On Tue, Mar 13, 2018 at 03:18:35PM +0000, Adam Weremczuk wrote:
> Hi all,
>
> I've just spotted that on one of my old wheezy servers root entry in
> /etc/shadow was updated just over 3 weeks ago.
>
> The root password is still the same and the lastchanged count is
> much higher than 3 weeks.
>
> The difference I've noticed is the hashed password string being much longer.
>
> It's now prefixed with $6$ (SHA-512 algorithm) comparing with $1$
> (MD5) before the change.

Of course, moving off MD5 makes some sense. It's not burning a hole
in your system's security in this case [1], but MD5 is a bit old
these days.

> My first suspect was a security patch but the system was not updated
> around that time.
>
> Has anybody seen this before and could explain?

What I don't understand is how the system changed the hashing method
without getting you involved. You don't remember having had to enter
the root password? That would be strange.

Cheers

[1] /etc/shadow isn't world-readable, so if you have someone on your
    system capable of reading it, you're already in hot water; and
    if you have copies of /etc/shadow around there, well... you
    encrypt your system backups, do you? The only credible threat
    model remaining is that someone(TM) accesses your hard disk
    "from the side", e.g. booting a rescue system or taking to the
    screwdriver.

-- 
t
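
Added example, not part of the original message or of any Debian tool: a small Python parser for shadow(5) entries that reports the hash scheme from the `$id$` prefix and converts the last-change field (days since 1970-01-01) to a date, so a backup copy and the current entry can be compared for the situation described in the thread. The function names and both sample entries are constructed for illustration; the salts and hashes are placeholders.

```python
from datetime import date, timedelta

# crypt(3) scheme identifiers found between the first two '$' of the hash field.
SCHEMES = {"1": "MD5", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
           "5": "SHA-256", "6": "SHA-512", "y": "yescrypt"}

def parse_shadow_line(line):
    """Parse one shadow(5) entry into name, scheme, lock state and last-change date."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("expected 9 colon-separated fields, got %d" % len(fields))
    name, pw, lastchg = fields[:3]
    body = pw.lstrip("!")              # a leading '!' marks a locked password
    if pw == "":
        scheme = "empty"               # no password required at all
    elif body in ("", "*"):
        scheme = "none"                # no usable hash, password login disabled
    elif body.startswith("$") and body.count("$") >= 3:
        scheme = SCHEMES.get(body.split("$")[1], "unknown")
    elif len(body) == 13:
        scheme = "DES"                 # traditional crypt has no '$' prefix
    else:
        scheme = "unknown"
    # Field 3 counts days since 1970-01-01; empty means aging is not tracked.
    changed = date(1970, 1, 1) + timedelta(days=int(lastchg)) if lastchg else None
    return {"name": name, "scheme": scheme, "locked": pw.startswith("!"),
            "changed": changed}

def rehash_without_aging_update(old_line, new_line):
    """True when the hash scheme differs but the last-change field does not."""
    old, new = parse_shadow_line(old_line), parse_shadow_line(new_line)
    return (old["name"] == new["name"] and old["scheme"] != new["scheme"]
            and old["changed"] == new["changed"])

# Constructed entries (placeholder salts and hashes, not real credentials).
OLD = "root:$1$CONSTRSA$placeholderMD5hashvalue:16000:0:99999:7:::"
NEW = "root:$6$CONSTRUCTEDSALT$placeholderSHA512hashvalue:16000:0:99999:7:::"

if __name__ == "__main__":
    for entry in (OLD, NEW):
        print(parse_shadow_line(entry))
    print("scheme changed, lastchg unchanged:",
          rehash_without_aging_update(OLD, NEW))
```

To apply it to a real system, feed it the root line from a backup copy of /etc/shadow and the current one; reading either file requires root.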