Univention Bugzilla – Bug 42103
root password is hashed with MD5
Last modified: 2016-10-20 12:40:33 CEST
UCS 4.1-3 errata 237

Expected behaviour:
The UCRV "password/hashing/method" specifies "SHA-512" as default hashing method for all passwords.

Observed behaviour:
"password/hashing/method" is only valid for LDAP users. For local users (such as "root") we still use MD5 (or md5crypt iirc):

> root@ucs-2920:~# less /etc/shadow | grep root
> root:$1$F5qxj2Hh$kVYT3gvF2GFpC3CGAFAAQ/:17036:0:99999:7:::

"$1$" indicates MD5 / md5crypt as hashing method.

Possible solution:
AFAIK /etc/pam.d/common-password is responsible for this:

> password [success=2 default=ignore] pam_unix.so nullok obscure md5 min=4 max=32 try_first_pass use_authtok

We should replace 'md5' with 'sha512'. I also think we should remove 'nullok', because empty root passwords don't seem acceptable to me. The 'min' and 'max' settings seem outdated as they have no effect: I can ignore the warnings and set a root password with only 1 character (or one with 35 characters) nevertheless.

The default Debian Wheezy config uses this:

> password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
Created attachment 7919 [details] Replace md5 with sha512, remove nullok, min, max
On my UCS 4.1 system my root password is not hashed with MD5 but with SHA-512. Which tool did you use to change the root password?
(In reply to Florian Best from comment #2)
> On my UCS 4.1 system my root password is not hashed with MD5 but with
> SHA-512. Which tool did you use to change the root password?

Ah okay, I could reproduce this with the following python script:

import PAM
auth = PAM.pam()
auth.start('univention-management-console')
auth.chauthtok()
All relevant pam configuration files:

grep -l pam_unix $(find $(find -name pam.d -type d) -type f)

* Removed min and max parameters as they don't exist (/aren't documented). Default minlen is 6.
* Changed MD5 to SHA512
* Removed nullok

From pam_unix manpage:
nullok: The default action of this module is to not permit the user access to a service if their official password is blank. The nullok argument overrides this default and allows any user with a blank password to access the service.

So after this change it's not possible to change the password anymore if it is empty. I don't know which side effects this can have. We will see tomorrow if the jenkins tests fail if e.g. system-setup tries to use this when initially setting the password for root.

Michael/The security auditors want this change. It's also the debian default.

univention-ldap (12.1.6-40):
r73236 | Bug #42103: enhance pam_unix password change configuration
r73235 | Bug #42103: enhance pam_unix password change configuration

univention-ldap.yaml:
r73236 | Bug #42103: enhance pam_unix password change configuration

univention-pam (9.0.0-7):
r73236 | Bug #42103: enhance pam_unix password change configuration
r73235 | Bug #42103: enhance pam_unix password change configuration

univention-management-console (8.0.28-19):
r73236 | Bug #42103: enhance pam_unix password change configuration
r73235 | Bug #42103: enhance pam_unix password change configuration

univention-pam.yaml:
r73236 | Bug #42103: enhance pam_unix password change configuration

univention-management-console.yaml:
r73236 | Bug #42103: enhance pam_unix password change configuration

Merge to UCS 4.2:

univention-ldap (13.0.0-11):
r73238 | Bug #42103: enhance pam_unix password change configuration
r73237 | Bug #42103: enhance pam_unix password change configuration

univention-management-console (9.0.12-24):
r73238 | Bug #42103: enhance pam_unix password change configuration
r73237 | Bug #42103: enhance pam_unix password change configuration

univention-pam (10.0.0-2):
r73238 | Bug #42103: enhance pam_unix password change configuration
r73237 | Bug #42103: enhance pam_unix password change configuration
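The two checks behind this bug, the "$1$" prefix in the shadow entry from the original report and the md5/nullok/min/max options on the pam_unix line that the fix above removes, are easy to script. The following audit script is an added example written for this page; it is not part of UCS, its packages or the commits listed above. It classifies every hash in shadow-format input by its crypt(3) prefix (so $5$ sha256crypt and $6$ sha512crypt are told apart, which is the check to run after an erratum like this lands) and flags pam_unix "password" lines that still carry md5, nullok or the non-existent min=/max= options. All input below is constructed sample data: the root line is the one quoted in the report, the "$6$" entry is a placeholder and not a real hash, and the two pam lines are the before and after from the report.

```shell
#!/bin/sh
# Added example (not UCS code): audit shadow hash algorithms and pam_unix
# password-line options. Inputs at the bottom are constructed samples.

# Map a crypt(3) hash to its algorithm by the "$id$" prefix.
hash_algo() {
    case "$1" in
        '')       echo empty ;;        # no password at all (what nullok lets through)
        '*'|'!'*) echo locked ;;       # locked account, not a weak hash
        '$1$'*)   echo md5crypt ;;
        '$5$'*)   echo sha256crypt ;;
        '$6$'*)   echo sha512crypt ;;
        '$2a$'*|'$2b$'*|'$2y$'*) echo bcrypt ;;
        '$y$'*)   echo yescrypt ;;
        *)        echo other ;;        # e.g. 13-char DES crypt; treat as weak
    esac
}

# Read shadow(5) lines on stdin and print "user algorithm" for each.
shadow_report() {
    while IFS=: read -r user hash _rest; do
        [ -n "$user" ] || continue
        printf '%s %s\n' "$user" "$(hash_algo "$hash")"
    done
}

# Read shadow(5) lines on stdin and print only the users that need attention:
# md5crypt/DES/unknown hashes or an empty password field.
shadow_weak() {
    shadow_report | while read -r user algo; do
        case "$algo" in
            md5crypt|other|empty) echo "$user" ;;
        esac
    done
}

# Check one pam_unix "password" line. Prints each problem found and returns 1
# if there were any, 0 if the line is acceptable or not a pam_unix password line.
check_pam_unix_line() {
    line=" $1 "
    rc=0
    case "$line" in
        " password "*"pam_unix.so"*) ;;
        *) return 0 ;;
    esac
    case "$line" in
        *" md5 "*|*" bigcrypt "*)
            echo "md5/bigcrypt: new passwords get a weak hash"; rc=1 ;;
        *" sha512 "*|*" sha256 "*|*" blowfish "*|*" yescrypt "*) ;;
        *)  echo "no hash algorithm option: relying on the pam_unix built-in default"; rc=1 ;;
    esac
    case "$line" in
        *" nullok "*) echo "nullok: empty passwords are accepted"; rc=1 ;;
    esac
    case "$line" in
        *" min="*|*" max="*)
            echo "min=/max=: not pam_unix options, they have no effect (pam_unix knows minlen=)"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample data. The root line is the one quoted in the bug report;
# the "$6$" hash is a placeholder, not real sha512crypt output.
SAMPLE_SHADOW='root:$1$F5qxj2Hh$kVYT3gvF2GFpC3CGAFAAQ/:17036:0:99999:7:::
backup:$6$saltsalt$placeholderhash:17036:0:99999:7:::
nobody:*:17036:0:99999:7:::
guest::17036:0:99999:7:::'
OLD_LINE='password [success=2 default=ignore] pam_unix.so nullok obscure md5 min=4 max=32 try_first_pass use_authtok'
NEW_LINE='password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512'

printf '%s\n' "$SAMPLE_SHADOW" | shadow_report
echo "weak or empty: $(printf '%s\n' "$SAMPLE_SHADOW" | shadow_weak | tr '\n' ' ')"
check_pam_unix_line "$OLD_LINE" || echo "-> old common-password line needs fixing"
check_pam_unix_line "$NEW_LINE" && echo "-> new common-password line is fine"
```

On a real host, run it as root with `shadow_report < /etc/shadow`, and loop over the files found by the grep in the comment above, feeding each line to check_pam_unix_line. Existing entries keep their old hash until the next password change: the pam change only affects hashes created afterwards, so the shadow report is what tells you whether root has actually been rehashed.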
univention-pam (9.0.0-8): r73239 | Bug #42103: adjust pseudo tests
Tests: OK, the new hashes are SHA 256
Code review: OK
Merge to 4.2: OK
YAML: OK
<http://errata.software-univention.de/ucs/4.1/302.html> <http://errata.software-univention.de/ucs/4.1/303.html> <http://errata.software-univention.de/ucs/4.1/304.html>