login.defs, and stop login from performing
these functions" [0]

After that, several files for different services or programs are
created, "system-passwd" being one of them, where the line is identical
to that of "/etc/pam.d/passwd" shipped with Arch Linux pam-package:

password required pam_unix.so sha512 shadow nullok

That line enforces hashing of the password with SHA512 if available the
next time the password is set anew.

This should explain why you did not find any of those options in
login.defs. Have you tried backing up default/passwd and deleting it?
On my LFS, there is no such file and I can't find the point of its
creation in the PKGBUILD of pam.

HTH,
Christoph
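
An added example, not part of either post above: a small Python check for the two things this thread turns on, namely which accounts still carry a traditional DES crypt hash (the scheme that honours only the first 8 characters) and whether the pam_unix password line carries a hash option such as sha512. The shadow entries and function names are constructed for illustration; the PAM line in the usage is the one quoted in the reply.

```python
import re

# crypt(3) prefixes seen in the second field of /etc/shadow.
PREFIXES = {"$1$": "md5", "$5$": "sha256", "$6$": "sha512", "$y$": "yescrypt",
            "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt"}
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")  # traditional DES: 13 chars, no "$"
PAM_HASH_OPTS = {"md5", "bigcrypt", "sha256", "sha512", "blowfish", "yescrypt"}

# Constructed sample entries (not real hashes).
SHADOW_SAMPLE = """\
root:$6$constructedsalt$constructedhash:15627:0:99999:7:::
alice:abCONSTRUCTED:15627:0:30:7:::
bob:!:15627:0:30:7:::
"""

def classify_hash(field):
    """Name the scheme of one shadow password field."""
    if field == "":
        return "empty"
    if field[0] in "!*":
        return "locked"
    for prefix, name in PREFIXES.items():
        if field.startswith(prefix):
            return name
    return "des" if DES_RE.match(field) else "unknown"

def des_accounts(shadow_text):
    """Accounts whose stored hash is DES, so only 8 password characters count."""
    hits = []
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 2 and classify_hash(parts[1]) == "des":
            hits.append(parts[0])
    return hits

def pam_unix_hash_option(pam_text):
    """Hash option on the first 'password' pam_unix.so line: name, 'unset', or None."""
    for line in pam_text.splitlines():
        tokens = line.split("#", 1)[0].split()
        if not tokens or tokens[0].lstrip("-") != "password":
            continue
        idx = next((i for i, t in enumerate(tokens) if t.endswith("pam_unix.so")), None)
        if idx is not None:
            opts = [t for t in tokens[idx + 1:] if t in PAM_HASH_OPTS]
            return opts[0] if opts else "unset"
    return None  # no password-stack line for pam_unix.so at all

if __name__ == "__main__":
    print("DES hashes:", des_accounts(SHADOW_SAMPLE))
    print(pam_unix_hash_option("password required pam_unix.so sha512 shadow nullok"))
```

On a real system the inputs would be the contents of /etc/shadow (readable by root only) and the relevant file under /etc/pam.d/; any account reported as DES needs its password set again after the PAM line is corrected, because the stored hash is only replaced at the next password change.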
 
