Bugzilla – Bug 1086
shadow should be set up to use MD5 passwords
Last modified: 2008-06-16 12:35:39 UTC
This is a simple change that only requires changing a line in /etc/login.defs. A line that is now:
#MD5_CRYPT_ENAB no
becomes:
MD5_CRYPT_ENAB yes
This simple change makes it significantly (about 50x) harder to brute-force crack your passwords, and allows for passwords longer than 8 characters.
*** Bug 1085 has been marked as a duplicate of this bug. ***
Oh, BTW, changing this setting does not generate new MD5 passwords, so the passwords remain in DES format until they are reset with passwd.
Bumping all severities/priorities to max... we need action on all these bugs... find, fix, or forget them but get them closed in the next 6 days.... rc1 is due 24th of October! Eric
any action on this?
The Security Team can take action on this if they want, otherwise we can wait on Jeff.
Any news on this yet? Making this (very simple) change by your next release is probably a good idea... Simple fix looks like this:
cp /etc/login.defs /etc/login.defs.backup
# rewrite the commented-out "no" line as "MD5_CRYPT_ENAB yes" and write the result back over /etc/login.defs
sed "s/#MD5_CRYPT_ENAB.*no/MD5_CRYPT_ENAB yes/" /etc/login.defs.backup > /etc/login.defs
You can probably do it cleaner than I can, but that will work.. Without this you only have 8 significant character passwords, which john the ripper can check at 89923 characters a second on my computer. With MD5 passwords, you have no practical limit on the significant characters, and john the ripper checks them out at a rate of 1918 cps.
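The two practical points in the thread so far are (a) flipping MD5_CRYPT_ENAB in login.defs and (b) the fact that flipping it does not rehash anything, so existing accounts stay on 13-character DES hashes until their password is reset. The script below is an added example, not code from this bug report or from the shadow package: it sets MD5_CRYPT_ENAB yes idempotently (handling the commented line, an explicit "no", and a missing line), verifies the result, and lists which shadow entries are still traditional DES. Function names, the sample login.defs fragment and the sample shadow lines are all constructed for the example; the file paths are arguments so it can be run against copies rather than the live /etc files.

```sh
#!/bin/sh
# Added example (not from the bug thread or from shadow): enable
# MD5_CRYPT_ENAB in a login.defs file, then report accounts whose
# /etc/shadow hash is still traditional DES and needs a passwd reset.
# All paths are parameters; nothing here touches /etc by itself.

# enable_md5_crypt FILE
# Rewrite any existing MD5_CRYPT_ENAB line, commented or not, with any
# value, to "MD5_CRYPT_ENAB yes"; append the line if the file lacks one.
# Running it twice leaves the file unchanged.
enable_md5_crypt() {
    f="$1"
    tmp="$f.tmp.$$"
    if grep -Eq '^[[:space:]]*#?[[:space:]]*MD5_CRYPT_ENAB([[:space:]]|$)' "$f"; then
        sed -E 's/^[[:space:]]*#?[[:space:]]*MD5_CRYPT_ENAB([[:space:]].*)?$/MD5_CRYPT_ENAB yes/' "$f" > "$tmp" \
            && mv "$tmp" "$f"
    else
        printf 'MD5_CRYPT_ENAB yes\n' >> "$f"
    fi
}

# md5_crypt_enabled FILE
# Exit 0 only if an uncommented "MD5_CRYPT_ENAB yes" line is present,
# i.e. the state the thread later reports for the beta3 ISO.
md5_crypt_enabled() {
    grep -Eq '^[[:space:]]*MD5_CRYPT_ENAB[[:space:]]+yes[[:space:]]*$' "$1"
}

# des_hash_accounts SHADOWFILE
# Print user names whose password field is a 13-character traditional
# DES hash (2-character salt + 11 characters from [./0-9A-Za-z]).
# Modular-crypt hashes start with '$' ($1$ = MD5, $2a$/$2b$ = bcrypt),
# and locked or empty fields ('!', '*', '') never match.
des_hash_accounts() {
    awk -F: 'length($2) == 13 && $2 ~ "^[./0-9A-Za-z]+$" { print $1 }' "$1"
}

# write_samples DIR
# Constructed sample files for the demo; not data from any real system.
write_samples() {
    d="$1"
    cat > "$d/login.defs" <<'EOF'
# Sample login.defs fragment (constructed for this example)
PASS_MAX_DAYS   99999
#MD5_CRYPT_ENAB no
EOF
    cat > "$d/shadow" <<'EOF'
root:$1$abcdefgh$Wp3iZrE0lK2qT6vRa1bYo0:14000:0:99999:7:::
alice:ab/0cXY9Zk1Lq:14000:0:99999:7:::
bob:*:14000:0:99999:7:::
carol:$2a$05$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234:14000:0:99999:7:::
EOF
}

# Demo on the constructed samples (run with: sh md5_crypt_check.sh).
dir=$(mktemp -d)
write_samples "$dir"
enable_md5_crypt "$dir/login.defs"
if md5_crypt_enabled "$dir/login.defs"; then
    echo "login.defs: MD5_CRYPT_ENAB yes is active"
fi
echo "accounts still on DES hashes (need a passwd reset before MD5 applies):"
des_hash_accounts "$dir/shadow"
rm -rf "$dir"
```

On a real host you would call enable_md5_crypt on /etc/login.defs (after backing it up, as the previous comment does) and des_hash_accounts on /etc/shadow as root; the DES list is the set of users whose passwords must be reset with passwd before the setting has any effect on them.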
I'm going to do the taking action part if this isn't done within a couple days. It looks like a small, harmless change. Then, I'll move it up to test so that the test to stable migration catches it. At that point, iso-gurus should be building from stable for the 0.5 release, and it should fix the /etc/login.defs in the default install, I presume. On my smgl installs, it is set to yes already, so I'm wondering if this is a problem with older install CDs.
If it's already updated on the new installs, that's great... I did raise the issue 5 months ago after all ;-) BTW, FYI (and other THAs), I've been playing with trying to get bcrypt passwords working; they give another order of magnitude improvement (or more, it's designed to be future-proof). See http://www.openwall.com/crypt/ for more info...
bcrypt passwords would be nice to have. I remember reading that paper a while ago and was impressed by the future-proofness. The website had a shadow patch for slackware. I wonder if shadow itself will include it eventually.
Reassigning...
To close this bug we just need to make sure the login.defs file is set for md5 encryption on the new ISO. It was when I installed before... are the new ISOs set up correctly then? Or did you renew this since we wanted bcrypt support, as that's why I left it open? I'm thinking assign this bug to sm-security and see if we have any volunteers to make a bcrypt spell?
bcrypt sounds good, if we can find the hackers for it. :) On the beta3 ISO, "MD5_CRYPT_ENAB yes" is in /etc/login.defs
Opening up so others with more time can work on them.
Well, I'm going to close this, and if we ever get someone with time to work on bcrypt, they can open a new one for that.
if any of these still have issues outstanding then they can be reopened, but most have just been overlooked/forgotten ("these" refers to the 611 fixed but not closed bugs I just found in our database)
reassign to sm-grimoire-bugs
Changing version to test grimoire.