Univention Bugzilla – Full Text Bug Listing

| Summary: | root password is hashed with MD5 | | |
|---|---|---|---|
| Product: | UCS | Reporter: | Michael Grandjean <grandjean> |
| Component: | PAM | Assignee: | Florian Best <best> |
| Status: | CLOSED FIXED | QA Contact: | Stefan Gohmann <gohmann> |
| Severity: | normal | | |
| Priority: | P5 | CC: | best, gohmann |
| Version: | UCS 4.1 | | |
| Target Milestone: | UCS 4.1-3-errata | | |
| Hardware: | Other | | |
| OS: | Linux | | |
| What kind of report is it?: | Security Issue | What type of bug is this?: | --- |
| Who will be affected by this bug?: | --- | How will those affected feel about the bug?: | --- |
| User Pain: | | Enterprise Customer affected?: | Yes |
| School Customer affected?: | | ISV affected?: | |
| Waiting Support: | | Flags outvoted (downgraded) after PO Review: | |
| Ticket number: | | Bug group (optional): | API change, Security |
| Max CVSS v3 score: | | | |
| Attachments: | Replace md5 with sha512, remove nullok, min, max | | |
Description
Michael Grandjean
2016-08-23 22:59:38 CEST
Created attachment 7919 [details]
Replace md5 with sha512, remove nullok, min, max
---

On my UCS 4.1 system my root password is not hashed with MD5 but with SHA-512. Which tool did you use to change the root password?

---

(In reply to Florian Best from comment #2)
> On my UCS 4.1 system my root password is not hashed with MD5 but with
> SHA-512. Which tool did you use to change the root password?

Ah okay, I could reproduce this with the following python script:

```python
import PAM  # PyPAM bindings

auth = PAM.pam()
# Use the same PAM service that UMC uses, so its pam.d stack is exercised
auth.start('univention-management-console')
# Run the password-change stack; with the old config this wrote an MD5 hash
auth.chauthtok()
```

All relevant pam configuration files:

```sh
grep -l pam_unix $(find $(find -name pam.d -type d) -type f)
```

* Removed min and max parameter as they don't exist (/aren't documented). Default minlen is 6.
* Changed MD5 to SHA512
* Removed nullok

From pam_unix manpage:

> nullok: The default action of this module is to not permit the user access to a service if their official password is blank. The nullok argument overrides this default and allows any user with a blank password to access the service.

So after this change it's not possible to change the password anymore if it is empty. I don't know which side effects this can have. We will see tomorrow if the jenkins tests fail if e.g. system-setup tries to use this when initially setting the password for root. Michael/The security auditors want this change. It's also the debian default.
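A check for the configuration state this fix changes, as an added example that is not code from the bug report or from UCS: it flags the md5, nullok and undocumented min/max options on pam_unix.so lines and names the crypt(3) scheme behind a /etc/shadow password field. The config lines and hash values in it are constructed samples.

```python
"""Audit pam_unix.so option lines and classify crypt(3) hash prefixes.

Added example, not code from the bug report: it flags the options the fix
removed or replaced and names the scheme behind a shadow password field.
"""

# Options the fix removed from (or replaced on) pam_unix.so lines.
WEAK_OPTIONS = {
    "md5": "MD5 hashing; use sha512",
    "nullok": "permits empty passwords",
    "min": "not a pam_unix option",
    "max": "not a pam_unix option",
}

# crypt(3) scheme identifiers; "$1$" is the MD5 scheme this bug is about.
HASH_SCHEMES = {"$1$": "md5", "$5$": "sha256", "$6$": "sha512", "$y$": "yescrypt"}

# Constructed samples: a weak line modelled on what the bug describes
# (the min/max values are made up) and the corrected line.
BEFORE_CONFIG = ("# constructed pam_unix line before the fix\n"
                 "password required pam_unix.so nullok md5 min=4 max=8 obscure\n")
AFTER_CONFIG = "password required pam_unix.so sha512 obscure\n"


def audit_pam_config(text):
    """Return (line_no, option, reason) for each weak option on a pam_unix.so line."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()          # strip comments
        idx = next((i for i, f in enumerate(fields) if f.endswith("pam_unix.so")), None)
        if idx is None:
            continue
        for opt in fields[idx + 1:]:
            name = opt.split("=", 1)[0]                 # "min=4" -> "min"
            if name in WEAK_OPTIONS:
                findings.append((no, name, WEAK_OPTIONS[name]))
    return findings


def hash_scheme(shadow_field):
    """Name the scheme of a shadow password field; 'empty', 'locked' or 'unknown' otherwise."""
    if shadow_field == "":
        return "empty"                                  # what nullok would let through
    if shadow_field[0] in "!*":
        return "locked"
    for prefix, name in HASH_SCHEMES.items():
        if shadow_field.startswith(prefix):
            return name
    return "unknown"
```

Run audit_pam_config over the output of the grep command above and hash_scheme over the second field of each /etc/shadow line to confirm the fix landed on a system.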
---

univention-ldap (12.1.6-40):
  r73236 | Bug #42103: enhance pam_unix password change configuration
  r73235 | Bug #42103: enhance pam_unix password change configuration
univention-ldap.yaml:
  r73236 | Bug #42103: enhance pam_unix password change configuration
univention-pam (9.0.0-7):
  r73236 | Bug #42103: enhance pam_unix password change configuration
  r73235 | Bug #42103: enhance pam_unix password change configuration
univention-management-console (8.0.28-19):
  r73236 | Bug #42103: enhance pam_unix password change configuration
  r73235 | Bug #42103: enhance pam_unix password change configuration
univention-pam.yaml:
  r73236 | Bug #42103: enhance pam_unix password change configuration
univention-management-console.yaml:
  r73236 | Bug #42103: enhance pam_unix password change configuration

Merge to UCS 4.2:
univention-ldap (13.0.0-11):
  r73238 | Bug #42103: enhance pam_unix password change configuration
  r73237 | Bug #42103: enhance pam_unix password change configuration
univention-management-console (9.0.12-24):
  r73238 | Bug #42103: enhance pam_unix password change configuration
  r73237 | Bug #42103: enhance pam_unix password change configuration
univention-pam (10.0.0-2):
  r73238 | Bug #42103: enhance pam_unix password change configuration
  r73237 | Bug #42103: enhance pam_unix password change configuration
univention-pam (9.0.0-8):
  r73239 | Bug #42103: adjust pseudo tests

---

Tests: OK, the new hashes are SHA 256
Code review: OK
Merge to 4.2: OK
YAML: OK