Your message dated Thu, 6 Jan 2022 16:15:09 +0100
with message-id <[email protected]>
and subject line Re: Bug#1003151: whois: mkpasswd fails for yescrypt when providing salt
has caused the Debian Bug report #1003151,
regarding whois: mkpasswd fails for yescrypt when providing salt
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1003151: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1003151
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: whois
Version: 5.5.10
Severity: important
X-Debbugs-Cc: [email protected]
Dear Maintainer,
`mkpasswd --method=help` lists `yescrypt` as an available method. _Yescrypt_
(prefix `$y$`) is Debian 11's default passwd hashing algorithm.
The following commands will work, asking for a password, using a generated
salt, and outputting in storage format (see `man 5 crypt`):
* `mkpasswd --method=yescrypt`
* `mkpasswd --method='$y$'`
* `mkpasswd # defaults to Yescrypt`
The following commands providing a salt will FAIL with `Wrong salt length: 16 bytes when 0 expected.`:
* `mkpasswd --method=yescrypt --salt=1234567890123456`
* `mkpasswd --method='$y$' --salt=1234567890123456`
* `mkpasswd --salt=1234567890123456`
Therefore, it seems that currently, it's not possible to verify a
yescrypt-based / Debian 11 user password by comparing `mkpasswd --salt=...`
with e.g. the output from `getent shadow $SOME_USERNAME`.
-- System Information:
Debian Release: 11.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 5.10.0-10-amd64 (SMP w/64 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) (ignored: LC_ALL
set to en_US.UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages whois depends on:
ii libc6 2.31-13+deb11u2
ii libcrypt1 1:4.4.18-4
ii libidn2-0 2.3.0-5
whois recommends no packages.
whois suggests no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
On Jan 05, Gerrit Hübbers <[email protected]> wrote:
> The following commands providing a salt will FAIL with `Wrong salt length: 16
> bytes when 0 expected.`:
> * `mkpasswd --method=yescrypt --salt=1234567890123456`
> * `mkpasswd --method='$y$' --salt=1234567890123456`
> * `mkpasswd --salt=1234567890123456`
The yescrypt function here does not know how many rounds need to be used
and there is no simple way to generate a "default" metadata string for
the salt.
I have committed a change which allows using a similar command, by also
providing the "j9T$" metadata:
mkpasswd --method=yescrypt abc 'j9T$NLTnlHlt6cj0lkSizrMNN.'
But the correct and easy way to verify a password, which works with all
releases, is to provide the salt string *with* the leading method
prefix, or even just the complete hashed password:
mkpasswd abc '$5$rounds=3000$NhJ78pg4LKwQ9cOJ'
mkpasswd abc '$5$rounds=3000$NhJ78pg4LKwQ9cOJ$Xt2t0kJycyHXVhR5rQGeI2Nh/IwBZQTnM0WfvQySnRC'
Because mkpasswd *really* is just a frontend for crypt(3).
--
ciao,
Marco
--- End Message ---
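Added example, not code from the thread or from the whois package: a small parser for crypt(3) setting strings that shows why a bare 16-character salt is not a usable yescrypt setting (the "j9T$" parameter block is missing) and how a full stored hash doubles as the setting, plus a verify() that does what `mkpasswd <pw> '<full hash>'` does by calling crypt(3) through ctypes. It assumes libxcrypt's libcrypt.so.1 is present for verify(); the method ids and "rounds=" handling reflect libxcrypt's hash layout and are this example's assumptions.

```python
import ctypes
import hmac
import re
from typing import NamedTuple, Optional

# Hash families whose setting always carries a parameter block before the
# salt (yescrypt "$y$j9T$...", gost-yescrypt "$gy$..."). sha-crypt ($5$/$6$)
# only has one when an explicit "rounds=N" field is present.
_PARAM_METHODS = {"y", "gy"}

class Setting(NamedTuple):
    method: str            # "y", "5", "6", ...
    params: Optional[str]  # "j9T", "rounds=3000", or None
    salt: str

def parse_setting(s: str) -> Setting:
    """Split "$id$[params$]salt[$hash]" into its fields; a trailing hash is
    ignored. A yescrypt salt with no parameter block is rejected, which is
    the situation the bug report ran into with --salt=1234567890123456."""
    m = re.fullmatch(r"\$([^$]+)\$(.*)", s)
    if not m:
        raise ValueError(f"not a crypt(3) setting: {s!r}")
    method, rest = m.groups()
    fields = rest.split("$")
    if method in _PARAM_METHODS or fields[0].startswith("rounds="):
        if len(fields) < 2 or not fields[1]:
            raise ValueError(f"${method}$ needs a parameter block before the salt")
        return Setting(method, fields[0], fields[1])
    return Setting(method, None, fields[0])

def setting_prefix(stored_hash: str) -> str:
    """The part of a stored hash that crypt(3) reuses as the 'salt' argument."""
    st = parse_setting(stored_hash)
    return "$".join(["", st.method] + ([st.params] if st.params else []) + [st.salt])

def verify(password: str, stored_hash: str) -> bool:
    """Recompute crypt(password, stored_hash) and compare, exactly what
    mkpasswd does when handed the complete hash as its salt argument.
    Assumes libxcrypt (libcrypt.so.1); loaded lazily so parsing needs no lib."""
    libcrypt = ctypes.CDLL("libcrypt.so.1")
    libcrypt.crypt.restype = ctypes.c_char_p
    libcrypt.crypt.argtypes = [ctypes.c_char_p, ctypes.c_char_p]
    out = libcrypt.crypt(password.encode(), stored_hash.encode())
    # libxcrypt returns NULL or an invalid "*0"/"*1" string on failure
    if not out or out.startswith(b"*"):
        return False
    return hmac.compare_digest(out, stored_hash.encode())
```

verify("abc", full_hash) with a hash taken from `getent shadow` returns True only when the recomputed string matches byte for byte, so a wrong method, parameter block or salt all fail the same way.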