Re: SHA512 passwords in shadow

[DJ Lucas]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/28/2010 10:20 PM, Bruce Dubbs wrote:

> We probably need to also mention:
> 
> # Note: If you use PAM, it is recommended to use a value consistent with
> # the PAM modules configuration.
> 
> Other opinions?
> 
>    -- Bruce


Despite the comment in login.defs, that is not necessary.  In fact, PAM
also adds support for bigcrypt (DEC C2) and blowfish encryption in the
shadow file (as long as crypt() supports them).  The passwd program is
going to use whatever value is handed to pam_unix.so in the
/etc/pam.d/passwd file.  This bit is an error in BLFS.  ENCRYPT_METHOD
should be added to the sed for login.defs at the end of the shadow
instructions, and the first sed removed.

Just a quick test to show the above in action, I thought the comment was
wrong (thinking of blowfish), but had to verify quick:

dj [ /media/lfs ]$ sudo passwd dj
New Linux password:                        <- "password"
Retype new Linux password:
BAD PASSWORD: it is based on a dictionary word
passwd: password updated successfully
dj [ /media/lfs ]$ sudo grep dj /etc/shadow
dj:$1$GHXqyIJ5$LSPJqqMrJnW29KRfJmBD20:14789:0:99999:7:::
dj [ /media/lfs ]$ sudo sed -e 's...@md5 @sha512 @' -i /etc/pam.d/system-auth
## this is not standard yet, but /etc/pam.d/login includes system-auth
on my system
dj [ /media/lfs ]$ sudo sed -e 's...@md5 @sha512 @' -i /etc/pam.d/passwd
dj [ /media/lfs ]$ grep "^ENCRYPT" /etc/login.defs
ENCRYPT_METHOD MD5
dj [ /media/lfs ]$ sudo passwd dj
New Linux password:                        <- "password"
Retype new Linux password:
BAD PASSWORD: it is based on a dictionary word
passwd: password updated successfully
dj [ /media/lfs ]$ sudo login
name51 login: dj
Password:
dj [ ~ ]$ sudo grep dj /etc/shadow
dj:$6$wvESC6TO$4BUZxy6FKKleNcsn2MFF2pdPucYVV/JlvrdwO.li4gUZeTnQPl9rZ8RhI.Lik79DWvFMua5LVaf5kQVC3dM5M0:14789:0:99999:7:::
dj [ ~ ]$ exit
logout
dj [ /media/lfs ]$

- -- DJ Lucas
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)

iQIcBAEBAgAGBQJMKXJAAAoJEIUM+xKzBYsIq2wP+QH7q+qVQLm/a/we6C8A78vA
xA7IrZDbposY5AsxxgWAnl1IrBDf19wj7+OOYygN+DXp+GHtVkFzew9U0M4CS44W
G/mmXJcuiOw0PyqWKJHWnbXAOpThJpALIDWZ3COsclCvp4uiaOnWv1xjaPZq7lcV
E2+59IK+4VN19PiRvTa6VHfo8ohFwugKLFZm2YDq0MxKb0FO+YG7AUwFUcZLXPCA
s6Iv3gy+RNXdOwhl63Fdz8My6GScl/FMkV4BqFZN+KhcBG6YEBKDX9lQbN1wB9hK
ZgfoUfcPPw5QNElgsXL79wIFwQxL4d5y60LWt9S8Tg1wU91d3jGbgkYXrH11dQuQ
xgcZeNcRHwIjtB3HUNW7cqdaclN46s6eFr0+bzcrBc2XoqXudZO2ZZLd9PTmMDiZ
u9UwlgdB2KtvKUNEu2Z1nbK/qTcjWT6MaCLkWH3K3n8U74T3i0znDTROL8JUQkdj
LsDY7T0PkETf+roDDrVujUqZBFmV8s4CpsrT0PHAHhhSq5/7qKOiHLu6VAwRrm6k
su5e5AM1V0LylWy1C2B9wAUGbI1+peDAEcZoDYAUz4KHYcHT3UoQnNGi/454k1FB
71GCNFJJjE0puaEqayGZjY0nGnzzteR0r9AUX2k09Hy9F9zlif2gsDiYhwe4FCFq
pyAJbuW2P4nHW07NT0v/
=upfx
-----END PGP SIGNATURE-----

-- 
This message has been scanned for viruses and
dangerous content, and is believed to be clean.

-- 
http://linuxfromscratch.org/mailman/listinfo/lfs-dev
FAQ: http://www.linuxfromscratch.org/faq/
Unsubscribe: See the above information page